nessus – HackerTarget.com (https://hackertarget.com), Security Vulnerability Scanners and Assessments

Nessus, OpenVAS and Nexpose VS Metasploitable
https://hackertarget.com/nessus-openvas-nexpose-vs-metasploitable/
Wed, 22 Aug 2012 12:16:43 +0000

The following article shows results from a test in which I have chosen to target three different vulnerability scanners in a "black box" test against a Metasploitable version 2 VirtualBox image. In such a test the vulnerability scanner is run against a target with no prior knowledge of, or credentialed access to, the system.

In this high-level comparison of Nessus, Nexpose, and OpenVAS, I have not attempted a detailed metric-based analysis, because it would be difficult to reach a conclusive result given the large differences in detection and in how the different solutions categorise vulnerabilities.

Background Info

The testing deliberately focuses on network vulnerability scanning capabilities rather than looking at the web application vulnerability detection in detail. Here at Hacker Target, we believe a network vulnerability scanner must be capable of identifying poorly configured services, default services that have poor security, and software with known security vulnerabilities.

Notes on the Vulnerability Scanner Testing

  • Apart from Nmap, the external tools that OpenVAS can use have not been installed. These external tools are mostly web application vulnerability detection tools, including wapiti, Arachni, Nikto and Dirb.
  • OpenVAS version 5 has been tested with the full scan profile. All TCP ports and the top 100 UDP ports were scanned with Nmap.
  • Nessus version 5 was launched using the External Network Scan profile. It was also tested with the Internal Network Scan profile; however, the results were similar.
  • The Nexpose scanner was executed with the Full audit profile.
  • No tweaking of default scan profiles was undertaken.
  • No credentials were used during the scan. It was an external network service focused scan.

These results are only a quick overview. I have not followed up every discovered vulnerability to determine false positives and false negatives.

Edit 1st of September 2012 (clarification of scanner versions and plugins used)
Nessus: The home feed was used for the Nessus testing. According to the Tenable website, "The Nessus HomeFeed gives you the ability to scan your personal home network (up to 16 IP addresses) with the same high-speed, in-depth assessments and agentless scanning convenience that ProfessionalFeed subscribers enjoy." Note that the Nessus scanner with the home feed cannot be used in a professional or commercial environment.
OpenVAS: The default OpenVAS 5 open source signatures and software were used. These are free to use under the GNU General Public License (GNU GPL).
Nexpose: The community version of Nexpose was tested. According to the Rapid7 website, "Nexpose Community Edition is powered by the same scan engine as award-winning Nexpose Enterprise Edition and offers many of the same features." With this version you can scan up to 32 IP addresses.

And now for the results.

Nessus 5 (External Network Profile)
  • Critical: 3
  • High: 6
  • Medium: 22
  • Low: 8
  • Info: 137

OpenVAS 5 (Full Audit Scan Profile)
  • High: 38
  • Medium: 24
  • Low: 36
  • Log: 44

Nexpose (Full Audit Scan Profile)
  • Critical: 49
  • Severe: 103
  • Moderate: 18

These total numbers, without any context around the categorisation of findings or the accuracy of the results, provide little value, except to highlight the wide variation in results from the different scanners.

Analysing a specific sample of Security Issues

In order to look at some more meaningful results, I have examined a sample set of exploitable and mis-configured services on the Metasploitable system.

This is only a sample of exploitable services on the target host. There are many more vulnerabilities present on the system; both network services and web application security holes.

At the last minute I decided to include Nmap with its NSE scripts against the Metasploitable host. The results were interesting to say the least: while Nmap is not a full blown vulnerability scanner, the development of its NSE scripting ability makes this powerful tool even more capable.

The numbers get interesting.

These are the numbers of vulnerabilities correctly discovered and rated by each vulnerability scanner from the sample set of exploitable services.

  • Nessus: 7
  • OpenVAS: 7
  • Nexpose: 7
  • Nmap: 6

7 out of 15 security holes identified

Security Issue (detection columns in the original table: Nessus, OpenVAS, Nexpose, Nmap)
  • FTP 21: Anonymous FTP Access
  • FTP 21: VsFTPd Smiley Face Backdoor
  • FTP 2121: ProFTPD Vulnerabilities
  • SSH 22: Weak Host Keys
  • PHP-CGI: Query String Parameter Injection
  • CIFS: Null Sessions
  • INGRESLOCK 1524: known backdoor drops to root shell
  • NFS 2049: /* exported and writable
  • MYSQL 3306: weak auth (root with no password)
  • RMI REGISTRY 1099: Insecure Default Config
  • DISTCCd 3632: distributed compiler
  • POSTGRESQL 5432: weak auth (postgresql)
  • VNC 5900: weak auth (password)
  • IRC 6667: Unreal IRCd Backdoor
  • Tomcat 8180: weak auth (tomcat/tomcat)

Notes about the sample set of tests

  • All the above vulnerabilities and mis-configurations, except for Anonymous FTP, can be exploited to gain shells on the system (in most cases with root privileges) using Metasploit or other methods.
  • There are a number of examples where the scanners do not detect weak or default credentials. While not specifically testing passwords, if MySQL is being checked for weak credentials why not other services?
  • Items such as the INGRESLOCK backdoor and the Unreal IRCd vulnerability are fairly obscure, however, this makes them good examples for testing overall capability.
  • The Metasploitable version 2 release page has good examples of exploiting many of the mis-configurations in this list. This highlights not only how a poorly configured service can lead to a root shell but also the fact that vulnerability scanners need to be able to detect these types of security related mis-configurations.

These scans were conducted in a black box manner; when running internal scans it is recommended to perform credentialed scanning. This means providing the vulnerability scanning tool with valid Windows domain, SSH, or other authorisation so that it can perform checks against the local system. This is of most value when looking for missing patches in an operating system or third party software and when detecting installed applications.

Conclusion

An organisation wishing to secure its IT infrastructure needs to implement vulnerability scanning, as it is an essential security control.

Vulnerability scanning is recommended by the SANS Institute as a Critical Control and US-based NIST as a Security Management Control.

The results shown in this article show significant variation in discovered security vulnerabilities by different tools. It may be helpful to compare vulnerability scanners to anti-virus solutions. Both are important to security control and will enhance an organisation's security posture. However, as with anti-virus, a vulnerability scanner will not find all the bad things.

The following is common knowledge for most in the security industry who perform network vulnerability testing:

  • Check results for accuracy -> false positives.
  • Actively look for things that were missed -> false negatives.

A recommended approach to vulnerability scanning

  • Tune the vulnerability scan profiles to suit your requirements
  • Perform a detailed analysis of the results
  • Run secondary tools such as Nmap, a secondary vulnerability scanning solution and/or specialised tools. The use of multiple tools will provide a greater level of coverage and assist in confirming discovered vulnerabilities.
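The false-positive and false-negative checks above, and the recommendation to run a second scanner or Nmap alongside the primary one, come down to correlating several tools' output. The script below is an added example, not HackerTarget's code: it folds differently named findings onto one label, then reports which findings were confirmed by two or more tools, which rest on a single tool (false-positive review), and which tools missed a finding others reported (false-negative review). The SAMPLE results and ALIASES map are constructed, loosely modelled on the Metasploitable sample set in this post.

```python
"""Correlate findings from several vulnerability scanners (added example,
not HackerTarget's code). Output is reduced to (port, issue) pairs and
grouped by reporting scanner: single-source findings are false-positive
candidates, scanners that missed a finding are false-negative candidates.
"""
from collections import defaultdict

# Scanners name the same issue differently; fold known variants to one label.
ALIASES = {
    "vsftpd 2.3.4 backdoor": "vsftpd backdoor",
    "vsftpd smiley face backdoor": "vsftpd backdoor",
    "unrealircd backdoor": "unreal ircd backdoor",
    "unreal ircd 3.2.8.1 backdoor": "unreal ircd backdoor",
}

def normalise(issue):
    key = " ".join(issue.lower().split())  # case and whitespace folding
    return ALIASES.get(key, key)

def correlate(results):
    """Map each (port, issue) to the set of scanners that reported it."""
    seen = defaultdict(set)
    for scanner, findings in results.items():
        for port, issue in findings:
            seen[(port, normalise(issue))].add(scanner)
    return dict(seen)

def triage(results):
    """Return (confirmed, single_source, gaps) for manual follow-up."""
    scanners = set(results)
    seen = correlate(results)
    confirmed = {f for f, s in seen.items() if len(s) >= 2}
    single = {f: next(iter(s)) for f, s in seen.items() if len(s) == 1}
    gaps = {f: scanners - s for f, s in seen.items() if s != scanners}
    return confirmed, single, gaps

# Constructed sample output, loosely modelled on the post's sample set.
SAMPLE = {
    "nessus": [(21, "Anonymous FTP Access"), (21, "vsFTPd Smiley Face Backdoor"),
               (6667, "UnrealIRCd backdoor")],
    "openvas": [(21, "anonymous ftp access"), (1524, "Ingreslock backdoor"),
                (6667, "Unreal IRCd 3.2.8.1 backdoor")],
    "nmap": [(21, "Anonymous  FTP Access"), (21, "vsftpd 2.3.4 backdoor")],
}

if __name__ == "__main__":
    confirmed, single, gaps = triage(SAMPLE)
    print("confirmed by 2+ scanners:", sorted(confirmed))
    print("single-source (check for false positives):", single)
    print("missed by (check for false negatives):", gaps)
```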

Performing internal focused testing in conjunction with external facing vulnerability scans adds value when working to secure Internet connected networks or servers.

Assess the risk and work on mitigation.

Nessus 5 on Ubuntu 12.04 install and mini review
https://hackertarget.com/nessus-5-on-ubuntu-12-04-install-and-mini-review/
Mon, 16 Jul 2012 12:58:56 +0000

Having yet to play with Nessus 5, today I grabbed a copy and installed it into my Ubuntu 12.04 64 bit system. Take note I am having a quick look at the product, not using it in a commercial manner as part of the work done by HackerTarget.com. This would require a professional feed license (now $1500 USD per year).

The download of the Nessus 5 package (.deb) for Ubuntu is around 25 MB, which contrasts significantly with the recently tested Nexpose Community Edition, a download of over 200 MB for the 64 bit binary.

The install takes less than a minute and is fast and easy, as can be seen below.

testuser@ninkynonk:~$ sudo dpkg -i Downloads/Nessus-5.0.1-ubuntu1110_amd64.deb
[sudo] password for testuser:
Selecting previously unselected package nessus.
(Reading database ... 193891 files and directories currently installed.)
Unpacking nessus (from .../Nessus-5.0.1-ubuntu1110_amd64.deb) ...
Setting up nessus (5.0.1) ...
nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 - 2012 Tenable Network Security, Inc.

Processing the Nessus plugins...
[##################################################]

All plugins loaded

 - You can start nessusd by typing /etc/init.d/nessusd start
 - Then go to https://192.168.1.123:8834/ to configure your scanner

Processing triggers for ureadahead ...

Heading to the URL listed in the output of the install script starts the web based install wizard. Registering for a feed is required here, whether that is for Home use or Professional use. Enter the feed key, the plugins are downloaded, and the scanner is initialised.

After setting an admin password during the web based configuration, I promptly managed to forget it. Me for the win! If you are as leet as me, reset a Nessus password by running:

/opt/nessus/sbin/nessus-chpasswd admin

Nessus Management Console

After logging in you are presented with this web based console that is based on Flash. Doh! One of my least favorite things about Nessus 4 in the past has been its use of Flash, and here I see in Nessus 5 we are still using this Flash based console.

In a previous work environment, where I was monitoring ~1800 devices on a globally distributed network, access to the network was reasonably restricted. If accessing from home I would use a VPN and then a Remote Desktop jumpbox to reach the Nessus console on HTTPS 8834. When using the Flash based console in this manner the refresh times are horrible. My connection was 20mb and the Nessus host was a grunty box, but the slow refresh of the Flash interface still carried across the RDP redraw and made it a painful experience.

Create a Nessus Scan

Creating a test scan is easy enough. I like the clear default scan options. Let's face it; many users only use the default scan options, so clearly defining the available options as "Prepare for PCI-DSS Audits", "External Network Scan", "Web App Tests" and "Internal Network Scan" helps the user understand the scope of the test.

Nessus Report and Detection

The test scan did a good job of detecting missing updates on my test Ubuntu host. For those unfamiliar with vulnerability scanners, I recommend you take a look at the options to customise the scan policies. Even if you are averse to tinkering too much, the most important configuration option for Internal Network Scans is to ensure you are performing credentialed scans. This allows the Nessus scanner to log in to the target host and collect information on the host locally, giving the scan engine valuable information such as the patch level of the system, whether it is a Windows or Linux based host.

Malware detection with Nessus

An interesting new feature of Nessus 5 is the known malware detection feature. Malware has been a problem since the days of the first boot loader viruses; however, in today's world of information-siphoning botnets the threats are widespread and potentially devastating to an organisation.

Anti-virus is generally a requirement on all your Windows based desktops, but it is far from foolproof. In fact, slight modifications to malware can make it virtually undetectable to many AV scanners until signatures become available for that particular variant. The security industry is creating all manner of network based anomaly detection products to discover unknown malware. Tenable has added an interesting feature to Nessus that seems quite simple and one I suspect will be beneficial to many organisations.

As the Nessus scanner performs a credentialed scan of a system it can collect hashes of all the running processes and compare these to an online database that is effectively a clone of a system such as VirusTotal. The system uses the Reversing Labs database of known bad hashes, which can come from 25 different AV vendors, so it immediately adds a new layer of defence to your anti-virus capability. If your primary AV client misses a piece of malware, when you run your regular Nessus scan you may still catch it. Understand, however, that like any AV detection it will not find everything. For an add-on that comes free with your $1500 USD Nessus subscription I believe this is a nice bonus feature.
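The mechanism just described, hash every running process's executable and look the hashes up in a known-bad list, is small enough to show end to end. The script below is an added example, not Tenable's code: it assumes a Linux /proc layout (reading each /proc/<pid>/exe link), and a constructed local SHA-256 denylist stands in for the online Reversing Labs database. It also reports the cases a credentialed check has to deal with: processes it is not allowed to inspect and binaries deleted from disk while still running.

```python
"""Hash the executables of running processes and compare them with a
known-bad list, the mechanism behind the Nessus 5 malware check
described above. Added example, not Tenable's code; it assumes a Linux
/proc layout and uses a local SHA-256 denylist in place of the online
Reversing Labs database.
"""
import hashlib
import os

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def running_executables(proc_root="/proc"):
    """Yield (pid, exe path, problem) for every numeric /proc entry.
    Unreadable links (permission denied, kernel threads) and binaries
    deleted from disk while still running are reported, not skipped."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(link)
        except OSError as exc:
            yield int(entry), None, f"unreadable: {exc.strerror}"
            continue
        if target.endswith(" (deleted)") or not os.path.isfile(target):
            yield int(entry), target, "binary deleted from disk"
        else:
            yield int(entry), target, None

def check_processes(denylist, proc_root="/proc"):
    """Return (pid, path, verdict) for processes that need attention."""
    findings = []
    for pid, path, problem in running_executables(proc_root):
        if problem is None:
            try:
                digest = sha256_file(path)
            except OSError as exc:
                problem = f"unreadable: {exc.strerror}"
            else:
                problem = f"known bad sha256 {digest}" if digest in denylist else None
        if problem:
            findings.append((pid, path, problem))
    return findings

if __name__ == "__main__":
    for finding in check_processes(set()):  # empty denylist: shows only anomalies
        print(finding)
```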

Summary

Overall the latest Nessus 5 seems to be light on resource usage and easy to configure. You can literally be up and running within 10 minutes. Of course this has been a very quick review, further testing would be required to see how it scales on a large network and how comprehensive the vulnerability detection plugins are.

As was mentioned in the Nexpose install review, I like to have multiple vulnerability scanner options available. It definitely helps in correlation and also provides assurance that a vulnerability that was missed by one scanner may be picked up by the second option. We feel our online OpenVAS scan and other options provide an effective second assessment option particularly when reviewing Internet facing systems.
