Penetration Testing mailing list archives
RE: Vuln Scanner
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Mon, 31 Oct 2005 13:06:43 -0600
Nstealth isn't really any different from Nikto or Sandcat. They are mostly known-file checkers, though Nikto has some URL-based xss and sqli checks, though by default you will likely get false positives unless you tune them (if you can) for custom error messages. None of those are like Nessus; in fact Nessus can use Nikto for webby stuff. So, for a network vuln scanner that is cost-effective and has checks like Nessus: Talisker has a list of Scanners: http://www.networkintrusion.co.uk/N_scan.htm Shadow was a reverse-engineered version of Retina, which is why it disappeared if I remember correctly. Others not on Talisker's list (some are under "distributed scanners"; I don't understand the distinction but...): -Qualys Qualysguard -McAfee Foundstone Enterprise -nCircle IP360 -NGS Typhon Typhon is fast and usually more cost effective than the above three scanners. Another option is to explain to the client that if the reason they want two scanners is really for validation of the results, then you should look at an exploitation tool like: -Metasploit (free) -CANVAS (inexpensive) -Core Impact (varies) -Visionael (no idea cost; looked at a year or two ago and it was definitely not ready for prime time, and support was sub-optimal. It appeared to be a ripoff of Nessus code rebuilt into a combo vuln-scanner/exploitation tool) There have been some free scanner projects that have come and gone but I can't think of any that are still under active development or have current vulnerability checks. -ae
-----Original Message----- From: Lyal Collins [mailto:lyal.collins () key2it com au] Sent: Saturday, October 29, 2005 1:27 AM To: 'Michael Gargiullo'; pen-test () securityfocus com Subject: RE: Vuln Scanner Hmm. C rules out Newt! Nstealth looks Ok. I've trialled SandCat, but found way too many false positives (about 4 for every actual issue). Nikto is helpful, but only works at the http layer. Lyal -----Original Message----- From: Michael Gargiullo [mailto:mgargiullo () pvtpt com] Sent: Saturday, 29 October 2005 4:43 AM To: pen-test () securityfocus com Subject: Vuln Scanner I have a client that states in his RFP that we run nessus, and at least one other vulnerability scanner to compare the output. Does anyone here know of an inexpensive vulnerability scanner, that: A) Is as effective as nessus. B) Doesn't cost nearly as much as say ISS or SAINT (free would be good). C) Doesn't use nessus plugins (like x-scan). -Mike -------------------------------------------------------------- -------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -------------- --- -------------------------------------------------------------- ---------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -----------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Vuln Scanner Michael Gargiullo (Oct 28)
- RE: Vuln Scanner Lyal Collins (Oct 29)
- RE: Vuln Scanner Omar A. Herrera (Oct 29)
- Re: Vuln Scanner Frederic Charpentier (Oct 29)
- RE: Vuln Scanner Richard Zaluski (Oct 29)
- <Possible follow-ups>
- RE: Vuln Scanner Jarmon, Don R (Oct 29)
- RE: Vuln Scanner Evans, Arian (Oct 31)
- Re: RE: Vuln Scanner chingshiong (Oct 31)