Security Basics mailing list archives

Re: NMap Scripts Vs Nessus

From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 23 Jul 2010 11:46:18 -0500

Jacky Jack <jacksonsmth698 () gmail com> writes:

Hi

Some of NMmap Scripts are now moving on for vulnerability scanning.
Those scripts are a smallest subset of what Nessus is now doing.

I have no idea why NSE folks write scripts that re-invent the wheel.
Although I appreciate that we have two options to validate the results,
a great deal of time will be wasted if NSE folks are
writing/converting Nessus plugins to NSEs.

How do you think?

Fyodor's got some excellent folks working for him to improve nmap, and
I'd strongly encourage anyone to re-think calling any of it a waste of
time!

I think nmap scripts are excellent additions to an already powerful
tool. If there's some functionality overlap between some of those and
other existing tools, so be it. As you say, there's value in a second
opinion to weed out false positives. I also somewhat doubt they're
going about it primarily by reverse engineering Nessus plugins.

As another poster mentioned, Nmap is free, Nessus is not. Bringing
commercial functionality and getting it into the hands of more people
is good for state of security.

To make an analogy to a different tool, yes, Core Impact has been an
amazing penetration testing exploit tool for a long time, but given
its price tag, how many people ever were able to leverage it to show
clients how easy it could be for a sufficiently motivated attacker?
Now that Metasploit (free) is staggeringly awesome as an exploit
framework, the argument for pushing vendors to fix their bugs, or for
organizations to apply lagging patches has become a bit more
compelling. "A _free_ tool is avaialable with a plugin to exploit
this" is a lot more compelling to people than "There's this thing
called Core Impact has a sploit for this issue, but it costs [xx]
thousand dollars, and not many people have it."

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

NMap Scripts Vs Nessus Jacky Jack (Jul 22)
- Re: NMap Scripts Vs Nessus Fedora Hacker (Jul 23)
- Re: NMap Scripts Vs Nessus Todd Haverkos (Jul 23)
  - Re: NMap Scripts Vs Nessus Vincent Maury (Jul 27)
    - Re: NMap Scripts Vs Nessus Jacky Jack (Jul 29)
    - Re: NMap Scripts Vs Nessus Vincent Maury (Jul 28)