The Best Vulnerability Scanners for Kali Linux in 2024

You aren’t going to be hacking anything without first establishing your attack surface. That’s why you want to know the best vulnerability scanners for Kali Linux.

What is running on your target system? What services are exposed, and what service versions are they? Is something out of date? And most importantly to you, are there known vulnerabilities?

A good scanner will answer these questions for you. Today, we will examine three: Nmap, Nessus, and Greenbone Vulnerability Manager (OpenVAS). We will analyze their interfaces, ease of use, results, cost, and more to help you decide which you want to use and when.

What Are These Scanners?

Before we dive into the specifics of each, let’s take a look at an overview of these programs.

Nmap

Short for Network Mapper, Nmap is a free and open-source tool used for network discovery and security auditing. It has the ability to discover hosts on a network and provide a wealth of information on them, including the hostname, operating system, open ports, running services and service versions, and more. 

It comes preinstalled on Kali Linux and is often the first tool penetration testers use to enumerate their target. Nmap has a powerful scripting engine that includes scanners for a wide range of known vulnerabilities. 

There are outside repositories that can greatly increase the number of vulnerabilities Nmap can scan for, such as Vulners.

Nessus

Nessus is a vulnerability assessment tool made by Tenable, available as a free version, professional version, and expert version. Tenable advertises Nessus as the number one tool for vulnerability assessment, scanning for over 75,000 CVEs (Common Vulnerabilities and Exposures).  

Nessus offers a wide range of options to customize your scanning, including the intensity of the scan, the types of vulnerabilities to look for, and the ability to schedule a scan for a specific time and date. It can scan individual targets or multiple targets in a network.

This tool is not included by default on Kali Linux.

Greenbone Vulnerability Manager

OpenVAS (Open Vulnerability Assessment Scanner) was a vulnerability scanner managed by Greenbone Networks. Until recently, OpenVAS was its own framework, but it is now part of the Greenbone Vulnerability Manager (GVM). The software began as a fork of Nessus after Nessus changed from open source to closed source.

While many still call it OpenVAS, we will use the new name, GVM. 

GVM allows for authenticated and unauthenticated vulnerability scanning of individual targets or networks. GVM, much like the other scanners on this list, will perform a port scan on the target systems and check them for known vulnerabilities. 

GVM remains open-source but is not included by default on Kali Linux.

Ease of Configuration

In this section, we will set up each scanner to determine how easily and quickly we can have them up and running on our Kali Linux instance.

Nmap

This was easy. Nmap comes pre-installed and configured in Kali Linux. Since it is a command line tool, there is no bootup or login. Simply type “nmap” followed by the flags you wish to use in your scan, and your target.

Nessus

There were several steps to getting Nessus ready to go. We needed to go to the Tenable website and download the program. 

Once downloaded, we had to install it through the command line.

Afterward, we selected the Essentials version (which is the free version). We needed to provide an email address to register an account and receive an activation key. It’s worth noting that a Gmail address was rejected as it had to be a “work” email. We used our StationX email to complete the registration.

Nessus began to initialize.

It took 32 minutes from downloading the package to Nessus updating all its plugins before we were able to perform our first scan.

Greenbone Vulnerability Manager

Setting up GVM was a nightmare. 

While the enterprise version boasts a turnkey solution for easy installation, clear documentation for the community edition was lacking, both on the Greenbone website and online in general.

We were able to find a resource that walked through the installation using the command line. The commands were as follows:

sudo apt install gvm -y

sudo gvm-setup

sudo gvm-check-setup

After the installation is complete, update the databases with the following commands:

sudo runuser -u _gvm -- greenbone-nvt-sync

sudo runuser -u _gvm -- greenbone-feed-sync --type SCAP

sudo runuser -u _gvm -- greenbone-feed-sync --type CERT

sudo runuser -u _gvm -- greenbone-feed-sync --type GVMD_DATA

You can then log in to the GUI at https://127.0.0.1:9392.  Don’t forget to copy down your very long password generated during the setup. 

From the first command to successfully logging into Greenbone took 45 minutes. But the installation didn’t end there. 

We ran into multiple issues that eventually prompted us to reinstall. The first attempt had our scans “interrupted at 0%”. After going through many of the proposed solutions in the Greenbone forum, we reinstalled on a new virtual machine and tried again; this was another 45-minute initial install.

This time attempting a scan led to an error that GVM could not connect to a database. Again, this appeared to be a frequent issue on the forum, with multiple possible solutions which worked for some users but not others. We spent several hours working on these to no avail until realizing that the changes take time to propagate, even after a restart of the program and reboot of the VM.

The forum stated that these changes could take between 20 minutes and two hours. We left the VM running overnight and found it was working fine in the morning.

Winner: Nmap

Nmap takes this one easily. It’s preinstalled and preconfigured with nothing required of you except to open the Bash terminal.

Interfaces

A good tool should be easy to navigate. How intuitive is each of these scanners? Let’s take a look.

Nmap

Nmap is purely a command line program. You begin by typing “nmap” followed by the commands (flags) you wish to give it and their value. The -h flag will bring up the help menu, listing all the options you have.

Unquestionably, there will be a learning curve for newcomers. However, we can state from experience that once you learn the ins-and-outs of Nmap’s commands, it can become faster than most graphical interfaces. Use our Nmap Cheat Sheet to help get up to speed.

Nessus

Nessus is very easy to navigate. Starting new scans, creating folders, and viewing results are all very intuitive. There are custom scan templates created, where all you need to do is click and specify targets.

Even a novice would find maneuvering through the interface relatively easy. 

Greenbone Vulnerability Manager

Like Nessus, GVM has a web interface with menu options for easy navigation. 

The look isn’t as polished as Nessus. While a somewhat dated aesthetic is hardly a concern on its own, GVM does lack intuitive navigation. You would think that starting a new scan would be a very obvious icon, and yet it almost appears intentionally hidden.

Despite being a graphical interface, the design choices will result in a learning curve for those new to the scanner. 

Winner: Nessus

Nessus is well organized and intuitive. You can easily find the types of scans you’re looking for, sort the results, and get additional information on the vulnerabilities with a few clicks.

Ease of Use

A good vulnerability scanner should make your life easier, not complicate things. We’ll look at how easy it is to set up your first scan on each program.

Nmap

As we said above, to use Nmap you need to learn the command line flags.

To run a complete scan with Nmap, we used the following:

nmap -p- -A --script vuln <target_ip>

Let’s break this down.

The -p- flag tells Nmap to scan all ports.

The -A flag enables operating system detection, version detection, script scanning, and traceroute.

The --script vuln flag tells Nmap to run all of its vulnerability scanning scripts.

Finally, we close with the IP address of our target. 

This can seem complex to beginners, but we promise you will pick it up very quickly.

Nessus

Once you select your scan type, there are several options you can click through, setting your target, what ports to scan, the type of scan, and the complexity of the scan (common vulnerabilities vs all vulnerabilities in the database). 

The multiple steps slow down the process compared to Nmap, but the workflow is well organized and its descriptions are very clear.

Greenbone Vulnerability Manager

There are multiple steps to setting up a scan in GVM. First, you must create a target; this is done under the configuration tab. 

After doing so, you can select the target from the “Scan Targets” drop-down menu when setting up your scan (under the Scan > Tasks menu). 

This can save you time if you are frequently auditing the same system, but will seem an odd extra step to those who rarely return to previous targets, such as pentesters. 

You are limited to two scan types, OpenVAS Default and CVE. The default scan is active, gathering information on the network. The CVE scan uses the data collected from the default scan to check for CVEs. To get a complete picture you must run both.

The benefit here is that you can check for new vulnerabilities without having to scan the network again, as the CVE scan is checking the information compiled from the default scan and is not interacting with the network again - it simply checks if new vulnerabilities have been discovered that affect the existing system.

Winner: Nmap

Yes, Nmap has a learning curve, though it is actually quite small after some practice. Once you know the most common commands, you’ll be able to scan more quickly and with more customization than the other scanners.

Cost

While you can start with any of these scanners for free today, some do more than others until you grab your credit card. 

Nmap

There is no cost associated with Nmap. Even the GUI version, Zenmap, does not come with any price tag attached. A tool this useful and powerful being offered free of charge is truly amazing. 

Nessus

The free version of Nessus is limited to 16 targets at a time and only works on internal IP addresses. Nessus Professional costs $3390 USD per year.

Greenbone Vulnerability Manager

Greenbone Community Edition is free but has a more complicated installation and requires you to manually download updates and feeds and handle your own configuration.

The paid version is designed for enterprises to use on their infrastructure as part of their internal security, not necessarily for pentesters. The price of the paid version varies with the size of the infrastructure but can be around $3400 for a small business.

Winner: Nmap

Nmap provides full functionality at no cost.

Features

What unique features does each of these scanners bring to the table? Let’s take a look.

Nmap

Nmap doesn’t contain a lot of fancy features. Yes, it has the ability to do banner grabbing, IPv6 scanning, and some basic IDS evasion, but this isn’t unique to Nmap alone.

Nmap can also write its findings in different formats, including normal output, XML that can be viewed as a web page in a browser, and a grepable format. The other scanners on this list can export into various formats as well.

Nmap’s biggest feature is its speed and simplicity. Yes, the flags will take time to learn, but once you do you can craft your scans any way you wish.

Nessus

Nessus has several interesting options available. Firstly, it can export a professional-looking report in multiple formats including web and pdf. This report will do a full breakdown of all findings organized for the client. 

Nessus saves previous scans so you can re-run them at any time. You also have the ability to schedule scans to start at a particular time (say, at the agreed beginning of a penetration test) or on a schedule as a regular audit.

Greenbone Vulnerability Manager

GVM can save targets, allowing for quicker rescans of a network or individual machine. You also have the ability to schedule regular scans. GVM provides a newsfeed of new vulnerabilities and security bulletins. 

Winner: Nessus

Between its different report options, export features, and scheduling, Nessus brings more to the table in terms of extra features.

Scanners in Action

We ran all three scanners against a vulnerable VM called SkyTower. These are the results.

Nmap

Nmap completed a full scan in less than one minute.

It discovered three open ports: SSH on 22, an Apache web server on port 80, and Squid http proxy on port 3128.

It discovered what it thinks might be an admin folder and a possible cross-site request forgery vulnerability. It lists 65 discovered common vulnerabilities with links for more information and flags 18 as having exploits available, including a specific Metasploit module.
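
Triage of saved Nmap results, as an added example that is not from the original article: it reads XML output (saved with -oX) and ranks open ports by exploit-flagged findings and highest CVSS score, so remediation can start with the most exposed service. The sample XML is constructed with placeholder IDs, and the nested-table layout with id, cvss and is_exploit keys for the vulners script is an assumption about that script's structured output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap XML (-oX) with structured vulners
# results; the address, CPEs, IDs and scores are placeholders, not real findings.
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
 <script id="vulners"><table key="cpe:/a:example:httpd:0.0">
  <table><elem key="id">CVE-0000-0001</elem><elem key="cvss">7.5</elem><elem key="is_exploit">false</elem></table>
  <table><elem key="id">EXAMPLE-EXPLOIT-1</elem><elem key="cvss">6.8</elem><elem key="is_exploit">true</elem></table>
 </table></script></port>
<port protocol="tcp" portid="3128"><state state="open"/><service name="http-proxy"/>
 <script id="vulners"><table key="cpe:/a:example:proxy:0.0">
  <table><elem key="id">CVE-0000-0002</elem><elem key="cvss">5.0</elem><elem key="is_exploit">false</elem></table>
 </table></script></port>
<port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
</ports></host></nmaprun>"""


def summarize(xml_text):
    """Return one dict per open port: service, finding count, exploit-flagged IDs, max CVSS."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports are reported
            findings = []
            # Each innermost <table> under the vulners script is one finding.
            for entry in port.findall("script[@id='vulners']/table/table"):
                fields = {e.get("key"): (e.text or "") for e in entry.findall("elem")}
                try:
                    score = float(fields.get("cvss", ""))
                except ValueError:
                    score = 0.0  # missing or non-numeric score sorts last
                findings.append((fields.get("id", "?"), score, fields.get("is_exploit") == "true"))
            service = port.find("service")
            rows.append({"host": addr, "port": int(port.get("portid")),
                         "service": service.get("name") if service is not None else "unknown",
                         "findings": len(findings),
                         "exploitable": sorted(f[0] for f in findings if f[2]),
                         "max_cvss": max((f[1] for f in findings), default=0.0)})
    # Ports with exploit-flagged findings first, then by highest score.
    return sorted(rows, key=lambda r: (-len(r["exploitable"]), -r["max_cvss"]))


if __name__ == "__main__":
    for row in summarize(SAMPLE_XML):
        print(row)
```

Open ports with no vulners results are still listed, with zero findings, so the summary doubles as an inventory of exposed services.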

See our article “How to Scan Vulnerabilities With Nmap” for a detailed walkthrough on how to get the best results.

Nessus

We selected the basic network scan option. There were several menus to navigate through, but we were able to select to scan all ports for all known vulnerabilities. 

The scan took nine minutes to complete. In total it found 65 vulnerabilities, the same as Nmap. Nessus breaks these down as Critical, High, Medium, Low, and Informational. 

Vulnerabilities are grouped together by category, but can be expanded to see the complete list. Clicking on each reveals detailed information on the particular vulnerability.

This is excellent in that a fair amount of research has been done for you, including whether an exploit is available and possible mitigations - something you will need to present to your client. However, you must click through each one to get this information, which can slow the process down.

Greenbone Vulnerability Manager

GVM took roughly nine minutes to complete its scan. It found 76 vulnerabilities, breaking them down as 26 high severity, 47 medium severity, and three low severity.

As with Nessus, you can click a vulnerability to learn more about it, though the information provided does not seem to be as detailed. 

Winner: Draw - Nmap and Nessus

Nmap and Nessus both have strong reasons to take this category.

For Nmap, the results were much faster. The fact that everything is immediately visible in a list, showing not only the CVE number but also whether an exploit is available, will help you choose an attack path more quickly. Finally, the fact that the vulnerabilities are organized by port number lets you prioritize better, choosing what tends to be more likely targets.

Nessus, on the other hand, provides greater detail and remediation for each CVE, though they do take longer to go through. The ability to export a full report for your client is also a time saver. 

Both scanners have their unique benefits. Nmap is better for initial reconnaissance, while Nessus is better for creating a complete picture for you and your client in the long term.

Final Thoughts

Choosing the best scanner doesn’t just mean whichever has the fanciest abilities or gimmicks. Even though they all fundamentally do the same thing, the three scanners we examined are designed for different things. 

If you are an ethical hacker or penetration tester, Nmap is likely the one tool you could never do without. Nessus, however, can help in creating a detailed audit for your client and suggest how to mitigate the vulnerabilities you were able to exploit.

  • Kristopher Morrison

    Kristopher is the Content Manager at StationX. He's a journalist, technology and business blogger, and CNVP who loves all things cyber. Combining his passion for technology with his skills in writing, he wants to bring you the most accurate and valuable information possible. You can always reach him on LinkedIn.

  • DramaKing says:

    Odd that Nmap is included but not Nikto. And GVM’s installation isn’t complicated; it’s broken.
