You aren't going to be hacking anything without first establishing your attack surface. That's why you want to know the best vulnerability scanners for Kali Linux.
What is running on your target system? What services are exposed, and what service versions are they? Is something out of date? And most importantly to you, are there known vulnerabilities?
A good scanner will answer these questions for you. Today, we will examine three: Nmap, Nessus, and Greenbone Vulnerability Manager (OpenVAS). We will analyze their interfaces, ease of use, results, cost, and more to help you decide which you want to use and when.
What Are These Scanners?
Before we dive into the specifics of each, let's take a look at an overview of these programs.
Nmap
Short for Network Mapper, Nmap is a free and open-source tool used for network discovery and security auditing. It has the ability to discover hosts on a network and provide a wealth of information on them, including the hostname, operating system, open ports, running services and service versions, and more.
It comes preinstalled on Kali Linux and is often the first tool penetration testers use to enumerate their target. Nmap has a powerful scripting engine that includes scanners for a wide range of known vulnerabilities.
There are outside repositories that can greatly increase the number of vulnerabilities Nmap can scan for, such as Vulners.
Nessus
Nessus is a vulnerability assessment tool made by Tenable, available as a free version, professional version, and expert version. Tenable advertises Nessus as the number one tool for vulnerability assessment, scanning for over 75,000 CVEs (Common Vulnerabilities and Exposures).
Nessus offers a wide range of options to customize your scanning, including the intensity of the scan, the types of vulnerabilities to look for, and the ability to schedule a scan for a specific time and date. It can scan individual targets or multiple targets in a network.
This tool is not included by default on Kali Linux.
Greenbone Vulnerability Manager
OpenVAS (Open Vulnerability Assessment Scanner) was a vulnerability scanner managed by Greenbone Networks. Until recently, OpenVAS was its own framework, but it is now part of the Greenbone Vulnerability Manager (GVM). The software began as a fork of Nessus after Nessus changed from open source to closed source.
While many still call it OpenVAS, we will use the new name, GVM.
GVM allows for authenticated and unauthenticated vulnerability scanning of individual targets or networks. GVM, much like the other scanners on this list, will perform a port scan on the target systems and check them for known vulnerabilities.
GVM remains open-source but is not included by default on Kali Linux.
Ease of Configuration
In this section, we will set up each scanner to determine how easily and quickly we can have them up and running on our Kali Linux instance.
Nmap
This was easy. Nmap comes preinstalled and configured in Kali Linux. Since it is a command line tool, there is no bootup or login. Simply type "nmap" followed by the flags you wish to use in your scan, and your target. (Installing on Ubuntu? Check out our guide!)
Nessus
There were several steps to getting Nessus ready to go. We needed to go to the Tenable website and download the program.
Once downloaded, we had to install it through the command line.
Afterward, we selected the Essentials version (which is the free version). We needed to provide an email address to register an account and receive an activation key. It's worth noting that a Gmail address was rejected as it had to be a "work" email. We used our StationX email to complete the registration.
Nessus began to initialize.
It took 32 minutes from downloading the package to Nessus updating all its plugins before we were able to perform our first scan.
Greenbone Vulnerability Manager
Setting up GVM was a nightmare.
While the enterprise version boasts a turnkey solution for easy installation, there was a lack of clear documentation for the community edition, whether on the Greenbone website or online in general.
We were able to find a resource that walked through the installation using the command line. The commands were as follows:
sudo apt install gvm -y
sudo gvm-setup
sudo gvm-check-setup
After the installation is complete, you update the databases with the following commands:
sudo runuser -u _gvm -- greenbone-nvt-sync
sudo runuser -u _gvm -- greenbone-feed-sync --type SCAP
sudo runuser -u _gvm -- greenbone-feed-sync --type CERT
sudo runuser -u _gvm -- greenbone-feed-sync --type GVMD_DATA
You can then log in to the GUI at https://127.0.0.1:9392. Don't forget to copy down your very long password generated during the setup.
From the first command to successfully logging into Greenbone took 45 minutes. But the installation didn't end there.
We ran into multiple issues that eventually prompted us to reinstall. The first attempt had our scans "interrupted at 0%". After going through many of the proposed solutions in the Greenbone forum, we reinstalled on a new virtual machine and tried again; this was another 45-minute initial install.
This time attempting a scan led to an error that GVM could not connect to a database. Again, this appeared to be a frequent issue on the forum, with multiple possible solutions which worked for some users but not others. We spent several hours working on these to no avail until realizing that the changes take time to propagate, even after a restart of the program and reboot of the VM.
The forum stated that these changes could take between 20 minutes and two hours. We left the VM running overnight and found it was working fine in the morning.
Winner: Nmap
Nmap takes this one easily. It's preinstalled and preconfigured with nothing required of you except to open the Bash terminal.
Interfaces
A good tool should be easy to navigate. How intuitive are each of these scanners? Let's take a look.
Nmap
Nmap is purely a command line program. You begin by typing "nmap" followed by the commands (flags) you wish to give it and their values. The -h flag will bring up the help menu, listing all the options you have.
Unquestionably, there will be a learning curve for newcomers. However, we can state from experience that once you learn the ins and outs of Nmap's commands, it can become faster than most graphical interfaces. Use our Nmap Cheat Sheet to help get up to speed.
Nessus
Nessus is very easy to navigate. Starting new scans, creating folders, and viewing results are all very intuitive. There are ready-made scan templates, where all you need to do is click one and specify your targets.
Even a novice would find maneuvering through the interface relatively easy.
Greenbone Vulnerability Manager
Like Nessus, GVM has a web interface with menu options for easy navigation.
The look isn't as polished as Nessus. While a somewhat dated aesthetic is hardly a concern on its own, GVM does lack intuitive navigation. You would think that starting a new scan would be a very obvious icon, and yet it almost appears intentionally hidden.
Despite being a graphical interface, the design choices will result in a learning curve for those new to the scanner.
Winner: Nessus
Nessus is well organized and intuitive. You can easily find the types of scans you're looking for, sort the results, and get additional information on the vulnerabilities with a few clicks.
Ease of Use
A good vulnerability scanner should make your life easier, not complicate things. We'll look at how easy it is to set up your first scan on each program.
Nmap
As we said above, to use Nmap you need to learn the command line flags.
To run a complete scan with Nmap, we used the following:
nmap -p- -A --script vuln <target_ip>
Let's break this down.
The -p- flag tells Nmap to scan all 65,535 TCP ports rather than its default list of the most common ones.
Using -A has Nmap perform OS detection, version detection, script scanning, and a traceroute.
The --script vuln flag tells Nmap to run all of its scripts in the "vuln" category, i.e. the vulnerability checks.
Finally, we close with the IP address of our target.
This can seem complex to beginners, but we promise you will pick it up very quickly.
Nessus
Once you select your scan type, there are several options you can click through, setting your target, what ports to scan, the type of scan, and the complexity of the scan (common vulnerabilities vs all vulnerabilities in the database).
The multiple steps slow down the process compared to Nmap, but the workflow is well thought out in how it's organized and is very clear in its descriptions.
Greenbone Vulnerability Manager
There are multiple steps to setting up a scan in GVM. First, you must create a target; this is done under the configuration tab.
After doing so, you can select the target from the βScan Targetsβ drop-down menu when setting up your scan (under the Scan > Tasks menu).
This can save you time if you are frequently auditing the same system, but will seem an odd extra step to those who rarely return to previous targets, such as pentesters.
You are limited to two scan types, OpenVAS Default and CVE. The default scan is active, gathering information on the network. The CVE scan uses the data collected from the default scan to check for CVEs. To get a complete picture you must run both.
The benefit here is that you can check for new vulnerabilities without having to scan the network again, as the CVE scan is checking the information compiled from the default scan and is not interacting with the network again - it simply checks if new vulnerabilities have been discovered that affect the existing system.
Winner: Nmap
Yes, Nmap has a learning curve, though it is actually quite small after some practice. Once you know the most common commands, you'll be able to scan more quickly and with more customization than the other scanners.
Cost
While you can start with any of these scanners for free today, some do more than others until you grab your credit card.
Nmap
There is no cost associated with Nmap. Even the GUI version, Zenmap, does not come with any price tag attached. A tool this useful and powerful being offered free of charge is truly amazing.
Nessus
The free version of Nessus is limited to 16 targets at a time and only works on internal IP addresses. Nessus professional costs $3390 USD per year.
Greenbone Vulnerability Manager
Greenbone Community Edition is free but has a more complicated installation and requires you manually download updates and feeds, and handle your own configuration.
The paid version is designed for enterprises to use on their own infrastructure as part of their internal security, not necessarily for pentesters. The price of the paid version varies with the size of the infrastructure but can be around $3400 for a small business.
Winner: Nmap
Nmap provides full functionality at no cost.
Features
What unique features does each of these scanners bring to the table? Let's take a look.
Nmap
Nmap doesn't contain a lot of fancy features. Yes, it has the ability to do banner grabbing, IPv6 scanning, and some basic IDS evasion, but this isn't unique to Nmap alone.
Nmap also has the ability to output its findings into different formats, including normal output, a graphical web-based XML (see image below), and a grepable format. The other scanners on this list can export into various formats as well.
Nmap's biggest feature is its speed and simplicity. Yes, the flags will take time to learn, but once you do you can craft your scans any way you wish.
Nessus
Nessus has several interesting options available. Firstly, it can export a professional-looking report in multiple formats including web and pdf. This report will do a full breakdown of all findings organized for the client.
Nessus saves previous scans so you can re-run them at any time. You also have the ability to schedule scans to start at a particular time (say, at the agreed beginning of a penetration test) or on a schedule as a regular audit.
Greenbone Vulnerability Manager
GVM can save targets, allowing for quicker rescans of a network or individual machine. You also have the ability to schedule regular scans. GVM provides a newsfeed of new vulnerabilities and security bulletins.
Winner: Nessus
Between its different report options, export features, and scheduling, Nessus brings more to the table in terms of extra features.
Scanners in Action
We ran all three scanners against a vulnerable VM called SkyTower. These are the results.
Nmap
Nmap completed a full scan in less than one minute.
It discovered three open ports: SSH on port 22, an Apache web server on port 80, and a Squid HTTP proxy on port 3128.
It discovered what it thinks might be an admin folder and a possible cross-site request forgery vulnerability. It lists 65 discovered common vulnerabilities with links for more information and flags 18 as having exploits available, including a specific Metasploit module.
See our article "How to Scan Vulnerabilities With Nmap" for a detailed walkthrough on how to get the best results.
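The XML output format mentioned in the Features section and the per-port vulnerability list described above are what make Nmap results easy to triage programmatically. The following is an added example, not code from the article or from the Nmap project: it parses a constructed sample of Nmap's -oX output (host, ports, versions and CVE ids are all made up, with CVE-0000-000x as placeholders) and lists findings exploit-available first, the way the article describes reading Nmap's output. It assumes the vulners script's structured output uses the keys id, cvss and is_exploit inside Nmap's generic <table>/<elem> script-output elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's XML (-oX) output, trimmed to the elements read
# below. Host, versions and CVE ids are made up; CVE-0000-000x are placeholders.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -p- -A --script vuln -oX out.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.5p1"/>
<script id="vulners" output="..."><table key="cpe:/a:openbsd:openssh:5.5p1"><table>
<elem key="id">CVE-0000-0001</elem><elem key="cvss">7.5</elem><elem key="is_exploit">false</elem>
</table></table></script></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.22"/>
<script id="http-csrf" output="Found a possible CSRF vulnerability"/>
<script id="vulners" output="..."><table key="cpe:/a:apache:http_server:2.2.22"><table>
<elem key="id">CVE-0000-0002</elem><elem key="cvss">9.8</elem><elem key="is_exploit">true</elem>
</table><table>
<elem key="id">CVE-0000-0003</elem><elem key="cvss">5.0</elem><elem key="is_exploit">false</elem>
</table></table></script></port>
<port protocol="tcp" portid="3128"><state state="open"/><service name="http-proxy" product="Squid http proxy"/></port>
<port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Per host: open ports, service version, other script hits (e.g. http-csrf)
    and the CVEs the vulners script attached, each with CVSS and exploit flag."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service findings
            svc, cves, notes = port.find("service"), [], []
            for script in port.findall("script"):
                if script.get("id") != "vulners":
                    notes.append(script.get("id"))
                    continue
                # vulners nests one <table> per CPE, holding one <table> per finding
                for entry in script.iter("table"):
                    e = {x.get("key"): x.text for x in entry.findall("elem")}
                    if "id" in e:
                        cves.append((e["id"], float(e.get("cvss", 0)), e.get("is_exploit") == "true"))
            ports.append({"port": int(port.get("portid")), "service": svc.get("name"),
                          "version": " ".join(filter(None, (svc.get("product"), svc.get("version")))),
                          "cves": cves, "notes": notes})
        hosts.append({"addr": host.find("address").get("addr"), "ports": ports})
    return hosts

def triage(hosts):
    """Flatten to (addr, port, service, cve, cvss, exploit) rows, exploit-available first, then by CVSS."""
    rows = [(h["addr"], p["port"], p["service"], cve, cvss, exp)
            for h in hosts for p in h["ports"] for cve, cvss, exp in p["cves"]]
    return sorted(rows, key=lambda r: (not r[5], -r[4]))
```

Point it at a real file with `parse_nmap_xml(open("out.xml").read())` after a scan run with -oX out.xml.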
Nessus
We selected the basic network scan option. There were several menus to navigate through, but we were able to select to scan all ports for all known vulnerabilities.
The scan took nine minutes to complete. In total it found 65 vulnerabilities, the same as Nmap. Nessus breaks these down as Critical, High, Medium, Low, and Informational.
Vulnerabilities are grouped together by category, but can be expanded to see the complete list. Clicking on each reveals detailed information on the particular vulnerability.
This is excellent in that a fair amount of research has been done for you, including if there is an exploit available and possible mitigations - something you will need to present to your client. However, you must click through each one to get this information, which can slow the process down.
Greenbone Vulnerability Manager
GVM took roughly nine minutes to complete its scan. It found 76 vulnerabilities, breaking them down as 26 high severity, 47 medium severity, and three low severity.
As with Nessus, you can click a vulnerability to learn more about it, though the information provided does not seem to be as detailed.
Winner: Draw - Nmap and Nessus
Nmap and Nessus both have strong reasons to take this category.
For Nmap, the results were much faster. The fact that everything is immediately visible in a list, showing not only the CVE number but if there is an available exploit will help you choose an attack path more quickly. Finally, the fact that the vulnerabilities are organized by port number lets you prioritize better, choosing what tends to be more likely targets.
Nessus, on the other hand, provides greater detail and remediation for each CVE, though they do take longer to go through. The ability to export a full report for your client is also a time saver.
Both scanners have their unique benefits. Nmap is better for initial reconnaissance, while Nessus is better for creating a complete picture for you and your client in the long term.
Final Thoughts
Choosing the best scanner doesn't just mean whichever has the fanciest abilities or gimmicks. Even though they all fundamentally do the same thing, the three scanners we examined are designed for different things.
If you are an ethical hacker or penetration tester, Nmap is likely the one tool you could never do without. Nessus, however, can help in creating a detailed audit for your client and suggest how to mitigate the vulnerabilities you were able to exploit.
For hands-on training in scanning and exploiting vulnerabilities, take a look at these courses available in our Member Section.
Odd that Nmap is included but not Nikto. And GVM’s installation isn’t complicated; it’s broken.