OpenVAS vs Tenable Nessus


When selecting a vulnerability scanner, I truly believe that Nessus is the only way to go. It has been one of the top performers for several years, has great support, is constantly updated, and costs $1,200 per license. Back in October 2005 Tenable decided version 3 would be closed source. At that point OpenVAS forked off to continue to grow the open source version.

Back in 2009 I had some severe issues when evaluating OpenVAS. The problem was that OpenVAS legally could not use some portions of the Nessus code, specifically the SMB libraries. This caused a huge divide between the findings in OpenVAS and Nessus. Since then, things have gotten better and a new SMB library has been developed for the OpenVAS project.

I wanted to compare OpenVAS to Nessus specifically because it is included in the Backtrack distribution.

OpenVAS: http://www.openvas.org/install-packages.html

Nessus: http://www.tenable.com/products/nessus

2009

Plug-ins

Nessus Plug-in Count: ~30,000

OpenVAS Plug-in Count: ~13,000 (43% of Nessus)

Unfortunately I did not have the time to do a full in depth analysis at that time.

2011

Plug-ins

Nessus Plug-in Count: 42,493

OpenVAS Plug-in Count: 20,961 (49% of Nessus)

Interesting to see that Nessus is by far still dominant in plug-ins, but OpenVAS has slightly caught up.

Although the plug-in engine in OpenVAS is Nessus v2, the plug-ins do utilize a different numbering convention.

Testing

For all of the following tests, the plug-ins were installed and updated on 4/10/2011. I wanted to do two types of scans, one with credentials and one without. There is an important distinction between these two types of tests: a credentialed scan may find client-side vulnerabilities, and it can rule out false positives that a non-credentialed scan would report. During my testing, all 3 targets were reverted to an original state after each phase (VA scan, exploitation) to remove the possibility of a service not responding correctly, and to keep all tests on an even footing.

Unauthenticated Network Scan

Nessus w/o Credentials
  OS              High  Medium  Low
  Win XP sp0        12       3   37
  Win 2000 sp0      13       2   31
  Metasploitable     5       8   56

OpenVAS w/o Credentials
  OS              High  Medium  Low
  Win XP sp0         2       2   21
  Win 2000 sp0       1       2   14
  Metasploitable    18      28   41

These numbers mean almost nothing, as the grading of High/Medium/Low can be set arbitrarily by each vendor. What I think is most important is directly relating these findings to successful exploitation. To do this, I used the db_autopwn feature of Metasploit. The results of each scan were imported into their own database, then db_autopwn was run.

Directly Exploited
  OS              Nessus  OpenVAS
  Attempts            16        1
  Win XP sp0           3        0
  Win 2000 sp0         3        0
  Metasploitable       2        0

msf > sessions -v

Active sessions
===============

  Id  Type                   Information                      Connection                                  Via
  --  ----                   -----------                      ----------                                  ---
  2   shell php                                               bt4r2:55630 -> metasploitable:9986   exploit/unix/webapp/tikiwiki_graph_formula_exec
  3   shell php                                               bt4r2:37668 -> metasploitable:13835  exploit/unix/webapp/tikiwiki_graph_formula_exec
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:58426 -> win2000:21905         exploit/windows/smb/ms05_039_pnp
  5   meterpreter x86/win32                                   bt4r2:38657 -> win2000:37922         exploit/windows/smb/ms06_040_netapi
  6   meterpreter x86/win32                                   bt4r2:46541 -> winXP:21044           exploit/windows/smb/ms06_040_netapi
  7   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:56316 -> winXP:4213            exploit/windows/smb/ms04_011_lsass
  8   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:40733 -> win2000:26377         exploit/windows/smb/ms04_011_lsass
  9   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:51873 -> winXP:8053            exploit/windows/smb/ms08_067_netapi

It is very interesting to see that OpenVAS only ran a single exploit, which failed. Initially I assumed a data import issue with Metasploit, in which it was not correctly matching a vulnerability with the exploit. Upon further investigation, I found that OpenVAS had missed several vulnerabilities which were exploited from the Nessus results: MS08-067, MS06-040, MS04-011. OpenVAS did, on the other hand, identify a missing MS10-12, which Nessus missed.
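The db_autopwn correlation above and the MS08-067 / MS06-040 / MS04-011 misses come down to the same analyst task: normalise each scanner's findings to the vulnerability identifiers they reference and diff them per host, rather than comparing vendor severity tallies. The script below is an added example; it is not code from this post, from Tenable, from the OpenVAS project or from Rapid7. It parses two constructed, deliberately simplified XML snippets that only imitate the shape of a Nessus v2 .nessus report and an OpenVAS XML report (real reports carry many more elements; the plugin IDs and NVT OIDs are placeholders), maps both severity schemes onto one scale, and lists what one scanner reported that the other did not. The sample reproduces the discrepancies described above, with the bulletin the post calls MS10-12 written in its full MS10-012 form so the identifier pattern matches it.

```python
"""Diff two vulnerability-scanner reports by the identifiers they reference.

Added example, not from the post or any scanner vendor. The XML samples are
constructed, simplified imitations of the Nessus v2 and OpenVAS report layouts;
plugin IDs and NVT OIDs are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "host severity ids title")

# CVE ids and Microsoft security bulletin ids (MSyy-nnn).
ID_RE = re.compile(r"\b(?:CVE-\d{4}-\d{4,7}|MS\d{2}-\d{3})\b")

# Nessus v2 stores severity as a digit on each ReportItem.
NESSUS_SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

# Constructed sample in the shape of a Nessus v2 (.nessus) report (placeholder plugin IDs).
NESSUS_XML = """<NessusClientData_v2><Report name="demo"><ReportHost name="win2000">
<ReportItem port="445" protocol="tcp" severity="3" pluginID="100001"
  pluginName="MS08-067: Server Service RPC Request Handling"><cve>CVE-2008-4250</cve><msft>MS08-067</msft></ReportItem>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="100002"
  pluginName="MS06-040: Server Service Buffer Overflow"><msft>MS06-040</msft></ReportItem>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="100003"
  pluginName="MS04-011: LSASS Buffer Overflow"></ReportItem>
<ReportItem port="135" protocol="tcp" severity="1" pluginID="100004"
  pluginName="DCE Services Enumeration"></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# Constructed sample in the shape of an OpenVAS XML report (placeholder OIDs and titles).
OPENVAS_XML = """<report><results>
<result><host>win2000</host><threat>High</threat>
  <nvt oid="placeholder-1"><name>Missing Microsoft patch MS10-012 (constructed title)</name><cve>NOCVE</cve></nvt></result>
<result><host>win2000</host><threat>Low</threat>
  <nvt oid="placeholder-2"><name>DCE/RPC service enumeration</name><cve>NOCVE</cve></nvt></result>
</results></report>"""


def extract_ids(*texts):
    """Collect every CVE / MS-bulletin identifier mentioned in the given strings."""
    found = set()
    for text in texts:
        if text:
            found.update(ID_RE.findall(text.upper()))
    return frozenset(found)


def parse_nessus(xml_text):
    """Flatten a Nessus v2 report into Finding records, one per ReportItem."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            refs = [child.text for child in item if child.tag in ("cve", "msft")]
            title = item.get("pluginName", "")
            findings.append(Finding(host.get("name"),
                                    NESSUS_SEVERITY.get(item.get("severity"), "Info"),
                                    extract_ids(title, *refs), title))
    return findings


def parse_openvas(xml_text):
    """Flatten an OpenVAS report into Finding records, one per <result>."""
    findings = []
    for result in ET.fromstring(xml_text).iter("result"):
        threat = result.findtext("threat", "Log")
        nvt = result.find("nvt")
        title = nvt.findtext("name", "") if nvt is not None else ""
        cve = nvt.findtext("cve", "") if nvt is not None else ""
        findings.append(Finding(result.findtext("host"),
                                "Info" if threat == "Log" else threat,
                                extract_ids(title, cve), title))
    return findings


def severity_counts(findings):
    """Per-host High/Medium/Low tally: the vendor-defined numbers the post distrusts."""
    counts = {}
    for f in findings:
        counts.setdefault(f.host, Counter())[f.severity] += 1
    return counts


def identified(findings):
    """(host, identifier) pairs; findings that cite no identifier cannot be compared."""
    return {(f.host, ident) for f in findings for ident in f.ids}


def compare(findings_a, findings_b):
    """What scanner A reported that B did not, and vice versa, per host and identifier."""
    a, b = identified(findings_a), identified(findings_b)
    return {"only_a": a - b, "only_b": b - a, "both": a & b}


if __name__ == "__main__":
    nessus, openvas = parse_nessus(NESSUS_XML), parse_openvas(OPENVAS_XML)
    print("Nessus  :", dict(severity_counts(nessus)["win2000"]))
    print("OpenVAS :", dict(severity_counts(openvas)["win2000"]))
    diff = compare(nessus, openvas)
    for label in ("only_a", "only_b"):
        for host, ident in sorted(diff[label]):
            print(f"{label:7} {host} {ident}")
```

Findings that carry no CVE or bulletin reference (the DCE enumeration rows in the sample) drop out of the comparison entirely, which is the right behaviour here: a scanner that reports the same issue under a proprietary name only cannot be credited or blamed for it without a shared identifier, and that is exactly why the severity tallies alone are a poor basis for comparison.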

Authenticated Network Scan

There seemed to be an issue with getting both scanners to use credentials against Win XP sp0.  I was able to connect locally to the \admin$ share, but remotely it was denied.  I tried sharing out the C:\ root, which seemed to help, but the scanners were still unhappy about not being able to connect to \admin$.  Due to this, the Windows XP sp0 target should be considered the same as above: unauthenticated.

Nessus w/ Credentials
  OS              High  Medium  Low
  Win XP sp0*       11       1   33
  Win 2000 sp0     204      21   47
  Metasploitable    18      21   99

OpenVAS w/ Credentials
  OS              High  Medium  Low
  Win XP sp0*        2       2   15
  Win 2000 sp0     104      16   17
  Metasploitable   167      56  244

*Win XP \admin$ share problem.  See note above.

Directly Exploited
  OS              Nessus  OpenVAS
  Attempts            26        5
  Win XP sp0           3        0
  Win 2000 sp0         3        0
  Metasploitable       1        0

msf > sessions -v

Active sessions
===============

  Id  Type                   Information                      Connection                                  Via
  --  ----                   -----------                      ----------                                  ---
  10  shell php                                               bt4r2:41408 -> metasploitable:13219  exploit/unix/webapp/tikiwiki_graph_formula_exec
  11  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:47436 -> win2000:7946          exploit/windows/smb/ms05_039_pnp
  12  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:52679 -> win2000:31947         exploit/windows/smb/ms08_067_netapi
  13  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:44952 -> winxp:14949           exploit/windows/smb/ms06_040_netapi
  14  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:50364 -> winxp:25423           exploit/windows/smb/ms04_011_lsass
  15  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:51304 -> win2000:37988         exploit/windows/smb/ms04_011_lsass
  16  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:45143 -> winxp:30756           exploit/windows/smb/ms08_067_netapi

Speaking of Metasploit, I feel it is only right to try out NeXpose.  NeXpose is a vulnerability scanner by Rapid7, who purchased Metasploit in Oct 2009.  For this scan, I am utilizing NeXpose Community edition as it is free and as such is the closest comparison to the other scanners.  The plugins were updated on 4/12/2011.

NeXpose: http://www.rapid7.com/

Unauthenticated Network Scan

Nessus w/o Credentials
  OS              High  Medium  Low
  Win XP sp0        12       3   37
  Win 2000 sp0      13       2   31
  Metasploitable     5       8   56

NeXpose w/o Credentials
  OS              High  Medium  Low
  Win XP sp0         8       3    2
  Win 2000 sp0       8       4    2
  Metasploitable    32      73   10


Directly Exploited
  OS              Nessus  NeXpose
  Attempts            16       19
  Win XP sp0           3        2
  Win 2000 sp0         3        3
  Metasploitable       2        1

msf > sessions -v

Active sessions
===============
  Id  Type                   Information                      Connection                                  Via
  --  ----                   -----------                      ----------                                  ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:29811 -> winxp:1040           exploit/windows/smb/ms04_011_lsass
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:30877 -> winxp:1041           exploit/windows/smb/ms06_040_netapi
  3   shell unix                                              bt4r2:18803 -> metasploitable:36365 exploit/unix/webapp/tikiwiki_graph_formula_exec
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:28014 -> win2000:1037         exploit/windows/smb/ms05_039_pnp
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:40507 -> win2000:1038         exploit/windows/smb/ms04_011_lsass
  6   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:27663 -> win2000:1039         exploit/windows/smb/ms08_067_netapi

Authenticated Network Scan

There seemed to be an issue with getting both scanners to use credentials against Win XP sp0.  I was able to connect locally to the \admin$ share, but remotely it was denied.  I tried sharing out the C:\ root, which seemed to help, but the scanners were still unhappy about not being able to connect to \admin$.  Due to this, the Windows XP target should be considered the same as above: unauthenticated.

Nessus w/ Credentials
  OS              High  Medium  Low
  Win XP sp0*       11       1   33
  Win 2000 sp0     204      21   47
  Metasploitable    18      21   99

NeXpose w/ Credentials
  OS              High  Medium  Low
  Win XP sp0*        8       3    2
  Win 2000 sp0      15      30    4
  Metasploitable    33      79   10

*Win XP \admin$ share problem.  See note above.

Directly Exploited
  OS              Nessus  NeXpose
  Attempts            26       20
  Win XP sp0           3        2
  Win 2000 sp0         3        3
  Metasploitable       1        0

msf > sessions -v

Active sessions
===============

  Id  Type                   Information                      Connection                                  Via
  --  ----                   -----------                      ----------                                  ---
  6   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:35440 -> win2000:28660  exploit/windows/dcerpc/ms03_026_dcom
  7   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WINXPTEST  bt4r2:38181 -> winxp18128     exploit/windows/dcerpc/ms03_026_dcom
  8   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:55785 -> win2000:20367  exploit/windows/smb/ms06_040_netapi
  9   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:53498 -> win2000:23182  exploit/windows/smb/ms08_067_netapi
  10  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KTEST  bt4r2:48102 -> win2000:31660  exploit/windows/smb/ms08_067_netapi

Conclusion

Nessus was by far the champ, with NeXpose in 2nd place. Interestingly enough, NeXpose did some snooping around even without credentials: it was able to list the MySQL database tables and the users on the Metasploitable system (as well as on Windows 2000). The graphical display for NeXpose is also much easier to read and laid out in a more informative way. NeXpose also includes links not only to the Metasploit exploit but also to the Exploit-DB reference. In a few years, when NeXpose has had more time to develop plug-ins and fine-tune how it runs, it can definitely be a serious threat to Nessus.
