Scanners to test security

Tenable Nessus

Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free "registered feed" version in 2008. A limited "Home Feed" is still available, though it is only licensed for home network use. Some people avoid paying by violating the "Home Feed" license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.


McAfee Foundstone CredDigger™ is a tool that attempts to gather data to assist with penetration testing on a corporate network by determining every host on which a given set of user credentials is valid, while also building a database of all user IDs through various means and protocols.

The intended audience for McAfee Foundstone CredDigger is a penetration tester or network administrator wanting to test his/her security.

Some of the common use cases for the tool are:

Penetration testing a client environment
Network administrator performing a security test on his/her own environments

System Requirements

Microsoft .NET Framework v1.1 or higher
Microsoft Internet Explorer 5.5 or higher

CredDigger has been tested on a Windows XP workstation running .NET v2.0, and a Windows 2000 server running .NET v1.1.


SNMP Detection Utility

SNScan is a Windows-based SNMP detection utility that can quickly and accurately identify SNMP-enabled devices on a network. This utility can effectively indicate devices that are potentially vulnerable to SNMP-related security threats, such as those released on February 12, 2002 and the Cisco IPv4 Remote Denial of Service vulnerability from July 17, 2003.

SNScan allows for the scanning of SNMP specific ports (e.g. UDP 161, 193, 391 and 1993) and the use of standard (i.e. "public") as well as user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP enabled devices in more complex networks.

SNScan is intended for use by system and network administrators as a fast and reliable utility for information gathering. While it does not indicate whether SNMP-enabled devices are vulnerable to specific threats, SNScan can quickly and accurately identify potential areas of exposure to SNMP-related vulnerabilities.


Cert grabber for DOCSIS modems. Not sure how up to date it is, but I know it makes getting certs for modded modems much easier.

This is a variation of FastSnmp: it scans for modems with factory mode enabled, and when it finds one it retrieves the serial, the model, the MAC, and all the certs it can, and saves them to a file.

It retrieves HFC, downstream and upstream rates, Ethernet and USB MACs, along with the serial and the cmFactoryBigRSAPublicKey, cmFactoryBigRSAPrivateKey, cmFactoryCMCertificate, cmFactoryManCertificate and cmFactoryRootCertificate certificates.

This is the version of FastCert compiled for Windows; I've included the Perl script as well.


NetBIOS Enumeration Utility (NBTEnum) is a utility for Windows that can be used to enumerate NetBIOS information from one host or a range of hosts. The enumerated information includes the network transports, NetBIOS name, account lockout threshold, logged on users, local groups and users, global groups and users, and shares.

If run under the context of a valid user account additional information is enumerated including operating system information, services, installed programs, Auto Admin Logon information and encrypted WinVNC/RealVNC passwords. This utility will also perform password checking with the use of a dictionary file. Runs on Windows NT 4.0/2000/XP/2003. PERL source included.

Examples :

* nbtenum -q - Enumerates NetBIOS information on host as the null user.
* nbtenum -q johndoe "" - Enumerates NetBIOS information on host as user "johndoe" with a blank password.
* nbtenum -a iprange.txt - Enumerates NetBIOS information on all hosts specified in the iprange.txt input file as the null user and checks each user account for blank passwords and passwords the same as the username in lower case.
* nbtenum -s iprange.txt dict.txt - Enumerates NetBIOS information on all hosts specified in the iprange.txt input file as the null user and checks each user account for blank passwords and passwords the same as the username in lower case and all passwords specified in dict.txt if the account lockout threshold is 0.

Startup Monitor

StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents annoying programs from registering themselves behind your back.

StartupMonitor does not require Startup Control Panel, but it complements it nicely. When you choose not to allow a program to register itself, the program's entry becomes disabled in Startup Control Panel, so you can go back and enable it later if necessary. StartupMonitor watches the Start Menu's Startup folders and the Run entries in the registry.

StartupMonitor works on all modern versions of Windows through XP. It hasn't been tested on Windows Vista yet.


SecureCentral(tm) have released ScanFi, an automated vulnerability scanner. Both commercial and free versions are available.

ScanFi has been designed to carry out the following:

Non-intrusively scans your enterprise network.

Provides a detailed inventory of your network assets.

Identifies network devices that are possibly open to known vulnerabilities.

Remedies vulnerable systems by deploying missing patches and service packs.

Provides detailed reports of the scan.

Schedules scans as and when required.

Scans across platforms, i.e. Microsoft Windows and Linux.

Note: I may argue with the first point, as it employs nmap for its port scan and other scanning techniques to gather results.

ScanFi is web-based, with a MySQL server backend for saving and producing reports, and it allows full queries to be run against the on-board patch and vulnerability database.

ScanFi supports vulnerability assessments for the following systems and services which can be individually scanned against:

Web Servers
Database Servers
Application Servers
RPC Services
CGI Scripts
Proxy Servers
User Accounts
DoS Vulnerabilities
SQL Injection vulnerabilities
Trojans and Viruses


OVAL's reference interpreter shows how information can be collected from a computer, how definitions can be used to test the system for vulnerabilities, configuration issues, programs and patches, and how the results of those tests can be presented.

OVAL is an international information security community standard that has been designed to:

Promote open and publicly available security content,

Standardise the transfer of this information across the entire spectrum of security tools and services.

OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardises the three main steps of the assessment process:

Representing configuration information of systems for testing;

Analysing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.);

Reporting the results of this assessment.

One minor drawback of the Mitre OVAL framework is that it is command-line based, which can prove time consuming when scans and framework updates need to be performed. SSA has been designed to add a graphical front-end to this process and also provides a great deal more extensibility when utilising the framework in conjunction with their tool.


The NeXpose Community Edition is a free vulnerability scanner, a single-user version of Rapid7's NeXpose Enterprise solution. Powered by the same scan engine, the NeXpose Community Edition provides users with:

* Vulnerability scanning for up to 32 IPs
* Regular vulnerability updates
* Accurate scan results
* Prioritized risk assessment
* Remediation guidance
* Metasploit integration
* Community support at
* Simple deployment
* No cost start-up security solution


An unusually fast stateless network service and topology discovery system

Scanrand is a stateless host-discovery and port-scanner similar in design to Unicornscan. It trades off reliability for amazingly fast speeds and uses cryptographic techniques to prevent attackers from manipulating scan results. This utility is a part of a software package called Paketto Keiretsu, which was written by Dan Kaminsky. Scanrand and Paketto are no longer actively maintained, but the latest released version can still be found at DoxPara.Com.
