Vulnerability scanners

Image of a gate with a chain and lock, related to tools used for vulnerability scanning on Linux

Introduction

Vulnerability scanners typically come in two variants: local or remote. With the first group, the scanning itself happens on the related device itself. While this requires direct access to the system or device, it often results in a more extensive scan. Remote scanning is commonly used, where the scan happens on a central system. Some vulnerability scanners may be configured to do a hybrid: network-based scanning combined with an authenticated scan to obtain more details.

Usage

Vulnerability scanners are typically used for vulnerability management and vulnerability scanning.

Users for these tools include pentesters, security professionals, system administrators.

Tools

arch-audit (detection of vulnerable packages on Arch Linux)

software management, vulnerability scanning

Arch-audit is a small utility that scans the system for known vulnerabilities on Arch Linux. It can be used by users of the Linux distribution to know when to update and what packages have weaknesses. With Arch Linux being a rolling distribution, this may improve the interval or timing of software patching.

Archery (vulnerability assessment and management)

penetration testing, vulnerability management, vulnerability scanning, vulnerability testing

Archery is a tool that helps to collect data about vulnerabilities within an environment. Instead of focusing on the actual scanning, it allows managing findings in a web-based interface. This includes options like reporting, searching, and dashboards. It can interact with other tools, including the well-known vulnerability scanners.

Bash Scanner (vulnerable package detection for Linux)

security assessment, security monitoring

Bash Scanner is a security tool that does a quick scan to see if there are vulnerable packages. It uses an external service to validate.

BDA (vulnerability scan for Hadoop and Spark)

application testing, vulnerability scanning, vulnerability testing

BDA is a vulnerability scanner for big data tools like Hadoop and Spark. It searches for configuration weaknesses and reports them. Hadoop and Spark are one of the few applications that encounter a lot of data. So by securing these applications, a big leap can be made as it covers a lot of data.

CMSmap (reconnaissance tool for popular CMS frameworks)

application testing, information gathering, vulnerability scanning, web application analysis

CMSmap helps saving time in the process of detecting what CMS is used for a given web application. It performs reconnaissance and can do additional vulnerability scanning.

Dagda (vulnerability scanner for Docker containers)

malware detection, malware scanning, vulnerability management, vulnerability scanning

The main reasons to use Dagda is the detection of vulnerable or malicious components within your containerized environment.

flunym0us (vulnerability scanner for WordPress and Moodle)

vulnerability scanning, web application analysis

Flunym0us is a security scanner for WordPress and Moodle installations. The tool tests the security of the installation by performing enumeration attempts.

Intrigue Core (attack surface discovery)

asset discovery, attack surface measurement, intelligence gathering, OSINT research, penetration testing, security assessment

Intrigue Core provides a framework to measure the attack surface of an environment. This includes discovering infrastructure and applications, performing security research, and doing vulnerability discovery.

Intrigue also allows enriching available data and perform OSINT research (open source intelligence). The related scans include DNS subdomain brute-forcing, email harvesting, IP geolocation, port scanning, and using public search engines like Censys, Shodan, and Bing.

JexBoss (JBoss verify and exploitation tool)

application security, application testing, penetration testing, vulnerability scanning

JexBoss is a security tool to verify and exploit vulnerabilities in JBoss applications. It can be used for security assignments and pentests.

Lynis (security scanner and compliance auditing tool)

IT audit, penetration testing, security assessment, system hardening, vulnerability scanning

Lynis can detect vulnerabilities and configuration flaws. Where a typical vulnerability scanner will just point out vulnerabilities, Lynis aims for continuous improvement. For this reason, it requires to be executed on the host system itself and providing more details than the average vulnerability scanner.

Nmap (network and vulnerability scanner)

network scanning, vulnerability scanning

Nmap is a security scanner that can perform a port scan, network exploration, and determine vulnerabilities

OpenVAS (vulnerability scanner)

penetration testing, security assessment, vulnerability scanning

OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.

Prowler (vuln) (distributed vulnerability scanner)

security assessment, vulnerability scanning, vulnerability testing

A vulnerability scanner like Prowler can be used to scan the network for vulnerabilities. Prowler can perform active network scanning and uses fingerprinting. Part of the process it to test for default or weak credentials.

Safety (vulnerability scanner for software dependencies)

penetration testing, security assessment, security monitoring, vulnerability scanning

When having applications deployed in your environment, not all of those may be installed via a package manager. When your infrastructure grows, it becomes even harder to know which tools are properly patched and which ones are not. For Python applications, this is where Safety comes in that can help scan installed software components via pip. It will also look at any of the dependencies that are installed.

salt-scanner (Linux vulnerability scanner)

penetration testing, security assessment, vulnerability scanning

Salt-scanner is Linux vulnerability scanner based on Salt Open and Vulners audit API. It has Slack notifications and JIRA integration.

Tulpar (web vulnerability scanner)

application security, application testing, web application analysis

Tulpar is a vulnerability scanner that can be used to test new or existing web applications. In the former case, it could be helpful to test a new project before it is deployed into production. This could be done by the developer or a security professional. If some web application is already in production, then it might be a good tool to perform regular testing on known vulnerabilities. In this case, it is typically a pentester or security specialist that does the testing.

Vane (WordPress vulnerability scanner)

application security, web application analysis

Vane is a forked project of the now non-free popular WordPress vulnerability scanner WPScan.

VScan (vulnerability scanner with Nmap and NSE)

backdoor detection, vulnerability scanning

Vscan is a security tool to perform vulnerability scanning with Nmap. It leverages NSE scripts to provide some flexibility in terms of vulnerability detection and exploitation.

Vuls (agentless vulnerability scanner)

system hardening, vulnerability scanning

Vuls is a vulnerability scanner for Linux and FreeBSD. It is written in Go, agentless, and can use a remote login to find any software vulnerabilities. It has multiple levels of scanning, from a fast scan up to a deep scan with extensive analysis.

vulscan (vulnerability scanning with Nmap)

penetration testing, security assessment, vulnerability scanning, vulnerability testing

Vulscan is a vulnerability scanner which uses the well-known Nmap tool. By enhancing it with offline data from VulDB, it allows for detecting vulnerabilities. The database itself based on information from multiple sources.

w3af (web application attack and audit framework)

application security, application testing, penetration testing, vulnerability scanning, web application analysis

W3af is an open source web application attack and audit framework and helps in scanning for vulnerabilities. The tool comes with both a graphical user interface (GUI) and command line utility. Some of the project files include a copyright line of 2006. That gives a good idea on the maturity of the project, and it is one of the rare tools that is still maintained after so many years.

Wapiti (vulnerability scanner for web applications)

application fuzzing, vulnerability scanning, web application analysis

Wapiti is typically used to audit web applications.

Whitewidow (SQL vulnerability scanner)

application security, penetration testing, vulnerability scanning

Whitewidow is a security tool to perform automated SQL vulnerability scans. It can be used during penetration tests or for security assessments.

Yasuo (vulnerability scanner for web applications)

penetration testing, vulnerability scanning, web application analysis

Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications. There are many remotely exploitable vulnerabilities for web applications and their front-end components. Yasuo helps to make it easier to scan for the weaknesses like remote code execution (RCE), SQL injections, and file inclusions.

Highlighted tools based on their strenghts

Some of the vulnerability scanners have features that make them stand out among the others. If one of these characteristics are important to you, have a look at these selected tools first.

» All-rounder = OpenVAS
» Easy to use = Lynis
» Low on requirements = Lynis

Other related category: Linux vulnerability scanning tools

Missing a favorite tool in this list? Share a tool suggestion and we will review it.