Friday, April 11, 2014

NMAP over Proprietary Heartbleed Scanners

We're a couple days into Heartbleed at this point and there are now a number of different scanners and tools available. I've detailed how to get NMAP to scan for Heartbleed here.

I've looked at a few of them, and I recommend using NMAP as a scanner for a number of reasons.

1. NMAP will allow you to scan internal network resources that are not available to the internet. Web based scanners can only look at what you expose to the greater internet.

2. Scanning with NMAP gives you access to all of NMAP's features for specifying IP ranges, ports and port ranges, scan speeds, host detection, etc. The proprietary scanners I've looked at usually have fewer features.

3. Most proprietary scanners are black boxes. You put in an IP, they tell you if it's "vulnerable" with no context for what they looked at or how they determined their results. NMAP is not a black box: you can dig in and read the NSE file to know exactly what NMAP is doing.

4. A lot of proprietary scanners will try to send your scan data back to their owning company for their own purposes. While not directly harmful, if you are even somewhat concerned about being added to a report, NMAP might be a better option.
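As an added example (not from the original post), a small POSIX shell wrapper that runs the ssl-heartbleed NSE script against internal targets using NMAP's own port and timing options, then pulls the vulnerable host:port pairs out of the saved normal-format output. It assumes nmap with the ssl-heartbleed script is installed; the hosts, names and the sample output it parses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: scan internal ranges for
# Heartbleed with Nmap's ssl-heartbleed NSE script and list the vulnerable
# host:port pairs from the saved normal-format (-oN) output.

# heartbleed_scan OUTFILE PORTS TARGET...   (TARGET: CIDR, range or hostname)
# -p takes a port list or range, -T4 is the timing template, -Pn skips host
# discovery so hosts that drop ICMP are still probed.
heartbleed_scan() {
    outfile=$1; ports=$2; shift 2
    nmap -Pn -T4 -p "$ports" --script ssl-heartbleed -oN "$outfile" "$@"
}

# vulnerable_hosts OUTFILE: track the current host and port through the -oN
# output and print host:port when an ssl-heartbleed block says "State: VULNERABLE".
vulnerable_hosts() {
    awk '
        /^Nmap scan report for/      { host = $NF; gsub(/[()]/, "", host); port = "" }
        /^[0-9]+\/(tcp|udp)/         { split($1, p, "/"); port = p[1]; in_hb = 0 }
        /^\| [a-z0-9-]+:/            { in_hb = ($2 == "ssl-heartbleed:") }
        in_hb && /State: VULNERABLE/ { print host ":" port }
        /^\|_/                       { in_hb = 0 }
    ' "$1"
}

# write_sample OUTFILE: constructed -oN output (not a real scan): a vulnerable
# host, a clean host where only ssl-cert ran, and a vulnerable non-standard port.
write_sample() {
    cat > "$1" <<'EOF'
Nmap scan report for 10.0.0.5
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: High
Nmap scan report for 10.0.0.7
PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=intranet.example.internal
|_Not valid after:  2015-01-01T00:00:00+00:00
Nmap scan report for web2.example.internal (10.0.0.9)
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: High
EOF
}
```

A real run is `heartbleed_scan heartbleed.txt 443,8443 10.0.0.0/24 && vulnerable_hosts heartbleed.txt`; the parser only reports a port when the ssl-heartbleed block itself says VULNERABLE, so output from other SSL scripts on the same host is ignored.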