Ethical Hacker Community Forums

Huh? I had to read this a few times, and I'm still not sure I get it all based solely on this press release. Bottom line is that it is no longer free for companies. Free options still there for homes and non-profits. How many of you out there will suddenly have complex home networks, so you can get your plugin updates at "no charge and with no delay?"

Either way, this is how their site spins it:


What do you think of this new $1200 per year model?

Don

I knew it was just a matter of time. Hmmm, yes my network at home just got a little bigger. As far as the $1200 a year, I would rather go with GFIlanguard if I am going to have to pay. I feel its  more complete and way more options for tweaking your scans.

I think the companies that depend/use Nessus mostly will have to suck it up (resulting in higher fees to their clients possibly) or look for a new product as previously mentioned. 

i'll be looking into openVAS

We are dealing with this issue. Nessus along with a few other tools have been part of our kit for a while. Now there is a work around form what here that does not involve a more complex home network. there is supposedly a company that will be publishing plug ins for nessus for free becasue they are upset with Tennable.

Kev,

I just got done playing with LANguard and I felt that it left things unfound and had a few too many false possitives for us. Namely, it was telling me in our lab that on one of the machines that ports 21, 25, and 110 weree open. After checking both the machine itself and using nmap, the ports were all closed. It also missed bo2k. With that said, I would be careful with whatever tool you decide to use.

Mike

I am sticking with Nessus for a while.   I don't think GFI LanGuard is a legit product replacement for Nessus.   I will also be watching OpenVAS, like Chris.   Nessus is still free for "home" users for now.   It's accuracy has picked up in the last couple of releases and it seems dependable.   

At the same time, I see no reason to switch, even if there is a $1200 fee.   If you look at SAINT, Retina, Qualsys, etc, they are about the same on the accuracy scale.   I don't think that they have anything on Nessus.  I may just spend the $1200 a year if OpenVAS doesn't pan out.   

Anyone think that CANVAS is worth the investment?   Or is Metasploit plenty?

Ketchup

not to totally hijack the thread but what do you need canvas for?  its hard to answer your question otherwise. 

its a decent tool, but any time you have to pay you really need to take a look at why. 

I was just looking at CANVAS as an additional exploit engine.   They seem to have some of the exploits that Metasploit doesn't.   At $1400 or so, it's not a bad investment to compliment Metasploit, maybe?

yes its a good supplement, the mosdef stuff is pretty nice from a post exploitation perspective, newer exploits, etc.

documentation is lacking so be for-warned on that one.

The real key to making metasploit a contender is understanding how to add your own exploits to the database. My feeling is you should first learn metasploit inside and out and then learn how to add new exploits to it, see how far this gets you.  Even if you have someone else paying for an expensive tool, its good to be familiar with well known tools that are often used in the wild.

yeah but if people dont have the ability to write their own exploits then canvas is the  next cheapest option.