One of the requirements for becoming compliant with the well-known cybersecurity standards and laws is to run a vulnerability scanner. Nessus is one of the most popular ones among all ...
Nessus and Nmap are two of the most popular tools used by both penetration testers and network administrators. Whenever I run a beginner penetration testing course, my students ask me whether Nmap and Nessus are the same thing.
Nmap and Nessus are not the same. Nmap is an open-source network scanner with very limited vulnerability scanning capabilities. Nessus is a far more complete vulnerability scanner, offering several types of scans that range from simple network discovery to configuration (compliance) auditing.
Many people believe that Nmap can replace Nessus, or that Nessus relies on Nmap under the hood to do its job. Neither claim is true, and I will explain in detail why. I will also give some realistic scenarios in which Nmap cannot do the job as well as Nessus, and vice versa. If you want to know more about this subject, keep reading.
As I said, Nmap and Nessus are very different tools because each was originally built for a specific task. Nmap was developed to perform many types of network scans, including techniques that try to get past firewalls and other security controls so that as much information as possible can be collected about the target.
Nessus, on the other hand, was not developed for that. It assumes it is deployed inside the local network, with no firewall sitting between the scanner and its targets.
In this section I give a summary of the main differences between Nmap and Nessus:

| Feature | Nmap | Nessus |
|---|---|---|
| Advanced port scanning | Yes | Limited |
| Network vulnerability scanning | Limited (NSE scripts) | Yes |
| Web application scan | Limited (NSE scripts) | Yes |
| Mobile vulnerability scanning | No | Yes |
| Results database storage | No | Yes |
| Data export format | XML | CSV, PDF, HTML, Nessus DB |
Nmap (Network Mapper) is a network scanner designed to collect as much information as possible about the targeted network. It implements the most advanced network scanning techniques available, and many firewall and IDS evasion techniques were built into it so that the amount of information collected stays as high as possible even when a firewall or an IDS sits in the path.
Here is a list of some of its advanced scanning features:
For more details about those scans, you can take a look at the following URL
Using the --scanflags option, Nmap also lets experienced users design their own scan by choosing exactly which TCP flags are set in the probes.
Nmap is an open-source tool, which means you can read its source code and modify it to work the way you want. Nmap also lets you write scanning scripts to automate tasks through the NSE (Nmap Scripting Engine). NSE scripts run in parallel, which gives them speed comparable to Nmap's own scanning.
Nmap also offers a small vulnerability scanner, built from open-source NSE scripts (the `vuln` script category) that each check for a specific vulnerability. These scripts make Nmap very flexible, and it can be extended to do far more than it was originally built for.
Unfortunately, Nmap does not store its scan results in a database for later analysis or for a reporting dashboard. It does, however, write the results to an XML file (the `-oX` output option), which can then be parsed and imported into a database of your own.
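The import step described above, as an added example that is not part of the original post and not Nmap's own tooling: it parses the XML that `nmap -oX` writes and loads hosts, ports, services and any NSE script output into a SQLite database, so results can be queried later. The XML document below is a constructed sample in the shape Nmap produces, not a real scan; the table layout and function names are this example's own choices.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sS -sV -oX`: two hosts, one NSE script result.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/30" start="1700000000">
  <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/>
        <script id="http-title" output="Welcome"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports></host>
</nmaprun>
"""

# Example schema (this example's own design): one row per host, per port and per script hit.
SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (id INTEGER PRIMARY KEY, addr TEXT UNIQUE, scan_start INTEGER);
CREATE TABLE IF NOT EXISTS ports (host_id INTEGER REFERENCES hosts(id), proto TEXT, port INTEGER,
    state TEXT, service TEXT, product TEXT, version TEXT, PRIMARY KEY (host_id, proto, port));
CREATE TABLE IF NOT EXISTS scripts (host_id INTEGER REFERENCES hosts(id), port INTEGER,
    script_id TEXT, output TEXT);
"""


def parse_nmap_xml(xml_text):
    """Yield (addr, scan_start, [port dicts]) for every host in an Nmap XML document."""
    root = ET.fromstring(xml_text)
    scan_start = int(root.get("start", "0"))
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # NSE output is attached to the port element it ran against.
                "scripts": [(s.get("id"), s.get("output")) for s in port.findall("script")],
            })
        yield addr_el.get("addr"), scan_start, ports


def load_into_db(conn, xml_text):
    """Insert every host, port and script result from one run; return the number of ports stored."""
    conn.executescript(SCHEMA)
    stored = 0
    for addr, scan_start, ports in parse_nmap_xml(xml_text):
        conn.execute("INSERT OR IGNORE INTO hosts(addr, scan_start) VALUES (?, ?)", (addr, scan_start))
        host_id = conn.execute("SELECT id FROM hosts WHERE addr = ?", (addr,)).fetchone()[0]
        for p in ports:
            conn.execute("INSERT OR REPLACE INTO ports VALUES (?,?,?,?,?,?,?)",
                         (host_id, p["proto"], p["port"], p["state"],
                          p["service"], p["product"], p["version"]))
            for script_id, output in p["scripts"]:
                conn.execute("INSERT INTO scripts VALUES (?,?,?,?)",
                             (host_id, p["port"], script_id, output))
            stored += 1
    conn.commit()
    return stored


def open_ports(conn, addr):
    """Return [(port, service, product, version)] for one host, open ports only."""
    return conn.execute(
        "SELECT p.port, p.service, p.product, p.version FROM ports p "
        "JOIN hosts h ON h.id = p.host_id WHERE h.addr = ? AND p.state = 'open' "
        "ORDER BY p.port", (addr,)).fetchall()


def demo():
    """Load the constructed sample into an in-memory database and return a summary."""
    db = sqlite3.connect(":memory:")
    return {
        "ports": load_into_db(db, SAMPLE_NMAP_XML),
        "open_192.0.2.1": open_ports(db, "192.0.2.1"),
        "open_192.0.2.2": open_ports(db, "192.0.2.2"),
        "scripts": db.execute("SELECT script_id, output FROM scripts").fetchall(),
    }
```

For a real scan, replace `SAMPLE_NMAP_XML` with the contents of the file written by `-oX` and point `sqlite3.connect` at a file on disk; the `INSERT OR REPLACE` on ports means re-importing a later scan of the same host overwrites the old port states rather than duplicating them.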
Nessus is one of the most popular vulnerability scanners on the market. It ships with a very large plugin (knowledge) database, which its engine uses to check the network for known vulnerabilities. Nessus can also map the network with a network scan, but that scan is very limited compared to Nmap's, because Nessus is designed on the assumption that no firewall sits between it and its targets.
Unfortunately, Nessus offers no firewall evasion features, so when a firewall does sit in the path, its results can be misleading.
However, Nessus offers multiple types of scans like:
In addition, Nessus can perform an authenticated vulnerability scan to check for host-based vulnerabilities. This is the most accurate type of scan, because it does not rely on version guessing: given credentials to log into a system, Nessus reads the installed package list and the standard configuration files to determine the exact version of each installed application or service, rather than inferring it from a network banner.
The best thing about Nessus is its reporting. Compared to Nmap, Nessus offers many report types that suit different standards and laws.
Both tools can be used to run network and vulnerability scans against cloud environments, but Nessus has dedicated plugins for this, which makes the job easier.
If you compare the network scanning capabilities of Nessus and Nmap, the huge difference in advanced capabilities is obvious. Moreover, writing a port scanner from scratch does not take much time and does not require advanced software development skills.
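Why the authenticated scan is the more accurate one, as an added example that is not from the original post and is not Nessus's own plugin logic: the first check guesses from the network banner, the second reads the installed package version on the host. All inputs are constructed: the banner, the `dpkg` status snippet, and the advisory, which is hypothetical and names no real CVE. The version comparison is a simplified Debian-style ordering (epoch, then digit runs compared as integers), which is an assumption good enough for these inputs and not the full dpkg algorithm.

```python
import re

# Constructed: what an unauthenticated scan sees over the network.
BANNER = "SSH-2.0-OpenSSH_7.4p1"

# Constructed: what an authenticated scan reads from /var/lib/dpkg/status on the host.
DPKG_STATUS = """Package: openssh-server
Status: install ok installed
Version: 1:7.4p1-10+deb9u7

Package: nginx
Status: install ok installed
Version: 1.10.3-1+deb9u5
"""

# Constructed, hypothetical advisory: upstream fixed it in 7.5, the distro backported the fix
# into package revision 1:7.4p1-10+deb9u5 without bumping the upstream version string.
ADVISORY = {"package": "openssh-server", "upstream_fixed": "7.5",
            "distro_fixed": "1:7.4p1-10+deb9u5"}


def banner_version(banner):
    """Pull the upstream version out of an OpenSSH banner, e.g. '7.4p1'; None if absent."""
    m = re.search(r"OpenSSH_([0-9][\w.]*)", banner)
    return m.group(1) if m else None


def parse_dpkg_status(text):
    """Return {package: version} for every stanza whose Status ends in 'installed'."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith("installed") and "Package" in fields:
            installed[fields["Package"]] = fields["Version"]
    return installed


def version_key(version):
    """Simplified Debian-style sort key (assumption: no '~' handling, no full dpkg rules).
    Splits off the epoch, then breaks the rest into digit runs (compared as ints),
    letter runs and separator runs, so 7.4p1 < 7.5 and ...deb9u5 < ...deb9u7."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    parts = re.findall(r"\d+|[A-Za-z]+|[^A-Za-z0-9]+", rest)
    return (int(epoch), [(1, int(p)) if p.isdigit() else (0, p) for p in parts])


def unauthenticated_check(banner, advisory):
    """Banner-based guess: flags anything whose upstream version is below the fixed release.
    Cannot see a backported fix, so it reports a false positive on the constructed host."""
    seen = banner_version(banner)
    if seen is None:
        return None
    return version_key(seen) < version_key(advisory["upstream_fixed"])


def authenticated_check(dpkg_status, advisory):
    """Host-side check: compares the installed package revision with the distro's fixed one.
    Returns None when the package is not installed at all (nothing to flag)."""
    installed = parse_dpkg_status(dpkg_status).get(advisory["package"])
    if installed is None:
        return None
    return version_key(installed) < version_key(advisory["distro_fixed"])
```

On the constructed host the banner-based check returns `True` (flagged) while the authenticated check returns `False`, because the installed revision `deb9u7` is past the backported fix in `deb9u5`; that gap is exactly the class of false positive the authenticated scan removes.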
Therefore, in my opinion, Nessus does not use Nmap to perform its scans. Tenable, the vendor of Nessus, has also responded to this question and denied using Nmap. You can check their response here if you want.
However, according to the Nessus vendor, small portions of the Nmap scanner were used in earlier versions of the tool (before 2.2.0), but none remain in recent versions.
If you need a very deep port scan from behind a firewall, and you care about avoiding detection and about getting accurate network scan results, Nmap is the right tool. If you want a more advanced vulnerability scan with a low false-positive rate for the vulnerabilities it reports, Nessus is the better choice.
In my opinion, Nessus and Nmap should not be compared against each other at all, as each was designed for a different task. Moreover, when performing a penetration test it is strongly recommended to use both, as in some situations you will face a firewall that blocks Nessus scans.
Written by: Z. Oualid
I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).