Monday, 5 June 2017

What is the difference between Nessus and OWTF ?

Many of you would be wondering , what is the difference between Nessus and OWTF(Open Web Testing Framework)

First of all Nessus is a Vulnerability Assessment Tool and OWTF is a penetration testing tool.

Secondly Nessus is proprietary to Tenable and OWTF(made by OWASP) is open source and free.

OWTF has both CLI and Web based UI whereas Nessus just has a Web UI, does not have CLI(but it has NASL- Nessus Attack Scripting Language).

Nessus is the world's most popular vulnerability scanner whereas OWTF is relatively new.

Nessus has more than 15000+ plugins whereas OWTF has more than 100+ plugins.

Nessus is available for Windows,MAC,Linux but OWTF is only available for Linux especially OWTF is designed by keeping in mind Kali Lnux.

OWTF runs tools like the Harvester,Nikto,W3AF , Arachini,etc. 

Nessus rates the vulnerability as Critical, High , Medium, Low or Info by using the CVSS score whereas in OWTF the user has to manually rate the vulnerabilites.

Nessus can also be used for auditing purposes whereas OWTF cannot.
Now, to understand this we must first understand that Vulnerability assessment is a part of penetration testing,so what nessus does is find the vulnerabilities of a host whereas OWTF is a tool which is present to automate the task of penetration testing as it will use a number of tools which the penetration tester would have to do manually.

For example, a pen tester would do port scanning to find the open ports in a host using a tool like NMAP and then find the version of the services running in that host , then he vulnerabilities in that service version, then he would try to exploit those vulnerablities using a tool like Metasploit, so what we see here is that the penetration tester is getting output from one tool which he is using as input to other tool.

OWTF does this automatically , runs a tool to get a output , uses that output as input to other tool to move forward in the penetration testing process.

The OWASP OWTF is made in terms of OWASP Pen Testing Guide, Penetration Testing Execution Standard and National Institute of Standards and Technology.

No comments:

Post a comment


Related Posts Plugin for WordPress, Blogger...