OpenVAS: Network Vulnerability Assessment

OpenVAS performs comprehensive network-wide vulnerability detection across multiple hosts and services. Under the hood, OpenVAS first runs a port scan (using Nmap) and uses the open ports it finds to identify the services running on each target. Based on those services, OpenVAS then runs Network Vulnerability Tests (NVTs) to determine weaknesses and potential CVEs. Scan times depend heavily on several factors: the number of targets scanned, the number and type of services running on each target, and the speed of the network and the performance of the target being scanned.

Typical Scan Times:

  • Small network (1-10 hosts): 1-4 hours
  • Medium network (10-50 hosts): 4-24 hours
  • Large networks: 24-48+ hours

OWASP ZAP: Web Application Security

ZAP focuses on web application vulnerabilities, which makes it faster than comprehensive network scanners. It works by visiting the target website, examining the response and then crawling links to the rest of the site. The passive ZAP scan only crawls the website and analyzes the responses for issues. The active ZAP scan also crawls the website and then, depending on the forms, parameters and inputs it finds, attempts to fuzz those inputs for issues such as SQL injection or cross-site scripting.

In terms of timing, the passive scan is dependent on the number of pages to crawl. The active scan is dependent upon both the number of pages and potential inputs that will need to be tested. It's typical for the active scan to take significantly longer than the passive scan.

Typical Scan Times:

  • Small web app (10-50 pages): 30 minutes - 4 hours
  • Medium web app (50-200 pages): 2-8 hours
  • Large web app (200+ pages): 6-24 hours
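To make the passive/active distinction concrete, here is an added example (not HostedScan or ZAP code) of the kind of analysis a passive scan can do on responses it has already received, without sending any attack traffic: checking for missing security headers, insecure cookie attributes and server version disclosure. The `Response` records, URLs and header values are constructed sample data; no network access is needed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """One crawled page: URL, status, response headers and raw Set-Cookie values."""
    url: str
    status: int
    headers: dict
    cookies: list = field(default_factory=list)


# Headers a passive check expects on every HTML response (names lower-cased).
REQUIRED_HEADERS = {
    "strict-transport-security": "Missing Strict-Transport-Security header",
    "content-security-policy": "Missing Content-Security-Policy header",
    "x-content-type-options": "Missing X-Content-Type-Options header",
}


def _cookie_name_and_attrs(raw):
    """Split a Set-Cookie value into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def analyze_response(resp):
    """Return the list of passive findings for one response (no requests are sent)."""
    findings = []
    hdrs = {k.lower(): v for k, v in resp.headers.items()}

    for name, message in REQUIRED_HEADERS.items():
        if name not in hdrs:
            findings.append(message)

    # Clickjacking protection can come from X-Frame-Options or CSP frame-ancestors.
    csp = hdrs.get("content-security-policy", "")
    if "x-frame-options" not in hdrs and "frame-ancestors" not in csp:
        findings.append("No X-Frame-Options header or CSP frame-ancestors directive")

    # Version disclosure: a Server header that carries a version number.
    server = hdrs.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses version: {server}")

    for raw in resp.cookies:
        name, attrs = _cookie_name_and_attrs(raw)
        if resp.url.startswith("https://") and "secure" not in attrs:
            findings.append(f"Cookie {name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} lacks HttpOnly flag")
        if "samesite" not in attrs:
            findings.append(f"Cookie {name} lacks SameSite attribute")
    return findings


def analyze_site(responses):
    """Map each crawled URL to its passive findings."""
    return {r.url: analyze_response(r) for r in responses}


# Constructed sample responses: one weakly configured page and one hardened page.
SAMPLE_RESPONSES = [
    Response(
        url="https://app.example.test/login",
        status=200,
        headers={"Content-Type": "text/html", "Server": "nginx/1.18.0",
                 "X-Content-Type-Options": "nosniff"},
        cookies=["session=abc123; Path=/"],
    ),
    Response(
        url="https://app.example.test/",
        status=200,
        headers={"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Content-Type-Options": "nosniff",
                 "Server": "nginx"},
        cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    ),
]

if __name__ == "__main__":
    for url, findings in analyze_site(SAMPLE_RESPONSES).items():
        print(url, "->", findings or "no passive findings")
```

The login page yields seven findings (two missing headers, no clickjacking protection, a version-bearing Server header and three cookie attribute gaps); the hardened page yields none. An active scan would go further by submitting payloads to the login form, which is why its runtime grows with the number of inputs rather than just pages.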

Nmap: Network Discovery and Port Scanning

Nmap excels at network reconnaissance and service detection, and typically completes much faster than vulnerability-specific tools. HostedScan runs Nmap so that it tests all TCP ports and the top 1000 UDP ports. Nmap scan time is highly dependent on network speed, firewall settings and server response time.

Typical Scan Times:

  • Single host: 5 minutes-2 hours (highly dependent on the server, firewall, and network configuration)
  • Small network (1-10 hosts): 1-6 hours
  • Medium network (/24 subnet): 4-12 hours, depending on the number of active hosts

SSLyze: Encryption Scanning

SSLyze makes a few requests to a given website and inspects its SSL/TLS configuration and its TLS certificate.

Typical Scan Times:

  • Single host: 1-5 minutes.