Ever find yourself needing to do a quick security scan while on a computer that doesn’t have the right tools? This happens to me periodically when we need a quick scan done from “outside.” Out of curiosity I searched around and found a few good options that I thought you may find useful.
Nmap-Online.com: Administered by MatouSec.com, a project started in 2006 and run by a group of security experts concerned about user desktop security, this service offers almost the full capability of Nmap through a website! The earliest reference I could find was in November of 2006 so they’ve been around for a while.
To use the service, pick between “Quick Scan” and “Full Scan,” which scan your own detected IP address, or a “Custom Scan” that gives you almost full access to Nmap’s set of options (including scanning a range of IPs). Finally, agree to their ToS and hit Scan. You have the option of waiting for the results in the browser or entering an email and password to have them emailed to you. Keep the email and password handy, as you can use these credentials to retrieve all your recent scans. Note that no registration is required, though. It seems to track users with just your specific email and password combination.
Unfortunately, limitations there are… You can only scan IP addresses and ranges within your externally detected class C address space. Additionally, they have rules controlling the number of scans you are permitted to perform within various time periods (e.g., a max of 8 scan requests from one IP per 24 hours). See their ToS for all the restrictions.
Check out Nmap-Online here.
Update 3/22/13: The Nmap-Online domain has been made a sub-domain of Online-Domain-Tools.com. Some other interesting sub-domained tools include Hash Functions, Symmetric Ciphers, and Reverse Hash Lookup. They also offer your standard range of tools for encoding/decoding content and analyzing domains.
HackerTarget.com (note – no longer free): This is another service that I came across that offers several free online scanners. Currently, they provide 10 scans that include the likes of Nmap, OpenVAS, Nikto, and WordPress Security Scan. Just checking out their Nmap service … it only performs a “Fast Scan with Service Identification” (i.e., nmap -sV -F your.ip.address.com). Most of their other services didn’t have any customizable options so I assume it’s just the default scans. For specifics you’d have to research the default scans for these tools. The WordPress scan, however, mentions 13 specific checks.
Just like Nmap-Online.com, there are limitations… You only get four scans per day and can’t use free web email accounts to get the results. Additionally, you can’t scan IP ranges … just individual IPs. HackerTarget does offer a membership program that lifts these restrictions. Prices for individuals are $5 on a month-to-month basis or $30 a year. Corporations are $50 per month or $400 a year. Regardless of whether you use the free or paid version, there doesn’t seem to be a way to view sessions online; you must enter an email for them to send results to.
Check out the HackerTarget.com Online Security Scan page here.
Update 3/22/13: HackerTarget.com no longer offers a free version. Thanks to Jamie (see comments) for pointing this out. Plans include a one-time $19 fee for personal use, $89/year for additional scanners, and $249/year to increase the number of scans per day.
Do you know of any other online security scanner for quick one-off assessments? Let us know in the comments below. Today’s post image is from AttackResearch.com.