Friday, 1 April 2011

Angry IP vs nmap

I recently got an interesting question via email:

Hi Abraham,
I was just wondering if you’ve ever used a tool called Angry IP scanner?
Is it safe to use?
Is there any risk of it crashing a host you are scanning?

Short answer:
Q: I was just wondering if you’ve ever used a tool called Angry IP scanner?
A: No, I use nmap for port scanning.
Q: Is it safe to use?
A: I would say yes, from some quick research I did; see the long answer.
Q: Is there any risk of it crashing a host you are scanning?
A: There is always that risk with any port scanner, but I would say if the host you are scanning crashes you have bigger problems: the system is then probably not up to date and definitely proven to be vulnerable to DoS without even trying! :)
Normally only a few printers and other small embedded systems might crash when you scan them on certain ports. It is rare for a crash to happen, but it can happen; there is always that risk.
I know nmap will avoid "risky" ports in its default configuration; this makes crashes less likely, although they are always possible, of course.
Long answer:
First things first: from what I have researched about it, Angry IP seems like a legit open source tool, so at least it does not seem to be a trojan horse (an application that would perform nefarious activities like compromising your machine in the background) or anything. However, like many "hacking tools", it is very likely that many antivirus programs will pick on it (they will flag it as a "hacking tool").
When I got this email I recalled Angry IP as one of the tools mentioned in the CEH training materials, and mentioned by only one guy (Security Justice? or was it Securabit?), perhaps showing his age :), in the many security podcasts I have listened to over the years (since 2005 roughly). This means the tool is not particularly popular among security professionals (you see nmap mentioned often for port scanning but you will rarely see Angry IP mentioned).
It is worth noting here that the CEH has been criticised by many for being too tool-oriented and making you learn "obsolete" tools. A full discussion of the CEH, which I got a few years ago (full disclosure), is however out of scope for this post.
The fact is, however, that Angry IP seems to have been last updated in 2009 at the time of writing (the last code update seems to be 2009-03-24, "Angry IP Scanner: 3.0-beta4 released", on what appears to be the official website). That is exactly 2 years ago, which is a big difference compared with nmap development, which was last updated this week (2011-03-31).
I wanted to do my own testing to compare the tools, but it looks like somebody probably much more capable than me already did that some time ago. I think that research can be summarised in two lines from the review itself:
"Nmap is usually *at least* twice as fast as the IP Scanner. The IP Scanner hasn't been able to beat Nmap in accuracy or speed in any tests I've tried"
So, the facts are that Angry IP:
- Seems to be a legit open source tool (nmap is legit too :))
- Is less known and less used than nmap in the security community
- Was last updated in 2009, and that was a beta! (nmap was last updated this week!)
Because of those facts, I personally do not see any reason to use a tool like that except for recreational or research purposes.
Finally, I would like to mention that nmap has recently been significantly improved with the Nmap Scripting Engine (NSE), which allows people to extend nmap with additional checks, in a similar fashion to the checks that a vulnerability scanner like Nessus would do. Obviously Nmap is still far from a full-blown vulnerability scanner like Nessus, but the point here is that Nmap is now capable of performing some basic vulnerability scanner tasks, which makes it even more powerful than it already was.
When you read through the latest stable release for nmap this year you will clearly see why this tool is the best port scanner ever: it has an active development community, has been chosen by Google for its Summer of Code program several times, and the NSE scripts have just taken this tool to the next level.
I hope this helps.