Best free network scanners for security teams

|
Updated

Knowing what’s connected to a network is important for securing your organization. There are a fair amount of free and commercial options out there. We see security teams using a mix of runZero, Nmap (sometimes with Zenmap), Angry IP and Masscan.

In this article, we compare and contrast several free tools and provide our take on why we believe runZero is best suited for corporate security teams – particularly teams that are looking to gain continuous visibility into their asset inventory for risk management, incident response, and penetration testing purposes.

Free network scanner comparison #

runZero
(Recommended)
Nmap & Zenmap Angry IP Masscan
Best for Continuous and scalable cyber asset management Ad-hoc network discovery and security auditing Scanning local network for active IPs Research scans of the entire Internet
Graphical user interface
Internal database
Scalable deployment (distributed architecture)
Scan by IP range (internal & external)
Scan by domain
Scan by ASN
Identifies hardware platform
Covers managed on-premise assets
Covers unmanaged / IoT assets
Safely scans OT assets
Covers cloud assets
Covers remote assets
On-premise deployment
SaaS deployment
Free option available
Paid option available
Supported platforms Windows, Linux,
macOS, BSD
Windows, Linux, macOS, BSD JVM Windows, Linux, macOS, BSD
Programming language Go C Java C

runZero #

runZero UI

runZero was founded in 2018 by HD Moore, the creator of Metasploit, to help solve the problem of discovering both managed and unmanaged devices on the network. The product has grown to a full attack surface management solution that covers managed and unmanaged IT/IoT, OT environments, cloud assets, and remote devices. runZero offers a fully-featured 21 day trial that downgrades to a free Community Edition, which is used by more than 20,000 individuals and organizations.

runZero is enterprise grade in terms of its user interface, query language, and ability to collect an inventory even in highly distributed environments without having to write scripts or maintain a custom database. Like all of the other scanners in this article, its scans are unauthenticated but yield a surprising amount of depth of information, such as fully searchable attributes for all services, hardware and firmware details, as well as layer 2 and 3 network topologies. In addition, the solution can use SNMP credentials as well as integrations with vulnerability scanners, EDR, MDM, directories and other solutions to provide deeper insights into cyber assets and their security posture. runZero also provides integrations with CMDB and SIEM solutions to enrich asset inventory on other platforms.

runZero’s scanning technology is safe to use in many OT environments, making it an ideal passive discovery option for critical infrastructure OT environments.

Best for
  • Continuous and scalable cyber asset management
Advantages
  • Easy to deploy and scalable for larger organizations
  • Free Starter Edition for up to 256 assets (including commercial use)
  • Safe to use on fragile OT & IoT devices
  • Accurate OS & hardware fingerprinting
  • Paid editions offers integrations with security and IT infrastructure as well as coverage of cloud & remote assets in addition to on-premise devices
Drawbacks
  • Use above 256 assets requires paid license (free trial available)

Nmap and Zenmap #

Nmap interface

Nmap has been around for 25 years and is the gold standard for ad-hoc network scanning. The free and open source utility is most often used for network discovery and security auditing. It integrates with many other security auditing tools, such as Metasploit.

Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap). The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write simple scripts for network discovery, more sophisticated version detection, and vulnerability detection. NSE can even be used for vulnerability exploitation.

Best for
  • Ad-hoc network discovery and security auditing
  • Security researchers that want to write nmap scripts for custom projects
Advantages
  • Very well known and documented
  • Most flexible option of all tools due to configurability
  • Extensible through the Network Scanning Engine
  • Free for private and commercial use
Drawbacks
  • Command line can be complex to use
  • Can disrupt fragile OT/IoT devices
  • Paid license required for hardware and software vendors that wish to distribute Nmap with their solution
  • Must be scripted for continuous use

Angry IP #

Angry IP interface

Angry IP Scanner is an open-source network scanner designed to be fast and simple to use. It scans IP addresses and ports. It is widely used by network administrators.

Angry IP is a good solution for teams that are looking for the fastest and easiest way to see which IPs are in use on a network. However the solution doesn’t provide a lot of information about each device, limited to IP, ping time, hostname, ports, TTL, MAC address, filtered ports, NetBIOS.

Best for
  • Easy scan of a local network to see which IPs are up
Advantages
  • Very quick and easy to get going for an an ad-hoc scan
Drawbacks
  • Little information about each asset
  • Not scalable for larger or distributed environments
  • Can disrupt fragile OT/IoT devices

Masscan #

Masscan interface

Masscan is a port scanner that can cover the entire Internet in under 5 minutes by using asynchronous transmission, sending 10 million packets per second from a single machine. It is purely a command-line tool and its usage is similar to Nmap. While Nmap is more often used to scan individual machines and smaller IP ranges, Masscan is primarily used for very large IP ranges.

Best for
  • Research scans of the entire Internet on a small handful of ports
Advantages
  • Lightning-fast scans of large IP ranges
Drawbacks
  • Command-line only
  • Very little information on each asset
  • Not suitable for internal asset inventory
  • Can disrupt fragile OT/IoT devices
  • Must be scripted for continuous use

Most free network scanners don’t scale easily out of the box, often requiring custom databases and scripts to make them suitable for continuous monitoring and collecting inventory from multiple segments or sites. Out of the mix of tools, only runZero comes with a central repository and a distributed system of Explorers to scan all parts of a network, from inside and outside the firewall.

While all of the scanners we looked at are robust and suitable for their specific use cases, runZero is the best option for corporate security teams. runZero wins on flexibility of deployment, ease of use, and scalability for larger organizations. If your security team consists of more than one person or your organization operates at more than one physical location, runZero is for you.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

More about runZero Team
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

runZero Insights
Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats
China's Typhoon cyber attacks are evolving, but runZero helps you stay one step ahead with unmatched visibility and proactive defense.
runZero Insights
Ensure compliance with DORA’s ICT risk framework using runZero
Learn how to uncover unmanaged and unknown assets— including IT, OT, and IoT— to meet DORA's hidden risk requirements using runZero.
Life at runZero
Employee Spotlight: Doug Markiewicz
Doug Markiewicz is a strategic Customer Success Engineer with a passion for solving complex cybersecurity problems. Learn more about his journey as...
runZero Insights
Evolving from IT to IoT: Flax Typhoon preyed on the lesser knowns
A look at Flax Typhoon's latest operations, and how runZero’s unknown and IoT asset visibility can help calm the storm for security teams.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved