
scan/plugins question

Subject: scan/plugins question
Date: Wed, 15 Sep 2004 14:40:47 -0500
Actually, I have several related questions, but I figured I'd put them all
in one e-mail to avoid flooding the list.

I've been working on a custom .nessusrc file to optimize the test for my
environment.  One of the things I want to do is use Nmap for port scanning
rather than Nessus, and I'd like Nmap to perform a SYN scan.  Here's my
current config for this, with just the relevant parts:

begin(SCANNER_SET)
 10180 = no #nessus ping
 10335 = no #nessus TCP port scan
 10336 = yes #nmap port scan
 10796 = no #LaBrea tarpitted scan
 11219 = no #nessus SYN port scan
end(SCANNER_SET)

begin(SERVER_PREFS)
 port_range = default
end(SERVER_PREFS)

begin(PLUGINS_PREFS)
 Nmap[checkbox]:Identify the remote OS = yes
 Nmap[checkbox]:Ping the remote host = yes
 Nmap[radio]:Port range = Default range
 Nmap[checkbox]:RPC port scan = no
 Nmap[entry]:Source port : = any
 Nmap[radio]:Timing policy : = Normal
 Nmap[radio]:TCP scanning technique : = SYN scan
 Nmap[checkbox]:UDP port scan = no
 Nmap[checkbox]:Use hidden option to identify the remote OS = no
 Ping the remote host[checkbox]:Do a TCP ping = no
 Ping the remote host[checkbox]:Do an ICMP ping = no
 Ping the remote host[checkbox]:Log live hosts in the report = no
 Ping the remote host[checkbox]:Make the dead hosts appear in the report = no
 Ping the remote host[entry]:Number of retries (ICMP) : = 10
 Ping the remote host[entry]:TCP ping destination port(s) : = built-in
end(PLUGINS_PREFS)

Ok, so according to my interpretation of this, Nessus built-in scanning and
pinging should be disabled, and Nmap pinging and scanning should be
enabled, with Nmap doing a SYN scan (e.g., -sS).  However, scans take nearly
an hour to complete now (up from about 20 minutes previously).  I enabled
full reporting in the logs, and saw this information:

[Wed Sep 15 10:38:06 2004][21035] connection from 127.0.0.1
<SNIP>
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching global_settings.nasl against w02ajbrela21408.ipaper.com [21136]
[Wed Sep 15 10:38:18 2004][21135] global_settings.nasl (process 21136) finished its job in 0.009 seconds
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching labrea.nasl against w02ajbrela21408.ipaper.com [21137]
[Wed Sep 15 10:38:24 2004][21135] labrea.nasl (process 21137) finished its job in 6.188 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching ping_host.nasl against w02ajbrela21408.ipaper.com [21138]
[Wed Sep 15 10:38:24 2004][21135] ping_host.nasl (process 21138) finished its job in 0.008 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching TLD_wildcard.nasl against w02ajbrela21408.ipaper.com [21139]
[Wed Sep 15 10:38:24 2004][21135] TLD_wildcard.nasl (process 21139) finished its job in 0.007 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching synscan.nes against w02ajbrela21408.ipaper.com [21140]
[Wed Sep 15 10:41:56 2004][21135] synscan.nes (process 21140) finished its job in 212.201 seconds
[Wed Sep 15 10:41:56 2004][21135] user nessus : launching nmap_wrapper.nes against w02ajbrela21408.ipaper.com [21145]
[Wed Sep 15 10:43:14 2004][21135] nmap_wrapper.nes (process 21145) finished its job in 77.404 seconds
[Wed Sep 15 10:43:14 2004][21135] user nessus : launching nmap_tcp_connect.nes against w02ajbrela21408.ipaper.com [21148]
[Wed Sep 15 11:25:03 2004][21135] nmap_tcp_connect.nes (process 21148) finished its job in 2509.705 seconds
<SNIP>

Ok, so here are my questions:

It looks like Nessus is using its built-in pinger rather than Nmap for
pinging (ping_host.nasl).  Is this correct, or am I reading it wrong?  If
so, how do I force it to use Nmap instead?

As with pinging, it also looks like Nessus is running a SYN scan with its
built-in scanner, rather than calling Nmap (synscan.nes).  Again, is this
correct?

After running the SYN scan (which finishes in just 3 1/2 minutes), it then
kicks off another port scan (nmap_tcp_connect.nes), which takes a
ridiculously long 42 minutes to complete.  First, why is it running two
port scans?  Second, this appears to be a connect() scan, but as I said I
want a SYN scan.  How do I set this up correctly?

And my last question, somewhat related - why is the labrea.nasl plugin
being run?  I have that disabled in the SCANNER_SET options (10796).  Did I
do something wrong there?


Sorry for the long e-mail, but as I said, I thought it'd be easiest to get
this all out at once.  Thanks!

--
Jared


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
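Editor's note: the diagnosis Jared is attempting here, working out which discovery and port-scan plugins nessusd actually ran and how much of the wall-clock time each consumed, is easy to automate. The following Python script is an added example, not part of Jared's post or of the Nessus project; it parses the "launching ... against ... [pid]" / "(process pid) finished its job in N seconds" pairs from a nessusd full-report log (format exactly as pasted above, assumed to be stable for that version), reads the SCANNER_SET block of a .nessusrc, and reports each plugin's reported and wall-clock duration plus its share of total scan time. The log excerpt and SCANNER_SET embedded below are copied from the post; the `scan|nmap|ping|labrea` name heuristic for identifying scanner-stage plugins is the example's own assumption.

```python
"""Summarise which plugins nessusd actually ran, how long each took, and
which scanners the .nessusrc claims to enable.  Added example; the log
excerpt and SCANNER_SET block are copied from the mailing-list post."""
import re
from datetime import datetime

LOG = """\
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching global_settings.nasl against w02ajbrela21408.ipaper.com [21136]
[Wed Sep 15 10:38:18 2004][21135] global_settings.nasl (process 21136) finished its job in 0.009 seconds
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching labrea.nasl against w02ajbrela21408.ipaper.com [21137]
[Wed Sep 15 10:38:24 2004][21135] labrea.nasl (process 21137) finished its job in 6.188 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching ping_host.nasl against w02ajbrela21408.ipaper.com [21138]
[Wed Sep 15 10:38:24 2004][21135] ping_host.nasl (process 21138) finished its job in 0.008 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching TLD_wildcard.nasl against w02ajbrela21408.ipaper.com [21139]
[Wed Sep 15 10:38:24 2004][21135] TLD_wildcard.nasl (process 21139) finished its job in 0.007 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching synscan.nes against w02ajbrela21408.ipaper.com [21140]
[Wed Sep 15 10:41:56 2004][21135] synscan.nes (process 21140) finished its job in 212.201 seconds
[Wed Sep 15 10:41:56 2004][21135] user nessus : launching nmap_wrapper.nes against w02ajbrela21408.ipaper.com [21145]
[Wed Sep 15 10:43:14 2004][21135] nmap_wrapper.nes (process 21145) finished its job in 77.404 seconds
[Wed Sep 15 10:43:14 2004][21135] user nessus : launching nmap_tcp_connect.nes against w02ajbrela21408.ipaper.com [21148]
[Wed Sep 15 11:25:03 2004][21135] nmap_tcp_connect.nes (process 21148) finished its job in 2509.705 seconds
"""

NESSUSRC = """\
begin(SCANNER_SET)
 10180 = no #nessus ping
 10335 = no #nessus TCP port scan
 10336 = yes #nmap port scan
 10796 = no #LaBrea tarpitted scan
 11219 = no #nessus SYN port scan
end(SCANNER_SET)
"""

# Log line shapes as seen in the post (assumed stable for this nessusd version).
LAUNCH_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[\d+\] user \S+ : launching "
                       r"(?P<plugin>\S+) against (?P<host>\S+) \[(?P<pid>\d+)\]$")
FINISH_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[\d+\] (?P<plugin>\S+) \(process (?P<pid>\d+)\) "
                       r"finished its job in (?P<secs>[\d.]+) seconds$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_scanner_set(text):
    """Return {plugin_id: (enabled, label)} from the SCANNER_SET block of a .nessusrc."""
    enabled, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "begin(SCANNER_SET)":
            inside = True
        elif line == "end(SCANNER_SET)":
            inside = False
        elif inside:
            m = re.match(r"(\d+)\s*=\s*(yes|no)\s*#?(.*)", line)
            if m:
                enabled[int(m.group(1))] = (m.group(2) == "yes", m.group(3).strip())
    return enabled


def parse_plugin_runs(log):
    """Pair each 'launching' line with its 'finished' line by pid.

    Returns a list of dicts with the plugin's self-reported seconds and the
    wall-clock seconds derived from the two timestamps (useful when the
    reported figure looks implausible)."""
    pending, runs = {}, []
    for line in log.splitlines():
        m = LAUNCH_RE.match(line)
        if m:
            pending[m["pid"]] = (m["plugin"], m["host"], datetime.strptime(m["ts"], TS_FMT))
            continue
        m = FINISH_RE.match(line)
        if m and m["pid"] in pending:
            plugin, host, started = pending.pop(m["pid"])
            finished = datetime.strptime(m["ts"], TS_FMT)
            runs.append({"plugin": plugin, "host": host, "pid": int(m["pid"]),
                         "reported": float(m["secs"]),
                         "wall": (finished - started).total_seconds()})
    return runs


def time_share(runs):
    """Fraction of total reported plugin time consumed by each plugin."""
    total = sum(r["reported"] for r in runs)
    return {r["plugin"]: r["reported"] / total for r in runs} if total else {}


def scanner_stage_plugins(runs):
    """Plugins whose file name suggests host discovery or port scanning.
    Name-based heuristic (an assumption of this example, not a Nessus API)."""
    return [r["plugin"] for r in runs if re.search(r"scan|nmap|ping|labrea", r["plugin"])]


if __name__ == "__main__":
    runs = parse_plugin_runs(LOG)
    share = time_share(runs)
    print("Scanners enabled in .nessusrc:")
    for pid, (on, label) in sorted(parse_scanner_set(NESSUSRC).items()):
        print(f"  {pid}  {'yes' if on else 'no ':3}  {label}")
    print("\nPlugins that actually ran (reported s / wall s / share):")
    for r in runs:
        flag = " <- scanner stage" if r["plugin"] in scanner_stage_plugins(runs) else ""
        print(f"  {r['plugin']:24} {r['reported']:9.3f} {r['wall']:7.0f} "
              f"{share[r['plugin']]:6.1%}{flag}")
```

Run against a full nessusd.messages log (with full reporting enabled, as Jared did) the per-plugin table makes the two questions above concrete: it shows both synscan.nes and nmap_tcp_connect.nes in the scanner stage, and that the connect() scan alone accounts for roughly 89% of the scan's time.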
