Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: scan/plugins question

from [Jay Jacobson] Network Security [Permanent Link]
Subject: Re: scan/plugins question
Date: Wed, 15 Sep 2004 13:10:29 -0700 (MST)


Hi Jared. You may have the same problem for all of your questions. It is possible for the "SCANNER SET" plugins to be listed twice in the .nessusrc file. You may have them disabled in the SCANNER_SET, but still enabled in the plugins list. What do you get if you grep your .nessusrc file for those plugin IDs (10180, 10335, 10336, 10796, and 11219)? Do they show up multiple times?

Also remember that the .nessusrc file gets modified by the client at run-time. Try launching a scan, wait a few minutes for it to fully connect to the Nesuss server and get going, then ctrl-c the client and grep the .nessusrc file. Do they show up multiple times?

~Jay


On Wed, 15 Sep 2004, Jared M Breland wrote:

Actually, I have several related questions, but I figured I'd put them all
in one e-mail to avoid flooding the list.

I've been working on a custom .nessusrc file to optimize the test for my
environment.  One of the things I want to do is use Nmap for port scanning
rather than Nessus, and I'd like Nmap to perform a SYN scan.  Here's my
current config for this, with just the relevant parts:

begin(SCANNER_SET)
10180 = no #nessus ping
10335 = no #nessus TCP port scan
10336 = yes #nmap port scan
10796 = no #LaBrea tarpitted scan
11219 = no #nessus SYN port scan
end(SCANNER_SET)

begin(SERVER_PREFS)
port_range = default
end(SERVER_PREFS)

begin(PLUGINS_PREFS)
Nmap[checkbox]:Identify the remote OS = yes
Nmap[checkbox]:Ping the remote host = yes
Nmap[radio]:Port range = Default range
Nmap[checkbox]:RPC port scan = no
Nmap[entry]:Source port : = any
Nmap[radio]:Timing policy : = Normal
Nmap[radio]:TCP scanning technique : = SYN scan
Nmap[checkbox]:UDP port scan = no
Nmap[checkbox]:Use hidden option to identify the remote OS = no
Ping the remote host[checkbox]:Do a TCP ping = no
Ping the remote host[checkbox]:Do an ICMP ping = no
Ping the remote host[checkbox]:Log live hosts in the report = no
Ping the remote host[checkbox]:Make the dead hosts appear in the report =
no
Ping the remote host[entry]:Number of retries (ICMP) : = 10
Ping the remote host[entry]:TCP ping destination port(s) : = built-in
end(PLUGINS_PREFS)

Ok, so according to my interpretation of this, Nessus built-in scanning and
pinging should be disabled, and Nmap pinging and scanning should be
enabled, with Nmap doing a SYN scan (eg., -sS).  However, scans take nearly
an hour to complete now (up from about 20 minutes previously).  I enabled
full reporting in the logs, and saw this information:

[Wed Sep 15 10:38:06 2004][21035] connection from 127.0.0.1
<SNIP>
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching
global_settings.nasl against w02ajbrela21408.ipaper.com [21136]
[Wed Sep 15 10:38:18 2004][21135] global_settings.nasl (process 21136)
finished its job in 0.009 seconds
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching labrea.nasl
against w02ajbrela21408.ipaper.com [21137]
[Wed Sep 15 10:38:24 2004][21135] labrea.nasl (process 21137) finished its
job in 6.188 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching ping_host.nasl
against w02ajbrela21408.ipaper.com [21138]
[Wed Sep 15 10:38:24 2004][21135] ping_host.nasl (process 21138) finished
its job in 0.008 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching TLD_wildcard.nasl
against w02ajbrela21408.ipaper.com [21139]
[Wed Sep 15 10:38:24 2004][21135] TLD_wildcard.nasl (process 21139)
finished its job in 0.007 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching synscan.nes
against w02ajbrela21408.ipaper.com [21140]
[Wed Sep 15 10:41:56 2004][21135] synscan.nes (process 21140) finished its
job in 212.201 seconds
[Wed Sep 15 10:41:56 2004][21135] user nessus : launching nmap_wrapper.nes
against w02ajbrela21408.ipaper.com [21145]
[Wed Sep 15 10:43:14 2004][21135] nmap_wrapper.nes (process 21145) finished
its job in 77.404 seconds
[Wed Sep 15 10:43:14 2004][21135] user nessus : launching
nmap_tcp_connect.nes against w02ajbrela21408.ipaper.com [21148]
[Wed Sep 15 11:25:03 2004][21135] nmap_tcp_connect.nes (process 21148)
finished its job in 2509.705 seconds
<SNIP>

Ok, so here are my questions:

It looks like Nessus is using its built-in pinger rather than Nmap for
pinging (ping_host.nasl).  Is this correct, or am I reading it wrong?  If
so, how do I force it to use Nmap instead?

As with pinging, it also looks like Nessus is running a SYN scan with its
built-in scanner, rather than calling Nmap (synscan.nes).  Again, is this
correct?

After running the SYN scan (which finishes in just 3 1/2 minutes), it then
kicks off another port scan (nmap_tcp_connect.nes), which takes a
ridiculously long 42 minutes to complete.  First, why is it running two
port scans?  Second, this appears to be a connect() scan, but as I said I
want a SYN scan.  How do I set this up correctly?

And my last question, somewhat related - why is the labrea.nasl plugin
being run?  I have that disabled in the SCANNER_SET options (10796).  Did I
do something wrong there?


Sorry for the long e-mail, but as I said, I thought it'd be easiest to get
this all out at once.  Thanks!

--
Jared


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus


--
..
..  Jay Jacobson
..  Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
..
..  Network Security Auditing and
..  Vulnerability Assessment Managed Services
..

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  nessus server lock up, Puren, Steve
Next by Date:  Re: Promiscuous Mode detection, Hugo van der Kooij
Previous by Thread:  scan/plugins question, Jared M Breland
Next by Thread:  Re: scan/plugins question, Jared M Breland
Indexes:  [Date] [Thread] [Top] [All Lists]