Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: scan/plugins question

from [Jared M Breland] Network Security [Permanent Link]
Subject: Re: scan/plugins question
Date: Fri, 17 Sep 2004 08:34:06 -0500 

Thanks for the response, Jay.

I double-checked my .nessusrc file at your suggestion, and I only have one
entry for each of the plugins you listed below.  I actually checked a
little more thoroughly, and couldn't find any duplicate entries at all.

So, I still can't figure out why two port scans are running, nor am I
entirely clear on what's actually running.  I'm I correct in thinking that
synscan.nes is the built-in Nessus scanner, and that nmap_tcp_connect.nes
is a connect() scan through Nmap?  Any others suggestions or ideas on how I
can get this to work properly?

Thanks.

--
Jared Breland                 International Paper
jared.breland@ipaper.com      Information Security
901-419-5077                  http://irm.ipaper.com/



                                                                           
             "Jay Jacobson"                                                
             <jay@edgeos.com>                                              
             Sent by:                                                   To 
             nessus-bounces@li         "Jared M Breland"                   
             st.nessus.org             <Jared.Breland@ipaper.com>          
                                                                        cc 
                                       nessus@list.nessus.org              
             09/15/2004 03:10                                      Subject 
             PM                        Re: scan/plugins question           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           






Hi Jared. You may have the same problem for all of your questions. It is
possible for the "SCANNER SET" plugins to be listed twice in the .nessusrc
file. You may have them disabled in the SCANNER_SET, but still enabled in
the plugins list. What do you get if you grep your .nessusrc file for
those plugin IDs (10180, 10335, 10336, 10796, and 11219)? Do they show up
multiple times?

Also remember that the .nessusrc file gets modified by the client at
run-time. Try launching a scan, wait a few minutes for it to fully connect
to the Nesuss server and get going, then ctrl-c the client and grep the
.nessusrc file. Do they show up multiple times?

~Jay


On Wed, 15 Sep 2004, Jared M Breland wrote:


Actually, I have several related questions, but I figured I'd put them

all

in one e-mail to avoid flooding the list.

I've been working on a custom .nessusrc file to optimize the test for my
environment.  One of the things I want to do is use Nmap for port

scanning

rather than Nessus, and I'd like Nmap to perform a SYN scan.  Here's my
current config for this, with just the relevant parts:

begin(SCANNER_SET)
10180 = no #nessus ping
10335 = no #nessus TCP port scan
10336 = yes #nmap port scan
10796 = no #LaBrea tarpitted scan
11219 = no #nessus SYN port scan
end(SCANNER_SET)

begin(SERVER_PREFS)
port_range = default
end(SERVER_PREFS)

begin(PLUGINS_PREFS)
Nmap[checkbox]:Identify the remote OS = yes
Nmap[checkbox]:Ping the remote host = yes
Nmap[radio]:Port range = Default range
Nmap[checkbox]:RPC port scan = no
Nmap[entry]:Source port : = any
Nmap[radio]:Timing policy : = Normal
Nmap[radio]:TCP scanning technique : = SYN scan
Nmap[checkbox]:UDP port scan = no
Nmap[checkbox]:Use hidden option to identify the remote OS = no
Ping the remote host[checkbox]:Do a TCP ping = no
Ping the remote host[checkbox]:Do an ICMP ping = no
Ping the remote host[checkbox]:Log live hosts in the report = no
Ping the remote host[checkbox]:Make the dead hosts appear in the report =
no
Ping the remote host[entry]:Number of retries (ICMP) : = 10
Ping the remote host[entry]:TCP ping destination port(s) : = built-in
end(PLUGINS_PREFS)

Ok, so according to my interpretation of this, Nessus built-in scanning

and

pinging should be disabled, and Nmap pinging and scanning should be
enabled, with Nmap doing a SYN scan (eg., -sS).  However, scans take

nearly

an hour to complete now (up from about 20 minutes previously).  I enabled
full reporting in the logs, and saw this information:

[Wed Sep 15 10:38:06 2004][21035] connection from 127.0.0.1
<SNIP>
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching
global_settings.nasl against w02ajbrela21408.ipaper.com [21136]
[Wed Sep 15 10:38:18 2004][21135] global_settings.nasl (process 21136)
finished its job in 0.009 seconds
[Wed Sep 15 10:38:18 2004][21135] user nessus : launching labrea.nasl
against w02ajbrela21408.ipaper.com [21137]
[Wed Sep 15 10:38:24 2004][21135] labrea.nasl (process 21137) finished

its

job in 6.188 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching ping_host.nasl
against w02ajbrela21408.ipaper.com [21138]
[Wed Sep 15 10:38:24 2004][21135] ping_host.nasl (process 21138) finished
its job in 0.008 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching

TLD_wildcard.nasl

against w02ajbrela21408.ipaper.com [21139]
[Wed Sep 15 10:38:24 2004][21135] TLD_wildcard.nasl (process 21139)
finished its job in 0.007 seconds
[Wed Sep 15 10:38:24 2004][21135] user nessus : launching synscan.nes
against w02ajbrela21408.ipaper.com [21140]
[Wed Sep 15 10:41:56 2004][21135] synscan.nes (process 21140) finished

its

job in 212.201 seconds
[Wed Sep 15 10:41:56 2004][21135] user nessus : launching

nmap_wrapper.nes

against w02ajbrela21408.ipaper.com [21145]
[Wed Sep 15 10:43:14 2004][21135] nmap_wrapper.nes (process 21145)

finished

its job in 77.404 seconds
[Wed Sep 15 10:43:14 2004][21135] user nessus : launching
nmap_tcp_connect.nes against w02ajbrela21408.ipaper.com [21148]
[Wed Sep 15 11:25:03 2004][21135] nmap_tcp_connect.nes (process 21148)
finished its job in 2509.705 seconds
<SNIP>

Ok, so here are my questions:

It looks like Nessus is using its built-in pinger rather than Nmap for
pinging (ping_host.nasl).  Is this correct, or am I reading it wrong?  If
so, how do I force it to use Nmap instead?

As with pinging, it also looks like Nessus is running a SYN scan with its
built-in scanner, rather than calling Nmap (synscan.nes).  Again, is this
correct?

After running the SYN scan (which finishes in just 3 1/2 minutes), it

then

kicks off another port scan (nmap_tcp_connect.nes), which takes a
ridiculously long 42 minutes to complete.  First, why is it running two
port scans?  Second, this appears to be a connect() scan, but as I said I
want a SYN scan.  How do I set this up correctly?

And my last question, somewhat related - why is the labrea.nasl plugin
being run?  I have that disabled in the SCANNER_SET options (10796).  Did

I

do something wrong there?


Sorry for the long e-mail, but as I said, I thought it'd be easiest to

get

this all out at once.  Thanks!

--
Jared


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus



--
..
..  Jay Jacobson
..  Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
..
..  Network Security Auditing and
..  Vulnerability Assessment Managed Services
..

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Promiscuous Mode detection, Marc
Next by Date:  RE: Promiscuous Mode detection, DePriest, Jason R.
Previous by Thread:  Re: scan/plugins question, Jay Jacobson
Next by Thread:  Re: scan/plugins question, Jay Jacobson
Indexes:  [Date] [Thread] [Top] [All Lists]