
| Subject: | Re: How to use Nessus 3.0.3 (Linux) with Nmap port scanning |
|---|---|
| Date: | Tue, 19 Sep 2006 09:25:42 +0200 |
On Mon Sep 18 2006 at 14:46, Kostadin Kostadinov wrote:

> I am planning to scan with Nessus 3.0.3 from command line using Nmap port scan results but not portscanner of Nessus itself.
I'd like to know why so many people still prefer Nmap to the embedded scanners.

Some people want to scan UDP ports. However, UDP scanning is unreliable, dangerous against broken IP stacks [1] and can be terribly slow [2]. If you really need that, you should consider giving Nessus proper credentials to access the remote machine and use the SNMP or netstat "scanners". They are quick, reliable and not intrusive.

Plus, keep in mind that Nessus will not use the result from the UDP scanner to perform some kind of "find_service". Such a feature is slow and dangerous -- most software that implements a UDP-based protocol either drops packets that it cannot decode or commits seppuku. [3]

As far as TCP scan is concerned... We've tried to achieve a reasonable compromise between speed and accuracy. Until now, nessus_tcp_scanner is quicker than Nmap in most situations. The only case I saw where Nmap could be quicker is with an un-firewalled machine on the LAN. nessus_tcp_scanner will take 5 to 10 seconds to scan 64k ports and Nmap may run in 4. Great. In fact, nessus_tcp_scanner also tries to grab banners (for later service identification): 5 s + 5 s read timeout = 10 s if you are unlucky.

But against a firewalled machine, nessus_tcp_scanner is quicker. Against a BSD, it is quicker again. In some pathological cases [4], we've seen nessus_tcp_scanner run for half an hour whereas Nmap would take days. You may play with the -T options: Nmap will start like a rocket, and then slow down as soon as it starts losing packets. [5]

Why not choose the quicker scanner?

[1] Well... More dangerous than plain TCP scanning. Scanning a machine is always dangerous if it runs broken software. There is no "safe" scanner.

[2] Some OS like Solaris limit ICMP rate to 2 messages per second. You'd need more than 9 hours in the *best* case to scan such a machine. In fact, you'll probably need more than one day.

[3] e.g., amap option "-H" which skips potentially harmful triggers disables all UDP probes.

[4] for example, some vicious IPS, or an IP filter returning ICMP on TCP filtered ports (with ICMP rate limitation of course, otherwise, everything would work fine!).

[5] "nmap -T insane" is quick in all situations, but stresses the remote target and may miss some ports. It is not designed to scan a slow target.

--
http://arboi.da.ru/
http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645 2E1A 1320 924F 0BBA BA91

Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
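The two UDP claims in the reply above (silence is ambiguous, and an ICMP rate limit of 2/s bounds the scan at more than 9 hours for 64k ports) can be checked with a small model. This is an added example, not code from the post or from Nessus: the target host, its open ports and the per-second ICMP limiter are constructed, and the scanner classifies ports the way a probe-and-wait UDP scanner has to.

```python
from collections import Counter

PORT_COUNT = 65535  # the post's "64k ports"


def best_case_udp_scan_hours(closed_ports, icmp_per_sec):
    """Lower bound on UDP scan time: every closed port must answer with one ICMP
    port-unreachable, and the target emits at most icmp_per_sec of them."""
    return closed_ports / icmp_per_sec / 3600


class RateLimitedHost:
    """Constructed target: open UDP services silently drop probes they cannot
    decode (the post's point); closed ports answer with ICMP, capped per second."""

    def __init__(self, open_ports, icmp_per_sec):
        self.open_ports = set(open_ports)
        self.icmp_per_sec = icmp_per_sec
        self._window, self._sent = None, 0

    def probe(self, port, now):
        if port in self.open_ports:
            return "silent"
        window = int(now)                      # one-second rate-limit window
        if window != self._window:
            self._window, self._sent = window, 0
        if self._sent < self.icmp_per_sec:
            self._sent += 1
            return "icmp-unreach"
        return "silent"                        # ICMP suppressed by the limiter


def udp_scan(host, ports, probes_per_sec):
    """One probe per port at a fixed rate. Silence is ambiguous (open|filtered),
    so a scan faster than the ICMP limit reports most closed ports as possibly open.
    Returns (state counts, elapsed seconds)."""
    results = {}
    for i, port in enumerate(ports):
        reply = host.probe(port, now=i / probes_per_sec)
        results[port] = "closed" if reply == "icmp-unreach" else "open|filtered"
    return Counter(results.values()), len(ports) / probes_per_sec


if __name__ == "__main__":
    target = RateLimitedHost(open_ports={53}, icmp_per_sec=2)   # Solaris-like limit
    ports = range(1, 1001)
    print("fast  :", udp_scan(target, ports, probes_per_sec=100))  # 10 s, 980 ambiguous
    print("paced :", udp_scan(target, ports, probes_per_sec=2))    # 500 s, 1 ambiguous
    print(f"64k ports at 2 ICMP/s: >= {best_case_udp_scan_hours(PORT_COUNT, 2):.1f} h")
```

Pacing probes at the limiter's rate removes the ambiguity but costs 500 s for 1000 ports, which scales to the post's 9-hour floor for the full range.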