On Jun 23, 2008, at 3:21 PM, Roman Medina-Heigl Hernandez wrote:
I'm trying to scan a host with the default policy. The host is alive
and
responding to pings. I got no results when scanning with Nessus 3.2.0
(Windows). Looking at scan.log (in he "logs" dir), I can see a
"remote host
is dead". But my question is why? If I run nmap against the host, I
can see
unprivileged ports open (>1024) and of course it's responding to
ping. I
also entered 1-65535 in "port scanner range".
Hi Roman.
Is the remote host a printer or some type of multifunction device? By
default, Nessus will try to identify hosts that are and mark them as
dead because many such devices don't react very well to scanning, even
a basic port scan. If so, you can edit the scan policy and check "Scan
Network Printers" (look on the "Advanced" tab, under "Do not scan
fragile devices").
Also, Nessus doesn't use ICMP pings by default but instead sends TCP
pings to a limited number of ports. You could either choose to do an
ICMP ping or make sure that one of the TCP ports you know to be open
is included in the list of TCP ports to be pinged (look under the
"Advanced" tab, under "Ping the remote host", "TCP ping destination
port(s)"). Or you can disable the Ping port scan altogether.
Another question, how could I debug this? If I enable the option to
"save a
packet capture of the scan", I couldn't find any new log on logs dir
(where
should it be placed?)
Unfortunately, Nessus Windows does not have support for saving packet
captures. I suppose the alternate approach would be to use Wireshark
alongside Nessus to see what's being sent and what's coming back. If
my comments above don't help, that is.
Hope this helps,
George
--
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
