
Re: Remote host dead?

Subject: Re: Remote host dead?
Date: Tue, 24 Jun 2008 00:39:46 +0200
George A. Theall wrote:
> On Jun 23, 2008, at 3:21 PM, Roman Medina-Heigl Hernandez wrote:

>> I'm trying to scan a host with the default policy. The host is alive
>> and responding to pings. I got no results when scanning with Nessus
>> 3.2.0 (Windows). Looking at scan.log (in the "logs" dir), I can see a
>> "remote host is dead". But my question is why? If I run nmap against
>> the host, I can see unprivileged ports open (>1024) and of course it's
>> responding to ping. I also entered 1-65535 in "port scanner range".

> Hi Roman.

Hello,

> Is the remote host a printer or some type of multifunction device? By
> default, Nessus will try to identify hosts that are and mark them as
> dead because many such devices don't react very well to scanning, even
> a basic port scan. If so, you can edit the scan policy and check "Scan
> Network Printers" (look on the "Advanced" tab, under "Do not scan
> fragile devices").

No, it's not a multifunction device. Anyway, I had also thought of that 
possibility, and had done the following: I created a new policy and marked 
the two checks: scan network printer and novell netware hosts. I chose the 
new policy and rescanned, with no luck. Btw, the "do not scan fragile 
devices" will only appear if you create a new policy. Why doesn't it appear 
when editing default scan policy?

> Also, Nessus doesn't use ICMP pings by default but instead sends TCP
> pings to a limited number of ports. You could either choose to do an
> ICMP ping or make sure that one of the TCP ports you know to be open
> is included in the list of TCP ports to be pinged (look under the
> "Advanced" tab, under "Ping the remote host", "TCP ping destination
> port(s)"). Or you can disable the Ping port scan altogether.

I disabled the ping scan and it didn't work either. But... I reenabled ping
and checked ICMP ping in advanced options, and now it worked!! I suppose that
Nessus marks a host as dead if all tests failed, and now that ICMP ping is
being checked, the host is no longer marked as dead... is it right?

Anyway, I'm still a bit confused because, leaving only the "Nessus TCP
scanner" option marked (thus ping scanner disabled) and changing "port
scanner range" from "default" to 1-65535, the host is still being marked as
dead. What's the exact algorithm to mark a host as dead? And why are those
ports not being used by the TCP scanner?

>> Another question, how could I debug this? If I enable the option to
>> "save a packet capture of the scan", I couldn't find any new log on
>> logs dir (where should it be placed?)


> Unfortunately, Nessus Windows does not have support for saving packet
> captures. I suppose the alternate approach would be to use Wireshark
> alongside Nessus to see what's being sent and what's coming back. If
> my comments above don't help, that is.

Ok, I'll try it. Thanks for your comments, they are helpful.

> Hope this helps,
>
> George

-- 

Regards,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
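
The TCP-ping behaviour discussed in this thread, as an added troubleshooting sketch that is not part of the original messages and is not Nessus's own algorithm: it probes a list of "ping" ports, classifies each answer, and lists the known-open ports the ping list never touches. The function names, the sample port lists and the liveness rule (any SYN/ACK or RST counts as alive) are assumptions made for illustration.

```python
import errno
import socket

def classify(rc):
    """Map a connect_ex() result to what the target's TCP stack did."""
    if rc == 0:
        return "open"        # SYN/ACK came back
    if rc == errno.ECONNREFUSED:
        return "closed"      # RST came back: nothing listening, host is up
    return "filtered"        # timeout or unreachable: no usable answer

def probe(host, port, timeout=2.0):
    """TCP connect probe of one port (unprivileged stand-in for a TCP ping)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return classify(s.connect_ex((host, port)))

def host_alive(results):
    """Assumed liveness rule: any answer (open or closed) means alive."""
    return any(state != "filtered" for state in results.values())

def missed_ports(ping_ports, known_open):
    """Known-open ports (e.g. from nmap) that the ping list never touches."""
    return sorted(set(known_open) - set(ping_ports))

if __name__ == "__main__":
    # Constructed values: substitute the policy's real "TCP ping destination
    # port(s)" setting and the ports nmap reported open on the target.
    TARGET = "127.0.0.1"
    PING_PORTS = [22, 80, 443]
    KNOWN_OPEN = [8080, 9090]

    results = {p: probe(TARGET, p) for p in PING_PORTS}
    for port, state in sorted(results.items()):
        print(f"{TARGET}:{port} -> {state}")
    print("alive by TCP ping:", host_alive(results))
    print("open ports not in ping list:", missed_ports(PING_PORTS, KNOWN_OPEN))
```

If every ping port comes back "filtered" while the missed list is non-empty, a firewall is dropping the probes and the open ports are simply not being asked; adding one of them to the ping list or enabling ICMP ping changes the verdict.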
