Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Nessus: users

kind of target's profile

  

 
Nessus users RSS feed   Index | Next | Previous | View Threaded


bfavre at ib-group

Aug 24, 2001, 7:18 AM

Post #1 of 6 (268 views)
Permalink
kind of target's profile
Is there a way to define a target profile ?
For exemple, when I test a web server, that I know is a microsft one, I
enabled only certain plugins.
But if it is an Apache, I have to enable some others.
So i'd like to define, somewhere (?), the plugins that have to be
enabled for the test of M$ IIs, the ones for Apache, the ones for a ftp
server, and so on ...?

Is it possible ?

I think it could take the form of a .nasl plugin that make calls to the
real plugins ...

Any idea would be appreciate !

Thx
Bruno.


quentyn at fotango

Aug 24, 2001, 10:06 AM

Post #2 of 6 (252 views)
Permalink
Re: kind of target's profile [In reply to]
Bruno FAVRE wrote:
>
> Is there a way to define a target profile ?
> For exemple, when I test a web server, that I know is a microsft one, I
> enabled only certain plugins.
> But if it is an Apache, I have to enable some others.
> So i'd like to define, somewhere (?), the plugins that have to be
> enabled for the test of M$ IIs, the ones for Apache, the ones for a ftp
> server, and so on ...?
>
> Is it possible ?
>
> I think it could take the form of a .nasl plugin that make calls to the
> real plugins ...
>
> Any idea would be appreciate !
>
> Thx
> Bruno.


I was thinking about this was well

it would save time when you are trying to repeatedly test servers after
config changes ( differing types)




--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
xenaphobia: The fear of being beaten to a pulp by a leather-clad, New
Zealand woman.


reinke at e-softinc

Aug 24, 2001, 10:25 AM

Post #3 of 6 (252 views)
Permalink
Re: kind of target's profile [In reply to]
This has been hashed through the list a number of times. There are any
number of good reasons why this should not be done. The key one is
that you get a limited saving of time by doing this, and you weaken
the vulnerability test, because you cannot ensure that you have
profiled the target properly.

The question you have to ask yourself is: how do I KNOW for a FACT
that the server is a Microsoft server? By it's TCP/IP fingerprint?
That can be faked. By a web server signature? That can be faked.
By what was there last time you ran the audit? That can be changed.

While it is possible, I would avoid going there. It adds little
real value (IMHO), and it introduces the opportunity to miss holes.

So, ultimately: ask yourself what problem you are trying to solve
by doing this, and then ask if the trade-offs are worth it?

Thomas

quentyn [at] fotango wrote:
>
> Bruno FAVRE wrote:
> >
> > Is there a way to define a target profile ?
> > For exemple, when I test a web server, that I know is a microsft one, I
> > enabled only certain plugins.
> > But if it is an Apache, I have to enable some others.
> > So i'd like to define, somewhere (?), the plugins that have to be
> > enabled for the test of M$ IIs, the ones for Apache, the ones for a ftp
> > server, and so on ...?
> >
> > Is it possible ?
> >
> > I think it could take the form of a .nasl plugin that make calls to the
> > real plugins ...
> >
> > Any idea would be appreciate !
> >
> > Thx
> > Bruno.
>
> I was thinking about this was well
>
> it would save time when you are trying to repeatedly test servers after
> config changes ( differing types)
>
> --
> #####################
> Quentyn Taylor
> Sysadmin - Fotango
> #####################
> xenaphobia: The fear of being beaten to a pulp by a leather-clad, New
> Zealand woman.

--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com


arboi at noos

Aug 24, 2001, 10:50 AM

Post #4 of 6 (250 views)
Permalink
Re: kind of target's profile [In reply to]
Thomas Reinke <reinke [at] e-softinc> writes:

> This has been hashed through the list a number of times.

An overbeaten dead horse...

> The question you have to ask yourself is: how do I KNOW for a FACT
> that the server is a Microsoft server?

And even if you know...
1. When a new attack is discovered, it is not very easy to have the
_exhaustive_ list of all the vulnerable systems
2. It is not easy to have the list of the patches that were applied
on an MS system.
3. A hole which was closed may be opened again by a buggy patch
(did I hear "MS" here?)
4. Nessus has already discovered new vulnerabilities. This happened a
couple of times. If the scanner was limited to _known_ bugs, this
would never happen.
5. and last but not least, only paranoids survive.

> While it is possible, I would avoid going there. It adds little
> real value (IMHO), and it introduces the opportunity to miss holes.
> So, ultimately: ask yourself what problem you are trying to solve
> by doing this, and then ask if the trade-offs are worth it?

Excellent question! Nessus is automated. You launch it, and then go
and drink a couple of coffees. Should it be quicker?

A real example: I launched tonigh a scan against 3 machines at work.
1 WNT4, 1 W2000 and an old and slow Linux box.
The tests (port scan & attacks) against the Doz machines are already
finished, but nmap is still working against the Linux.
The CPU speed does not explain this, it should be over already...
The problem is not Nessus here -- and nmap is definitely a good and
quick port scanner.

PS: I think we should write a FAQ...


arboi at noos

Aug 24, 2001, 11:02 AM

Post #5 of 6 (251 views)
Permalink
Re: kind of target's profile [In reply to]
Steve Halligan <agent33 [at] geeksquad> writes:

> I have found a definite pattern to the speed of a scan.
> It depends on whether "closed" port sends a nack or a fin when
> getting scanned, or it they just sit there silently. In the
> second case Nessus (actually nmap) sits and waits for a timeout.
> If it gets a nack or a fin, it moves right on.

Sure, but in my case, there is no IP filter. The TCP scan was very
quick, but the UDP scan is slowwwww, also the machine answers with
"host unreachable / bad port" messages on closed ports.
Very odd...

--
mailto:arboi [at] bigfoot http://www.bigfoot.com/~arboi/
GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
FAQNOPI de fr.comp.securite : http://www.bigfoot.com/~arboi/secu/FAQNOPI/


woody at callisma

Aug 25, 2001, 12:41 PM

Post #6 of 6 (251 views)
Permalink
RE: kind of target's profile [In reply to]
This might be relevant:

NMAP(1) NMAP(1)


Unfortunately UDP scanning is sometimes painfully
slow since most hosts impliment a suggestion in RFC
1812 (section 4.3.2.8) of limiting the ICMP error
message rate. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable
message generation to 80 per 4 seconds, with a 1/4
second penalty if that is exceeded. Solaris has
much more strict limits (about 2 messages per sec-
ond) and thus takes even longer to scan. nmap
detects this rate limiting and slows down accord-
ingly, rather than flood the network with useless
packets that will be ignored by the target machine.

> -----Original Message-----
> From: owner-nessus [at] raccoon
> [mailto:owner-nessus [at] raccoon]On Behalf Of Michel Arboi
> Sent: Friday, August 24, 2001 11:03 AM
> To: nessus [at] list
> Subject: Re: kind of target's profile
>
>
> Steve Halligan <agent33 [at] geeksquad> writes:
>
> > I have found a definite pattern to the speed of a scan.
> > It depends on whether "closed" port sends a nack or a fin when
> > getting scanned, or it they just sit there silently. In the
> > second case Nessus (actually nmap) sits and waits for a timeout.
> > If it gets a nack or a fin, it moves right on.
>
> Sure, but in my case, there is no IP filter. The TCP scan was very
> quick, but the UDP scan is slowwwww, also the machine answers with
> "host unreachable / bad port" messages on closed ports.
> Very odd...
>
> --
> mailto:arboi [at] bigfoot http://www.bigfoot.com/~arboi/
> GPG Public keys: http://www.bigfoot.com/~arboi/pubkey.txt
> FAQNOPI de fr.comp.securite :
> http://www.bigfoot.com/~arboi/secu/FAQNOPI/
>

Nessus users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.