RE: Questions: nmap, nessus unreliability, setting up a packet capture box, using Impacket

From: Robert E. Lee (robert@dyadsecurity.com)
Date: Mon Apr 26 2004 - 12:25:01 EDT


You have to do your logistics and control testing before launching any
type of massive tool like nessus. Without doing this type of testing
ahead of time, no matter how many times you run any VA tool, your
results will always be incomplete and invalid.
 
Furthermore, I would not recommend using nessus to enumerate
systems/ports/services for you. I would do all of that through other
means for accuracy and completeness and then feed that reconnaissance
data into Nessus (and at least one additional VA tool).

Breaking that stuff away from Nessus allows for MUCH more thorough and
accurate results. It also allows you to do additional researching while
your VA tools hammer away.

For more details of what I'm talking about, pull down the OSSTMM from
http://www.osstmm.org. You can see the Logistics and Control module
from Section C. You'll also find good enumeration techniques here.

TCP syn scanning is really well done with scanrand2 (you can pull down
pre3 from http://www.doxpara.com). I like sing and xprobe for icmp
scanning.

There just isn't a good udp scanner out there yet (because of the nature
of how UDP works), especially for sites that block icmp on egress. The
best thing I've found to do in those situations is to script specific
queries from the well known set of udp based protocols (snmp, dns,
isakmp, ntp, a list of Trojans, etc, etc, etc). For the more exotic port
scanning techniques out there nmap is pretty flexible, but its speed and
interface make it a better checkup tool rather than an enterprise
scanner.

Happy testing,

Robert

-----Original Message-----
From: Brass, Phil (ISS Atlanta) [mailto:PBrass@iss.net]
Sent: Sunday, April 25, 2004 2:17 PM
To: Paul Johnston; pen-test@securityfocus.com
Subject: RE: Questions: nmap, nessus unreliability, setting up a packet
capture box, using Impacket

> 1) How reliable have people here found nmap and nessus to be? I have
> encountered (rare) cases of nmap not finding ports, and also
> of nessus
> not identifying ports during the find_service stage. We hear
> a lot about
> false positives, but it's much harder to notice false negatives.
> Anything that can be done about this?

Assuming that it's not an actual bug in the scanning product, just run
the scan a few times. Take the superset of all scan results. Three or
four times should usually get to the point of diminishing returns as far
as finding new things, unless you've got poorly configured timeouts or
are using more bandwidth than is available...

Phil

------------------------------------------------------------------------
------
Ethical Hacking is a joke. Anyone who sells "Ethical Hacking" classes
is selling garbage.

Mention this ad and get $545 off any course! All of our class sizes are
guaranteed to be 10 students or less to facilitate one-on-one
interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization.

Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:53 EDT