Re: Port scan causing system crashes

From: Renaud Deraison (deraison@nessus.org)
Date: Thu Jun 12 2003 - 15:01:12 EDT


On Thu, Jun 12, 2003 at 11:55:26AM -0400, Clem Skorupka wrote:

> I had a case where an rpc scan using nessus (I forget the particular module or if it was the nmap precursor scan, this was a couple of years ago) against some large range of ports knocked out an allegro-based embedded web server on a network switch. It didn't crash this particular switch (though one had to reboot the switch in order to bring back the web interface).

The bottom line is that as soon as you start to interfere with another
host, you can never predict how it will react to actions that it has
never been designed to handle, so no scan is totally risk-free[1], and
it's often very hard to find the balance between a 99.9% accurate
security audit and a non-intrusive one. Note that this does not only
affect Nessus+Nmap, but any network vulnerability scanner.

Regarding the port scan itself (which is usually what disrupts the most
services), you may want to try using a SYN scan instead of a full TCP
connect() scanner, this way the remote services will not "know" they are
being scanned and are less likely to crash. But then again, some
printers *hate* SYN scans because their IP stack is poorly written, and
they may crash.

When doing a scan with Nessus for the first time, I recommend the
following settings:

        - Enter "default" as a port range. This will only scan
          ~ 1,500 ports to which services are usually bound
          (this is equivalent to nmap -F)

        - Use the SYN scanner if you know you're testing a box which
          has a decent IP stack (mostly any non-embedded OS should
          withstand that)

        - Enable the "safe checks" options.

        - In Prefs->Services, change the option "Test SSL based
          services" from "All" to "Known SSL ports". When "All" is
          enabled, Nessus attempts to negotiate SSL on every open port, and
          a lot of badly written daemons will hate that (mostly because
          they receive 8bit data and they're not all designed to cope
          with it too well).

If you are scanning an ultra-fragile box, you may also want to:

        - Disable find_service.nes ("Misc.->Services"). This plugin
          attempts to do a Port<->Service mapping as unintrusively
          as possible, but some services may die on that (although it's
          quite rare).

        - Disable port scanning altogether.

But keep in mind that your audit won't be as complete as it could be -
it's all a matter of finding the right balance.

                                -- Renaud

[1] Which is why we are working on a non-intrusive passive
vulnerability scanner for the networks/hosts that can not afford
any disruption.

See http://www.tenablesecurity.com/docs/passive_scanning_tenable.pdf

-- 
Renaud Deraison
The Nessus Project
http://www.nessus.org
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:34 EDT