1

I want to know, when scanning using Nessus, though it is said to be non-intrusive by default: how do the use / definition or the testing conditions mentioned in the plugin-id affect the outcome of the scan? Do these conditions or tests or checks make the scan more intrusive in some way, i.e. sending crafted packets? For e.g., when the plugin-id checks for a default password, does this change its definition of scanning / enumerating ports alone?

I have a recent example, where the gmond service (port 8649) crashed as a result of scanning. It came to light that the service / port received non-service traffic / data, and as a result its CPU consumption went to 100%. So, if it's just a non-intrusive port scanner, how did it result in crashing the service on the remote host? It certainly is able to generate packets / data as well.

Actually, is it fair to say that Nessus uses Nmap scans / port scanning results for services and versions of different applications to give a verdict on their vulnerable state, or does it make use of plugin-ids and other information to conclude, giving confidence marks on how vulnerable the particular service may be? (More checks > same results -> higher degree of confidence.)

I would appreciate it if someone can help me understand what actually goes on inside the Nessus core logic when it comes to making judgements / calls on such matters (vulnerable vs not vulnerable).

Saladin
  • I am not sure what you are asking. Are you asking how Nessus scans, or about what scans may be intrusive? – GdD May 09 '14 at 15:18
  • Asking if plugin properties make the scan intrusive, rather than it being just a TCP scanner. – Saladin May 09 '14 at 19:43

2 Answers

2

Nessus isn't a TCP scanner. Nmap is a scanner which finds open ports; Nessus is a vulnerability assessment tool which first uses a scanner to find open TCP and UDP ports, then performs tests on the services found. Some of the tests it can do are intrusive and should only be chosen after looking at the risks.

GdD
  • Tenable enterprise users can use Nessus scanners to perform TCP and UDP scans. (I am unsure if the free version has this capability) Although it does not have the range of options available with NMAP. – TheJulyPlot Aug 07 '17 at 12:17
  • This question and the answers may be a bit out of date @TheJulyPlot, as they are from 2014. – GdD Aug 07 '17 at 12:19
  • Ahh yes.. I did not notice that. – TheJulyPlot Aug 07 '17 at 12:20
0

Basically as @GdD said.

Nessus makes use of port scanners / assessment tools (you can configure it to do TCP ACK, SYN, ACK-SYN scans as well as UDP or ICMP scans) to detect which ports on the machine are open, and then the family of plugins you configured is tested against the recognized services.

The word 'intrusive' is a little wishy-washy, since some very fragile system can be DoS'ed by just scanning with a portscanner.

e.g. I get these warnings on my embedded device when port scanning with Nessus:

E:SMI_TCP_GETRMHDR: Unexpected record size!
E:SMI_TCP_GETRMHDR: Unexpected record fragment!

...And I even managed to crash my device with Nessus when it tested if a DoS vuln of the FTPS server was persistent (it was^^).

So, calling a scan "intrusive" depends on how you configured it. Some plugins may be more intrusive than others - although on a hardened system none should have any serious effects.

There may be one exception to this: the Nessus HTTP fuzzer. Since it fuzzes multiple destinations and tests the methods and some specially crafted URLs with multiple methods (GET, POST, PUT, DELETE..), it may, if your webserver is configured badly or uses a bad lib, be considered intrusive.

So.. you may want to sanitize your machine-to-be-scanned prior to letting Nessus scan it, in such cases. It may not be the wisest move to have your live production environment be fuzzed by Nessus..!

greetings, Gewure

Gewure