Mailing List Archive

Server Ident (was: New features in Nessus 1.3.0...)
Quoting Javier Fernández-Sanguino Peña <jfernandez@germinus.com>:

> I'm aware of the problems using banners, there are also issues regarding
> port-redirection, NAT, etc. that might taint the view. However, you
> misinterpreted me. This would not be a test to run others, it would be a
> "do_it_when_all_tests_are_done" and would just try to determine what's
> behind a given IP address. No need for an "ignore host" since I'm not
> talking about a test that uses this information (at the moment :) and if
> there was then this test should not run in the ACT_END phase.

I'm a bit slow, but I'm with you now ;)

That's a decent idea... attempting to ident the remote machine based on the
other test results (it would have to be weighted, I am assuming). We could also
consider adding an xprobe/xprobe2 plugin (it seems to do a good job) along
with the nmap ident.
Re: Server Ident (was: New features in Nessus 1.3.0...)
On Thursday 07 November 2002 10:24 am, sullo@cirt.net wrote:
> That's a decent idea... attempting to ident the remote machine based on
> the other test results (it would have to be weighted, I am assuming).
> We could also consider adding an xprobe/xprobe2 plugin (it seems to
> do a good job) along with the nmap ident.

If anyone cares, that's exactly how we do this :) We added a dozen or so
plugins whose only job is to obtain more data to help with that phase.
The system is implemented outside of Nessus and already has a nice-sized
library of signatures. Matches are done based on probability, with the
highest ranked match being assigned to that host. Since firewalls change
the fingerprint so much, there should probably be a separate section
which identifies the firewall device itself (result would be: "Windows NT
4.0 via Raptor Firewall" or "OpenBSD via Unknown Packet Filter", etc).

-HD
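An added example of the probability-ranked matching described in the post above (not code from the thread, from Nessus, or from the system HD describes): several plugin observations are scored against a signature library with per-kind weights, and a host whose application-layer evidence disagrees with its stack-layer evidence is reported "via" a suspected packet filter. Signatures, weights and the sample observations are constructed.

```python
# Weighted OS identification from several scanner plugins' observations.
# Added example; signatures, weights and observations are all constructed.

# Trust per observation kind: banners are trivially edited, so stack
# behaviour outweighs an HTTP header; an SMB native-OS string weighs most.
WEIGHTS = {"ttl": 1.0, "tcp_window": 1.5, "http_server": 1.0, "smb_native_os": 3.0}
STACK = {"ttl", "tcp_window"}            # answered by a filtering device too
APP = {"http_server", "smb_native_os"}   # comes from the host behind it

SIGNATURES = {  # constructed library: OS name -> {kind: accepted values}
    "Windows NT 4.0": {"ttl": {128}, "tcp_window": {8192},
                       "http_server": {"Microsoft-IIS/4.0"},
                       "smb_native_os": {"Windows NT 4.0"}},
    "OpenBSD": {"ttl": {64}, "tcp_window": {16384}, "http_server": {"Apache"}},
    "Linux 2.4": {"ttl": {64}, "tcp_window": {5840}, "http_server": {"Apache"}},
}

def score(signature, observations):
    """Matched weight / total weight over kinds the signature defines AND a
    plugin actually observed, so a plugin that returned nothing is neutral."""
    matched = total = 0.0
    for kind, accepted in signature.items():
        if kind in observations:
            total += WEIGHTS[kind]
            matched += WEIGHTS[kind] if observations[kind] in accepted else 0.0
    return matched / total if total else 0.0

def best(observations, kinds=None):
    """Top-ranked signature over a subset of kinds, or None when tied."""
    sub = {k: v for k, v in observations.items() if kinds is None or k in kinds}
    ranked = sorted(((score(SIGNATURES[n], sub), n) for n in SIGNATURES), reverse=True)
    (s1, n1), (s2, _) = ranked[0], ranked[1]
    return (n1, s1) if s1 > s2 else (None, s1)

def identify(observations):
    """Assign the highest-probability OS; report a suspected filter on disagreement."""
    host, confidence = best(observations, APP)
    if host is None:                     # app layer ambiguous: use everything
        host, confidence = best(observations)
    if host is None:
        return "unknown", 0.0
    stack, _ = best(observations, STACK)
    stack_only = {k: v for k, v in observations.items() if k in STACK}
    if stack and stack != host and score(SIGNATURES[host], stack_only) < 0.5:
        return f"{host} via unknown packet filter (stack resembles {stack})", confidence
    return host, confidence

# Constructed sample: NT 4.0 services seen through a firewall whose own stack answers probes.
BEHIND_FIREWALL = {"ttl": 64, "tcp_window": 16384,
                   "http_server": "Microsoft-IIS/4.0", "smb_native_os": "Windows NT 4.0"}
```

The scores are proportions of matched evidence, not calibrated probabilities; a lone TTL match still reports 1.0, so a real engine would also weight by how much evidence was available.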
Re: Server Ident (was: New features in Nessus 1.3.0...)
H D Moore wrote:

>On Thursday 07 November 2002 10:24 am, sullo@cirt.net wrote:
>
>>That's a decent idea... attempting to ident the remote machine based on
>>the other test results (it would have to be weighted, I am assuming).
>>We could also consider adding an xprobe/xprobe2 plugin (it seems to
>>do a good job) along with the nmap ident.
>>
>
>If anyone cares, that's exactly how we do this :) We added a dozen or so
>
(...)
And they can be found at..... ?

Javi
Re: Server Ident (was: New features in Nessus 1.3.0...)
On Thursday 07 November 2002 01:55 pm, Javier Fernández-Sanguino Peña wrote:
> >If anyone cares, that's exactly how we do this :) We added a dozen or
> > so
> And they can be found at..... ?

$ ssh 127.0.0.1 ;)

Seriously, we haven't provided these plugins to the rest of the community
because we really didn't think anyone else had a use for them. For
example, one of the plugins tries to get the OS name from the Compaq Web
Management agent. They really aren't vulnerabilities per se and require
both our assessment engine and the rules library for them to be any use.
If Nessus goes in this direction, we can start contributing rules and
plugins, but until then they are kind of useless to everyone else.

-HD