
port specification
I've noticed that when specifying the ports to scan, nessus will accept default, or a list of ports, but will not accept something like "default,1234,2345" which is what I would expect to be able to put in if I wanted to scan all the default ports but wanted to be sure to add a couple of extra ports to the scan. Nessus doesn't like this combination. Does this seem like something nessus should do?

While I'm on the subject of the port specification, I've noticed some strange results (nessus 2.2.2a, so pretty recent). On occasion I've wanted to return to a single port and rescan. So for example the web server is running, so I want to run only the things on 80. (I know that the nasl interpreter allows you to run individual plugins if you can plug the right options in, but that's not convenient to run all CGI Abuse category plugins, for example.) TCP Scanning options is SYN Scan but NMap is selected as the scanner. Optimize checks off, assume other ports closed. So I run the scan, and even though 80 is the only port in the list, and assume other ports closed, 80 doesn't even show up in the results, 53 is the only one that shows up (with some DNS information).

I've had strange results whenever "assume other ports closed" was checked, but it was usually involved in something like netbios where I suppose some other port could have been required to run the test. This one is really blatant, there's no other related port.

Thanks
Re: port specification
On Tue Feb 22 2005 at 00:32, Don Kitchen wrote:

> nessus will accept default, or a list of ports, but will not accept
> something like "default,1234,2345"

This makes the parsing of the port list more complex and is not very
useful, IMHO.

> So I run the scan, and even though 80 is the only port in the list,
> and assume other ports closed, 80 doesn't even show up in the
> results,

It must have been missed by the port scan.

> 53 is the only one that shows up (with some DNS information).

All UDP services will show up: they do not use results from the scan.
Re: port specification

> > nessus will accept default, or a list of ports, but will not accept
> > something like "default,1234,2345"

> This make the parsing of the port list more complex and is not very
> useful, IMHO.

It seems like straightforward preprocessing string substitution, replace
"default" with "1-1024,blah,blah,blah" but I guess if you don't think it's
useful...

> > So I run the scan, and even though 80 is the only port in the list,
> > and assume other ports closed, 80 doesn't even show up in the
> > results,

> It must have been missed by the port scan.

That is exactly the strange part I'm talking about... With nessus set to only
scan port 80 (with nmap, doesn't seem to happen with SYN scan selected
instead) and assume other ports closed, how could the following sequence
occur THREE TIMES for me:

manually check web server, it's running
nessus scan
manually check web server, still running
port 80 doesn't even show up in report, as if port scanner didn't see it.
uncheck "assume other ports closed", press start button again.
nessus scan runs again
manually check web server, still running
port 80 shows up in report this time

I wonder, are there any debugging options that would allow me to easily see
what is going to and from nmap?

Thanks

PS Nmap options are straightforward, SYN scan, Don't randomize, Aggressive.
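The "straightforward preprocessing string substitution" suggested above, written out as an added example that is not from the thread or from Nessus itself. DEFAULT_PORT_SPEC is a constructed placeholder standing in for the scanner's real default list (which the thread does not reproduce); the keyword is substituted exactly once and then the whole list is expanded, de-duplicated and collapsed back into an "a-b,c" string suitable for a scanner command line.

```python
import re
from typing import List, Optional

# Stand-in for Nessus's built-in "default" port list. The thread does not
# reproduce the real list, so this value is a constructed placeholder.
DEFAULT_PORT_SPEC = "1-1024,1433,3306,5432,8080"

_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_port_spec(spec: str, default_spec: Optional[str] = DEFAULT_PORT_SPEC) -> List[int]:
    """Expand a spec such as "default,1234,2345" into a sorted list of
    unique ports. "default" is substituted exactly once, before parsing,
    so the default list itself may not contain the keyword."""
    ports = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate "80,,443" and trailing commas
        if token.lower() == "default":
            if default_spec is None:
                raise ValueError("'default' is not allowed inside the default list")
            ports.update(expand_port_spec(default_spec, default_spec=None))
            continue
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {token!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def to_port_arg(ports: List[int]) -> str:
    """Collapse a port list back into the compact "a-b,c" form that a
    scanner command line (for example nmap -p) accepts."""
    ports = sorted(set(ports))
    chunks, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1  # extend the run while ports are consecutive
        chunks.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(chunks)
```

Rejecting malformed tokens and out-of-range ports up front means a bad spec fails loudly instead of silently producing an empty or wrong port list, which is the kind of surprise the rest of the thread is chasing.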
Re: port specification
On Sun Feb 27 2005 at 04:51, Don Kitchen wrote:

> It seems like straightforward preprocessing string substitution, replace
> "default" with "1-1024,blah,blah,blah" but I guess if you don't think it's
> useful...

If you start adding ports to the "default" list, you'd better give the
full list, no?

> That is exactly the strange part I'm talking about... With nessus set to only
> scan port 80 (with nmap, doesn't seem to happen with SYN scan selected
> instead) and assume other ports closed, how could the following sequence
> occur THREE TIMES for me:

The problem is either with Nmap or the NASL wrapper.
What does nmap give you if you run it by itself?

> PS Nmap options are straightforward, SYN scan, Don't randomize,
> Aggressive.

Try without Aggressive. Normal or "Auto".