Scanning policy
Hello,

We have a machine that is running a database on a non-common port;
however, we are scanning with the common-port policy.
I would like to know, is there some way that would allow Nessus to
detect these non-common ports?

My other option is to run an all-port scan that will reach the database on
the non-common port, but... how will Nessus handle that?
Will Nessus fingerprint the service and then scan it for known
vulnerabilities, or will it skip it?

Thanks for your answer!
Re: Scanning policy
On Nov 12, 2008, at 3:32 PM, nexact wrote:

> We have a machine that is running a database on a non-common
> port; however, we are scanning with the common-port policy.
> I would like to know, is there some way that would allow
> Nessus to detect these non-common ports?

The answer depends to some extent on how the database service reacts
and how you're configuring your scan. [Not to mention, of course, the
port range that you specify.]

On the one hand, Nessus has a couple of general service detection
plugins. They work by looking for spontaneous banners or by sending
something relatively harmless like an HTTP GET or 'HELP' to the port
and reading a response. If a service responds to one of these probes,
we can often identify the service without taking the actual port
number into consideration. MySQL and to some extent PostgreSQL work
like this.

On the other, we have some plugins that try to detect specific
applications, including database services like Oracle, DB2, MSSQL, and
Firebird. They work by sending packets that try to do something like
simulate a login and then make sure the response looks "ok". These
plugins are generally coded such that they look for a service only on
its well-known port(s) by default, although they will also check on
any open port with an unidentified service if the 'Thorough tests'
option is enabled. Note that enabling 'Thorough tests' entails some
risk, though, since some services react poorly when they are sent data
that appear to them to be malformed.

> My other option is to run an all-port scan that will reach the database
> on the non-common port, but... how will Nessus handle that?
> Will Nessus fingerprint the service and then scan it for
> known vulnerabilities, or will it skip it?

Are you able to do a credentialed scan? That would likely be the
safest and most reliable.

Otherwise, if Nessus identifies the service, it should run the
associated plugins against that service regardless of which port it's on.

George
--
theall@tenablesecurity.com
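
The two detection mechanisms George describes, worked through as an added example. This is not code from the post and not Nessus's own plugin code: it is a small in-process simulation in which "listeners" either volunteer a banner on connect (as MySQL does) or answer harmless probes (an HTTP GET, a PostgreSQL StartupMessage, 'HELP'), and the recogniser matches the response without looking at the port number. The second half shows the port-selection rule for an application-specific plugin: its well-known port by default, plus every open port whose service is still unidentified when 'Thorough tests' is on. The MySQL handshake bytes and PostgreSQL messages are constructed from the public protocol layouts, not captured from a real server; the default-port table (1433, 1521, 50000, 3050) is my assumption, since the post does not list them.

```python
"""Port-independent service detection plus 'thorough tests' port selection.
Added illustration only; all listeners below are simulated in-process."""
import re
import struct
from typing import Callable, Dict, List, Optional


# --- Recognisers applied to any response, regardless of port --------------

def parse_mysql_greeting(data: bytes) -> Optional[str]:
    """Return the server version if `data` is a MySQL v10 handshake packet:
    3-byte LE payload length, 1-byte sequence id, 0x0a, NUL-terminated version."""
    if len(data) < 6:
        return None
    length = int.from_bytes(data[:3], "little")
    body = data[4:4 + length]
    if len(body) != length or body[0] != 10:
        return None
    end = body.find(b"\x00", 1)
    if end < 0 or not re.fullmatch(rb"\d+\.\d+\.\d+[\x20-\x7e]*", body[1:end]):
        return None
    return body[1:end].decode("ascii")


def pg_startup_message(user: bytes = b"nessus") -> bytes:
    """Harmless PostgreSQL StartupMessage (protocol 3.0, a single 'user' param)."""
    body = struct.pack("!I", 196608) + b"user\x00" + user + b"\x00\x00"
    return struct.pack("!I", 4 + len(body)) + body


def looks_like_postgres(resp: bytes) -> bool:
    """PostgreSQL replies to a startup packet with AuthenticationRequest ('R')
    or ErrorResponse ('E'); both are a tag byte plus a big-endian int32 length."""
    if len(resp) < 5 or resp[:1] not in (b"R", b"E"):
        return False
    length = struct.unpack("!I", resp[1:5])[0]
    return 4 <= length <= len(resp) - 1


def recognise(resp: bytes) -> Optional[str]:
    if parse_mysql_greeting(resp):
        return "mysql"
    if resp.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"HTTP/1\.[01] \d{3}", resp):
        return "http"
    if looks_like_postgres(resp):
        return "postgresql"
    return None


# --- Simulated listeners (constructed sample data, not real captures) ------

def mysql_greeting(version: bytes = b"5.0.51a") -> bytes:
    body = (bytes([10]) + version + b"\x00" + struct.pack("<I", 42)
            + b"A" * 8 + b"\x00" + struct.pack("<H", 0xA20F) + b"\x08"
            + struct.pack("<H", 2) + b"\x00" * 13 + b"B" * 12 + b"\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body


def pg_responder(probe: bytes) -> bytes:
    if probe[4:8] == struct.pack("!I", 196608):           # a real StartupMessage
        return b"R" + struct.pack("!II", 8, 3)            # AuthenticationCleartextPassword
    return b"E" + struct.pack("!I", 12) + b"SFATAL\x00\x00"  # ErrorResponse to junk


def http_responder(probe: bytes) -> bytes:
    return b"HTTP/1.0 200 OK\r\n\r\n" if probe.startswith(b"GET ") else b""


def silent_responder(probe: bytes) -> bytes:
    return b""


class FakeListener:
    def __init__(self, banner: bytes = b"",
                 responder: Callable[[bytes], bytes] = silent_responder):
        self.banner, self.responder = banner, responder


PROBES = [b"GET / HTTP/1.0\r\n\r\n", pg_startup_message(), b"HELP\r\n"]


def identify(listener: FakeListener) -> str:
    """Generic detection: spontaneous banner first, then harmless probes."""
    if listener.banner and (name := recognise(listener.banner)):
        return name
    for probe in PROBES:
        if name := recognise(listener.responder(probe)):
            return name
    return "unknown"


def identify_all(host: Dict[int, FakeListener]) -> Dict[int, str]:
    return {port: identify(l) for port, l in host.items()}


# --- App-specific plugin: well-known port by default, more when thorough ---
# Assumed default ports for the app checks; the post does not list them.
WELL_KNOWN = {"mssql": {1433}, "oracle": {1521}, "db2": {50000}, "firebird": {3050}}


def ports_for_app_plugin(app: str, identified: Dict[int, str], thorough: bool) -> List[int]:
    targets = {p for p in WELL_KNOWN[app] if p in identified}       # open well-known ports
    if thorough:                                                     # plus unidentified open ports
        targets |= {p for p, svc in identified.items() if svc == "unknown"}
    return sorted(targets)


SAMPLE_HOST = {                      # constructed target, open ports only
    13306: FakeListener(banner=mysql_greeting()),   # MySQL on a non-common port
    15432: FakeListener(responder=pg_responder),    # PostgreSQL, needs a probe
    8080: FakeListener(responder=http_responder),
    1433: FakeListener(),                           # open but silent
    9999: FakeListener(),                           # open but silent
}

if __name__ == "__main__":
    found = identify_all(SAMPLE_HOST)
    print(found)
    print("mssql plugin, default: ", ports_for_app_plugin("mssql", found, False))
    print("mssql plugin, thorough:", ports_for_app_plugin("mssql", found, True))
```

Note that the PostgreSQL listener is identified by the very first probe: a server that receives an HTTP GET as a startup packet answers with an ErrorResponse, which is itself a fingerprint. The silent ports 1433 and 9999 are exactly the ones an app plugin only reaches when 'Thorough tests' is enabled, which is where the risk George mentions lives: the probe sent there is a fake login that a fragile service may not tolerate.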



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus