Mailing List Archive

Port range
Hello,

I am having a question concerning port scan range...
How can I define that I want to scan this port with UDP and not TCP?
Actually, by default... it scans it using TCP.

Thanks.
Re: Port range
nexact wrote:
> Hello,
>
> I am having a question concerning port scan range...
> How can I define that I want to scan this port with UDP and not TCP?
> Actually, by default... it scans it using TCP.
>

A short question, but one that deserves a long response.

Until recently, Nessus did not have a UDP port scanner. Tenable made one
available to Nessus Professional Feed users as part of our PCI package,
which has a requirement to perform full UDP port scans as well. Of course,
we highly recommend that users perform port scans with credentialed
access.

If you absolutely have to perform a network scan with UDP, there is an
nbin available on the Tenable Customer Portal. Once this scanner is
installed, you can create a scan policy that only enables this UDP
port scanner and then the port scan range that you choose will be
performed by this nbin.

UDP scanning is very unreliable. The service fingerprinting in Nessus
may actually find more open UDP ports than a vanilla port scan. If you
read this blog for example:

http://blogs.securiteam.com/index.php/archives/1152

You'll see that the user tried several different tools and Nessus (without
the actual UDP Port Scanner nbin) found more open UDP ports than GFI or
NMAP. I doubt that if this person re-did their scan with the UDP port
scanner, they would have found more ports.

If readers are curious why UDP port scanning is so unreliable, it is
because you have to play a guessing game and many Linux OSes will limit
their responses to UDP packets so your scan rate is intolerably slow.
And by a guessing game in order to see if a port is open, you need to
send in a UDP packet. If you get an ICMP response, you know the port
is open. If you don't get a response, the port might be open, or a
firewall could have dropped you, or the network could have dropped you,
or the kernel could have dropped you and on and on.

This was actually one of the reasons we developed the Passive
Vulnerability Scanner. Being able to sniff a network 24x7 and see what
services (TCP and UDP) are running from both a client and server
perspective is very accurate and has no impact on the network.

Ron Gula
Tenable Network Security
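The guessing game and the rate-limit effect described in the reply above, as an added, constructed model that is not code from the thread, from Nessus or from Tenable. It sends no packets: it maps the possible outcomes of one UDP probe to the states scanners such as Nmap report, and estimates the wall-clock floor imposed by a target that throttles ICMP errors. The 1 error/second default is an assumption matching the Linux icmp_ratelimit default of 1000 ms; the sample probe results are constructed.

```python
# Constructed model of UDP probe outcomes and the ICMP rate-limit effect.
# Nothing here touches the network; all inputs are embedded sample data.
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProbeResult:
    port: int
    reply: Optional[str]  # "udp", "icmp-port-unreach", "icmp-admin-prohib" or None


def classify(result: ProbeResult) -> str:
    """Map one probe outcome to the state a scanner would report."""
    if result.reply == "udp":
        return "open"                 # the service itself answered
    if result.reply == "icmp-port-unreach":
        return "closed"               # ICMP type 3 code 3: nothing is listening
    if result.reply == "icmp-admin-prohib":
        return "filtered"             # ICMP type 3 code 13: a filter answered
    # Silence is the ambiguous case: open and quiet, or dropped by a
    # firewall, the network, or the target's ICMP rate limiter.
    return "open|filtered"


def summarize(results):
    """Count ports per state; the 'open|filtered' bucket is the guessing game."""
    return Counter(classify(r) for r in results)


def min_scan_seconds(closed_ports: int, icmp_errors_per_second: float = 1.0) -> float:
    """Lower bound on scan time against a host that throttles ICMP errors.
    A closed port is only confirmed by one ICMP error, so a host emitting at
    most N errors per second needs closed_ports / N seconds. The default of
    1.0/s is an assumption (Linux icmp_ratelimit = 1000 ms); tune per platform."""
    if icmp_errors_per_second <= 0:
        raise ValueError("rate must be positive")
    return closed_ports / icmp_errors_per_second


# Constructed sample: a handful of probe outcomes against one host.
SAMPLE = [
    ProbeResult(53, "udp"),                  # DNS answered the query
    ProbeResult(123, None),                  # NTP: no reply at all
    ProbeResult(161, None),                  # SNMP: agent ignored the payload
    ProbeResult(9999, "icmp-port-unreach"),  # nothing listening
    ProbeResult(69, "icmp-admin-prohib"),    # blocked by a firewall rule
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    # A full 65535-port sweep of a mostly closed host at 1 ICMP error/s:
    print(f"{min_scan_seconds(65000) / 3600:.1f} hours minimum")
```

Two of the five sample ports land in "open|filtered", and 65000 closed ports at one ICMP error per second is roughly 18 hours before any retries, which is the slowness the reply describes.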

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus