Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. users
Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan
cwu at cticonnect
Dec 31, 2008, 7:25 AM
Post #1 of 10 (11813 views)
Permalink
Hi,

I'm a Nessus newbie, so please excuse my ignorance

I just downloaded the PCI Plug-ins, and got the following error / output on my scan

>>>>>>>>>>>>>>>>>>>

PCI DSS compliance: tests requirements

Synopsis :

Nessus is not properly configured for PCI DSS validation.

Description :

The scan settings did not fulfill the PCI DSS scan validation
requirements. Even if the technical tests passed, this report
may be insufficient to certify this server.

Plugin output :
+ A full TCP scan is required
+ A full UDP scan is required

>>>>>>>>>>>>>>>>>>>

So, in reviewing the documentation, it seems that the place to "configure" this is in Edit Policy -> Options -> Port Scanner range. I've changed the settings on my client from default to 0-65535; that should have all my bases covered. Obviously, I missing something somewhere that's probably extremely trivial, but after re-reading the normal and advanced user guides and searching the knowledge base, I can't find any other mention of such a setting.

Any ideas?

-Charles

This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivery of the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone at 630-344-1586.
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
mikhail at nessus
Jan 1, 2009, 1:18 AM
Post #2 of 10 (11641 views)
Permalink
On Wed, 31 Dec 2008 09:25:40 -0600
"Charles Wu (CTI)" <cwu@cticonnect.com> wrote:

> I've changed the settings on my client from default to 0-65535

1-65535 will be enough.

> Obviously, I missing something somewhere

Did you enable the UDP scanner? As it is slow, it is disable by
default. You have to change its "preferences".

A quicker way is to use a "port enumerator":
http://blog.tenablesecurity.com/2008/09/how-to-perform.html

You can also import the output from nmap -sU -oG ..., or
amap -u -m -o ...
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
david at ombrepixel
Jan 1, 2009, 5:20 AM
Post #3 of 10 (11643 views)
Permalink
> So, in reviewing the documentation, it seems that the place to "configure" this is in Edit Policy -> Options -> Port Scanner range. I've changed the settings on my client from default to 0-65535;

I can`t manage to make Port Scanner range work properly.
Is there anyone here aware about bugs related to this ?

David:
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
welias at conviso
Jan 1, 2009, 10:09 AM
Post #4 of 10 (11641 views)
Permalink
Hi Michel,

How do you make import nmap output?

Tks

2009/1/1 Michel Arboi <mikhail@nessus.org>

> On Wed, 31 Dec 2008 09:25:40 -0600
> "Charles Wu (CTI)" <cwu@cticonnect.com> wrote:
>
> > I've changed the settings on my client from default to 0-65535
>
> 1-65535 will be enough.
>
> > Obviously, I missing something somewhere
>
> Did you enable the UDP scanner? As it is slow, it is disable by
> default. You have to change its "preferences".
>
> A quicker way is to use a "port enumerator":
> http://blog.tenablesecurity.com/2008/09/how-to-perform.html
>
> You can also import the output from nmap -sU -oG ..., or
> amap -u -m -o ...
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>



--

Wagner Elias, CBCP, SANS GIAC, CobiTc, ITILc
Research & Development Manager
Conviso IT Security - http://www.conviso.com.br
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
mikhail at nessus
Jan 1, 2009, 10:16 AM
Post #5 of 10 (11652 views)
Permalink
On Thu, 1 Jan 2009 16:09:40 -0200
"Wagner Elias" <welias@conviso.com.br> wrote:

> How do you make import nmap output?

With the nmap.nasl plugin.
http://www.nessus.org/documentation/index.php?doc=nmap-usage
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
welias at conviso
Jan 1, 2009, 10:45 AM
Post #6 of 10 (11649 views)
Permalink
Tks Michel.

I did not know this technique.



2009/1/1 Michel Arboi <mikhail@nessus.org>

> On Thu, 1 Jan 2009 16:09:40 -0200
> "Wagner Elias" <welias@conviso.com.br> wrote:
>
> > How do you make import nmap output?
>
> With the nmap.nasl plugin.
> http://www.nessus.org/documentation/index.php?doc=nmap-usage
>



--

Wagner Elias, CBCP, SANS GIAC, CobiTc, ITILc
Research & Development Manager
Conviso IT Security - http://www.conviso.com.br
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
theall at tenablesecurity
Jan 2, 2009, 9:42 AM
Post #7 of 10 (11633 views)
Permalink
On Jan 1, 2009, at 8:20 AM, David ROBERT wrote:

>> So, in reviewing the documentation, it seems that the place to
>> "configure" this is in Edit Policy -> Options -> Port Scanner
>> range. I've changed the settings on my client from default to
>> 0-65535;
>
> I can`t manage to make Port Scanner range work properly.

Exactly what sorts of problems are you having? What are you specifying
for the range? [.NB: the lower number in the range should be 1 rather
than 0.]

George
--
theall@tenablesecurity.com



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
david at ombrepixel
Jan 5, 2009, 2:54 AM
Post #8 of 10 (11607 views)
Permalink
>> I can`t manage to make Port Scanner range work properly.

>Exactly what sorts of problems are you having? What are you specifying
>for the range? [.NB: the lower number in the range should be 1 rather
>than 0.]

I did some test again today, maybe this can help you:
Information about this scan :

Nessus version : 3.2.1.1
Plugin feed version : 200901050134
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : ***.***.***.***

WARNING : no port scanner was enabled during the scan. This may
lead to incomplete results

But, I enabled in the option tab of the scan policy:
Safe Check, Nessus TCP Scanner, Ping the remote host
Port scanner range: default

Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Max hosts : 10
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2009/1/5 10:40
Scan duration : 104 sec

Nessus ID : 19506

Here is a copy of what a sent on this list a few weeks ago on my port
scan issues:

============
I only activated the plugin (21643)

Port scanner range : 443
Consider unscanned ports as closed : unchecked
Nessus TCP scanner : Checked
Ping the remote host : Checked

This didn't work, in fact, port scanner range was not taken into account.

The only way I got the scanner to detect port 443 was to check Syn
Scan box. Then, once again, the port scanner range is not taken into
account, but a huge number of ports are scanned (including 443!). The
plugin worked then.
==========

Any help is welcome

David
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
theall at tenablesecurity
Jan 5, 2009, 6:18 PM
Post #9 of 10 (11581 views)
Permalink
On Jan 5, 2009, at 5:54 AM, David ROBERT wrote:

> Nessus version : 3.2.1.1

Which platform?

> WARNING : no port scanner was enabled during the scan. This may
> lead to incomplete results
>
> But, I enabled in the option tab of the scan policy:
> Safe Check, Nessus TCP Scanner, Ping the remote host

"Ping the remote host", while it appears in the client under the list
of portscanners, isn't considered one for the purposes of plugin
#19506, which summarizes scan settings. So the fact that you're
enabling "Nessus TCP Scanner" yet the plugin is saying there's no
portscanner enabled suggests that the TCP scanner plugin is not
available. If you're running under Windows, this is a known limitation
(eg, see Appendix 1 of the 3.2 Installation Guide); otherwise, check
for the existence of "nessus_tcp_scanner.nes" in your plugins
directory or look for error messages in the nessusd.messages file.

George
--
theall@tenablesecurity.com



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus Plug-In Configuration -- is there a setting other than port scanner range that needs to be configured to setup a full TCP / UDP Scan [ In reply to ]
david at ombrepixel
Jan 7, 2009, 8:30 AM
Post #10 of 10 (11562 views)
Permalink
> Still, for increased performance and scan reliability, we recommend that you
> use Nessus Windows on a server product such as Windows 2003 Server.

I just switched to Windows 2003, the behaviour of nessus looks more
reliable (range was taken into account)

However, afer 30 mn of testing and tricking, the "port scanner to
use" in the option tab where all
unselected, (on all the policies, event the default scan policy that I
didn't use).

I check again then the nessus TCP scanner, save and etc. then it stay checked
But, again, Nessus ID : 19506 reports WARNING : no port scanner was
enabled during the scan. This may lead to incomplete results

If I save the session (.nessus) and then re-open the file, the port
scanner to use are then again all unchecked.

I spent a lot of time on this, it's driving me crazy

Anyway, any help welcome, I'm currenlty evaluation solutions, I'd like
to have this one working

David

>
>>> If you're running under Windows, this is a known limitation
>>
>> Does this means that the nessus port scanner is not working on Windows
>> ? Using the SYN scanner doesn't take into account the range port.
>
> I was wrong - apparently, Nessus Windows simulates the presence of the TCP
> scanner but really uses the SYN scanner under the hood.
>
> George
> --
> theall@tenablesecurity.com
>
>
>
>



--
David ROBERT
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal