Mailing List Archive

Nessus Plug-In Configuration -- Nessus UDP Port Scanner
Per this message from the Nessus archive, it seems that a non-nmap UDP port scanner has been developed and implemented for Nessus.

http://www.mail-archive.com/nessus@list.nessus.org/msg17847.html



So, went to the support site and grabbed the Nessus UDP Port Scanner from the PCI Compliance page, followed the proper instructions to unzip and build the plug-in database, and have the following configuration (see below / attached screen shot)



[attached screenshot: image001.png]



Based on these settings, I am under the impression that I have enabled Nessus to scan BOTH TCP & UDP ports 1-65535 - however, the scan output below states that a full UDP port scan isn't occurring



[attached screenshot: image002.jpg]



Any ideas / thoughts? What am I missing?



-Charles

________________________________
This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivery of the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone at 630-344-1586.
Re: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
In the Advanced tab there is an option under "UDP port scanner (NASL)"
that says "Maximum run time in seconds: 0", are we correct to assume
zero means unlimited, or does it literally mean 0secs, in which case it
would not complete, and that could be Charles' problem.

One of the problems with UDP scans is that they take hours usually, so
it's probably best to do it as a separate process using nmap and rely on
netstat from within Nessus - and/or import the nmap results.

Would that satisfy the PCI dependency, or have we got to use the UDP
plugin or the nmap plugin with UDP scanning enabled?


Charles Wu wrote:
> Per this message from the Nessus archive, it seems that a non nmap UDP
> port scanner has been developed and implemented for Nessus
>
> http://www.mail-archive.com/nessus@list.nessus.org/msg17847.html
>
> So, went to the support site and grabbed the Nessus UDP Port Scanner
> from the PCI Compliance page, followed the proper instructions to unzip
> and build the plug-in database, and have the following configuration
> (see below / attached screen shot)
>
> Based on these settings, I am under the impression that I have enabled
> Nessus to scan BOTH TCP & UDP ports 1-65535 – however, the scan output
> below states that a full UDP port scan isn’t occurring
>
> Any ideas / thoughts? What am I missing?

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
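
Added example (not part of any poster's message, and not Nessus or nmap code): the workflow suggested in the reply above, a separate nmap UDP scan cross-checked against netstat output taken on the target, sketched in Python. The scan line, the netstat rows and all function names are constructed for illustration.

```python
# Constructed sample: one host line of nmap grepable (-oG) output, UDP scan.
NMAP_GREPABLE = ("Host: 192.0.2.10 ()\tPorts: 53/open/udp//domain///, "
                 "123/open|filtered/udp//ntp///, 161/open|filtered/udp//snmp///, "
                 "514/closed/udp//syslog///\tIgnored State: closed (996)")
# Constructed sample: `netstat -an` UDP rows from the target (Linux and Windows layouts).
NETSTAT = """\
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
  UDP    0.0.0.0:5353           *:*
"""
VERDICT = {"open": "confirmed", "open|filtered": "ambiguous"}  # nmap state -> bucket

def nmap_udp_states(grepable):
    """Map UDP port -> nmap state from the 'Ports:' field of -oG output."""
    states = {}
    for line in grepable.splitlines():
        # Lines without a Ports: field yield an empty string and are skipped below.
        ports = line.partition("Ports:")[2].split("\t")[0]
        for entry in ports.split(","):
            f = entry.strip().split("/")
            if len(f) >= 3 and f[2] == "udp" and f[0].isdigit():
                states[int(f[0])] = f[1]
    return states

def netstat_udp_listeners(text):
    """Map UDP port -> local bind address from netstat -an output."""
    listeners = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 2 or not cols[0].lower().startswith("udp"):
            continue
        # Linux rows carry Recv-Q/Send-Q counters before the local address.
        local = cols[3] if cols[1].isdigit() and len(cols) > 3 else cols[1]
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners[int(port)] = addr
    return listeners

def reconcile(grepable, netstat):
    """Bucket listening UDP ports by scan verdict; 'no_listener' holds ports
    the scan did not report closed that have no socket on the host."""
    scan, listen = nmap_udp_states(grepable), netstat_udp_listeners(netstat)
    out = {"confirmed": [], "ambiguous": [], "missed": [], "loopback": []}
    for port, addr in sorted(listen.items()):
        if addr.startswith("127.") or addr == "::1":
            key = "loopback"  # bound locally, never visible to a remote scan
        else:
            key = VERDICT.get(scan.get(port), "missed")
        out[key].append(port)
    out["no_listener"] = sorted(p for p, s in scan.items() if s != "closed" and p not in listen)
    return out
```

`open|filtered` is the state nmap assigns to a UDP port that returned nothing at all, so only the host-side listing can settle whether a service is really there.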
Re: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
On Friday 02 January 2009 14:23:59 Simon John wrote:
> In the Advanced tab there is an option under "UDP port scanner (NASL)"
> that says "Maximum run time in seconds: 0", are we correct to assume
> zero means unlimited, or does it literally mean 0secs, in which case it
> would not complete, and that could be Charles' problem.

No, it defaults to 14440 s = 4 hours.
Re: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
Michel Arboi wrote:
> On Friday 02 January 2009 14:23:59 Simon John wrote:
>> In the Advanced tab there is an option under "UDP port scanner (NASL)"
>> that says "Maximum run time in seconds: 0", are we correct to assume
>> zero means unlimited, or does it literally mean 0secs, in which case it
>> would not complete, and that could be Charles' problem.
>
> No, it defaults to 14440 s = 4 hours.

so on my install the field always says 0, which i guess means that it
will not even start, so you have to fill that field with non-zero?

or does 0 = 4 hours?

--
Simon John
nessus at the-jedi.co.uk

Re: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
On Friday 02 January 2009 15:54:12 Simon John wrote:
> or does 0 = 4 hours?

Any value <= 0 is changed to 14440



RE: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
> In the Advanced tab there is an option under "UDP port scanner (NASL)"
> that says "Maximum run time in seconds: 0", are we correct to assume
> zero means unlimited, or does it literally mean 0secs, in which case it
> would not complete, and that could be Charles' problem.



That "option" doesn't exist for me (see below screen shot) - does that mean that I have improperly installed the UDP port scanner?



[attached screenshot: image002.jpg]





In case the "option name" has changed, here is a listing of the options available to me under my "Advanced Settings" Tab (I clicked "enable all" to make sure I'm not missing anything for now)



- Do not scan fragile devices
- Global variable settings
- HTTP login page
- ICCP/COTP TSAP Addressing
- Login configurations
- Misc information on News server
- Modbus/TCP Coil Access
- PCI DSS compliance
- Ping the remote host
- Port scanners settings
- SMB Scope
- SMB use domain SID to enumerate users
- SMB use host SID to enumerate local users
- SMTP settings
- SNMP settings
- SYN Scan
- Service detection
- Unix Compliance
- Unknown CGIs arguments torture
- Web mirroring
- Windows Compliance Checks
- Windows File Contents Compliance Checks



Just to be sure, here is the process I went through to install the UDP scanner Plug-in



1. Download and unzip .nbin file from Nessus Support Site
2. Copy file into my Nessus\plugins\scripts directory
3. Run the build.exe utility in the Nessus directory to rebuild my plug-in library



After step 3, the UDP Port Scanner (NASL) selection appeared under the Options tab of Edit Policy



I believe I've followed all the steps per documentation, but as these things go, it's always the 1 silly seemingly trivial step missed that turns out to be extremely important



Is there anything you can think of that I could be missing?



> One of the problems with UDP scans is that they take hours usually, so
> it's probably best to do it as a separate process using nmap and rely on
> netstat from within Nessus - and/or import the nmap results.



Yes, I am aware of the nmap plug-in, however, at this point, I am testing functionality for the sake of understanding what does / doesn't work within the Nessus tool - that said, this early in the process, I don't want to point fingers by insinuating that this could be a problem with Nessus; chances are, being a Nessus "newbie" - I would wager that the issues I am experiencing are more to do with configuration and my lack of experience with Nessus than it is to do with an actual bug/problem with the software



> Would that satisfy the PCI dependency, or have we got to use the UDP
> plugin or the nmap plugin with UDP scanning enabled?



It's my understanding that most ASVs using Nessus 2.x actually use Nmap for the TCP/UDP port scans and Nessus for vulnerability...however, one of the reasons why I have been tasked with evaluating Nessus is that we are looking for a simpler and more integrated/elegant way to operate PCI scans (our current implementation is a kludge of the following tools tied together with a variety of scripts)



1. Hping
2. Nmap
3. SuperScan
4. ISS
5. Netcat



That's just for scans - then there's the issue of automating / managing / maintaining compliance with the other 50 or so requirements of PCI...



The concept of having 1 tool (Nessus) integrated with a nice management / automation system (Security Center + PVS + LCE?) that handles everything in a turn-key "single-click" manner is quite appealing - however, before getting enamored with all the "bells and whistles" of the "other stuff", I have to make sure that the core scanning tool (Nessus) works properly for our needs



-Charles







Re: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
On Friday 02 January 2009 18:23:54 Charles Wu (CTI) wrote:

> That "option" doesn't exist for me (see below screen shot)

It is not "portscanners settings". There should be another entry in the menu.

> that I have improperly installed the UDP port scanner?

You won't see the UDP scanner in that case.

I suspect that it times out; or maybe it aborts at once because the target is
firewalled.
Re: Nessus Plug-In Configuration -- Nessus UDP Port Scanner
Michel Arboi wrote:

> I suspect that it times out; or maybe it aborts at once because the target is
> firewalled.

i always thought udp was inherently broken on windows due to bugs in
winsock, surprises me that most of the list seems to be windows users.

i've consistently seen windows portscanners miss udp ports that
nmap/netstat on linux/solaris haven't.

have you tried disabling "ping the remote host" - not just in the
"options" tab, but in the "advanced" tab too - as if the host looks dead
to nessus it will move on - same goes for nmap, if it doesn't respond to
an arp ping, then it thinks it's dead (unless you use -PN).

--
Simon John
nessus at the-jedi.co.uk
