The way we have built our scanning cluster is to use nmap to do an initial portscan of each host, and then use the IPs in a list form to pass to nessus.
Tim

On Wed, Mar 19, 2003 at 11:48:13AM -0300, [EMAIL PROTECTED] wrote:
> Hi,
>
> Thkz again for help.
>
> I tried to ping the port 80 that is open in my remote host, see:
>
> # telnet www.host.com 80
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> HTTP/1.1 404 Object Not Found
> Server: Microsoft-IIS/4.0
> Date: Sat, 19 Apr 2003 11:33:50 GMT
> Content-Type: text/html
> Content-Length: 102
>
> <html><head><title>Error</title></head><body>The system cannot find the file
> specified. </body></html>Connection closed by foreign host.
>
> The port is Open. :)
>
> I put it in my /root/.nessurc
>
> # This file was automagically created by nessus
> trusted_ca = /usr/local/com/nessus/CA/cacert.pem
> nessusd_host = xxx.xxx.xxx.xxx
> nessusd_user = armando
> paranoia_level = 3
> begin(SCANNER_SET)
> 10796 = yes
> 10180 = yes
> 10331 = yes
> 10335 = yes
> 10336 = yes
> end(SCANNER_SET)
>
> begin(PLUGIN_SET)
> 10747 = yes
> 11187 = yes
> 10277 = yes
> 10715 = yes
> 10949 = yes
> 10973 = yes
> 10974 = yes
> 10975 = yes
> 10976 = yes
> Several plugins....
> end(PLUGIN_SET)
>
> begin(SERVER_PREFS)
> max_hosts = 30
> max_checks = 10
> log_whole_attack = yes
> report_killed_plugins = yes
> cgi_path = /cgi-bin:/scripts
> port_range = 1-1700
> optimize_test = yes
> language = english
> per_user_base = /usr/local/var/nessus/users
> checks_read_timeout = 5
> delay_between_tests = 1
> non_simult_ports = 139, 445
> plugins_timeout = 320
> safe_checks = yes
> auto_enable_dependencies = yes
> use_mac_addr = no
> save_knowledge_base = yes
> kb_restore = no
> only_test_hosts_whose_kb_we_dont_have = no
> only_test_hosts_whose_kb_we_have = no
> kb_dont_replay_scanners = no
> kb_dont_replay_info_gathering = no
> kb_dont_replay_attacks = no
> kb_dont_replay_denials = no
> kb_max_age = 864000
> plugin_upload = no
> plugin_upload_suffixes = .nasl
> admin_user = root
> end(SERVER_PREFS)
>
> begin(PLUGINS_PREFS)
> HTTP NIDS evasion[checkbox]:Use HTTP HEAD instead of GET = no
> HTTP NIDS evasion[radio]:URL encoding = none
> HTTP NIDS evasion[radio]:Absolute URI type = none
> HTTP NIDS evasion[radio]:Absolute URI host = none
> HTTP NIDS evasion[checkbox]:Double slashes = no
> HTTP NIDS evasion[radio]:Reverse traversal = none
> HTTP NIDS evasion[checkbox]:Self-reference directories = no
> HTTP NIDS evasion[checkbox]:Premature request ending = no
> HTTP NIDS evasion[checkbox]:CGI.pm semicolon separator = no
> HTTP NIDS evasion[checkbox]:Parameter hiding = no
> HTTP NIDS evasion[checkbox]:Dos/Windows syntax = no
> HTTP NIDS evasion[checkbox]:Null method = no
> HTTP NIDS evasion[checkbox]:TAB separator = no
> HTTP NIDS evasion[checkbox]:HTTP/0.9 requests = no
> Test HTTP dangerous methods[checkbox]:Integrist test = no
> NIDS evasion[radio]:TCP evasion technique = none
> NIDS evasion[checkbox]:Send fake RST when establishing a TCP connection = no
> Libwhisker options[radio]:IDS evasion technique: = X (none)
> Login configurations[entry]:FTP account : = anonymous
> Login configurations[password]:FTP password (sent in clear) : = [EMAIL PROTECTED]
> rg
> Login configurations[entry]:FTP writeable directory : = /incoming
> Misc information on News server[entry]:From address : = Nessus <[EMAIL PROTECTED]
> sbl.org>
> Misc information on News server[entry]:Test group name regex : = f[a-z]\.tests?
> Misc information on News server[entry]:Max crosspost : = 7
> Misc information on News server[checkbox]:Local distribution = yes
> Misc information on News server[checkbox]:No archive = no
> Ping the remote host[entry]:TCP ping destination port(s) : = 80
> Ping the remote host[checkbox]:Do a TCP ping = yes
> Ping the remote host[checkbox]:Do an ICMP ping = no
> Ping the remote host[entry]:Number of retries (ICMP) : = 10
> Ping the remote host[checkbox]:Make the dead hosts appear in the report = yes
> RedHat 6.2 inetd[radio]:Testing method = quick and dirty
> SMB Scope[checkbox]:Request information about the domain = yes
> SMB use host SID to enumerate local users[entry]:Start UID : = 1000
> SMB use host SID to enumerate local users[entry]:End UID : = 1020
> SMB use domain SID to enumerate users[entry]:Start UID : = 1000
> SMB use domain SID to enumerate users[entry]:End UID : = 1020
> SMTP settings[entry]:Third party domain : = nessus.org
> SMTP settings[entry]:From address : = [EMAIL PROTECTED]
> SMTP settings[entry]:To address : = [EMAIL PROTECTED]
> Web mirroring[entry]:Number of pages to mirror : = 25
> Web mirroring[entry]:Start page : = /
> Default accounts[entry]:Simultaneous connections : = 10
> Services[entry]:Network connection timeout : = 5
> Services[entry]:Network read/write timeout : = 5
> Services[entry]:Wrapped service read timeout : = 2
> Services[radio]:Test SSL based services = All
> Services[checkbox]:Quick SOCKS proxy checking = yes
> FTP bounce scan[entry]:FTP server to use : = localhost
> ftp writeable directories[radio]:How to check if directories are writeable : = Trust the permissions (drwxrwx---)
> Brute force login (Hydra)[entry]:Number of simultaneous connections : = 4
> Brute force login (Hydra)[checkbox]:Brute force telnet = no
> Brute force login (Hydra)[checkbox]:Brute force FTP = no
> Brute force login (Hydra)[checkbox]:Brute force POP3 = no
> Brute force login (Hydra)[checkbox]:Brute force IMAP = no
> Brute force login (Hydra)[checkbox]:Brute force cisco = no
> Brute force login (Hydra)[checkbox]:Brute force VNC = no
> Brute force login (Hydra)[checkbox]:Brute force SOCKS 5 = no
> Brute force login (Hydra)[checkbox]:Brute force rexec = no
> Brute force login (Hydra)[checkbox]:Brute force NNTP = no
> Brute force login (Hydra)[checkbox]:Brute force HTTP = no
> Brute force login (Hydra)[checkbox]:Brute force ICQ = no
> Brute force login (Hydra)[checkbox]:Brute force PCNFS = no
> Brute force login (Hydra)[checkbox]:Brute force SMB = no
> Nmap[radio]:TCP scanning technique : = connect()
> Nmap[checkbox]:UDP port scan = no
> Nmap[checkbox]:RPC port scan = no
> Nmap[checkbox]:Ping the remote host = no
> Nmap[checkbox]:Identify the remote OS = no
> Nmap[checkbox]:Use hidden option to identify the remote OS = no
> Nmap[checkbox]:Fragment IP packets (bypasses firewalls) = no
> Nmap[checkbox]:Get Identd info = no
> Nmap[radio]:Port range = User specified range
> Nmap[checkbox]:Do not randomize the order in which ports are scanned = yes
> Nmap[entry]:Source port : = any
> Nmap[radio]:Timing policy : = Normal
> Whisker[radio]:Method: = 1 HEAD method (default)
> Whisker[radio]:Alternate database format: = X standard
> Whisker[checkbox]:Brute force usernames via directories = no
> HTTP NIDS evasion[entry]:Force protocol string : =
> Login configurations[entry]:HTTP account : =
> Login configurations[password]:HTTP password (sent in clear) : =
> Login configurations[entry]:NNTP account : =
> Login configurations[password]:NNTP password (sent in clear) : =
> Login configurations[entry]:POP2 account : =
> Login configurations[password]:POP2 password (sent in clear) : =
> Login configurations[entry]:POP3 account : =
> Login configurations[password]:POP3 password (sent in clear) : =
> Login configurations[entry]:IMAP account : =
> Login configurations[password]:IMAP password (sent in clear) : =
> Login configurations[entry]:SMB account : =
> Login configurations[password]:SMB password (sent in clear) : =
> Login configurations[entry]:SMB domain (optional) : =
> Login configurations[entry]:SNMP community (sent in clear) : =
> Services[file]:SSL certificate : =
> Services[file]:SSL private key : =
> Services[password]:PEM password : =
> Services[file]:CA file : =
> Brute force login (Hydra)[file]:Logins file : =
> Brute force login (Hydra)[file]:Passwords file : =
> Brute force login (Hydra)[entry]:Web page to brute force : =
> Nmap[entry]:Data length : =
> Nmap[entry]:Ports scanned in parallel =
> Nmap[entry]:Host Timeout (ms) : =
> Nmap[entry]:Min RTT Timeout (ms) : =
> Nmap[entry]:Max RTT Timeout (ms) : =
> Nmap[entry]:Initial RTT timeout (ms) =
> Nmap[entry]:Minimum wait between probes (ms) =
> Nmap[file]:File containing nmap's results : =
> Whisker[file]:script database: =
> Whisker[file]:Password file: =
> end(PLUGINS_PREFS)
>
> begin(SERVER_INFO)
> server_info_nessusd_version = 1.2.7
> server_info_libnasl_version = 1.2.7
> server_info_libnessus_version = 1.2.7
> server_info_thread_manager = fork
> server_info_os = Linux
> server_info_os_version = 2.4.18-k6
> end(SERVER_INFO)
>
> begin(RULES)
> end(RULES)
>
> OK, I set TCP PING = yes and port to 80, it must work, but when I exec:
>
> nessus xxx.xxx.xxx.xxx 3001 armando mypass host-to-test.txt result.html -T html
>
> Then when I open result.html I have:
>
> Nessus Scan Report
> This report gives details on hosts that were tested and issues that
> were found. Please follow the recommended steps and procedures to
> eradicate these threats.
>
> Scan Details
> Hosts which where alive and responding during test 1
> Number of security holes found 0
> Number of security warnings found 0
>
> Host List
> Host(s) Possible Issue
> 255.255.255.255 Security note(s) found
>
> [ return to top ]
>
> Analysis of Host
> Address of Host Port/Service Issue regarding Port
> 255.255.255.255 general/tcp Security notes found
> Type Port Issue and Fix
> Informational general/tcp The remote host is considered as dead - not scanning
>
> Does someone know what is wrong?
>
> Thkz a lot.
>
> Regards.
>
> [ ]'s
>

-- 
Tim Sailer <[EMAIL PROTECTED]>
Application Services
Information Technology Division
Brookhaven National Laboratory
(631) 344-3001
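The nmap-first workflow from the reply (portscan each host, hand nessus only the IPs that answered), as an added example that is not code from the original thread. The nmap grepable output is a constructed sample; the nmap/nessus flags in scan_range are assumptions about the nmap 3.x and nessus 1.2 command lines of the time, and NESSUS_PASS is an assumed environment variable.

```shell
#!/bin/sh
# Added example (not from the original thread): an initial nmap portscan whose
# live hosts become the host list passed to nessus. Keeping only hosts that
# answered on some TCP port avoids "remote host is considered as dead" when
# ICMP is filtered but a service (here port 80) is reachable.

# Constructed sample of nmap -oG (grepable) output. Real output separates the
# fields with tabs; awk treats tabs and spaces alike, so spaces are used here.
SAMPLE_GNMAP='# Nmap 3.20 scan initiated (constructed sample)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///  Ignored State: closed (1698)
Host: 192.0.2.11 ()  Status: Up
Host: 192.0.2.11 ()  Ports: 25/filtered/tcp//smtp///  Ignored State: closed (1699)
Host: 192.0.2.12 ()  Status: Down
Host: 192.0.2.13 ()  Ports: 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///  Ignored State: closed (1698)
# Nmap run completed'

# live_hosts: read -oG lines on stdin; print one IP per line for every host
# with at least one port in state "open". A "Status: Up" line alone is not
# enough, and a host showing only filtered ports is dropped. Duplicates removed.
live_hosts() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2
            split($0, half, "Ports: ")
            ports = half[2]
            sub(/[ \t]*Ignored State:.*/, "", ports)
            # each entry is port/state/proto//service///; keep the host on any "open"
            m = split(ports, entry, ", ")
            for (i = 1; i <= m; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") { print ip; break }
            }
        }' | sort -u
}

# count_live_hosts: how many hosts of the sample would be passed on to nessus.
count_live_hosts() {
    printf '%s\n' "$SAMPLE_GNMAP" | live_hosts | wc -l | tr -d ' '
}

# scan_range: the whole pipeline for one target range. Port range 1-1700, the
# connect() scan and nessusd port 3001 mirror the quoted config; "-P0" is the
# nmap 3.x no-ping flag and "-q" the nessus client's batch mode (assumptions).
scan_range() {
    range=$1; nessusd=$2; user=$3
    nmap -sT -P0 -p 1-1700 -oG - "$range" | live_hosts > hosts-to-test.txt
    [ -s hosts-to-test.txt ] || { echo "no live hosts in $range" >&2; return 1; }
    nessus -q "$nessusd" 3001 "$user" "$NESSUS_PASS" hosts-to-test.txt result.html -T html
}
```

Run with `printf '%s\n' "$SAMPLE_GNMAP" | live_hosts` to see the two hosts (192.0.2.10 and 192.0.2.13) that would reach nessus; the host with only a filtered port and the one that never answered are left out.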
