On Mon, Jul 07, 2003 at 02:32:53PM +0200, Michel Arboi wrote:
> Javier Fernandez-Sanguino <[EMAIL PROTECTED]> writes:
>
> > That is not usually the case and most certainly is not when pen-testing.
>
> And even during audits where I had a root access on the target
> machine, I saw some very odd network glitches.
>
> One time, an HTTPS server was identified by find_service as running
> SSL/TLS, but HTTP was missed. This means that the target answered to
> the SSL negotiation and timed out on the HTTP request. Very odd...
This might not even be a network glitch per se - i.e.: if you've been
scanning a host which is low on memory and whose web server has not
been used in years, it has to be loaded from swap and its initial
response may take a lot of time.
> I'm still looking for a smart method to solve this kind of
> problem.
The most obvious is to scan the server twice, so that you know that
every service has now been swapped out.
> Nessus may run like a slug if there are many "silent"
> services or firewalled ports.
Yes and no. There's a balance between speed and accuracy (and
non-intrusiveness). If you routinely scan 20k hosts, then you are
probably interested in a "nearly complete but fast" scan. At the
opposite, if your mission is to audit the computer in the back that
nobody touched this year, you clearly do not have the same goal, in that
case you may want to run a sluggish scan and get everything you can as
non-intrusively as possible, and finally if your goal is to test that
host that will be plugged in the DMZ next week, you probably want to
beat it up and get every bit of information you can against it.
Now Nessus is not a magical elf who can guess what your goal is, and
once again, it needs to be tuned according to your needs, and at the
same time you have to accept its inherent limitations: very fast but
probably victim to network or host glitches, very slow but very
thorough, and so on...
It's a _tool_ and you have to learn how to use it.
-- Renaud
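The "cold service" effect described above (a daemon that answers the TCP handshake but takes longer than the scanner's timeout to produce its first reply, so a single fast pass records the port as silent) and the "scan twice" remedy can be reproduced locally. The following is an added illustration, not code from Nessus or from anyone in this thread: it starts a constructed stand-in server on 127.0.0.1 that delays only its first response, then runs a probe with a short timeout in one pass and in two passes, re-probing in the second pass only the ports that timed out in the first. The server, the `probe` and `scan` helpers and the delay values are all assumptions made for the example.

```python
import socket
import threading
import time


class SlowStartServer:
    """Constructed stand-in for a service that has to be paged in: the first
    connection is answered only after first_delay seconds, later ones at once."""

    def __init__(self, first_delay, banner=b"HTTP/1.0 200 OK\r\n\r\n"):
        self.first_delay = first_delay
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # loopback only, OS-chosen port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._connections = 0
        self._lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self._lock:
            self._connections += 1
            first = self._connections == 1
        try:
            conn.recv(1024)  # wait for the client's request
            if first:
                time.sleep(self.first_delay)  # simulate the swapped-out daemon
            conn.sendall(self.banner)
        except OSError:
            pass  # client gave up and closed; nothing to do
        finally:
            conn.close()

    def close(self):
        self.sock.close()


def probe(host, port, timeout):
    """Send a minimal HTTP request; return the banner bytes, or None if the
    port refused, or answered nothing within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = s.recv(1024)
            return data if data else None
    except OSError:  # socket.timeout and ConnectionRefusedError are OSErrors
        return None


def scan(host, ports, timeout, passes=2):
    """Probe `ports`; ports that stayed silent are re-probed in later passes.
    Returns ({port: (pass_number, banner)}, [ports still silent])."""
    found = {}
    pending = list(ports)
    for n in range(1, passes + 1):
        still_silent = []
        for port in pending:
            banner = probe(host, port, timeout)
            if banner is None:
                still_silent.append(port)
            else:
                found[port] = (n, banner)
        pending = still_silent
        if not pending:
            break
    return found, pending


def demo(timeout=0.5, first_delay=2.0):
    """Run a one-pass and a two-pass scan against two fresh cold servers
    (constructed here) and report what each pass saw."""
    cold_a = SlowStartServer(first_delay)
    cold_b = SlowStartServer(first_delay)
    try:
        found_a, silent_a = scan("127.0.0.1", [cold_a.port], timeout, passes=1)
        found_b, silent_b = scan("127.0.0.1", [cold_b.port], timeout, passes=2)
    finally:
        cold_a.close()
        cold_b.close()
    return {
        "single_pass_found": sorted(found_a),          # [] : the cold port is missed
        "single_pass_silent": silent_a,                # [port]
        "double_pass": {p: n for p, (n, _) in found_b.items()},  # {port: 2}
        "double_pass_silent": silent_b,                # []
    }


if __name__ == "__main__":
    print(demo())
```

The second pass costs one extra connection per silent port, which is the trade-off the message describes: against thousands of hosts that cost is what you skip, against the forgotten box in the corner it is what turns "silent" into "HTTP server found".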