Javier,

Excellent list. Congrats! May I add that Sun Solaris 2.6 and below running the Sunlink service will also fail when running Nessus (even with the safe checks and non-DOS checks enabled). This is not a fault of Nessus, rather a misconfiguration in the inetd.conf (default).

Great job! Might be a good idea to create a web page on Nessus.org with known issues when running Nessus. Overall, I believe that Nessus is an excellent tool (perhaps one of the best open source tools available).

This is my personal professional opinion and does not necessarily reflect the opinions of my employer.

Rafael Rosado, CISSP, CISA
Lucent Technologies
IT Security Manager
Corporate IT Security
2400 SW 145th Avenue
Miramar, Florida 33027
Office: 954-885-2176
Facsimile: 954-885-3861
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 6:24 AM
To: [EMAIL PROTECTED]
Subject: List of Hardware/Software that might crash/fail to work after a Nessus scan

Since this seems to come up fairly often, why not make a list of hardware that seems to break when scanned by Nessus (even when enabling safe_checks and disabling dangerous plugins)?

Let's try this (from recent threads and some googling on DoS vulnerabilities in Bugtraq).

Format: Hardware/software type: problem description

- HP Procurve 4000M switches: meshing information lost, network blackout, will not answer to telnet requests if scanned from the management IP address (BID-4212/CAN-2002-0350).
- Enterasys Networks (formerly Cabletron) SmartSwitch Router 8000 (BID-5703/CAN-2002-1501)
- Thomson SpeedTouch 510 DSL Router: might crash when port scanned (BID-9102)
- HP printers with built-in NICs: print blank pages, in some cases they might crash when being scanned.
- HP-UX, different versions including 11.00: might crash when scanned, also many services might crash: dce service (crashes with msrpc_dcom* plugins), NIS server, NFS, automounter, OVO agents, ecotools...
- IBM's Netview: nvlockd and other daemons of NetView die with core.
- IBM's HACMP (cluster): application might crash when doing a connect scan (code IY23867, BID-3358)
- Compaq TruCluster: might crash when port scanned (BID-3362)
- SGI IRIX IPV6 inetd: might crash when port scanned (BID-8027)
- Caldera OpenServer 5.0.5 and previous: might crash when port scanned (BID-4044)
- Packeteer Packetshaper: tables full, drops traffic.
- AS/400: CPF87D7 ("cannot automatically select virtual device") after an assessment (will show up continuously).
- NAV for Exchange 2000: the embedded web server cannot handle the web plugins.
- Veritas Volume Manager on Solaris: might be crashed because of a port scan.
- SonicWall Pro 100: will die after an Nmap scan
- Checkpoint FW-1 4.1: might be killed (probably by stream.nasl)
- PIX 525 running IOS 6.22.140: killed by WAP discovery NASL
- Allegro-based embedded web server on a network switch: crash after port scan
- Legacy systems such as old MVS (IBM mainframe) systems: might crash when port scanned (see BID-3358)
- Old versions of Solaris: might crash when port scanned
- Data General's Unix (DGUX) 2.x and previous: might crash when port scanned
- Unisys's Clearpath mainframe server: might crash when port scanned (BID-5863)
- DEC UNIX: might crash when port scanned (because of inetd)
- HP Tru64: portmapper might crash when port scanned (BID-7249)
- Symantec pcAnywhere might crash when port scanned (BID-1150)

NOTE (1): Notice that (in general) stateful firewalls might be taxed due to port scanning (needs a state table entry for each port being scanned). Also some systems might not handle port scans properly.

NOTE (2): Many PBX, built up on top of old UNIX versions (such as Nortel Meridian PBX) might crash due to the same reasons as given above.

BTW, a good read (might be eligible to add to the documentation) is Renaud's answer to a post in pen-test:
http://archives.neohapsis.com/archives/sf/pentest/2003-06/0067.html

"The bottom line is that as soon as you start to interfere with another host, you can never predict how it will react to actions that it has never been designed to handle, so no scan is totally risk-free[1], and it's often very hard to find the balance between a 99.9% accurate security audit and a non-intrusive one. Note that this does not only affects Nessus+Nmap, but any network vulnerability scanner."

Feel free to add more information here, we could submit it to the FAQ author/maintainer when finished or to the nessus-core/doc documentation.

Regards

Javi

PS: I've checked also a pen-test thread (http://archives.neohapsis.com/archives/sf/pentest/2003-06/0060.html)

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
