On Mon Sep 18 2006 at 14:46, Kostadin Kostadinov wrote:
> I am planning to scan with Nessus 3.0.3 from the command line using Nmap
> port scan results but not the portscanner of Nessus itself.

I'd like to know why so many people still prefer Nmap to the embedded scanners.

Some people want to scan UDP ports. However, UDP scanning is unreliable, dangerous against broken IP stacks [1] and can be terribly slow [2]. If you really need that, you should consider giving Nessus proper credentials to access the remote machine and use the SNMP or netstat "scanners". They are quick, reliable and not intrusive.

Plus, keep in mind that Nessus will not use the result from the UDP scanner to perform some kind of "find_service". Such a feature is slow and dangerous -- most software which implements a UDP-based protocol either drops packets that it cannot decode or does seppuku. [3]

As far as TCP scan is concerned... We've tried to achieve a reasonable compromise between speed and accuracy. Until now, nessus_tcp_scanner is quicker than Nmap in most situations. The only case I saw where Nmap could be quicker is with an un-firewalled machine on the LAN. nessus_tcp_scanner will take 5 to 10 seconds to scan 64k ports and Nmap may run in 4. Great. In fact, nessus_tcp_scanner also tries to grab banners (for later service identification): 5 s + 5 s read timeout = 10 s if you are unlucky.

But against a firewalled machine, nessus_tcp_scanner is quicker. Against a BSD, it is quicker again. In some pathological cases [4], we've seen nessus_tcp_scanner run for half an hour whereas Nmap would take days. You may play with the -T options: Nmap will start like a rocket, and then slow down as soon as it starts losing packets. [5]

Why not choose the quicker scanner?

[1] Well... More dangerous than plain TCP scanning. Scanning a machine is always dangerous if it runs broken software. There is no "safe" scanner.

[2] Some OSes like Solaris limit the ICMP rate to 2 messages per second. You'd need more than 9 hours in the *best* case to scan such a machine. In fact, you'll probably need more than one day.

[3] e.g., amap option "-H", which skips potentially harmful triggers, disables all UDP probes.

[4] for example, some vicious IPS, or an IP filter returning ICMP on TCP filtered ports (with ICMP rate limitation of course, otherwise, everything would work fine!).

[5] "nmap -T insane" is quick in all situations, but stresses the remote target and may miss some ports. It is not designed to scan a slow target.

--
http://arboi.da.ru/
http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645 2E1A 1320 924F 0BBA BA91

_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
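As an added illustration of the two points made above (the credentialed netstat "scanner" as the alternative to UDP port scanning, and footnote [2] on ICMP rate limiting), here is a small Python example. It is not code from the original post or from Nessus: it parses a constructed, Linux-style `netstat -an` listing as a credentialed check might retrieve it, separates network-reachable listeners from loopback-only ones, and gives the lower bound on UDP scan time implied by an ICMP rate limit. The netstat column layout and the sample lines are assumptions, not taken from the post.

```python
from dataclasses import dataclass

# Constructed sample in Linux `netstat -an` layout (assumed format, not
# Nessus output). TCP rows carry a State column; UDP rows do not.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 :::123                  :::*
"""


@dataclass(frozen=True)
class Listener:
    proto: str        # "tcp" or "udp" (v6 variants are folded in)
    port: int
    local_only: bool  # bound to loopback only: not reachable over the network


def _split_addr(addr):
    # Split on the last ':' so IPv6 forms such as ':::80' parse correctly.
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return the set of bound sockets that correspond to listening services."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto = fields[0][:3]
        host, port = _split_addr(fields[3])
        if proto == "tcp":
            # Only LISTEN sockets are services; ESTABLISHED etc. are clients.
            if len(fields) < 6 or fields[5] != "LISTEN":
                continue
        # A bound UDP socket has no state column; treat every one as a service,
        # which is exactly what a UDP port scan could never tell reliably.
        local_only = host in ("127.0.0.1", "::1")
        listeners.add(Listener(proto, port, local_only))
    return listeners


def network_reachable(listeners):
    """Sorted (proto, port) pairs a remote scanner could ever observe."""
    return sorted((l.proto, l.port) for l in listeners if not l.local_only)


def udp_scan_hours(n_ports, icmp_per_second, retries=0):
    """Simplistic lower bound on UDP scan duration against a host that rate
    limits ICMP port-unreachable replies: each closed port needs one reply,
    plus one more per retransmission.  With 65536 ports and 2 replies per
    second this is about 9.1 hours, matching footnote [2]."""
    return n_ports * (1 + retries) / icmp_per_second / 3600


if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    print("network-reachable services:", network_reachable(found))
    print("loopback-only:", sorted((l.proto, l.port) for l in found if l.local_only))
    print("UDP scan of 64k ports at 2 ICMP/s: %.1f h" % udp_scan_hours(65536, 2))
```

The netstat route needs credentials on the target, but it answers the question a UDP scan cannot (is anything bound to that port?) in one read, with no probe traffic and no dependence on the target's ICMP behaviour.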
