Hi Doug,

Thanks for your comments/suggestion.

> 1) zombie scanning (-sI in nmap) - this is handy for mapping out trust
> relationships in networks that are not well documented. In my role as an
> auditor, I often ask for documentation, and it's almost always lacking :)

Although this feature is good for performing a port scan from a 3rd party,
you can't perform an application audit or vulnerability scan this way. Most
of our customers and Nessus users who want to do this add more scanners.

> 2) very solid os detection - I've found that (within the scope of the
> scanner specifically) that nmap tends to be more accurate on OS detection. I
> realize that nessus has several other mechanisms for this.

OS fingerprinting is debated by lots of people. Nessus adds many other
checks (including credentialed operating system checks and things I've not
seen in any other scanner like Windows OS fingerprinting via RDP) into the
mix.

> 3) scan delay - this might be in there (I thought it was, but can't find it)
> but being able to control the amount of time between each probe of a host is
> a good thing on the scanner side.

Nessus does not have this, but you can control number of checks per host
and the number of simultaneous hosts.

> 4) spoofing/cloaking/hiding/misdirection - one of the issues that I have run
> into is that we have deliberately belligerent employees who will firewall
> their box from the scanners. This always happens on nets with inadequate
> managerial oversight and/or configuration management. The proper solution,
> of course, is to fix these two problems, but this is not always an option
> within my control. Being able to show that a computer is specifically
> blocking the scanner for whatever reason (perhaps because it's
> been compromised) is useful to me.

Nessus can detect a variety of filtering and firewall scenarios, but not
all of them. When performing just a port scan, there are a variety of
ways to hide where you are coming from. However, when performing an audit
of a host, this is much more difficult. Of course for 100% hiding of a
network, passive monitoring is very effective.

> 5) quick and easy command line port scanning - it's really hard to beat
> "nmap myhost" for simplicity, and "nmap -sP mynet" for checking what's out
> there. As nessus moves away from a command line, I find that nmap's ease for
> the seasoned unix administrator makes more sense for many things. Based on
> the help output of the nessus command line, you need a minimum of 7
> arguments to do a batch mode scan. It's not that these are not useful and
> important, but it's also pretty weighty for an everyday tool.

This was one of the biggest reasons we added the nessuscmd command line
tool on both Windows and UNIX systems. You can see an example of this
here: http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html although
it was written when Nessus 3.2 was still beta.

Ron Gula
Tenable Network Security
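An added example, not part of this thread and not Tenable's or Nmap's own code, for the "show that a computer is specifically blocking the scanner" point above: it reads nmap's -oX output and separates hosts that answer probes normally (RST on closed ports), hosts that silently drop every probe, and hosts that reject probes with ICMP unreachables. The sample XML is constructed for the example; the REJECT_REASONS set and the 90% "filtered" threshold are assumptions, not nmap or Nessus defaults.

```python
"""Triage nmap XML output for hosts that are blocking the scanner.

Per host, count port states and nmap's "reason" field.  A host with nothing
listening still answers SYN probes with RST ("closed"/"reset"); a host that has
firewalled the scanner drops them ("filtered"/"no-response") or, with a reject
rule, answers with ICMP unreachables ("admin-prohibited" and friends).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of `nmap -oX` output (no real scan; addresses are the
# RFC 5737 documentation range). 192.0.2.1 behaves normally, 192.0.2.2 drops
# every probe, 192.0.2.3 rejects one port with ICMP admin-prohibited.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.0.2.0/30">
 <host><status state="up" reason="arp-response"/>
  <address addr="192.0.2.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
   <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
   <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
  </ports>
 </host>
 <host><status state="up" reason="arp-response"/>
  <address addr="192.0.2.2" addrtype="ipv4"/>
  <ports>
   <extraports state="filtered" count="997">
    <extrareasons reason="no-responses" count="997"/>
   </extraports>
   <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
   <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
   <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
  </ports>
 </host>
 <host><status state="up" reason="arp-response"/>
  <address addr="192.0.2.3" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="filtered" reason="admin-prohibited"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
   <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
  </ports>
 </host>
</nmaprun>
"""

# nmap reason strings produced by ICMP unreachable replies, i.e. an active
# REJECT somewhere between scanner and host (assumed set; extend as needed).
REJECT_REASONS = {
    "admin-prohibited", "host-prohibited", "net-prohibited",
    "port-unreach", "host-unreach", "net-unreach",
}


def summarize_host(host_el, filtered_threshold=0.9):
    """Return per-host counts and a verdict: responsive, dropping, rejecting."""
    addr_el = host_el.find("address")
    status_el = host_el.find("status")
    addr = addr_el.get("addr") if addr_el is not None else "?"
    up_reason = status_el.get("reason") if status_el is not None else "unknown"

    states, reasons = Counter(), Counter()
    for port in host_el.iter("port"):
        st = port.find("state")
        states[st.get("state")] += 1
        reasons[st.get("reason")] += 1
    # Ports nmap folded into <extraports> still count: that is usually where
    # the 990-odd "filtered" ports of a dropping host end up.
    for extra in host_el.iter("extraports"):
        states[extra.get("state")] += int(extra.get("count", "0"))
        for er in extra.iter("extrareasons"):
            reasons[er.get("reason")] += int(er.get("count", "0"))

    probed = sum(states.values())
    rejects = sum(n for r, n in reasons.items() if r in REJECT_REASONS)
    filtered_frac = states["filtered"] / probed if probed else 0.0

    if probed == 0:
        verdict = "no-ports-scanned"
    elif rejects:
        verdict = "rejecting"          # someone answered with ICMP unreachables
    elif filtered_frac >= filtered_threshold:
        verdict = "dropping"           # probes silently black-holed
    else:
        verdict = "responsive"
    return {
        "addr": addr, "up_reason": up_reason,
        "open": states["open"], "closed": states["closed"],
        "filtered": states["filtered"], "rejects": rejects,
        "verdict": verdict,
    }


def analyze(xml_text, filtered_threshold=0.9):
    """Map address -> summary for every host in an nmap XML document."""
    root = ET.fromstring(xml_text)
    out = {}
    for host_el in root.iter("host"):
        s = summarize_host(host_el, filtered_threshold)
        out[s["addr"]] = s
    return out


if __name__ == "__main__":
    for s in analyze(SAMPLE_NMAP_XML).values():
        print(f"{s['addr']:<12} up:{s['up_reason']:<13} open={s['open']} "
              f"closed={s['closed']} filtered={s['filtered']} "
              f"rejects={s['rejects']}  -> {s['verdict']}")
```

Run it against `nmap -oX scan.xml ...` output instead of the sample to get the same table. A "dropping" verdict on its own can also mean an upstream firewall or a dead address, so the `up_reason` field matters: a host that answered ARP on the local segment but drops every TCP probe is present and is the one doing the blocking, which is the evidence the auditor above wants.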

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
