I've been testing the Nessus scan this morning on our test systems and it worked pretty well. I went through a couple of class C networks in short order and didn't have any problems with the hosts. Even better, I didn't find anything that shouldn't be there so far.
Jason

On Mon, Mar 30, 2009 at 11:26 AM, Paul Asadoorian <[email protected]> wrote:

> > Nmap with no timing options:
> > done: 256 IP addresses (224 hosts up) scanned in 40.38 seconds
> > Nmap with -T5
> > done: 256 IP addresses (224 hosts up) scanned in 8.94 seconds
> > Nessus using the command you sent earlier.
> > 2m36.659s
>
> Oh, i c, you were running Nessus on a 486 right and Nmap on a Core 2 Duo?
> :)
>
> Thanks for the data, I will pass it along.
>
> Cheers,
> Paul
>
> >
> > -jhs
> >
> >
> > On Mar 30, 2009, at 12:40 PM, Paul Asadoorian wrote:
> >
> >> Okay, to better answer your question, the Nmap NSE script checks for:
> >>
> >> * MS08-067, a Windows RPC vulnerability
> >> * Conficker, an infection by the Conficker worm
> >> * Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally
> >> found in Windows 2003
> >>
> >> The NASL script in Nessus only checks for the presence of Conficker
> >> (Conficker responds to certain RPC calls with specific error codes).
> >>
> >> So, if you are scanning a large network (class B for example), I'd lean
> >> towards the Nessus plugin if it's speed you're after. Of course, it's not a
> >> bad idea to check for the MS08-067 vulnerability while you're at it :)
> >>
> >> Also, there is another Nessus plugin that will help detect Conficker:
> >>
> >> http://www.nessus.org/plugins/index.php?view=single&id=35322
> >>
> >> It detects:
> >>
> >> "Regardless of the request that's made, the remote web server returns a
> >> Microsoft executable."
> >>
> >> Which is behavior exhibited by Conficker.A.
> >>
> >> Cheers,
> >> Paul
> >>
> >> Albert R. Campa wrote:
> >>> interesting, so not having looked at this yet, what's the difference
> >>> between that and scanning with Nessus?
> >>>
> >>>
> >>> __________________________________
> >>> Albert R. Campa
> >>>
> >>>
> >>> 2009/3/30 John Sawyer <[email protected]>
> >>>
> >>> The Conficker check is in the latest SVN version of Nmap. It's in
> >>> the smb-check-vulns.nse which now checks for Conficker, MS08-067 and
> >>> a regsvc DoS.
> >>>
> >>> nmap --script smb-check-vulns.nse -p445
> >>>
> >>> For safety's sake, you might want to also run it with
> >>> --script-args=unsafe=1 to prevent possible crashes from the regsvc
> >>> check. That should not turn off the Conficker check.
> >>>
> >>> -jhs
> >>>
> >>> On Mar 30, 2009, at 11:10 AM, Chris Merkel wrote:
> >>>
> >>>> According to this:
> >>>>
> >>>> http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
> >>>>
> >>>> A script should be released today to scan for Conficker-infected
> >>>> machines over the wire.
> >>>>
> >>>> I looked at the NSE portal and haven't seen anything yet - would it
> >>>> show up there, or is there a development site or repository where
> >>>> this will first appear?
> >>>>
> >>>> I'd like to get a scan in before April 1st, when variant C drops.
> >>>>
> >>>> --
> >>>> - Chris Merkel
> >>>>
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> --
> Paul Asadoorian
> PaulDotCom Enterprises
> Web: http://pauldotcom.com
> Phone: 401.829.9552
