Mailing List Archive

Command line report export
I was wondering if there was a way to run a nessus scan from start to end
using the command-line. I need to script the running of a nessus scan on a
regular basis and it would be nice to kick it off at the command-line and
then have the results exported as an HTML file to a desired location at
the end.

Also, is it possible to import the results of an NMAP scan into nessus to
avoid having to double scan hosts? Seems like a waste if I've already
scanned 65535 ports using NMAP.

Thanks,

Chris

----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

Correspondence with the above-mentioned sender via e-mail is for information purposes only. This medium may not be used for the exchange of legally binding communications.
----------------------------------------

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Command line report export
from `nessus --help`:

Batch-mode scan:
nessus -q [-pPS] <host> <port> <user> <pass> <targets-file> <result-file>

The batch mode (-q) arguments are :
-----------------------------------
host : nessusd host
port : nessusd host port
user : user name
pass : password
targets : file containing the list of targets
result : name of the file where
nessus will store the results

General options :
-v : shows version number
-h : shows this help
-T : Output format: 'nbe', 'nsr', 'html', 'nessus' or 'txt'
-V : make the batch mode display status messages
to the screen.
-x : override SSL "paranoia" question preventing nessus from
checking certificates.





christopher.riley@r-it.at
Sent by: nessus-bounces@list.nessus.org
08/29/2008 11:36 AM

To
nessus@list.nessus.org
cc

Subject
Command line report export






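A scheduler wrapper around the batch mode shown above, as an added example and not code from the list or from Nessus itself: it composes the `nessus -q ... -T html` command from the synopsis in the help text, writes the targets file, checks the exit status and moves the report to the desired location. The nessusd hostname, the `scanbot` account and the report paths are placeholders; that `-T` and `-x` precede the positional batch arguments is assumed from the synopsis, and 1241 is nessusd's default port.

```python
"""Unattended Nessus batch-mode scan that exports an HTML report.

Added example built on the ``nessus -q`` synopsis quoted in the reply; the
hostnames, account and paths used below are placeholders.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

NESSUSD_PORT = 1241                                      # nessusd's default port
REPORT_FORMATS = ("nbe", "nsr", "html", "nessus", "txt")  # values listed for -T


def build_batch_argv(host: str, port: int, user: str, password: str,
                     targets_file: str, result_file: str,
                     report_format: str = "html",
                     skip_cert_question: bool = False) -> List[str]:
    """Compose argv for ``nessus -q [-pPS] host port user pass targets result``.

    Options (-T, -x) are placed before the positional batch arguments.  -x skips
    the interactive SSL "paranoia" question, which a cron job cannot answer, but
    per the help text it also stops the client from checking the nessusd
    certificate: complete that trust step once interactively and leave -x off
    wherever you can.
    """
    if report_format not in REPORT_FORMATS:
        raise ValueError(f"unsupported -T value {report_format!r}; use one of {REPORT_FORMATS}")
    argv = ["nessus", "-q", "-T", report_format]
    if skip_cert_question:
        argv.append("-x")
    # Batch mode takes the password as a positional argument, so it is visible
    # in the process list to other local users while the scan runs.  Run this
    # under a dedicated, low-privilege scan account on a locked-down host.
    argv += [host, str(port), user, password, targets_file, result_file]
    return argv


def write_targets(targets: List[str], path: Path) -> Path:
    """Write one target per line, dropping blanks and duplicates (order kept)."""
    seen: List[str] = []
    for t in targets:
        t = t.strip()
        if t and t not in seen:
            seen.append(t)
    if not seen:
        raise ValueError("no targets to scan")
    path.write_text("\n".join(seen) + "\n")
    return path


def run_batch_scan(targets: List[str], destination: str, host: str, user: str,
                   password: str, port: int = NESSUSD_PORT,
                   workdir: Optional[str] = None, dry_run: bool = False) -> List[str]:
    """Scan ``targets`` and move the HTML report to ``destination``.

    Returns the argv used (pass it through redact_argv before logging).
    With dry_run=True the targets file is written but nothing is executed.
    """
    wd = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="nessus-batch-"))
    wd.mkdir(parents=True, exist_ok=True)
    targets_file = write_targets(targets, wd / "targets.txt")
    result_file = wd / "result.html"
    argv = build_batch_argv(host, port, user, password,
                            str(targets_file), str(result_file))
    if dry_run:
        return argv
    subprocess.run(argv, check=True)          # non-zero exit -> CalledProcessError
    if not result_file.is_file():
        raise RuntimeError("nessus exited 0 but produced no result file")
    dest = Path(destination)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(result_file), str(dest))
    return argv


def redact_argv(argv: List[str]) -> List[str]:
    """Copy of argv with the positional password blanked, safe for a log line."""
    out = list(argv)
    out[-3] = "<redacted>"   # positional order: host port user pass targets result
    return out


if __name__ == "__main__":
    cmd = run_batch_scan(["192.0.2.10", "192.0.2.11"], "/var/reports/nessus/weekly.html",
                         host="nessusd.example.internal", user="scanbot",
                         password="<password>", dry_run=True)
    print(" ".join(redact_argv(cmd)))
```

Drop `dry_run=True` and call `run_batch_scan` from cron (or a systemd timer) to get the weekly HTML report into place; the wrapper fails loudly on a non-zero exit or a missing result file instead of silently leaving a stale report behind.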
Re: Command line report export
Thanks for the feedback Mike. For some reason the Windows command-line
(nessuscmd.exe --help) doesn't seem to have the same options. I'll have to
move this over to a Linux box and do some more research. Any idea on
importing the NMAP scan output?

Thanks,

Chris



mike.sleeper@srs.gov@inet
02.09.2008 13:36

To
christopher.riley@r-it.at
Cc
nessus@list.nessus.org, nessus-bounces@list.nessus.org
Subject
Re: Command line report export







Re: Command line report export
On Friday 29 August 2008 17:36:53 christopher.riley@r-it.at wrote:
> Also, it is possible to import the results of an NMAP scan into nessus to
> avoid having to double scan hosts ?

Yes, but what's the use of running Nmap first? Nessus scanners are quicker.
Re: Command line report export
The nmap.nasl plugin can handle your nmap desires. You can find it at
http://www.nessus.org/documentation/index.php?doc=nmap-usage which is also
the first link out of googling "nmap nessus"

As for the command line scan, I forget exactly how it's done, but I believe
you can do this.

On Fri, Aug 29, 2008 at 8:36 AM, <christopher.riley@r-it.at> wrote:




--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
Re: Command line report export
I guess it's a personal choice, but mainly as we're using the NMAP Service
Discovery and comparing them against the Nessus results to make sure that
we're covering everything. Plus NMAP gives a lot more options on how we
scan than Nessus does (it is a specific scanning tool after all).

Chris



mikhail@nessus.org@inet
02.09.2008 14:25

To
nessus@list.nessus.org
Cc
christopher.riley@r-it.at
Subject
Re: Command line report export






Re: Command line report export
On Tuesday 02 September 2008 14:52:12 christopher.riley@r-it.at wrote:
> I guess it's a personal choice, but mainly as we're using the NMAP Service
> Discovery and comparing them against the Nessus results to make sure that
> we're covering everything.

If you import Nmap results into Nessus and disable all other portscanners to
save bandwidth, the probability that you discover a new open port is exactly
0. What's the use of comparing?

> Plus NMAP gives a lot more options on how we scan

Are they useful?
If yes, maybe we can add them to Nessus.
Re: Command line report export
On Tuesday 02 September 2008 13:47:00 christopher.riley@r-it.at wrote:
> Any idea on importing the NMAP scan output ?

The latest version of nmap.nasl can import greppable format (nmap -oG ....) on
Windows too.
http://www.nessus.org/documentation/index.php?doc=nmap-usage
http://www.nessus.org/documentation/nmap.nasl
Re: Command line report export
Not quite what I was getting at. Let me explain.

We are aiming to complete a NMAP scan (TCP and UDP) and store this in a
structured database as well as grepable output. We would then like to
import the grepable nmap output into Nessus and have Nessus restrict its
scans to only those ports that NMAP has found to be open. This then
prevents Nessus scanning 65535 ports, but still gives us a comparison
between the NMAP and Nessus service discovery. Once the NMAP and Nessus
scans are finished we will output the report to HTML and process this to
compare it with previous results. I know it's not a perfect option, but
we've been asked to look at it as a possibility instead of commercial
options.

@Raleel, thanks for the link. One of our guys here was looking at the NASL
plugin option but couldn't get it to import through a command-line. I'll
have to take another look though as it seems he's not been looking too
hard for a solution.




mikhail@nessus.org@inet
02.09.2008 15:00

To
christopher.riley@r-it.at
Cc
nessus@list.nessus.org
Subject
Re: Command line report export






RE: Command line report export
Just my two cents, so feel free to ignore.

If you are wanting to compare the two results I would think you would want
to have nmap do its port scan, nessus do one, and compare the results of the
two. I haven't checked so much with port scans, but I know from personal
experience that when using nmap for host discovery and nessus scanning the
same network:

1. mostly they have the same results
2. some systems found by nmap are not found by nessus
3. some systems found by nessus are not found by nmap
4. some systems are found by neither

I don't have a reason for the above to be the case, it is simply what I have
observed. Consequently I run both nmap and nessus and compare the results of
the two. It is the closest I can get to a view of what is really on the
network.

Tim Doty

-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org]
On Behalf Of christopher.riley@r-it.at
Sent: Tuesday, September 02, 2008 8:16 AM
To: mikhail@nessus.org
Cc: nessus@list.nessus.org
Subject: Re: Command line report export

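Chris's plan (import greppable nmap output, restrict Nessus to the ports nmap found open, then compare the two service-discovery results) and Tim's host-by-host comparison above can both be scripted. This is an added example, not code from the thread, from nmap or from nmap.nasl: it parses `-oG` lines into per-host open-port sets, derives the targets file and TCP port list to hand to Nessus, and diffs two scanners' results. The nmap scan data is constructed, and the Nessus result dictionary is a stand-in for whatever you extract from the exported report; how the port list is fed to Nessus is not shown here.

```python
"""Parse nmap greppable (-oG) output, derive Nessus inputs, diff two scanners.

Added example; the scan data below is constructed, not output of a real scan.
"""
import re
from typing import Dict, List, Set, Tuple

PortKey = Tuple[str, int]              # (protocol, port number)
Discovery = Dict[str, Set[PortKey]]    # host -> open ports

# Constructed sample in nmap's -oG layout: tab-separated "Key: value" fields,
# each port written as port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_NMAP_OG = (
    "# Nmap 4.68 scan initiated Tue Sep  2 14:00:00 2008 as: nmap -sS -sU -p- -oG scan.gnmap 192.0.2.0/28\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n"
    "Host: 192.0.2.11 ()\tStatus: Up\n"
    "Host: 192.0.2.11 ()\tPorts: 53/open/udp//domain///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (65534)\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
    "# Nmap done at Tue Sep  2 14:12:34 2008 -- 16 IP addresses (2 hosts up) scanned in 754.10 seconds\n"
)

_HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_greppable(text: str) -> Discovery:
    """Return {host: {(proto, port), ...}} for every host nmap reports as up.

    A host that is up but shows no open ports keeps an empty set, so it still
    lands in the target list: a silent host is exactly the case worth a look.
    """
    hosts: Discovery = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue                      # comment lines, blank lines
        fields = line.split("\t")
        if "Status: Down" in fields:
            continue
        open_ports = hosts.setdefault(m.group(1), set())
        for field in fields:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue              # malformed entry, skip it
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if state == "open":
                    open_ports.add((proto, port))
    return hosts


def nessus_targets(d: Discovery) -> List[str]:
    """One host per line for the batch-mode targets file."""
    return sorted(d)


def tcp_port_list(d: Discovery) -> str:
    """Union of open TCP ports as a comma-separated list for Nessus's port range."""
    ports = sorted({p for s in d.values() for proto, p in s if proto == "tcp"})
    return ",".join(str(p) for p in ports)


def compare_discovery(a: Discovery, b: Discovery) -> Dict[str, object]:
    """Hosts and ports seen by one scanner and not the other.

    If scanner b was restricted to the ports scanner a reported, 'only_b' can
    only ever be empty, so the comparison shows nothing new; compare scans that
    were configured alike instead.
    """
    common = set(a) & set(b)
    port_diffs = {}
    for h in sorted(common):
        if a[h] != b[h]:
            port_diffs[h] = {"only_a": sorted(a[h] - b[h]), "only_b": sorted(b[h] - a[h])}
    return {
        "only_a_hosts": sorted(set(a) - set(b)),
        "only_b_hosts": sorted(set(b) - set(a)),
        "port_diffs": port_diffs,
    }


# Constructed stand-in for what a Nessus full-port scan of the same range found.
SAMPLE_NESSUS: Discovery = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 8080)},
    "192.0.2.13": {("tcp", 445)},
}

if __name__ == "__main__":
    nmap_seen = parse_greppable(SAMPLE_NMAP_OG)
    print("targets:", nessus_targets(nmap_seen))
    print("tcp ports:", tcp_port_list(nmap_seen))
    print("diff:", compare_discovery(nmap_seen, SAMPLE_NESSUS))
```

Running it on the constructed data shows the two things the thread argues about: a host seen only by one scanner (192.0.2.11 by nmap, 192.0.2.13 by Nessus) and a port that only the full-range Nessus scan reported (8080 on 192.0.2.10). Restrict the second scan to the first scan's ports and that last class of finding disappears by construction, which is Michel's point.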
Re: Command line report export
Doty, Timothy T. wrote:

> I don't have a reason for the above to be the case, it is simply what I have
> observed. Consequently I run both nmap and nessus and compare the results of
> the two. It is the closest I can get to a view of what is really on the
> network.

I get this question from customers very often when they want to compare the
results from Nessus and NMAP, or Nessus and some other vulnerability scanner.

I usually ask them to start with how two scans with Nessus compare with each
other before they start comparing other technologies. If they have inconsistencies
here, it could be any number of reasons such as network performance, network
volatility, performance of the scanner, etc.

Even if you like your active scans, adding in realtime passive monitoring
gives you another view. Tenable has a lot of customers that use this blended
approach to either not perform scans of super-sensitive devices, or to ease
up on the amount of scans needed to be completed. Regardless, performing a
full 65k port scan with any scanner takes time and simply sniffing for what
ports are open can tell you the ones that are in use.

Ron Gula
Tenable Network Security








Re: Command line report export
On Tuesday 02 September 2008 15:15:39 christopher.riley@r-it.at wrote:
> We would then like to import the grepable nmap output into Nessus and have
> Nessus restrict it's scans to only those ports that NMAP has found to be
> open.

Then import Nmap results and disable all other port scanners.

> I know it's not a perfect option, but we've been asked to look at it as a
> possiblity instead of comercial options.

Nessus _is_ a commercial option.
RE: Command line report export
I agree that passive sniffing will give a good view of what is happening on
the network. My argument is that if using two scanners (which I don't see
anything wrong with the approach) then they should be configured comparably.
That is, if one is scanning for all ports so should the other. Trying to
limit one based on the results of the other is guaranteed to not give any
new results and does not make any real comparison.

In my particular case we are getting mac notify events from many of the
switches which serves as another data feed and I am currently tying things
together so that scans can be triggered (shortly after) a system connects to
our network. In my opinion there is some synergy between these things that
can be tapped to improve things overall.

Tim Doty

-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org]
On Behalf Of Ron Gula
Sent: Tuesday, September 02, 2008 9:07 AM
To: nessus@list.nessus.org
Subject: Re: Command line report export

Re: Command line report export
On Sep 2, 2008, at 10:18 AM, Michel Arboi wrote:

> On Tuesday 02 September 2008 15:15:39 christopher.riley@r-it.at wrote:
>> We would then like to import the grepable nmap output into Nessus
>> and have
>> Nessus restrict it's scans to only those ports that NMAP has found
>> to be
>> open.
>
> Then import Nmap results and disable all other port scanners.
>
>> I know it's not a perfect option, but we've been asked to look at
>> it as a
>> possiblity instead of comercial options.
>
> Nessus _is_ a commercial option.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Sort of. It has the same name as a non-commercial option, which leads
to a lot of confusion and frustration. Especially when you're running
a FreeBSD box and you're trying to unravel the old free nessus port
from the one you have to pay for. There should be instructions just
for that.


Re: Command line report export
Let me be clear up front, I don't have favorites among the nessus scanners
and the nmap scanner. I like and use them both.
From my own perception, I think that nmap and nessus have a different slant,
but a similar purpose. nmap has options that are decidedly more esoteric,
yet are undoubtedly useful, such as the christmas scan or the "pick a random
ip" for security research. nessus is more focused on the security auditor.
It's not to say that both tools cannot be used in both environments, but
they do tend to have a different bent. I think that useful is probably
better defined with that context in mind. Undoubtedly Fyodor (and others on
the list, apparently) find them useful.

That having been said, here are some of the features I might like to see out
of the nessus scanners that are in the nmap scanner. Improvement of the
interface might be handy as well:

1) zombie scanning (-sI in nmap) - this is handy for mapping out trust
relationships in networks that are not well documented. In my role as an
auditor, I often ask for documentation, and it's almost always lacking :)

2) very solid os detection - I've found that (within the scope of the
scanner specifically) that nmap tends to be more accurate on OS detection. I
realize that nessus has several other mechanisms for this.

3) scan delay - this might be in there (I thought it was, but can't find it)
but being able to control the amount of time between each probe of a host is
a good thing on the scanner side.

4) spoofing/cloaking/hiding/misdirection - one of the issues that I have run
into is that we have deliberately belligerent employees who will firewall
their box from the scanners. This always happens on nets with inadequate
managerial oversight and/or configuration management. The proper solution,
of course, is to fix these two problems, but this is not always an option
within my control. Being able to show that a computer is specifically
blocking the scanner for whatever reason (perhaps because it's
been compromised) is useful to me.

5) quick and easy command line port scanning - it's really hard to beat
"nmap myhost" for simplicity, and "nmap -sP mynet" for checking what's out
there. As nessus moves away from a command line, I find that nmap's ease for
the seasoned unix administrator makes more sense for many things. based on
the help output of the nessus command line, you need a minimum of 7
arguments to do a batch mode scan. It's not that these are not useful and
important, but it's also pretty weighty for an everyday tool.

It hasn't gone unnoticed by myself at least that several features have been
added to the scanners in the last couple of versions which address problems
that I've dealt with personally.

On Tue, Sep 2, 2008 at 6:00 AM, Michel Arboi <mikhail@nessus.org> wrote:




--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
Re: Command line report export
James Birk wrote:
> Sort of. It has the same name as a non-commercial option, which leads
> to a lot of confusion and frustration. Especially when you're running
> a FreeBSD box and you're trying to unravel the old free nessus port
> from the one you have to pay for. There should be instructions just
> for that.

The Nessus 2 engine is distributed under the GPL. Nessus 3 is not.

The Nessus Registered plugin feed is no longer available. Switching
to the ProfessionalFeed should not require you to "unravel the old
free Nessus port". You should have just needed to use a new activation
code.

Both of these changes were covered in the media, this mailing list,
and many other places well in advance of these changes.

If anyone gets a Nessus port from Debian, FreeBSD, Gentoo, etc., you
should be aware, Tenable did not configure these or do these. If you
are using Nessus, we highly recommend you to work with the distributions
you get from nessus.org directly.

Ron Gula
Tenable Network Security










Re: Command line report export
Hi Doug,

Thanks for your comments/suggestion.

> 1) zombie scanning (-sI in nmap) - this is handy for mapping out trust
> relationships in networks that are not well documented. In my role as an
> auditor, I often ask for documentation, and it's almost always lacking :)

Although this feature is good for performing a port scan from a 3rd party,
you can't perform an application audit or vulnerability scan this way. Most
of our customers and Nessus users who want to do this add more scanners.

> 2) very solid os detection - I've found that (within the scope of the
> scanner specifically) that nmap tends to be more accurate on OS detection. I
> realize that nessus has several other mechanisms for this.

OS fingerprinting is debated by lots of people. Nessus adds many other
checks (including credentialed operating system checks and things I've not
seen in any other scanner like Windows OS fingerprinting via RDP) into the
mix.

> 3) scan delay - this might be in there (I thought it was, but can't find it)
> but being able to control the amount of time between each probe of a host is
> a good thing on the scanner side.

Nessus does not have this, but you can control number of checks per host
and the number of simultaneous hosts.

> 4) spoofing/cloaking/hiding/misdirection - one of the issues that I have run
> into is that we have deliberately belligerent employees who will firewall
> their box from the scanners. This always happens on nets with inadequate
> managerial oversight and/or configuration management. The proper solution,
> of course, is to fix these two problems, but this is not always an option
> within my control. Being able to show that a computer is specifically
> blocking the scanner for whatever reason (perhaps because it's
> been compromised) is useful to me.

Nessus can detect a variety of filtering and firewall scenarios, but not
all of them. When performing just a port scan, there are a variety of
ways to hide where you are coming from. However, when performing an audit
of a host, this is much more difficult. Of course for 100% hiding of a
network, passive monitoring is very effective.

> 5) quick and easy command line port scanning - it's really hard to beat
> "nmap myhost" for simplicity, and "nmap -sP mynet" for checking what's out
> there. As nessus moves away from a command line, I find that nmap's ease for
> the seasoned unix administrator makes more sense for many things. based on
> the help output of the nessus command line, you need a minimum of 7
> arguments to do a batch mode scan. It's not that these are not useful and
> important, but it's also pretty weighty for an everyday tool.

This was one of the biggest reasons we added the nessuscmd command line
tool on both Windows and UNIX systems. You can see an example of this
here: http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html although
it was written when Nessus 3.2 was still beta.

Ron Gula
Tenable Network Security









Re: Command line report export
On Tuesday 02 September 2008 16:48:17 Doug Nordwall wrote:

> 1) zombie scanning (-sI in nmap) - this is handy for mapping out trust
> relationships in networks that are not well documented.

What do you mean by "trust relationship"??

> 2) very solid os detection - I've found that (within the scope of the
> scanner specifically) that nmap tends to be more accurate on OS detection.

As far as TCP/IP fingerprinting is concerned, sinfp is probably as good as
Nmap -- and Nessus uses it. Nessus also uses other methods to identify the
remote OS, and nothing beats "uname -a" on the remote system.

> I realize that nessus has several other mechanisms for this.

Right, although they are not "fingerprinting" per se.

> 3) scan delay - this might be in there (I thought it was, but can't find
> it) but being able to control the amount of time between each probe of a
> host is a good thing on the scanner side.

There is no direct equivalent of the scan delay that you have in Nmap, but you
can do something like that by playing on the level of parallelism and
the "micro_timeout" option.

> Being able to show that a computer is specifically blocking the scanner for
> whatever reason (perhaps because it's been compromised) is useful to me.

I suppose that you can do that by looking at machines that have no open ports?

> 5) quick and easy command line port scanning

nessuscmd -sT / -sP
