On Nov 12, 2008, at 3:32 PM, nexact wrote: > We have some machine that is running a database on a non-common
> port, however, we are scanning with common port policy.
> I would like to know, is there a kind of ways that could allow
> Nessus to detect these non-common port ?
The answer depends to some extent on how the database service reacts
and how you're configuring your scan. [.Not to mention of course the
port range that you specify.]
On the one hand, Nessus has a couple of general service detection
plugins. They work by looking for spontaneous banners or by sending
something relatively harmless like an HTTP GET or 'HELP' to the port
and reading a response. If a service responds to one of these probes,
we can often identify the service without taking the actual port
number into consideration. MySQL and to some extent PostgreSQL work
On the other, we have some plugins that try to detect specific
applications, including database services like Oracle, DB2, MSSQL, and
Firebird. They work by sending packets that try to do something like
simulate a login and then make sure the response looks "ok". These
plugins are generally coded such that they look for a service only on
its well-known port(s) by default, although they will also check on
any open port with an unidentified service if the 'Thorough tests'
option is enabled. Note that enabling 'Thorough tests' entails some
risk, though, since some services react poorly when they are sent data
that appear to them to be malformed. > My other option is to run an all port scan that will reach database
> on non-common port but... how will Nessus handle that ?
> Nessus will do a fingerprint on the service and then scan it for
> known vulnerability or it will skip it ?
Are you able to do a credentialed scan? That would likely be the
safest and most reliable.
Otherwise, if Nessus identifies the service, it should run the
associated plugins against that service regardless of which port its on.
Nessus mailing list