I was wondering what the best vulnerability scanning tool in BT4 is. I've been using Nessus to scan my network and it works great, but when I scan my other computer's external IP, which is not hooked up to a network, it won't grab any open ports. I know ports are open on it and it has some vulnerabilities.
So, are you scanning over the internet? If the box is behind a router or firewall, you won't be able to "see" the open ports.
I disabled my firewall and don't have a router hooked up :(
Don't just use fancy GUIs to start with vulnerability scanning; start with nmap on the command line:
nmap -n -sS x.x.x.x
Especially if you don't see any status, you have to watch for the packets coming back.
So just press ? during your nmap command line usage and use the v/d/p switches!
It is very good to learn the basics of scanning first, rather than using tools like Nessus.
Recommended basics about all the different scanning techniques:
nmap-secrets-training-course by Professor Messer (just paste it into Google)
OK, cool, thanks, I will do that.
This really depends on whether you want to perform vulnerability scanning or port scanning. That command above is port scanning (TCP SYN scanning specifically). It's going to identify open TCP ports within a certain range on the given hosts, but not the services running on them or any vulnerabilities on those ports.
Originally Posted by firstname.lastname@example.org
NMap is great at port scanning, and service and operating system identification. It has some basic vulnerability scanning capability when extended with NSE scripts (these allow a greater level of customised interaction with each identified service).
To use nmap to perform service identification, use the -sV switch, and the -sC or --script switches to run NSE scripts.
Nessus is a vulnerability scanner, and a pretty good one too. The plugins for it (which provide the ability to scan for particular vulnerabilities) are not completely free however. As an alternative to Nessus, OpenVAS is a completely free vulnerability scanner, featuring open source software and free plugins. It doesn't perform as many checks as Nessus (the last time I checked around 10,000 plugins for OpenVAS from the official feed and about 25,000 for Nessus, although a simple count of plugins may not be the best comparison of quality). There are other commercial scanners as well, SAINT is one (a basic version is included in BT4) GFI LanGuard another.
To the OP, if you want to learn vulnerability scanning, I'd suggest going with Nessus, but it is worthwhile to start with port scanning and service identification first.
Thanks, you guys have been very helpful! :D
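The distinction drawn above between a plain port scan (open ports only) and service identification with -sV (and NSE script output) is visible in nmap's own XML output: a service element written from the nmap-services port table carries method="table", while one confirmed by version probing carries method="probed". The following Python script is an added example, not code from the thread or from the nmap project; it parses a constructed sample in the shape nmap writes with -oX (the addresses, products and versions are invented) and reports, per host, which open ports were actually identified and what scripts returned.

```python
"""Summarise nmap -oX output: which ports are open, which services were
actually identified by version probing (-sV), and what NSE scripts reported."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the shape nmap writes with -oX (not real scan output).
# Hosts use RFC 5737 documentation addresses; products and versions are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -sC -oX scan.xml 192.0.2.0/29" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
<script id="ssh-hostkey" output="256 aa:bb:cc (ED25519)"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
<script id="http-title" output="Welcome"/></port>
<port protocol="tcp" portid="445"><state state="closed" reason="reset"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.12" addrtype="ipv4"/></host>
<runstats><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""


@dataclass
class PortResult:
    port: int
    protocol: str
    state: str
    service: str            # name guessed from nmap-services, or from the probe
    probed: bool            # True only when -sV actually matched a probe
    product: str = ""
    version: str = ""
    scripts: dict = field(default_factory=dict)   # NSE script id -> output


def parse_nmap_xml(xml_text):
    """Return {ipv4 address: [PortResult, ...]} for every host that was up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for p in host.findall("ports/port"):
            svc = p.find("service")
            ports.append(PortResult(
                port=int(p.get("portid")),
                protocol=p.get("protocol"),
                state=p.find("state").get("state"),
                service=svc.get("name", "") if svc is not None else "",
                probed=svc is not None and svc.get("method") == "probed",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
                scripts={s.get("id"): s.get("output", "")
                         for s in p.findall("script")},
            ))
        hosts[addr_el.get("addr")] = ports
    return hosts


def open_ports(hosts, addr):
    """What a plain port scan tells you: which TCP ports answered as open."""
    return sorted(p.port for p in hosts[addr] if p.state == "open")


def unidentified_open_ports(hosts, addr):
    """Open ports whose service name is only a port-table guess, i.e. the
    service was never confirmed by -sV and nothing should be concluded
    about it yet."""
    return sorted(p.port for p in hosts[addr]
                  if p.state == "open" and not p.probed)


def script_findings(hosts, addr):
    """NSE script output keyed by port; only ports that had any script output."""
    return {p.port: p.scripts for p in hosts[addr] if p.scripts}


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for addr in hosts:
        print(addr, "open:", open_ports(hosts, addr),
              "table-guess only:", unidentified_open_ports(hosts, addr))
        for port, scripts in script_findings(hosts, addr).items():
            for sid, out in scripts.items():
                print(f"  {port}/{sid}: {out}")
```

On the sample, 192.0.2.10 has ports 22 and 80 open and both confirmed by probing (with script output attached), whereas 192.0.2.11's port 3306 is open but "mysql" is only the nmap-services table name, so it is exactly the port-scan-only result described above and would need -sV (and then a vulnerability scanner) before anything is said about what is really listening there.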
If it's not hooked up to a network how does it have an external IP?
Originally Posted by fullyloaded
I'm pretty sure nmap defaults to running scripts; you should only need -sC or --script if you want a specific script. (At least this seems to be true of the version of nmap included with BT3... maybe this has been changed in more recent versions.)
Originally Posted by lupin
Edit: Just checked on my Windows box, and as of version 4.68 you don't need to specify -sC or --script to have scripts run. (Now I just wish I could figure out how to disable them. The only solution I know of is to specify --script=none, and then it errors when it can't find a script called "none".)
Yeah, that's right, particular scripts will run if you have detected a relevant port or service (with port or service scanning) for them to run against. Thanks for the clarification.
Originally Posted by thorin
Edit: Just tried this on nmap 4.85 Beta 7 on Windows. I did some basic tests using a Connect scan (-sT) but could only get nmap to run scripts when using service detection (-sV) or specifying to run scripts manually (-sC). I used -vvvv (overkill on verbose) to obtain command line notification of when scripts were being run. This result seems to coincide with the nmap scripting engine documentation, which states that version detection category scripts are run when version detection is enabled.
Do we chalk this behavior up to a version difference or did you run some other sort of scan?
That might make sense; I almost always run with -sV or -A.
So now I still need to figure out a way to do version detection and not scripts.