Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: vulnerability scanning

  1. #11 lupin (Super Moderator)

    Quote Originally Posted by thorin:
    That might make sense, I almost always run with -sV or -A.

    So now I still need to figure out a way to do version detection and not scripts.
    Well, apparently it only runs the scripts in the version detection category when the -sV option is used, so you could remove all scripts from the "version" category by editing the scripts/script.db file. You could even keep two copies of the file and swap them around if you only wanted to run scripts some of the time.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
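As an added example (not lupin's code and not part of the Nmap project), here is a small shell helper that does the script.db edit described in the reply: it writes a copy of scripts/script.db with "version" removed from every entry's category list, dropping entries whose only category was "version" rather than leaving them with an empty list. The `Entry { filename = ..., categories = { ... } }` line format is the one nmap writes, but treat it as an assumption; the sample entries and their categories are constructed for the offline demo, and the install path in the usage note below varies by system.

```shell
#!/bin/sh
# Added example: build a copy of nmap's scripts/script.db without the "version"
# category, so that `nmap -sV` no longer pulls in version-category NSE scripts.
# Assumed line format (matches what nmap writes, but treat it as an assumption):
#   Entry { filename = "banner.nse", categories = { "discovery", "safe" } }

# strip_version_category IN OUT
# Copies IN to OUT, deleting "version" from each categories list. Entries whose
# only category was "version" are dropped entirely rather than left with an
# empty list. Only the categories block is touched, so a filename that happens
# to contain the word "version" is left alone.
strip_version_category() {
    awk '
    match($0, /categories = [{][^}]*[}]/) {
        cats = substr($0, RSTART, RLENGTH)
        gsub(/"version", */, "", cats)            # "version" first in the list
        gsub(/, *"version"/, "", cats)            # "version" later in the list
        if (cats ~ /[{] *"version" *[}]/) next    # it was the only category: drop
        $0 = substr($0, 1, RSTART - 1) cats substr($0, RSTART + RLENGTH)
    }
    { print }
    ' "$1" > "$2"
}

# Constructed sample db for an offline run; the categories here are illustrative
# (and the example-*.nse names hypothetical), not copied from a real nmap install.
sample_script_db() {
    cat <<'EOF'
Entry { filename = "banner.nse", categories = { "discovery", "safe" } }
Entry { filename = "http-server-header.nse", categories = { "version" } }
Entry { filename = "example-mixed.nse", categories = { "version", "safe" } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery" } }
Entry { filename = "example-tail.nse", categories = { "safe", "version" } }
EOF
}

# Demo: filter the sample and show the result (4 of the 5 entries survive).
demo_dir=$(mktemp -d)
sample_script_db > "$demo_dir/script.db"
strip_version_category "$demo_dir/script.db" "$demo_dir/script.db.noversion"
cat "$demo_dir/script.db.noversion"
rm -rf "$demo_dir"
```

To use it on a real install, run `strip_version_category` against the installed file (for example /usr/share/nmap/scripts/script.db, an assumed path) and keep the result next to the original; swapping the two files is the two-copies trick from the reply. One caveat: `nmap --script-updatedb` regenerates script.db from the scripts' own categories fields, so the edit has to be redone after updating scripts.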

  2. #12

    hi,

    A scanning tool itself doesn't care whether you scan internal or external networks, but it depends on what network element(s) you have between your internal and external network, like a firewall or router access lists.

    You mentioned your external NIC is not hooked up, so the interface will be down and won't have any IP address, so there is nothing for nessus to scan at all ;-) Just configure an IP address on this NIC and check whether the interface is enabled.

    If you have found vulnerabilities on the internal NIC, you will mostly have the same vulnerabilities on the external side, as long as you don't block anything. The vulnerable service will mostly run on all active NICs, as long as you don't change the settings to bind this service to a specific interface.

    nessus is a quite comprehensive tool for doing the usual-suspects scan and it relies on the latest signatures (plugin feed). So every pen-tester uses his own flavour of scanning techniques/tools, depending on how seriously you want to dig into it.

    Identifying the 'best' tool is therefore a matter of how you want to look at your network. On one hand you can do the usual-suspects network scan, and on the other hand you can scan very specifically for interesting services or open ports not usually scanned by these tools. Also, if you go beyond identifying services and try to do protocol fuzzing, you have to use different tools. Another often-overlooked scanning method: check all UDP ports. This is not as simple as a TCP scan, it also takes much longer and is not very accurate, but as soon as you find something it is always quite interesting to do further analysis and see how often programmers are still not reading RFCs from the '80s ;-)

    A good list to start looking for other scanning tools:
    sectools[.]org/vuln-scanners.html

    /brtw2003
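The point above about a service running on every active NIC unless it is bound to a specific interface can be checked on the host before the external interface is even brought up. As an added example (not brtw2003's code), the shell helper below reads `ss -Hltun` output (Linux, iproute2) and lists the listening sockets bound to the wildcard address; those are the services that become reachable on the external NIC the moment it gets an address, while sockets bound to 127.0.0.1 or the internal NIC's address do not. The `ss` lines embedded in the block are constructed for the offline demo.

```shell
#!/bin/sh
# Added example: find services listening on every interface (wildcard bind),
# i.e. the ones that will be exposed on the external NIC as soon as it is up.
# Input format is that of `ss -Hltun` (no header, listening, tcp+udp, numeric):
#   Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port

# wildcard_listeners: reads ss -Hltun lines on stdin and prints "proto/port"
# for every socket whose local address is 0.0.0.0, [::] or "*" (bound to all
# interfaces). Sockets bound to a specific address are not reported.
wildcard_listeners() {
    awk '
    $1 == "tcp" || $1 == "udp" {
        la = $5                                 # Local Address:Port column
        port = la; sub(/.*:/, "", port)         # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)     # text before the last colon
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $1 "/" port
    }' | sort -u
}

# Constructed sample of `ss -Hltun` output for an offline run: sshd on all
# interfaces (v4 and v6), MySQL on loopback only, a web server bound to the
# internal NIC's address only, and SNMP on all interfaces over UDP.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      511   192.168.1.10:80        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128           [::]:22           [::]:*
EOF
}

# Demo: only tcp/22 and udp/161 are reported; 3306 and 80 stay internal.
sample_ss_output | wildcard_listeners
```

On a live host replace the sample with `ss -Hltun | wildcard_listeners`; anything it prints is what the external-side scan will see once the NIC has an address, so those are the services to either bind to the internal address or filter at the firewall.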

