
Thread: Vulnerability scanners?


  1. #1
    cRaZylilmuffin (Junior Member, joined Mar 2010, 38 posts)

    Vulnerability scanners?

    From what I have gathered they all seem to be pretty noisy and like they would be of no use during a blackbox pentest. Is it just better to play it safe and find vulns. the hard way, or are there ways to configure a scanner to be more "stealthy"?

    I've done quite a bit of Google hunting and searched these forums as well with no luck.
    Any advice or links to tuts would be greatly appreciated. Thx
    "Things are not what they appear to be: nor are they otherwise." -Surangama Sutra

  2. #2

    Hi,

    do some homework first. If you are seriously interested in
    advanced scanning techniques: understand the tool you are using first!

    Tweaking the default settings a little bit will be much
    more silent in many cases (e.g. nmap timing & scanflag settings). But if you are really serious about testing just a couple of specific devices, go for a fully customizable scanner, like
    hping, unicornscan, or just use the scapy python library and create your own fully custom scanner with a couple of lines of code!

    Highly recommended book: NMAP Handbook (really great,
    even for experienced nmap users!)

    Amazon.com: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (9780979958717): Gordon Fyodor Lyon: Books

    Also don't forget, if you are looking for a really serious blackbox pentest, what you mostly need: hands-on experience, imagination, time & passion ;-)

    /brtw2003

  3. #3
    Thorn (Senior Member, joined Jan 2010, Location: The Green Dome, 1,509 posts)

    A Vulnerability Assessment as a blackbox test? The two of them are rather exclusive. It sounds like the client doesn't know what they want.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    cRaZylilmuffin (Junior Member, joined Mar 2010, 38 posts)

    Quote Originally Posted by Thorn:
    A Vulnerability Assessment as a blackbox test? The two of them are rather exclusive. It sounds like the client doesn't know what they want.
    lol I am not actually being asked to do this. I don't even have a job pentesting... yet (I hope to become a penetration tester). I'm just getting into it and I'm still a pretty big noob. I was just curious.

    Also, about the whole nmap thing. I've read up quite a bit on IDS/IPS evasion and how to be more "quiet" when performing a scan. I just didn't know what port scanner or different configurations to use with, say, Nessus, to get good results AND not be so noisy.

    The thing is, when I tried to use nmap with Nessus it took forever, so I used nmap by itself using the grepable output, which I then used with Nessus. But after completing the Nessus scan it came back with zero results.

    I know there are vulnerabilities on the box I am scanning because when I do a scan with the default settings I get a bunch of hits...

    So what am I doing wrong?


    P.S. Thanks for the responses
    "Things are not what they appear to be: nor are they otherwise." -Surangama Sutra

  5. #5
    lupin (Super Moderator, joined Jan 2010, 2,943 posts)

    Quote Originally Posted by cRaZylilmuffin:
    From what I have gathered they all seem to be pretty noisy and like they would be of no use during a blackbox pentest. Is it just better to play it safe and find vulns. the hard way or are there ways to configure a scanner to be more "stealthy".
    It's usually possible to configure a vulnerability scanner to be less noisy, yes. In Nessus, for example, you can configure whether you want it to port scan the system first, what type of port scan to use, whether to use the results of an nmap scan, what particular ports to query, what vulnerability checks to use, what timing profile to use (how much time between checks), etc., etc. All of those options will influence the noise level of a scan.

    Most of the vulnerability checks will make some sort of noise at the target, depending on what monitoring is being done. Any checks against a TCP-based service will register a TCP connection to the appropriate port, for example (if that is being logged somewhere), and depending on the service you might see odd log entries in the application log. Remember that a vulnerability scanner is really just connecting to services it finds and sending a bunch of probes to the system to try and determine its characteristics, e.g. determining what versions of services are running via banners, checking how those services respond to certain stimuli, etc.

    If you are really curious about this you could run various scans against a system and capture the packets to see what happens. Then once you see how it works consider how you would monitor for it on a target system.

    You should also consider that many pen tests may not require you to be stealthy, unless part of the test involves testing incident response capabilities. After all, you should have permission to actually perform the test, and getting detected shouldn't really matter.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  6. #6
    (Just burned his ISO, joined Oct 2009, 5 posts)

    I believe nmap can be stealthy as shit with the right command line options. Options like -sL (list scan via DNS resolution) or -sP (ping scan only) are "stealthy," if you will. Also, you can slow down the scan to avoid tripping IDS. -T <0-5> affects the speed. 3 is default, 5 is kamikaze, 0 is very, very slow. -iR will choose targets in random order, also avoiding IDS.

    I recommend Nmap Network Scanning by Fyodor, the creator of nmap. It's full of great information and is actually really well written to the point of being hilarious at times.
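lupin's suggestion in post #5 is to capture what a scan actually does to a host and then work out how you would monitor for it, and post #6 points out that slowing a scan down is the usual way to stay under a threshold. The following is an added example (my code, not from anyone in this thread or from nmap/Nessus) of the monitoring side: a small detector that reads connection-log lines and flags a source that touches many distinct ports on one host. It evaluates two windows, a short one that catches a default-speed sweep and a long one that still catches a sweep that has been stretched out with a slow timing template. The log format, IP addresses, thresholds and sample lines are all constructed for the example.

```python
"""Port-sweep detector over constructed connection-log lines.

Assumed (constructed) log format, one connection attempt per line:
    "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port>"
Real firewall or flow logs differ; adjust LINE_RE to match yours.
"""
from collections import defaultdict, deque
import re

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Return (ts, src, dst, port) or None for lines that are not records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return int(ts), src, dst, int(port)


def detect_scans(lines, windows=((10, 15), (600, 30))):
    """Flag (src, dst) pairs that hit many distinct ports inside a window.

    windows: (window_seconds, distinct_port_threshold) pairs. The short
    window catches a normal-speed sweep; the long one catches a sweep that
    has been slowed down so that few probes fall into any short interval.
    Returns {(src, dst): [window_seconds that fired, ...]}.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second order
    alerts = defaultdict(list)
    for window, threshold in windows:
        recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port)
        fired = set()
        for ts, src, dst, port in events:
            key = (src, dst)
            q = recent[key]
            q.append((ts, port))
            # drop probes older than the window
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= threshold and key not in fired:
                fired.add(key)
                alerts[key].append(window)
    return dict(alerts)


# Constructed sample log: a fast sweep, a slowed-down sweep, ordinary
# repeat traffic to one port, and one malformed line.
SAMPLE_LOG = (
    [f"{1000 + i // 3} 10.0.0.5 -> 10.0.0.20:{i + 1}" for i in range(20)]   # 20 ports in ~7 s
    + [f"{2000 + i * 15} 10.0.0.9 -> 10.0.0.20:{i + 1}" for i in range(35)]  # one port every 15 s
    + [f"{3000 + i} 10.0.0.7 -> 10.0.0.20:443" for i in range(50)]           # 50 hits on one port
    + ["this line is not a connection record"]
)

if __name__ == "__main__":
    for (src, dst), wins in detect_scans(SAMPLE_LOG).items():
        print(f"possible port sweep {src} -> {dst}, windows fired: {wins}")
```

The fast sweep trips only the 10-second window, the slowed sweep trips only the 600-second window, and the host that opens fifty connections to port 443 never fires because the rule counts distinct ports rather than connections. The trade-off is the one post #6 hints at: a detector that only looks at short windows is blind to a -T0 style scan, while a long window with a low threshold starts catching legitimate admin traffic, so the thresholds have to be tuned against a baseline of the monitored network.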
