Vulnerability scanners?

[cRaZylilmuffin]

From what I have gathered they all seem to be pretty noisy and like they would be of no use during a blackbox pentest. Is it just better to play it safe and find vulns. the hard way or are there ways to configure a scanner to be more "stealthy".

I'v done quite a bit of Google hunting and searched these forums as well with no luck.
Any advice or links to tuts would be greatly appreciated Thx

[brtw2003]

hi,

do some home work first..if you are serious interested about
advanced scanning techniques: understand the tool first, you are using!

Tweaking a little bit the default settings will be much
more silent in many cases (e.g. nmap timing & scanflag settings). But if you are really serious testing just a couple of specific devices, go for a fully customizable scanner, like
hping, unicornscan or just use the scapy python library and create your own fully custom scanner with a couple lines of code!

Highly recommended book: NMAP Handbook (really great,
even for experienced nmap users!)

Amazon.com: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (9780979958717): Gordon Fyodor Lyon: Books

Also don't forget, if you are looking for a real serious blackbox pentest, what you mostly need: hands-on experience, imagination, time & passion ;-)

/brtw2003

[Thorn]

A Vulnerability Assessment as a blackbox test? The two of them are rather exclusive. It sounds like the client doesn't know what they want.

[lupin]

From what I have gathered they all seem to be pretty noisy and like they would be of no use during a blackbox pentest. Is it just better to play it safe and find vulns. the hard way or are there ways to configure a scanner to be more "stealthy".

Its usually possible to configure a vulnerability scanner to be less noisy, yes. In Nessus for example you can configure whether you want it to port scan the system first, what type of port scan to use, whether to use the results of a nmap scan, what particular ports to query, what vulnerability checks to use, what timing profile to use (how much time between checks), etc, etc. All of those options will influence the noise level of a scan.

Most of the vulnerability checks will make some sort of noise at the target, depending on what monitoring is being done. Any checks against a TCP based service will register a TCP connection to the appropriate post for example (if that is being logged somewhere), and depending on the service you might see odd log entries in the application log. Remember that a vulnerability scanner is really just connecting to services it finds and sending a bunch of probes to the system to try and determine its characteristics, e.g. determining what version of services are running via banners, checking how do those services respond to certain stimuli, etc.

If you are really curious about this you could run various scans against a system and capture the packets to see what happens. Then once you see how it works consider how you would monitor for it on a target system.

You should also consider that many pen tests may not require you to be stealthy, unless part of the test involves testing incident response capabilities. After all you should have permission to actually perform the test, and getting detected shouldn't really matter.

[cRaZylilmuffin]

A Vulnerability Assessment as a blackbox test? The two of them are rather exclusive. It sounds like the client doesn't know what they want.

lol I am not actually being asked to do this. I don't even have a job pentesting......yet (I hope to become a penetration tester)..... I'm just getting in to it and I'm still a pretty big noob. I was just curious.

Also about the whole nmap thing. I'v read up quite a bit on ids/ips evation and how to be more "quiet" when preforming a scan. I just didn't know what port-scanner or different configurations to use with say...nessus...to get good results AND not be so noisy.

The thing is when I tried to use nmap with nessus it took forever so I used nmap by itself using the grepable output which i then used with nessus. But after completing the nessus scan it came back with zero results.

I know there are vulnerabilities on the box I am scanning because when I do a scan with the default settings I get a bunch of hits.....

so what am I doing wrong?


P.S. Thanks for the responses

[lefty]

I believe nmap can be stealthy as shit with the right command line options. Options like -sL (list scan via dns resolution), or -sP (ping scan only) are "stealthy," if you will. Also, you can slow down the scan to avoid tripping IDS. -T <0-5> affects the speed. 3 is default, 5 is kamakazi, 0 is very very slow. -iR will choose targets in random order, also avoiding IDS.

I recommend Nmap Network Scanning by Fyodor, the creator of nmap. It's full of great information and is actually really well written to the point of being hilarious at times.