Solved

How to tell Nessus to focus on a specific service or port for scanning

Posted on 2006-05-22
Last Modified: 2013-11-18
Dear all,

I would like to use Nessus to scan a server, and what I care about is the web service which is running on port 8000.

How can I tell Nessus to scan only this service, or this port, and not to scan any other?

Question by:malibusa
15 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 16734259
Disable all tests not related to web services, then add :8000 to the target host.
0
 

Author Comment

by:malibusa
ID: 16735019
Dear,

When adding the part :8000 to the end of the target host, I get the message "nessusd returned an empty report".

0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16738055
Probably a silly question, but from the machine you have Nessus on, can you definitely see port 8000 on the web server?

Test: either browse to the server in your web browser, or telnet to port 8000.

It might also be worth performing a port scan with something like nmap to confirm the open ports.

Cheers,

Kevin
0
 

Author Comment

by:malibusa
ID: 16740216
The port is open and I can access it from the scanner machine using the command telnet 10.10.10.10 8000.

When I enable only the plugins which are specifically for Apache, it gives a report about it, as TCP/8000 Apache service.

But when I enable all the plugins, it does not show it at all.
0
 
LVL 3

Expert Comment

by:cduke250
ID: 16825954
Instead of only using Nessus, I would instead use a tool specific for web testing like whiskers.



I recently wrote an article for governmentsecurity.org detailing my review of several vulnerability testers.

You may find it useful, though it is somewhat off-topic.

You might try changing the report's verbosity level in the Nessus setup area.



========================================
A few months back I did some intense testing of all the best vulnerability scanners out there... I had a couple nix boxes hooked up, as well as some dozers, and figured I could add clients to a "once-a-week" scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose.

-----------------------------------------------------------------------------------------------------
I tested the following (trying to only list automated vulnerability scanners):

ISS Internet Security Systems
SSS Shadow Security Scanner
Retina eEye
Nessus
GFI Languard Network Security Scanner
Qualys www.qualys.com
Nstealth Security Scanner www.nstalker.com
Nikto
Whisker
Infiltrator http://www.infiltration-systems.com/
Nscan
-----------------------------------------------------------------------------------------------------


Review here.. (12+ pages) http://www.nwc.com/1201/1201f1b1.html

-----------------------------------------------------------------------------------------------------
I was looking at 3 main areas while evaluating the scanners.

1. Comprehensiveness of the testing: including how many options are allowed for different scanning, IDS evasion, and types of scans. Also in this category is the availability for the latest exploits and a custom exploit option to allow me to plug in custom exploits.

2. Quality of the program: included in this category is availability of updates, speed of various variables, efficiency, "smartness" or "AI" of the program while scanning/reporting, security (does running this version of this vuln scanner leave me vulnerable?), scheduling capabilities, alert and message capabilities, quality of exploits, reactions to "false positives", and overall features and capabilities.

3. Reporting Capabilities: How easy is it to create a report? The quality and design of the report. The comprehensiveness and personalization of the reports..
-----------------------------------------------------------------------------------------------------


My findings
===========
All of these programs can be tested for free, either through an evaluation or trial, or warez... ISS is extra tricky. I believe that the availability of these programs on the net represents the conspiracy to aid script-kiddies everywhere so that these companies will then profit after an intrusion (or even a loud scan).

Each of these programs is not to be used for cracking... Nothing serious at least.. using these programs is akin to knocking on every window of a house, while simultaneously ringing the doorbell and playing loud music in the driveway.. Some of the programs allow for easy use of anonymous SOCKS and web proxies, but we all know by now that to achieve any real anonymity takes much more work than that.

Well, after several months of constantly using most of these products continually, it became clear to me which ones I liked the best.

The top pick all-around (for windows) has to be retina's eeye, the company has a bunch of hackers and you can tell by their awesome product.

Another great scanner (windows -web) are the different products offered by nstalker... very good web vuln scanner. Free for download..

A close 2nd would be the SSS, I love it, its great, but eEye's is better.

The best choice for me however is nessus. Although it has a few negatives compared to some of the other products, it is the best solution for anything serious. Set up a couple of nessus servers around the globe and try attacking the same location through different networks for some real eye-opening fun. Also good to practice tracking and tracing.

Qualys is poised to be super-rich, just check out their site... great if you don't want to f with a scanner yourself.

ISS is way too expensive and I didn't like the fact that I had to try for a while until I could download it. [Hint: Backdoor to download for clients/employees? Old Version != license? Google.. ;) ] But it is considered to be the best scanner and I admit the anti-pirating features and licensing of their software is pretty damn good.

GFI is another top contender. It was just prone to crashing...

A money place to get some other cool tools (Especially a bad-a$$ SSL encryption tester) are available for free at www.foundstone.com. Get them soon, make a foundstone toolkit.... mcafee bought them so expect the free stuff to get yanked shortly... (I can't believe foundstone is almost gone...)

Unless you are using these tools on yourself, or to check your friends pc or company (use scheduling with alerts to email or pager), there is no sane or logical reason to use these tools on any pc that you do not have express permission to use against.

Remember these tools are the noisiest tools in a hackers arsenal and if you use it just once on an unknown host, your ISP can yank your account, you can face legal action, etc..

Better to use firewalk, hping3 (now with scripting!), nmap, etc, and leave these crutch-like tools alone.

Also check out www.coresecurity.com , for the best product I have found so far.

A few pointers..

If you have a network of your own, and you don't have the time or resources to set up a nessus installation at a remote site to repeatedly test your network, the best solution IME is Qualys. I am not affiliated in any way, I checked it out merely to examine the competition in the marketplace... after experiencing their free trial, unheard of amounts of documentation, and extremely skilled marketing team, I am still very jealous.

What an easy concept but they took it to that level and it stands alone, IMHO.

So if you need that kind of simple, safe, comprehensive fix, check out qualys. Still, you would ultimately save a lot of money (even after computing time and costs) by setting up your own remote server somewhere to automatically check the network for you. Multiple locations of course are ideal (go through different networks etc..)

The major lack of enthusiasm I have for most of these "vulnerability scanners" is the fact that so many of them run on windows and nothing else. The benefits to running from (almost anything else) a linux type platform are enormous. IOW, nessus can only continue to get better and better, while the only advantage eeye, ISS, and the rest of the dozer boys have is better knowledge of exploits.

This is really a small point (in the big picture) because of the fact that it is sooo easy to copy an exploit (for those that do that sort of thing).

So if you are out there, go help out the excellent people who give us nessus, go give them a donation, help them develop the software, test it out and email them detailed feedback of your likes and dislikes, do what you can to keep it around. I see it as having the most potential.

NOTE: Just imagine if the source code to the "commercial scanners" (funny they are all for windows) was made available to the nessus teams.

-----------------------------------------------------------------------------------------------------


There are also vuln scanners that operate locally, many professionals use these to scan a lan of windows hosts for example. These are hard to find, so if you know of any, post.

-----------------------------------------------------------------------------------------------------


Also, after months of testing all the different vuln tools, including tons not listed above, still failed to find a bug that allowed me root on a server.

It was the mole.cfm script that got me in... an old exploit that none of the scanners picked up. So if you are serious about keeping your data safe, hire a real expert (like foundstone or coresecurity) and do not rely on a commercial marketing solution alone.
=======================================
0
 

Author Comment

by:malibusa
ID: 16991200
cduke250 recommended many other solutions, and I am really thankful to him/her,

but my question is not yet answered.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16991352
> but when i enable all the plugins, it does not show it at all
What should all the plugins do with port 8000? Most of them test anything else, for example other ports.
Please follow my suggestion http:#16734259

BTW, nessus is currently not a proper web application scanner. If you want to scan your web application use a specialised scanner like nikto/wikto or a commercial one (AppScan, WebInspect, etc.)
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16992115
Hi

ahoffmann is correct - what are you specifically trying to test for?

If you run Nessus from your machine against a different web server, does it give you the results you are expecting?

If the web server is running Apache and you run the Nessus Apache tests, I'm not sure what else you would expect from running other modules against the web server port.

I'll second the vote for nikto/wikto; it is pretty good:
http://www.sensepost.com/research/wikto/
In our tests we have found the paid-for apps like AppScan etc. to be slightly better than wikto, but it does a pretty good job, and it's free!  I'd recommend wikto as it is effectively a development of nikto with increased functionality.

Another recommendation for you when using web site testing tools is to perform a manual walk through of the site in addition to any automated site walk through they perform as we have found they sometimes miss pages.





0
 
LVL 3

Expert Comment

by:cduke250
ID: 16998655
You can easily tell nessus to only scan port 8000 by specifying  "8000"  (without "") in the ports field of the nessus options.

You should also click on the "enable all checks" at the first nessus screen.

Are you using nessus on windows? Linux? Unix? BSD? Cygwin?
0
 

Author Comment

by:malibusa
ID: 17000000
Thank you all for participating.

When I put any port number or range of ports in the box of the port range field,

the results come as if it has been scanning all the services; it gives issues in SNMP, ... and many others.

I just ask it to scan port 8000, not any other port. Yes, I want it to try all checks, e.g. whether the service on this port is SSH or any other,
but not to search and scan other ports.

Nessus is installed on a Linux box (Debian).
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17000232
> .. the results comes as if it has been scanning all the services, it gives issues in snmp ..
Please read the comments again:
  you have to disable those checks which you're not interested in!!
0
 

Author Comment

by:malibusa
ID: 17000298
Let's assume that we do want to scan a port where we do not know the service running on it.
Yes, we know it's port 8000, but I am not sure if there is a web service behind it or not.

So, I want to check it using all plug-ins, and get a final report about it.

Again, all those scans are to be applied only to this specific port, not to anything else.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1500 total points
ID: 17001450
> again, all that scans to be only applied on this specific port not any thing else
Again, then you have to enable only those plug-ins which do not use different or fixed ports.

(I know that this is a bit of work to do, but as explained before: Nessus is primarily a network scanner, not an application scanner.)
0
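Kevin's advice earlier in the thread (confirm from the scanner host that port 8000 actually answers, by browsing or telnetting to it) and the later question of whether an unknown service on port 8000 is a web service or not can both be checked with a small script before a scanner is pointed at the port. The following is an added example written for this thread; it is not code from Nessus or from any of the posters. The target host and port are placeholders, and the tiny local responder is a constructed stand-in for the real server so the script runs offline.

```python
"""Check that a single port is reachable from the scanner host and whether an
HTTP service answers there. Added example for this thread, not Nessus code.
The local responder below is a constructed stand-in so the script runs offline."""
import socket
import threading


def probe_port(host, port, timeout=3.0):
    """Connect to host:port, send an HTTP HEAD request and classify the reply.

    Returns a dict:
      reachable - TCP connect succeeded
      service   - 'http' if the reply starts with an HTTP status line,
                  'unknown' if something answered but it was not HTTP,
                  None if nothing answered (or the connect failed)
      banner    - first line the peer sent (empty if nothing was sent)
    """
    result = {"reachable": False, "service": None, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""  # port open but silent: not HTTP, maybe nothing at all
    except OSError:
        return result  # connection refused / unreachable / reset
    banner = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    result["banner"] = banner
    if banner.startswith("HTTP/"):
        result["service"] = "http"
    elif data:
        result["service"] = "unknown"
    return result


def start_fake_server(reply, host="127.0.0.1"):
    """Constructed one-shot TCP responder on an ephemeral port (a stand-in for
    the server under test). Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)  # consume the probe's request, then answer
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Probe three constructed local endpoints: an HTTP responder, a non-HTTP
    responder, and a closed port. Returns the three classifications."""
    http_port = start_fake_server(b"HTTP/1.0 200 OK\r\nServer: constructed-test\r\n\r\n")
    other_port = start_fake_server(b"SSH-2.0-constructed_not_real\r\n")
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # ephemeral port with nothing listening
    tmp.close()
    return {
        "http": probe_port("127.0.0.1", http_port),
        "other": probe_port("127.0.0.1", other_port),
        "closed": probe_port("127.0.0.1", closed_port),
    }


if __name__ == "__main__":
    # Against a real target you would call probe_port("10.10.10.10", 8000)
    # (placeholder address from the thread) instead of the local responders.
    for name, r in demo().items():
        print(name, r)
```

If `reachable` is false from the scanner host, the empty Nessus report is a connectivity problem rather than a plugin-selection problem; if it is true but `service` is `unknown`, port 8000 is answering with something other than HTTP, which is the case where restricting the scan to web-only plugins would miss it.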
 

Author Comment

by:malibusa
ID: 17026392
My update is that I did not receive a solution, because Nessus does not have this facility.

If I am to give someone the credit, then I will give it to
ahoffmann.

Regards,
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 17160823
Any Update?
0