Saturday, 20 September 2014

Issues & features of Nessus

1, Intrusive or Non-Intrusive
- "Safe Mode" (Nessus)
- Qualys will only use non-intrusive

2, "Don't scan fragile devices" - Nessus
- Printers
- NetWare

3, "Do not log in with user accounts not specified in the policy" - Nessus
- To prevent users being locked out if there is locking out policy

4, Scan to internal from outside or inside. (But avoid scan outside from internal if possible - Qualys says)

5, "Enable experimental scripts" - (Nessus: Do not enable this setting while scanning a production network.)

6, Scan options which might cause long time (Nessus):
- Thorough test (slow)
- CGI test

7, "Report paranoia" - Nessus
- This setting determines if "Avoid false alarm"

8, Nessus support communicating with various Vendor products to:
- Gether information of assets
- Scan their policy files to do compliance check (e.g. Cisco IOS, Juniper OS, Huawei)

9, The “HTTP login page” settings provide control over where authenticated testing of a custom web-based application begins - Nessus

10, Nessus checks system hosts files for signs of a compromise

11, The “Malicious Process Detection” menu allows you to specify a list of additional MD5 hashes that Nessus will use to scan a system for known malware, as well as a list of known good hashes to reduce false positives.

12, Scan if not available:
- Scan or not if host not discoverable (enable ping)
- Scan closed ports? ("Ignore closed ports")

13, Plugins might need to provide some information to proceed, e.g.:
+ Login password
- AD, Ldap
- HTTP cookie
- Database login (then it is similar to previous ISS database scanner!)
- Known malicious or benigh file hashes

14, Nessus can leverage credentials for patch management system like WSUS to perform patch auditing on systems for which credentials may not be available to the Nessus scanner

15, The “Ping the remote host” options allow for granular control over Nessus’ ability to ping hosts during discovery scanning. This can be done via ARP ping, TCP ping, ICMP ping, or applicative UDP ping.

16, To scan VMware guest systems, “ping” must disabled. In the scan policy under “Advanced” -> “Ping the remote host”, uncheck TCP, ICMP, and ARP ping. (--why??)

17,Check open TCP ports found by local port enumerators If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).

18, The “Remote web server screenshot” menu enables Nessus to take screenshots to better demonstrate some findings. This includes some services (e.g., VNC, RDP) as well as configuration specific options (e.g., web server directory indexing)

19, Under the “SMB Scope” menu, if the option “Request information about the domain” is set, then domain users will be queried instead of local users.

20, The “SMTP settings” menu specifies options for SMTP (Simple Mail Transport Protocol) tests that run on all devices within the scanned domain that are running SMTP services. E.g. to test relay.

21, "Enable web applications tests"


Monday, 15 September 2014

Comparison of Vulnerability Scanners

Qualys:

All vulnerability tests performed by QualysGuard are non-intrusive in design, architecture and implementation. Their objective is to assess a target system with no impact on its operation or functions to determine if vulnerabilities exist.