Penetration Testing mailing list archives
Re: Nessus, Harmful?
From: Jonathan Cran <jcran () 0x0e org>
Date: Mon, 1 Feb 2010 14:59:02 -0500
disclaimer, i work for rapid7, but if you're looking into nessus, you should check out nexpose community edition: http://www.rapid7.com/vulnerability-scanner.jsp.

agreed with most of the comments above. there's a lot of "it depends" comments, which should give you an indication. The commercial vulnerability scanners (nexpose, nessus, qualys, saint etc) have dealt with this problem by disabling dangerous checks by default. it's not /likely/ that you'll take anything down with default settings.

To respond to the vuln-scanning vs pentesting question, nexpose is a vulnerability scanner ( albeit, a good one :p ), but it doesn't get the depth of a pen test. - one useful thing, it can re-use credentials found via one vector in another vector. For example, if creds are found via brute forcing an SSH login, those credentials will then also be submitted to other vectors such as HTTP / telnet / etc. - this will get more depth than the majority of automated tools.

In short, vulnerability scanning is often used in pentesting to quickly gather information about a network, but no automated device is going to get you the same depth or accuracy as a person pentesting.

jcran

-- Jonathan Cran jcran () 0x0e org 515.890.0070

On Fri, Jan 29, 2010 at 4:21 AM, rajat swarup <rajats () gmail com> wrote:
Also post this question to the Nessus mailing list...you'll definitely get some good responses from Michel Arboi and the likes.

On Fri, Jan 29, 2010 at 1:58 AM, Himanshu Goyal <idhimanshu () gmail com> wrote:

There are a few plugins for destructive attacks like DOS in NESSUS. You need to make sure that they are unchecked before running the scan.

Regards,
Himanshu

On Fri, Jan 29, 2010 at 3:45 AM, Shohn Trojacek <trojacek () gmail com> wrote:

Hello,

I've brought down my fair share of devices using Nessus, so I would always advise the client as to the residual risk and if possible try to do this under a change request. Generally, I ask that a couple people be clued into my activities, but not to tell the entire IT department so as to spoil the testing if this is on a penetration test. I've had good success when running safe checks, disable DoS, etc.

Once, several years ago I had hacked up nessus a bit into what could only be described as a "scanning cluster". I found that I was able to reboot Cisco catalyst switches about every 10 minutes when I had 16 machines running scans in parallel. This is an extreme example though. I've had other scanners including various Web app scanners bring things down too.

In some cases, I had a replication of the production environment and then scanned the "mock" production environment when availability was more concerning than confidentiality. Generally, I've found it better to just be straightforward and honest about the risks and this calms people. If you seem skittish, they will be too.

Godspeed,
Shohn

On Wed, Jan 6, 2010 at 11:17 PM, Zaki Akhmad <zakiakhmad () gmail com> wrote:

Hello,

I want to do a nessus scanning, but before I'd like to know is nessus scanning harmful? Because I don't want to make the server down.

Thanks!
-- Zaki Akhmad

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------

-- Rajat Swarup http://rajatswarup.blogspot.com/