Re: Nessus, Harmful?

[Jonathan Cran <jcran () 0x0e org>]

disclaimer, i work for rapid7, but if you're looking into nessus, you
should check out nexpose community edition:
http://www.rapid7.com/vulnerability-scanner.jsp.

agreed with most of the comments above. there's a lot of "it depends"
comments, which should give you an indication. The commercial
vulnerability scanners (nexpose, nessus, qualys, saint etc) have dealt
with this problem by disabling dangerous checks by default. it's not
/likely/ that you'll take anything down with default settings.

To respond to the vuln-scanning vs pentesting question, nexpose is a
vulnerability scanner ( albeit, a good one :p ), but it doesn't get
the depth of a pen test. - one useful thing, it can re-use credentials
found via one vector in another vector. For example, if creds are
found via brute forcing an SSH login, those credentials will then also
be submitted to other vectors such as HTTP / telnet / etc. - this will
get more depth than the majority of automated tools.

In short, vulnerability scanning is often used in pentesting to
quickly gather information about a network, but no automated device is
going to get you the same depth or accuracy as a person pentesting.

jcran

--
Jonathan Cran
jcran () 0x0e org
515.890.0070

On Fri, Jan 29, 2010 at 4:21 AM, rajat swarup <rajats () gmail com> wrote:
> Also post this question to the Nessus mailing list...you'll definitely
> get some good responses from Michel Arboi and the likes.
>
> On Fri, Jan 29, 2010 at 1:58 AM, Himanshu Goyal <idhimanshu () gmail com> wrote:
> > There are few plugins for destructive attacks like DOS in NESSUS. You
> > need to make sure that they are unchecked before running the scan.
> >
> > Regards,
> > Himanshu
> >
> > On Fri, Jan 29, 2010 at 3:45 AM, Shohn Trojacek <trojacek () gmail com> wrote:
> > > Hello,
> > >
> > > I've brought down my fair share of devices using Nessus, so I would
> > > always advise the client as to the residual risk and if possible try
> > > to do this under a change request. Generally, I ask that a couple
> > > people be clued into my activities, but not to tell the entire IT
> > > department so as to spoil the testing if this is on a penetration
> > > test.
> > >
> > > I've had good success when running safe checks, disable DoS, etc.
> > >
> > > Once, several years ago I had hacked up nessus a bit into what could
> > > only be described as a "scanning cluster". I found that I was able to
> > > reboot Cisco catalyst switches about every 10 minutes when I had 16
> > > machines running scans in parallel. This is an extreme example though.
> > >
> > > I've had other scanners including various Web app scanners bring
> > > things down too. In some cases, I had a replication of the production
> > > environment and then scanned the "mock" production environement when
> > > availability was more concerning than confidentiality.
> > >
> > > Generally, I've found it better to just be straight forward and honest
> > > about the risks and this calms people. If you seem skittish, they will
> > > be too.
> > >
> > > Godspeed,
> > >
> > > Shohn
> > >
> > > On Wed, Jan 6, 2010 at 11:17 PM, Zaki Akhmad <zakiakhmad () gmail com> wrote:
> > > > Hello,
> > > >
> > > > I want to do a nessus scanning, but before I'd like to know is it
> > > > nessus scanning harmful? Because I don't want to make the server down.
> > > >
> > > > Thanks!
> > > > --
> > > > Zaki Akhmad
> > > >
> > > > ------------------------------------------------------------------------
> > > > This list is sponsored by: Information Assurance Certification Review Board
> > > >
> > > > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB 
> > > > CPT and CEPT certs require a full practical examination in order to become certified.
> > > >
> > > > http://www.iacertification.org
> > > > ------------------------------------------------------------------------
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification Review Board
> > >
> > > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB 
> > > CPT and CEPT certs require a full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> >
> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB 
> > CPT and CEPT certs require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
>
>
> --
> Rajat Swarup
>
> http://rajatswarup.blogspot.com/
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------



--
Jonathan Cran
jcran () 0x0e org
515.890.0070

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------