[unisog] OS Vuln Scanners

jonesy jonemark at isu.edu
Thu May 8 16:03:42 GMT 2008


You might want to start "light" and use Nmap to map out your subnets
first: "nmap -sP subnet/00" will get you a basic host detection. Then
ramp up from there to find open service ports on just those hosts you
find "alive" with increasingly larger guns (more aggressive nmap
scans and larger nessus scans). (Nmap.org is your friend.)

Nessus also now contains a CLI tool called "nessuscmd" which can act  
as a test bed for certain nessus plugins.

I would contact the admins for the machines in question and talk with  
them, as a courtesy, about the scans. I would be hesitant to give  
them a certain time as, in my experience, they just turn the machines  
off or make them unavailable during the scan, mucking up the work  
you're trying to do.

jonesy

Mark Jones
ITS - Idaho State University


On May 8, 2008, at 6:00 AM, unisog-request at lists.dshield.org wrote:
>
> Date: Wed, 7 May 2008 13:14:42 -0400
> From: "Nipper, Johnny R." <Nipperj at uncw.edu>
> Subject: Re: [unisog] OS Vuln Scanners
> To: "UNIversity Security Operations Group" <unisog at lists.dshield.org>
> Message-ID:
> 	<F68B99A3CB5A764EBAB65292104BC70E178C0AAD at UNCWMAILVS2.dcs.uncw.edu>
> Content-Type: text/plain;	charset="iso-8859-1"
>
> Hello all,
>
> We are a new security department in the beginning stages of  
> discovering vulnerabilities as well as rogue servers on our  
> network.  We are discovering as we go and learning from our  
> mistakes.  One issue we are tackling is departmental servers  
> outside of our central IT.  We do not have a comprehensive list of  
> every system.  I have been using different techniques for  
> discovering servers and working with each administrator  
> individually to do routine scans.  Recently we began running Nessus  
> on the entire network one subnet at a time.  During this time,  
> systems have crashed with our "safe scan" option set.  This  
> undoubtedly helps us discover systems as well as vulnerabilities,  
> but in the meantime this causes issues.  We would like to notify  
> departmental administrators prior to each scan.  Our issue is, we  
> did not previously know about these systems.
>
> We have already sent out a communiqué with a protocol for every  
> administrator to run scans on their system and report them to the  
> security department.  The ones that are having issues now are  
> systems that were not disclosed during our initial request several  
> months ago.
>
> How would everyone tackle this situation?  Would you send out a  
> communication to the entire campus in advance for all scans?  When  
> would you run your scans?  Do you make this part of your change  
> control procedure?  Any help would be very appreciated.
>
> Thanks,
> Johnny
>
>
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of
> BACHAND, Dave (Info. Tech. Services)
> Sent: Wednesday, April 23, 2008 10:17 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] OS Vuln Scanners
>
> Hello-
>
> We use Nessus to scan the entire university frequently.  The freeware
> version is the same as the paid commercial version, except that the
> signatures are delayed on the free one.  All that said, it's an
> extremely useful tool, and is not very hard to use.
>
> One thing I like is the "safe checks" flag.  IE for Internet facing
> services, we probe it more harshly, whereas for more protected
> services we can scale back the aggressiveness.  But beware that
> "safe checks off" can and will wax a weakly configured system. :-)
>
>
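
Added example, not part of the original messages: the "start light" step from the first reply, turning the grepable output of a ping sweep ("nmap -sP -oG -") into a live-host list for the next stage and a list of live hosts missing from the known inventory. The sweep output, addresses, inventory and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a ping sweep into (1) a live-host list for the next,
# heavier scan stage and (2) a list of hosts missing from the inventory.

# Constructed sample of `nmap -sP -oG -` output; 192.0.2.0/24 is a
# documentation range, not a real campus subnet.
sample_sweep() {
cat <<'EOF'
# Nmap (constructed sample) scan initiated as: nmap -sP -oG - 192.0.2.0/28
Host: 192.0.2.1 (gw.example.edu)	Status: Up
Host: 192.0.2.4 ()	Status: Up
Host: 192.0.2.7 (lab-print.example.edu)	Status: Up
Host: 192.0.2.9 ()	Status: Down
# Nmap done (constructed sample)
EOF
}

# Constructed inventory: hosts that administrators have already disclosed.
sample_inventory() {
    printf '%s\n' 192.0.2.1 192.0.2.7
}

# live_hosts: read grepable output on stdin, print each "Up" address once.
live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' | sort -u
}

# undisclosed FILE: read live addresses on stdin, print those not in FILE.
# -x and -F force whole-line, literal matching, so an inventory entry of
# 192.0.2.1 does not also hide 192.0.2.10.
undisclosed() {
    grep -vxF -f "$1" || true
}

inv=$(mktemp)
sample_inventory > "$inv"
echo "Live hosts (targets for the next stage, e.g. via nmap -iL):"
sample_sweep | live_hosts
echo "Live but not in inventory (contact the owner before scanning harder):"
sample_sweep | live_hosts | undisclosed "$inv"
rm -f "$inv"
```
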

