Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Port scan causing system crashes
From: Renaud Deraison <deraison () nessus org>
Date: Thu, 12 Jun 2003 15:01:12 -0400

On Thu, Jun 12, 2003 at 11:55:26AM -0400, Clem Skorupka wrote:

I had a case where an rpc scan using nessus (I forget the particular module or if it was the nmap precursor scan, 
this was a couple of years ago) against some large range of ports knocked out an allegro-based embedded web server on 
a network switch.  It didn't crash this particular switch (though one had to reboot the switch in order to bring back 
the web interface).

The bottom line is that as soon as you start to interfere with another
host, you can never predict how it will react to actions that it has
never been designed to handle, so no scan is totally risk-free[1], and
it's often very hard to find the balance between a 99.9% accurate
security audit and a non-intrusive one. Note that this does not only
affects Nessus+Nmap, but any network vulnerability scanner.

Regarding the port scan itself (which is usually what disrupts the most
services), you may want to try using a SYN scan instead of a full TCP
connect() scanner, this way the remote services will not "know" they are
being scanned and are less likely to crash. But then again, some
printers *hate* SYN scans because their IP stack is poorly written, and
they may crash.

When doing a scan with Nessus for the first time, I recommand the
following settings :

        - Enter "default" as a port range. This will only scan
          ~ 1,500 ports on which services are usually bound to
          (this is equivalent to nmap -F)

        - Use the SYN scanner if you know you're testing a box which
          has a decent IP stack (mostly any non-embedded OS should
          withstand that)

        - Enable the "safe checks" options.

        - In Prefs->Services, change the option "Test SSL based
          services" from "All" to "Known SSL ports". When "All" is
          enabled, Nessus attempts to negociate SSL on every open port, and
          a lot of badly written daemons will hate that (mostly because
          they receive 8bit data and they're not all designed to cope
          with it too well).

If you are scanning an ultra-fragile box, you may also want to :

        - Disable find_service.nes ("Misc.->Services"). This plugin
          attempts to do a Port<->Service mapping the less intrusively
          as possible, but some services may die on that (although it's
          quite rare).

        - Disable port scanning at all.

But keep in mind that your audit won't be as complete as it could be -
it's all a matter of finding the right balance.

                                -- Renaud

[1] Which is why we are working on a non-intrusive passive
vulnerability scanner for the networks/host that can not afford
any disruption.

See http://www.tenablesecurity.com/docs/passive_scanning_tenable.pdf

Renaud Deraison
The Nessus Project


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]