[attrition] Nessus, Harmful?

security curmudgeon jericho at attrition.org
Sun Jan 24 12:01:01 UTC 2010


SecurityFocus sometimes ignores my posts. Apparently they are not deemed 
'helpful', despite a level of honesty most list members aren't used to. 
This post bounced as 'moderator did not act on..' (And Zaki did not reply 
either, what a jerk)

---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: Zaki Akhmad <zakiakhmad at gmail.com>
Cc: pen-test at securityfocus.com
Date: Tue, 12 Jan 2010 09:53:13 +0000 (UTC)
Subject: Re: Nessus, Harmful?


really?

and i say this in the context of many of the replies too. all these years
in the industry, and we're actually discussing this question on such a
basic level? what, is Google broken completely?

On Thu, 7 Jan 2010, Zaki Akhmad wrote:

: I want to do a nessus scan, but before that I'd like to know: is nessus
: scanning harmful? Because I don't want to bring the server down.

yes. running Nessus will not only crash your network, it will sodomize
your sigoth and throw plastic into the pacific ocean while voting for
$political party and killing a baby kitten. (oh don't fret, nmap will do
much worse, just don't ask for permission or about your grandma's virtues)

is this really a serious question? any vulnerability scanner will do what
first.. a port scan? what happens when you plug "port scan dos" in your
favorite VDB?

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=port+scan+dos

six results.. oh, but you don't like CVE?

http://webapp.iss.net/Search.do?keyword=port+scan+dos&searchType=vuln&doSearch.x=0&doSearch.y=0

lots of results.. oh, but you want a more powerful search and more
vulnerabilities than any other VDB?

http://osvdb.org/search?search%5Bvuln_title%5D=port+scan+dos&search%5Btext_type%5D=titles

31 results for "port scan dos"

in case you didn't realize a vuln scanner does a port scan first, you of
course knew they would do a vulnerability scan after.. right? so search
that?

http://osvdb.org/search?search%5Bvuln_title%5D=vulnerability+scan+dos&search%5Btext_type%5D=titles

10 results

Cliff notes?

YES... si.. oui.. ja.. Sim.. Ken.. jes.. hai.. ndiyo..

running ANY scanner (port or vulnerability) against a host has the chance
to crash it. vendors that release crappy software continue to do so, and
don't even run ./nmap or ./nessus against their software before selling it
to customers for tens of thousands of dollars. if you decide to run nmap
against a host, there is a *chance* it will crash it. if you run Nessus
against a host, there is a *chance* it will crash it.

guess what.. if you run *ping* against (or on) the remote host, there is a
chance you crash it:

http://osvdb.org/search?search%5Bvuln_title%5D=ping+dos&search%5Btext_type%5D=titles

seriously, how can anyone not understand this, or fail to find Google
results for related topics?

the fact that nessus actually gives you options to protect against DoS
attacks by not scanning a) printers b) Novell hosts and finally, disabling
DoS attacks or only running "SAFE CHECKS" <- wow... something about that
configuration option stands out. and hey, that is the *friendly* GUI based
options, because nmap assumes the user has SOME clue about security tools
i think. if not, i officially request Fyodor add a --i_cant_google and
--please_dont_crash_host options to nmap in the next version that are
default, and must be overridden by --my_first_time_running_nmap for the
scan to actually happen.

- jericho


p.s. fyodor mugged me for my wallet, true story


