Now that's organized thought!

> ----- Original Message -----
> From: "H D Moore" <[EMAIL PROTECTED]>
> To: "Dion Stempfley" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, March 06, 2002 6:02 PM
> Subject: Re: TCP_Ping modification
>
> On Wednesday 06 March 2002 05:13 pm, Dion Stempfley wrote:
> > I am going to make a modification to the tcp ping capability to support a
> > list of destination ports.
>
> The entire host detection process in Nessus is horribly inaccurate and
> non-robust. I ended up taking the host detection, rtt calculation (more on
> this later), and the port scanning completely out of Nessus.
>
> What Nessus Should Do (TM):
>
> 1. Take the entire list of targets and break them into reasonable sized
> chunks, each chunk being processed in a different thread/process. The number
> of chunks depends on the total number of hosts and the system resources of
> the scanning machine.
>
> 2. Iterate through a large number of ping_* checks and record how the host
> was found in the KB. The RTT time for the ping should also be recorded now.
> The ping checks will start off with icmp and iterate through all types in
> order of less commonality, removing the targets off a stack as it finds them.
> The ping types which should be used are (in order): icmp, tcp-syn (a dozen+
> ports), tcp-ack, application-layer-queries. For the last ping type
> (application), this entails actually sending a UDP BOOTP, DNS, NTP, SNMP
> packet and looking for a response indicating that the host is alive.
>
> 3. Now that the RTT and ping_type has been determined for every host, the
> scanner should now be able to portscan at a much faster (and more accurate)
> rate. The rule of thumb I use is the RTT * 1.5 + 60ms and pass that to nmap
> --max_rtt_timeout for the host. This allows you to scan firewalled machines
> incredibly fast with nmap...
>
> 4. At this point, we have a list of alive hosts, their RTT times, and the
> ports open on them. When a destructive plugin (or any other, for that matter)
> is called, the original ping_type can be called for the host to determine if
> it's still online or not.
>
> The above process is a PITA to implement in NASL, maybe even impossible. I
> have some code semi-working which does the host-detection stuff in C
> (pcap/libnet), but I am still at a loss to figure out how to integrate the
> rest of it into Nessus. Everything listed above (plus a ton of networking
> monitoring and firewall penetration stuff) has already been implemented, but
> as a preprocessor to the input files for Nessus. I imagine quite a few other
> people do it the same way, but it's high time we get together and put this
> functionality back into the actual scanner ;)
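To make the four steps in the quoted message concrete, here is an added example that is not Nessus code and not the C/pcap preprocessor the message describes. It simulates the staged host discovery in Python: targets are chunked across worker threads, each chunk is walked through the probe types in the stated order (icmp, tcp-syn, tcp-ack, application) with found hosts popped off the stack, the finding ping_type and RTT are stored in a KB, the per-host nmap timeout is derived with the RTT * 1.5 + 60ms rule of thumb, and liveness is re-checked later with the original ping_type. The network is replaced by a constructed table so it runs offline; `FAKE_NETWORK`, `probe()` and the other helper names are assumptions made for this example, and the `--max_rtt_timeout` argument is emitted in milliseconds as the 2002-era flag quoted in the message took it.

```python
"""Staged host discovery as sketched in the message (added example, not Nessus
code).  The network is simulated with constructed probe results so it runs
offline; in a real tool probe() would send ICMP echo, TCP SYN/ACK or UDP
application queries (BOOTP/DNS/NTP/SNMP) via pcap/libnet."""
from concurrent.futures import ThreadPoolExecutor
from itertools import islice

# Probe order from the message: most commonly answered type first.
# (The "dozen+ ports" of the tcp-syn stage is collapsed into one probe type here.)
PING_ORDER = ("icmp", "tcp-syn", "tcp-ack", "application")

# Constructed network: host -> (set of ping types it answers, RTT in ms).
# Assumption for the example; not real hosts.
FAKE_NETWORK = {
    "10.0.0.1": ({"icmp", "tcp-syn", "tcp-ack"}, 12.0),
    "10.0.0.2": ({"tcp-syn"}, 85.0),       # ICMP filtered, a TCP port listens
    "10.0.0.3": ({"tcp-ack"}, 40.0),       # stateless filter lets ACK through
    "10.0.0.4": ({"application"}, 210.0),  # only answers a UDP DNS/SNMP query
    "10.0.0.5": (set(), None),             # dead or fully filtered
}


def probe(host, ping_type):
    """Simulated probe: RTT in ms if the host answers this ping type, else None."""
    answers, rtt = FAKE_NETWORK.get(host, (set(), None))
    return rtt if ping_type in answers else None


def chunk(targets, size):
    """Step 1: split the target list into fixed-size chunks, one per worker."""
    it = iter(targets)
    while True:
        block = list(islice(it, size))
        if not block:
            return
        yield block


def detect_hosts(targets):
    """Step 2: walk the probe types in PING_ORDER over a stack of targets,
    popping each target as soon as one probe type gets an answer.
    Returns a KB dict: host -> {"ping_type": str, "rtt_ms": float}."""
    kb = {}
    stack = list(targets)
    for ping_type in PING_ORDER:
        remaining = []
        for host in stack:
            rtt = probe(host, ping_type)
            if rtt is None:
                remaining.append(host)
            else:
                kb[host] = {"ping_type": ping_type, "rtt_ms": rtt}
        stack = remaining
        if not stack:  # every target found; skip the less common probe types
            break
    return kb


def max_rtt_timeout_ms(rtt_ms):
    """Step 3: the rule of thumb from the message, RTT * 1.5 + 60ms."""
    return rtt_ms * 1.5 + 60.0


def nmap_args(host, entry):
    """Per-host nmap argument list using the derived timeout (milliseconds)."""
    timeout = int(max_rtt_timeout_ms(entry["rtt_ms"]))
    return ["nmap", "--max_rtt_timeout", str(timeout), host]


def still_alive(host, kb):
    """Step 4: re-check liveness with the ping type that originally found the host."""
    entry = kb.get(host)
    if entry is None:
        return False
    return probe(host, entry["ping_type"]) is not None


def run_discovery(targets, chunk_size=2, workers=4):
    """Process each chunk in its own worker thread and merge the per-chunk KBs."""
    kb = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for partial in pool.map(detect_hosts, chunk(targets, chunk_size)):
            kb.update(partial)
    return kb


if __name__ == "__main__":
    kb = run_discovery(list(FAKE_NETWORK))
    for host, entry in sorted(kb.items()):
        print(host, entry["ping_type"], entry["rtt_ms"], " ".join(nmap_args(host, entry)))
    print("10.0.0.5 alive:", still_alive("10.0.0.5", kb))
```

The order of `PING_ORDER` matters for the KB: 10.0.0.1 is recorded as found by icmp even though it would also answer tcp-syn, so a later liveness re-check uses the cheapest probe that worked, while 10.0.0.4 only ever shows up once the application-layer stage runs.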
