Hmmm.  Absolutely right.  I hadn't thought about the application level and
had mostly ignored the RTT as too hard to do.

I will do a NASL hack of the TCP Ping for myself and then look at the
problem again.  Maybe we can come up with something that works better for
all.

Dion


-----Original Message-----
From: H D Moore
To: Dion Stempfley; '[EMAIL PROTECTED]'
Sent: 3/6/2002 7:02 PM
Subject: Re: TCP_Ping modification

On Wednesday 06 March 2002 05:13 pm, Dion Stempfley wrote:
> I am going to make a modification to the tcp ping capability to
> support a list of destination ports.

The entire host detection process in Nessus is horribly inaccurate and
non-robust. I ended up taking the host detection, rtt calculation (more
on this later), and the port scanning completely out of Nessus.


What Nessus Should Do (TM):


1. Take the entire list of targets and break them into reasonable sized
chunks, each chunk being processed in a different thread/process. The
number of chunks depends on the total number of hosts and the system
resources of the scanning machine.

2. Iterate through a large number of ping_* checks and record how the
host was found in the KB. The RTT time for the ping should also be
recorded now. The ping checks will start off with icmp and iterate
through all types in order of less commonality, removing the targets off
a stack as it finds them. The ping types which should be used are (in
order): icmp, tcp-syn (a dozen+ ports), tcp-ack,
application-layer-queries. For the last ping type (application), this
entails actually sending a UDP BOOTP, DNS, NTP, SNMP packet and looking
for a response indicating that the host is alive.

3. Now that the RTT and ping_type has been determined for every host,
the scanner should now be able to portscan at a much faster (and more
accurate) rate. The rule of thumb I use is the RTT * 1.5 + 60ms and pass
that to nmap --max_rtt_timeout for the host. This allows you to scan
firewalled machines incredibly fast with nmap...

4. At this point, we have a list of alive hosts, their RTT times, and
the ports open on them. When a destructive plugin (or any other for that
matter) is called, the original ping_type can be called for the host to
determine if it's still online or not.


The above process is a PITA to implement in NASL, maybe even impossible.
I have some code semi-working which does the host-detection stuff in C
(pcap/libnet), but I am still at a loss to figure out how to integrate
the rest of it into Nessus. Everything listed above (plus a ton of
networking monitoring and firewall penetration stuff) has already been
implemented, but as a preprocessor to the input files for Nessus. I
imagine quite a few other people do it the same way, but it's high time
we get together and put this functionality back into the actual
scanner ;)
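Added example (not code from the thread, Nessus or nmap) of the staged host detection described in steps 2 and 3 above: ordered ping types, a stack of unfound targets, a KB entry per host recording ping_type and RTT, and the RTT * 1.5 + 60ms value for nmap --max_rtt_timeout. Raw icmp/syn/ack pings need privileges, so the one stage implemented here is an unprivileged TCP-connect probe; the port list and the loopback demo target are constructed, and any other stage (icmp, application-layer) is just another (name, probe) pair passed in.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed port list for the tcp stage (the thread says "a dozen+ ports").
DEFAULT_TCP_PORTS = [22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]

def tcp_connect_ping(host, ports=DEFAULT_TCP_PORTS, timeout=1.0):
    """RTT in seconds to the first port that proves the host is up, else None.
    A completed connect (SYN-ACK) or a refusal (RST) both count; silence does not."""
    for port in ports:
        start = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
            return time.monotonic() - start
        except ConnectionRefusedError:
            return time.monotonic() - start
        except OSError:  # timed out, unreachable or filtered: try the next port
            continue
    return None

def max_rtt_timeout_ms(rtt_seconds):
    """The message's rule of thumb: RTT * 1.5 + 60 ms, for nmap --max_rtt_timeout."""
    return round(rtt_seconds * 1000 * 1.5 + 60)

def detect_hosts(targets, stages, workers=8):
    """Run the ping stages in order, pop found targets off the stack and record
    ping_type and RTT per host so a plugin can re-ping the same way later.
    stages: ordered (ping_type, probe) pairs, probe(host) -> rtt seconds or None."""
    kb, remaining = {}, list(targets)
    for ping_type, probe in stages:
        with ThreadPoolExecutor(max_workers=workers) as pool:
            results = list(zip(remaining, pool.map(probe, remaining)))
        remaining = []
        for host, rtt in results:
            if rtt is None:
                remaining.append(host)  # fall through to the next ping type
            else:
                kb[host] = {"ping_type": ping_type, "rtt": rtt,
                            "max_rtt_timeout_ms": max_rtt_timeout_ms(rtt)}
    return kb, remaining

if __name__ == "__main__":
    # Constructed targets: a loopback listener, and 192.0.2.1 (RFC 5737) which never answers.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    stages = [("tcp-connect", lambda h: tcp_connect_ping(h, [srv.getsockname()[1]], 0.5))]
    print(detect_hosts(["127.0.0.1", "192.0.2.1"], stages))
```

The second element of the returned pair is the stack of targets no stage could find; everything in the KB carries the ping_type to reuse for the step 4 liveness recheck.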
