Hi,

First of all, thanks for the new SYN scanner - it is 3-4 times faster than an NMAP SYN scan. However, it does appear quite inaccurate. In multiple tests against a host running ssh, http, https the SYN scanner only detected https - even though a tcpdump during the portscan for packets with SA flags set showed responses from ssh and https (not http however):
# tcpdump 'tcp[13] = 0x12 and src host 10.10.0.10'
tcpdump: listening on eth0
10:09:56.602170 10.10.0.10.ssh > 10.10.0.2.60954: S 4081817627:4081817627(0) ack 3117034878 win 57344 <mss 1460>
10:09:58.696109 10.10.0.10.https > 10.10.0.2.4702: S 3240161090:3240161090(0) ack 1610656235 win 57344 <mss 1460>

Using nmap as the SYN scanner gave accurate results, matching the tcpdump output:

# tcpdump 'tcp[13] = 0x12 and src host 10.10.0.10'
tcpdump: listening on eth0
10:11:00.771970 10.10.0.10.http > 10.10.0.2.47792: S 1118785711:1118785711(0) ack 2540869317 win 57344 <mss 1460>
10:11:23.995632 10.10.0.10.https > 10.10.0.2.47791: S 2666482224:2666482224(0) ack 3111011811 win 57344 <mss 1460>
10:11:24.296284 10.10.0.10.ssh > 10.10.0.2.47791: S 3784483774:3784483774(0) ack 3111011811 win 57344 <mss 1460>

The results were consistent during 3 test runs. All tests ran on Red Hat 7.3 running Nessus 1.3.4 against a FreeBSD 4.6 host.

Tests against a Windows 2000 host showed similar results - while the SA-flagged packets were being sent by the target (as seen using tcpdump), the SYN scanner was not picking up on them, and only saw 4 out of 7 open ports. Nmap correctly saw 7 open ports.

Thanks.

-----Original Message-----
From: Renaud Deraison [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 3:21 PM
To: [EMAIL PROTECTED]
Subject: Nessus 1.3.4 is available

I'm pleased to announce the availability of Nessus 1.3.4, which should be the last 1.3.x version (meaning that I consider it as being stable and I'm waiting on users' feedback to declare it stable enough to be called "Nessus 2.0.0").

I sent a request for missing features on the nessus devel list today, and I'm re-iterating it: if you think this version of Nessus is lacking something critical, let me know NOW. Hopefully the lifetime of Nessus 1.3.4 should be short (one or two weeks), and I expect to release Nessus 2.0.0 afterwards.

So:
- Try this version
- Torture it
- Let me know what goes wrong for you with it.
What has changed between Nessus 1.3.4 and 1.3.3:

. changes by Renaud Deraison (deraison at nessus.org)
- Re-written the process manager for the hosts
- Lots of bugfixes in the plugins text store manager
- New port scanner "synscan" which uses the RTT of the packets to do its job.
- Fixed several small issues in nasl and nessusd (bug fixes, code cleanup)
- Added cryptographic hashing functions in NASL
- Added the function get_kb_list() which returns the content of a KB without forking the plugin
- Updated the manpages of nessusd and nasl

. changes by Michel Arboi (mikhail at nessus.org)
- Fixed scanner_get_port() when running in standalone mode
- Fixed possible uninitialized memory issues in libnasl
- Started to write the NASL2 reference guide (to be found in libnasl/doc/)

This release can be found at:
ftp://ftp.nessus.org/pub/nessus/unstable/nessus-1.3.4/
http://www.nessus.org/experimental.html
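The cross-check the reporter performs above (compare the ports that answered SYN/ACK on the wire against what the scanner reported) as an added example, not code from the post or from Nessus: it shows why `tcp[13] = 0x12` selects SYN/ACK replies, parses tcpdump lines in the format quoted above, and lists the open ports the scanner missed. The capture text is a constructed sample copied from the first run in the post; `synack_ports` and `missed_ports` are names chosen here.

```python
import re

# Constructed sample: SYN/ACK replies captured during the synscan run with
# tcpdump 'tcp[13] = 0x12 and src host 10.10.0.10' (same line format as the post).
CAPTURE = """\
tcpdump: listening on eth0
10:09:56.602170 10.10.0.10.ssh > 10.10.0.2.60954: S 4081817627:4081817627(0) ack 3117034878 win 57344 <mss 1460>
10:09:58.696109 10.10.0.10.https > 10.10.0.2.4702: S 3240161090:3240161090(0) ack 1610656235 win 57344 <mss 1460>
"""

# Flag bits of the byte at offset 13 of the TCP header; tcp[13] in a BPF filter.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def flag_byte(*names):
    """Value of tcp[13] when exactly the named flags are set (SYN+ACK -> 0x12)."""
    return sum(TCP_FLAGS[name] for name in names)

# Matches "<time> <src-ip>.<port-or-service> > <dst-ip>.<port>: S <seq>:<seq>(0) ack <n> ..."
LINE_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): S \d+:\d+\(\d+\) ack \d+"
)

def synack_ports(capture, target):
    """Ports on `target` that answered with SYN/ACK, as tcpdump labels them."""
    ports = set()
    for line in capture.splitlines():
        match = LINE_RE.match(line)
        if match and match.group("src") == target:
            ports.add(match.group("sport"))
    return ports

def missed_ports(capture, target, scanner_reported):
    """Open ports visible on the wire that the scanner failed to report."""
    return synack_ports(capture, target) - set(scanner_reported)

if __name__ == "__main__":
    # The post's synscan run reported only https; the capture shows ssh replied too.
    print("SYN/ACK filter byte: 0x%02x" % flag_byte("SYN", "ACK"))
    print("missed by scanner:", sorted(missed_ports(CAPTURE, "10.10.0.10", ["https"])))
```

A port label is whatever tcpdump printed, so run tcpdump with `-n` if you want numeric ports instead of service names from /etc/services.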
