George A. Theall wrote:
> On Jun 23, 2008, at 3:21 PM, Roman Medina-Heigl Hernandez wrote:
>
>> I'm trying to scan a host with the default policy. The host is alive and
>> responding to pings. I got no results when scanning with Nessus 3.2.0
>> (Windows). Looking at scan.log (in the "logs" dir), I can see a "remote host
>> is dead". But my question is why? If I run nmap against the host, I can see
>> unprivileged ports open (>1024) and of course it's responding to ping. I
>> also entered 1-65535 in "port scanner range".
>
> Hi Roman.

Hello,

> Is the remote host a printer or some type of multifunction device? By
> default, Nessus will try to identify hosts that are and mark them as
> dead because many such devices don't react very well to scanning, even
> a basic port scan. If so, you can edit the scan policy and check "Scan
> Network Printers" (look on the "Advanced" tab, under "Do not scan
> fragile devices").

No, it's not a multifunction device. Anyway, I had also thought of that
possibility, and had done the following: I created a new policy and marked
the two checks: scan network printer and Novell NetWare hosts. I chose the
new policy and rescanned, with no luck.

Btw, the "do not scan fragile devices" will only appear if you create a new
policy. Why doesn't it appear when editing the default scan policy?

> Also, Nessus doesn't use ICMP pings by default but instead sends TCP
> pings to a limited number of ports. You could either choose to do an
> ICMP ping or make sure that one of the TCP ports you know to be open
> is included in the list of TCP ports to be pinged (look under the
> "Advanced" tab, under "Ping the remote host", "TCP ping destination
> port(s)"). Or you can disable the Ping port scan altogether.

I disabled the ping scan and it didn't work either. But... I re-enabled ping
and checked ICMP ping in advanced options, and now it worked!! I suppose that
Nessus marks a host as dead if all tests failed, and now that ICMP ping is
being checked, the host is no longer marked as dead... is it right?

Anyway, I'm still a bit confused because leaving only the "Nessus TCP
scanner" option marked (thus ping scanner disabled), and changing "port
scanner range" from "default" to 1-65535, the host is still being marked as
dead. What's the exact algorithm to mark a host as dead? And why are those
ports not being used by the TCP scanner?

>> Another question, how could I debug this? If I enable the option to "save a
>> packet capture of the scan", I couldn't find any new log in the logs dir
>> (where should it be placed?)
>
> Unfortunately, Nessus Windows does not have support for saving packet
> captures. I suppose the alternate approach would be to use Wireshark
> alongside Nessus to see what's being sent and what's coming back. If
> my comments above don't help, that is.

Ok, I'll try it. Thanks for your comments, they are helpful.

> Hope this helps,
>
> George

--
Regards,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
