Wednesday, Sep 16, 2009

Corrections and Questions about Nessus on Securabit

*Update* I can't say with 100% certainty that Nessus ever used NMAP as its base scanner; I was going off of memory. I apologize for not being perfect.

*Update 2* Since people can't seem to let it go, I would say that I was totally wrong and that nmap was absolutely never used in nessus ever, but then I would be caught in another absolute that I can't confirm. According to their wiki, the nmap nasl scripts were taken out because people were No, I haven't listened to the latest episode of Securabit in which Paul comes on and talks about Nessus. If he states in there that nmap was never the port scanning engine for nessus, then please go bug him if you think he is wrong.

*Update 3* Ron Gula of Tenable has confirmed via email that Nessus has never used nmap as its base scanner. Also, Attrition.org posted a bit of history on the subject: http://attrition.org/misc/ee/nessus_and_nmap.html

On Securabit Episode 37, I made the statement that some people could be running nmap and not even know it. While this could still hold true, the context I put around it, "Nessus uses nmap for scanning", showed my years a bit. That statement is now a falsehood. Nessus uses its own "optimized" port scanner. I put quotes around the word "optimized" simply because I don't know what tweaks have been done. Paul Asadoorian from PaulDotCom Security Weekly sent an email into Securabit letting us know of the error.

I didn't take the news very gallantly, but Paul was nice enough to lay out how someone would go about using nmap with Nessus these days. Those steps are pretty drawn out too, which I find kinda disheartening: not only do you not have nmap as your base port scanner, but the NASL scripts to use nmap are no longer included in the base install of Nessus (according to Paul; I haven't confirmed that, but he does work for the company). And who knows why they decided to leave those scripts out, but you will have your chance to ask those questions because Paul will be on Securabit LIVE tonight to tie up any loose ends and talk about Nessus tonight at 8 PM EST (September 16th 2009).

For more info about tonight's show:
http://www.securabit.com/2009/09/15/securabit-live-wednesday-with-paul-asadoorian-from-pauldotcom/

Reader Comments (3)

[...] This post was mentioned on Twitter by grecs. grecs said: NESSUS CORRECTION: @room362 / @mubix notes correction on Nessus using NMAP fr Securabit podcast. http://ow.ly/pFFH #novablogger [...]

Hey Mubix,

First, thanks for posting the correction! To answer your question about why the Nmap plugins are not included in the feed, I will refer to the documentation page on this topic:

http://www.nessus.org/documentation/index.php?doc=nmap-usage

It explains, in some level of detail, about the integration of Nmap and Nessus and why the scripts are not included by default. Essentially:

"Nessus is optimized to work with "plugins", which are updated daily and distributed with the Nessus feed. Plugins are implemented in such a way that there is no memory utilization required to launch them -- the NASL interpreter is optimized in such a way that launching a plugin only uses several kilobytes. The operating system is not involved when a plugin is created, which makes the process of execution fast and efficient.

However, since Nmap is an external application, Nessus calls it by launching a special plugin which actually executes the nmap binary, which is a costly operation. To make things worse, in the Nessus architecture each plugin is in charge of ONE host. This means that if you have configured Nessus to scan forty hosts at a time, then there will be forty instances of Nmap running in memory."

Thanks!

Cheers,
Paul

September 16, 2009 | Unregistered Commenter Paul Asadoorian

It's OK Rob, if someone had asked me I would have said the same thing.

For fun, I did find this old image from a securityfocus article that shows nmap in the scan options tab... one could see where the confusion could come in.

http://www.securityfocus.com/pen-test/images/nessus9.jpg

It is first on the list...

October 1, 2009 | Unregistered Commenter CG
