The 'Set Preferences' area allows the user to configure the scanning options of particular vulnerability tests; login and password details for target servers and services; and other general options regarding the HackerGuardian scan engine.

HackerGuardian Set Preferences

Click on the links below to find out more about each preference.

Cleartext protocols settings

Set clear text credentials to perform local security checks:

Cleartext Protocol Settings

Do not scan fragile devices

Define which types of hosts can or cannot be scanned:

Do Not Scan Fragile Devices

This script creates a user interface in the 'Preferences' section of the client letting users enable or disable certain categories of network devices and hosts from being scanned.

  • Network printers : It is usually a good idea to avoid scanning a network printer. Scanning a network printer is likely to cause it to print random data, thus wasting paper and harming the environment.
  • Novell Netware : Older versions of Novell Netware do not withstand a vulnerability scan. Please read http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972443.htm before doing a vulnerability scan against a Novell server.

Global variable settings

This test configures miscellaneous global variables for Nessus scripts. It does not perform any security check but may disable or change the behaviour of others.
Network Security Threat Level: None

HTTP login page

Login through HTTP page. This script logs onto a web server through a login page and stores the authentication / session cookie.

HTTP Login Page

  • Login page: - If the HTTP server on the target requires authentication, this option would specify the HTTP path (not the file system path) of the login page. HackerGuardian will use this page to authenticate to the HTTP server before performing testing.
  • Login form: - If the HTTP server on the target requires authentication, this option would specify the HTTP form for login. Nessus will use this information to authenticate to the HTTP server before performing testing.
  • Login form fields: - If the HTTP server on the target requires authentication, this option would specify the form field names for login. HackerGuardian will use this information to authenticate to the HTTP server before performing testing. The %USER% and %PASS% variables are defined in the Prefs - Login configurations - HTTP account and HTTP password sections.
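How the three options above fit together, as an added example that is not HackerGuardian or Nessus code: the field template is expanded with percent-encoded credentials, posted to the login form, and the returned session cookie is kept for later requests. The path, field names, host and cookie are constructed sample values.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote_plus

# Constructed sample values; none of these come from the product documentation.
LOGIN_FORM = "/account/login.php"               # "Login form" (HTTP path)
FORM_FIELDS = "login=%USER%&password=%PASS%"    # "Login form fields"


def fill_form_fields(template, user, password):
    """Expand %USER% and %PASS% in a 'Login form fields' template."""
    # Percent-encode both values so that '&', '=' or '%' inside a password
    # cannot split or extend the form body. Encoding also turns a literal
    # "%PASS%" typed as the user name into "%25PASS%25", so the second
    # replace() cannot expand it.
    return (template.replace("%USER%", quote_plus(user))
                    .replace("%PASS%", quote_plus(password)))


def build_login_request(host, login_form, template, user, password):
    """Return the raw HTTP/1.1 POST that submits the login form."""
    body = fill_form_fields(template, user, password)
    head = [
        f"POST {login_form} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('ascii'))}",
        "Connection: close",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


def session_cookies(set_cookie_headers):
    """Collect cookies from Set-Cookie header values, with their flags."""
    jar = {}
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = {
                "value": morsel.value,
                # A session cookie without Secure can travel over plain
                # HTTP, just like the credentials that produced it.
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return jar


if __name__ == "__main__":
    print(build_login_request("www.example.test", LOGIN_FORM, FORM_FIELDS,
                              "auditor", "p&ss=w0rd%"))
    print(session_cookies(["PHPSESSID=k3v9q1; Path=/; HttpOnly"]))
```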

Hydra (NASL wrappers options)

This plugin sets options for the hydra(1) tests. Hydra attempts to discover passwords using brute force.

Hydra: Cisco enable

This option enables integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack Cisco authentication.

Hydra: Cisco Enable

Hydra: HTTP

This option enables integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack HTTP authentication.

Hydra HTTP

Hydra: HTTP proxy

This option enables integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack HTTP proxy authentication.

Hydra HTTP Proxy

Hydra: LDAP

This option enables integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack LDAP authentication.

Hydra LDAP

Hydra: Postgres

This option enables integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack Postgres authentication.

Hydra Postgres

Hydra: SAP R3

This option enables integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack SAP R3 authentication.

Hydra SAP R3

Hydra: SMB

This option enables Nessus integration with the THC Hydra network authentication brute force cracker. Enabling this option will cause Hydra to attempt to brute-force crack SMB (SAMBA, Windows file sharing) authentication.

Hydra SMB

Kerberos configuration

This test lets a user enter information about the Kerberos server which will be queried by some scripts (SMB at this time) to log into the remote hosts.

Kerberos Configuration

Login configurations

Provide the username/password for the common servers :
HTTP, FTP, NNTP, POP2, POP3, IMAP and SMB (NetBios).

Some tests will use those logins when needed. If you do not fill in some logins, those tests will not be able to run.

This test does not do any security check.

Login Configurations

  • HTTP Account : The login name used for authenticating to the HTTP server on the target. It supplies the %USER% variable. Nessus will use this information to authenticate to the HTTP server before performing testing.
  • HTTP Password (sent in clear) : The password for the login name specified in the HTTP Account field. It supplies the %PASS% variable. Nessus will use this information to authenticate to the HTTP server before performing testing.
  • NNTP account : NNTP account option specifies the username of the NNTP account used to login to the target for NNTP testing.
  • NNTP password (sent in clear) : NNTP password option specifies the password of the NNTP account used to login to the target for NNTP testing.
  • FTP account : FTP account option specifies the username of the FTP account used to login to the target for FTP testing.
  • FTP password (sent in clear) : FTP password option specifies the password of the FTP account used to login to the target for FTP testing.
  • FTP writeable directory : During FTP testing, the scanner tries to detect writable directories and/or upload test files to the FTP server. The directory specified here will be used as the upload/writable directory on the target FTP server.
  • POP2 account : This option specifies the username of the POP2 account used to login to the target for POP2 testing.
  • POP2 password (sent in clear) : This option specifies the password of the POP2 account used to login to the target for POP2 testing.
  • POP3 account : This option specifies the username of the POP3 account used to login to the target for POP3 testing.
  • POP3 password (sent in clear) : This option specifies the password of the POP3 account used to login to the target for POP3 testing.
  • IMAP account : This option specifies the username of the IMAP account used to login to the target for IMAP testing.
  • IMAP password (sent in clear) : This option specifies the password of the IMAP account used to login to the target for IMAP testing.
  • SMB account : Specify the global user name of the account which has read-only registry rights to all the servers in the domain, in order to audit the primary Domain Controller.
  • SMB password : Specify the password of the global account which has read-only registry rights to all the servers in the domain, in order to audit the primary Domain Controller.
  • SMB domain (optional) : Specify the domain name to audit the primary Domain Controller.
  • Never send SMB credentials in clear text : This option encrypts the credentials, namely SMB account, SMB password and SMB domain. These credentials are otherwise sent in clear text.
  • Only use NTLMv2 : This option will cause the scanner to only use the NTLMv2 protocol for all SMB testing. Enable this option only if the target network is configured to support NTLMv2. Otherwise, enabling this option may cause Nessus to be unable to authenticate to the Windows domain and could cause some vulnerabilities to be missed.
  • SNMP community (sent in clear) : The community name specified here is passed to the snmpwalk command to try and gather information about the target via SNMP.

WARNING! Beware that the password specified here will be sent in clear text over the network during testing.

Misc information on News server

Misc Information On News Server

  • From address : During NNTP testing, Nessus will attempt to post test articles to news groups through the target NNTP server. The value specified here will be used as the From address in these test postings.
  • Test group name regex : During NNTP testing, Nessus will attempt to post test articles to news groups through the target NNTP server. The value specified here will be used as a regular expression match to find the names of news groups for posting test messages.
  • Max crosspost : During NNTP testing, Nessus will attempt to post test articles to news groups through the target NNTP server. The value specified here will be used as the maximum number of cross-posts Nessus should attempt during NNTP testing.
  • Local distribution : During NNTP testing, Nessus will attempt to post test articles to news groups through the target NNTP server. If this option is enabled, Nessus will attempt to limit test NNTP postings for local distribution on the target NNTP server only.
  • No archive : During NNTP testing, Nessus will attempt to post test articles to news groups through the target NNTP server. If this option is enabled, Nessus will attempt to have the test NNTP postings not archived.

Nessus TCP scanner

Nessus TCP Scanner

Nikto (NASL wrapper)

Force full (generic) scan - this option is used with the Nikto.pl CGI vulnerability scanning option within Nessus. Enabling this option will cause Nessus to pass the -generic option to Nikto when it is called. This forces a full scan rather than trusting the Server: identification string, as many servers allow this to be changed.

Nmap (NASL wrapper)

Nmap (NASL Wrapper)

  • Connect() : If the nmap port scanner is selected, this option uses the TCP connect() method for the port scan. This option is similar to the "Scan Options - Port Scanner - TCP connect() scan" option. Enabling either option will generate the same results. The only difference is that this option uses nmap to port scan, while the other option does the port scan directly from Nessus. Enabling both options is not necessary - it would simply cause the target host to be port scanned twice. Doing so would also make the scan take significantly longer to complete.
  • SYN scan : If the nmap port scanner is selected, this option uses the SYN scan method for the port scan. This option is similar to the "Scan Options - Port Scanner - SYN scan" option. Enabling either option will generate the same results. The only difference is that this option uses nmap to port scan, while the other option does the port scan directly from Nessus. Enabling both options is not necessary - it would simply cause the target host to be port scanned twice. Doing so would also make the scan take significantly longer to complete.
  • FIN scan : If the nmap port scanner is selected, this option uses the FIN scan method for the port scan.
  • Xmas Tree scan : If the nmap port scanner is selected, this option uses the Xmas Tree scan method for the port scan.
  • SYN FIN scan : If the nmap port scanner is selected, this option uses the SYN FIN scan method for the port scan.
  • FIN SYN scan : If the nmap port scanner is selected, this option uses the FIN SYN scan method for the port scan.
  • Null scan : If the nmap port scanner is selected, this option uses the Null scan method for the port scan.
  • UDP port scan : If the nmap port scanner is selected, this option enables UDP port scanning.
  • Service scan : If the nmap port scanner is selected, this option enables the Nmap service fingerprinting techniques by passing the -sV flag to Nmap when it is called.
  • RPC port scan : If the nmap port scanner is selected, this option enables RPC port scanning.
  • Identify the remote OS : If the nmap port scanner is selected, this option enables fingerprinting the operating system (OS) of the target host.
  • Use hidden option to identify the remote OS : If the nmap port scanner is selected, this option enables the "--osscan_guess" or "--fuzzy" command-line options when nmap is called. If nmap attempts to fingerprint the target's operating system, and is unable to correctly identify it, these options will cause nmap to be more aggressive in trying to identify the remote OS. This option should now be deprecated, as nmap now attempts to guess the remote OS automatically if a good fingerprint match is not discovered. Nessus also has built-in OS fingerprinting (os_fingerprint.nasl). Consider using this plugin in Nessus - it should be less intrusive to the target host.
  • Fragment IP packets (bypasses firewalls) : If the nmap port scanner is selected, this option causes nmap to fragment IP packets during the port scan in an attempt to bypass some firewall devices.
  • Get Identd info : If the nmap port scanner is selected, this option enables RPC identd scanning.
  • Do not randomize the order in which ports are scanned : If the nmap port scanner is selected, this option tells Nmap NOT to randomize the order in which ports are scanned.
  • Source port : If the nmap port scanner is selected, this option sets the source port number used in scans.
  • Auto (nessus specific) : In addition to the Nmap built-in timing policies, Nessus also provides this "auto" policy. Selecting this option causes Nessus to run some network tests on the target attempting to discover its response characteristics. Based on these tests, Nessus will create a custom Nmap timing policy for the target.
  • Normal : If the nmap port scanner is selected, this option enables the "Normal" timing policy for the port scanning.
  • Insane : If the nmap port scanner is selected, this option enables the "Insane" timing policy for the port scanning.
  • Aggressive : If the nmap port scanner is selected, this option enables the "Aggressive" timing policy for the port scanning.
  • Polite : If the nmap port scanner is selected, this option enables the "Polite" timing policy for the port scanning.
  • Sneaky : If the nmap port scanner is selected, this option enables the "Sneaky" timing policy for the port scanning.
  • Paranoid : If the nmap port scanner is selected, this option enables the "Paranoid" timing policy for the port scanning.
  • Custom : If the nmap port scanner is selected, this option enables a custom timing policy for the port scanning.
  • Host Timeout(ms) : When the "Custom Timing Policy" is selected for the nmap port scanner, this option specifies the amount of time Nmap is allowed to spend scanning a single host before giving up on that IP. The default timing mode has no host timeout.
  • Min RTT Timeout(ms) : When the "Custom Timing Policy" is selected for the nmap port scanner, this option specifies the minimum round-trip time (RTT) per nmap probe packet.
  • Initial RTT Timeout(ms) : When the "Custom Timing Policy" is selected for the nmap port scanner, this option specifies the initial probe timeout. This is generally only useful when scanning firewalled hosts with -P0. Normally Nmap can obtain good RTT estimates from the ping and the first few probes. The default mode uses 6000.
  • Ports Scanned in parallel(max) : Specifies the maximum number of scans Nmap is allowed to perform in parallel. Setting this to one means Nmap will never try to scan more than 1 port at a time. It also affects other parallel scans such as ping sweep, RPC scan, etc.
  • Minimum wait between probes(ms) : When the "Custom Timing Policy" is selected for the nmap port scanner, this option specifies the minimum amount of time Nmap must wait between probes. This is mostly useful to reduce network load or to slow the scan way down to sneak under IDS thresholds.
  • File containing grepable results : This option will look to the specified file for the results of the nmap port scan. Thus, Nessus will not launch nmap, but rather read a file containing the results of a previously-run nmap session. The act of generating this nmap result file must be done manually, before running the Nessus scan.
  • Data Length : Normally Nmap sends minimalistic packets that only contain a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. This option tells Nmap to append the given number of random bytes to most of the packets it sends. OS detection (-O) packets are not affected, but most pinging and portscan packets are. This slows things down, but can be slightly less conspicuous.
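For the "File containing grepable results" option, it helps to check a saved file before handing it to the scanner. The parser below is an added example, not Nessus or HackerGuardian code. It reads Nmap's grepable (-oG) output and lists the open ports per host; the sample lines are constructed.

```python
# Constructed sample of Nmap grepable output (fields are tab-separated).
SAMPLE = "\n".join([
    "# Nmap scan initiated (constructed sample header)",
    "Host: 192.0.2.10 (web01.example.test)\tStatus: Up",
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http//Apache httpd/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)",
    "Host: 192.0.2.11 ()\tPorts: 161/open/udp//snmp///",
    "Host: 192.0.2.12 ()\tStatus: Down",
    "# Nmap done (constructed sample footer)",
])


def parse_grepable(text):
    """Return {address: {"status": str or None, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines start with '#'
        # Each tab-separated field has the form "Key: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        entry = hosts.setdefault(addr, {"status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for item in fields.get("Ports", "").split(","):
            # port/state/protocol/owner/service/rpcinfo/version/
            parts = item.strip().split("/")
            if len(parts) < 7 or not parts[0].isdigit():
                continue  # skip empty or malformed entries
            entry["ports"].append({
                "port": int(parts[0]),
                "state": parts[1],
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6],
            })
    return hosts


def open_ports(hosts):
    """Flatten to a sorted list of (address, port, protocol, service)."""
    return sorted(
        (addr, p["port"], p["proto"], p["service"])
        for addr, entry in hosts.items()
        for p in entry["ports"]
        if p["state"] == "open"
    )


if __name__ == "__main__":
    for row in open_ports(parse_grepable(SAMPLE)):
        print(*row)
```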

Oracle settings

Oracle Settings

Ping the remote host

Ping the Remote Host

  • TCP ping destination port(s) : The default TCP ping destination ports are 22;23;80.
  • Do an ARP ping:
  • Do a TCP ping : This option sends a No Operation (noop) command to the target, by which it performs a TCP ping.
  • Do an ICMP ping : This option sends ICMP echo commands.
  • Number of retries (ICMP) :
  • Do an applicative UDP ping (DNS,RPC...)
  • Make the dead hosts appear in the report : The Ping the Remote Host scanner option will cause Nessus to include the target names/target IPs that failed to respond to the pings in the report.
  • Log live hosts in the report : The Log live hosts in the report option will cause Nessus to include the target names/target IPs that successfully responded to the pings in the report.

SMB Scope


Request information about the domain : Checking this option checks the domain user accounts; unchecking it specifies the local user accounts on the target SMB server.

SMB use host SID to enumerate local users

SMB Use Host SID

  • Start UID : Specify the starting user ID of the domain users on the target SMB server.
  • End UID : Specify the ending user ID of the domain users on the target SMB server.

SMTP settings

SMTP Settings

  • Third party domain : During SMTP testing, Nessus may attempt to send and/or relay email through the target SMTP server. The value specified here will be used as the third party domain for these attempts.
  • To address : During SMTP testing, Nessus may attempt to send and/or relay email through the target SMTP server. The value specified here will be used as the To address for these attempts. This field allows a special variable name called AUTO_REPLACED_IP. If used, that name will be automatically expanded to the IP address of the target.

SNMP settings

SNMP Settings

  • Community name : If the "SNMP port scan" option is enabled, the SNMP community name configured here will be used. This community name is passed to the snmpwalk command to try and gather information about the target via SNMP. See the snmpwalk (1) manual page for more information.
  • UDP port : If the SNMP Port Scan option is enabled, this setting specifies which UDP or TCP port will be used to try and gather information from the target via SNMP.

SSH settings

SSH Settings

  • SSH user name : This option is used with the local security checks functions of Nessus. The value specified here will be used as the user name when establishing an SSH connection to the target host to login and perform local security checks.
  • SSH password (unsafe!) : This option is used with the local security checks functions of Nessus. The value specified here will be used as the password when establishing an SSH connection to the target host to login and perform local security checks.
  • SSH public key to use : This option is used with the local security checks functions of Nessus. The value specified here will be used as the public key when establishing an SSH connection to the target host to login and perform local security checks.
  • SSH private key to use : This option is used with the local security checks functions of Nessus. The value specified here will be used as the private key when establishing an SSH connection to the target host to login and perform local security checks.
  • Passphrase for SSH key : This option is used with the local security checks functions of Nessus. The value specified here will be used as the SSH key passphrase when establishing an SSH connection to the target host to login and perform local security checks.

Services


Unknown CGIs arguments torture

Unknown CGIs Arguments Torture

Send POST request : During testing, Nessus will attempt to identify CGIs on the target web server and send arguments to those CGIs to test for vulnerabilities. However, if Nessus is not able to accurately identify a particular CGI on the target web server, it does not always know what arguments the CGI will, or will not, accept. Enabling this option will cause Nessus to blindly send various POST requests to unidentified CGIs in an attempt to discover vulnerabilities.

Web mirroring

Web Mirroring

  • Number of pages to mirror : During HTTP testing, Nessus will attempt to mirror pages from the target web server. This option specifies the number of unique pages that Nessus should attempt to mirror.
  • Start page : During HTTP testing, Nessus will attempt to mirror pages from the target web server. This option specifies the starting HTTP path that Nessus will use to begin mirroring attempts.

Windows File Contents Compliance Checks
