• caglararli@hotmail.com
  • 05386281520

Credentialed scanning through SSH tunnel

Çağlar Arlı      -    29 Views

Credentialed scanning through SSH tunnel

If I wish to run Nessus against a Windows server that is only accessible from another machine, I can setup an SSH tunnel like so:

ssh user@10.99.5.6 -L 127.0.0.1:445:10.0.0.45:445 -L 127.0.0.1:139:10.0.0.45:139

Then I would configure Nessus to scan localhost or 127.0.0.1 with credentialed checks, using the Windows admin username and password.

Trouble is that Nessus detects that it has command execution on my local Linux host and mixes the results from the target host with my local host.

Not normally a problem as I should be able to differentiate Linux results from Windows, but just wondered if there was a way to tell Nessus not to query the local machine in the interests of clean separation of results.

Note that limiting the ports to 139 and 445 and setting the Test the local Nessus host setting have no effect on this.