[Full-Disclosure] Microsoft Scanning Tool, Parameterhandling

[Carsten Kiess]

Hello,   anyone already used the Scanning Tool from MS? ( http://www.microsoft.com/downloads/details.aspx?FamilyID=c8f04c6c-b71b-4992-91f1-aaa785e709da&DisplayLang=en ) a) The download has the same name as the patch, minor but may be irritating and b) it seems to reverse the input parameters (see below) and c) can maybe somebody explain why it scans an IP-Range which is not in the specified bounds in either case? Specification is:   Targets can take any of the following forms:       a.b.c.d             - IP address     a.b.c.d-i.j.k.l     - IP address range     a.b.c.d/mask        - IP address with CIDR mask     host                - unqualified hostname     host.domain.com     - fully-qualified domain name     localhost           - check local machine   What it actually does is:   C:\Programme\KB823980Scan>kb823980scan 213.196.135.1-213.169.135.2 <=== Input Parms 1   Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86 Copyright (c) Microsoft Corporation 2003. All rights reserved.   <+> Starting scan (timeout = 5000 ms)   Checking 213.169.135.2 - 213.196.135.1               <=== That's what it takes for scanning .... 213.169.135.42: connection to tcp/135 refused     <=== These are the results for try 1 213.169.135.87: connection to tcp/135 refused 213.169.135.84: connection to tcp/135 refused 213.169.135.81: connection to tcp/135 refused 213.169.135.85: connection to tcp/135 refused 213.169.135.82: connection to tcp/135 refused 213.169.135.86: connection to tcp/135 refused ^C C:\Programme\KB823980Scan>kb823980scan 213.196.135.2-213.169.135.1 <=== Input Parms 1   Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86 Copyright (c) Microsoft Corporation 2003. All rights reserved.   <+> Starting scan (timeout = 5000 ms)   Checking 213.169.135.1 - 213.196.135.2             <=== That's what it takes for scanning .... 213.169.135.42: connection to tcp/135 refused    <=== These are the results for try 1 213.169.135.85: connection to tcp/135 refused 213.169.135.82: connection to tcp/135 refused 213.169.135.86: connection to tcp/135 refused 213.169.135.87: connection to tcp/135 refused 213.169.135.84: connection to tcp/135 refused 213.169.135.81: connection to tcp/135 refused ^C C:\Programme\KB823980Scan>   and d) a log-file did not show up in the current directory as documented (not on the html-page supplied but as pgm-help when calling w/o parms), but maybe it must be explicitly requested ...   Did I get something wrong? Nervous, tense, tired? <g> And last:   "Targets can be specified on the command line & in user-specified input files. ... kb823980scan will create a list of vulnerable systems (unpatched as well as those with KB823980 installed) in the current working directory. This file should be fed as input to the autopatching script that you write. This file will be named "Vulnerable.txt" by default. Its name can be changed with the /o switch."   Hm. Could be used the other way round ... Has anybody ever heard of "speeding up" a worm? Somebody who could be interested to "sideattack" a specific site?       Carsten