Is
it a true statement that Internet Scanner is not
effective for external vulnerability scans? Is nessus better suited
to external scans or does it have the same limitations? I'd appreciate
any feedback on these or other tools that those listening have used to
accomplish thorough external vulnerability scans. It seems that nmap
combined with nessus is what most use. I've also seen @stake using
TyphonII from NGSSoftware (originally Cerberus Internet scanner). However,
they were initiating scans from an internal segment as well.
I basically want to see my network as an attacker would
from the outside first, then move to the inside view. I want to be
thorough yet have the ability to perform this type of assessment efficiently
(mid size range in a reasonable period of time).
-----Original Message-----
From: Evans, Mark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 08, 2002 8:26 AM
To: 'Frataccia, Rick'; Evans, Mark; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Internet Scanner & RDP (TCP 3389)

The "Scan if ping fails" option is only relative if ICMP is disabled or absorbing the requests. ISS will scan all selected key ranges regardless of the PING response. Very long. Port scanning has nothing to do with this. We've looked at the ISS port scanning with sniffers a lot, and it does do the scans, provided the range is increased. The services file only looks for comparative responses. The admin rights have nothing to do with the port scan either. It is required for most checks, but this is a vulnerability assessment tool, not an exploitation tool. Running with admin privs gets rid of most false positives, and more importantly, false negatives.

-----Original Message-----
From: Frataccia, Rick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 08, 2002 7:11 AM
To: 'Evans, Mark'; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Internet Scanner & RDP (TCP 3389)

Even if you increase the port scan options to include 1 - 65535, Internet Scanner does not perform a complete port scan. This particular piece has been broken since the 5.x release (which is when I noticed it, but it may have been longer). Anyway, another configuration change required is in the Tools pull-down menu: select Options, and turn on the options for:

  Scan if ping fails
  Always run Checks

Something else that needs to be noted is that a large number of checks require Administrative privileges on the systems you are scanning (not the scanner). This is another flaw, as Administrative rights are not needed to exploit the vulnerabilities.

The configuration change will increase the time for the scan to complete. Also, continue to use NMAP, it's a solid tool!! Take a look at Nessus as well (http://www.Nessus). The side-by-side comparison will amaze you.

-----Original Message-----
From: Evans, Mark [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 1:23 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Internet Scanner & RDP (TCP 3389)

You need to increase the port range under TCP Services. By default, IS only scans the well-known port range (0-1024).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 9:29 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Internet Scanner & RDP (TCP 3389)

Does anyone know what you have to enable in the Internet Scanner Policy to detect the RDP service (TCP 3389)? I scanned a range with nmap and it detected RDP running on a few hosts. However, an Internet Scanner scan of the same range didn't pick it up. I would expect it to be listed under the services tab? Is it possible that Internet Scanner is looking for the actual service while nmap is just seeing the open port?

Wade Dauphinee
[EMAIL PROTECTED]
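The original question in this thread is whether a port scanner merely sees TCP 3389 open while a vulnerability scanner looks for the actual RDP service. The script below is an added example, not code from the thread, from ISS or from nmap: it connects to the port, sends the first message an RDP client sends (an X.224 Connection Request inside a TPKT frame, as specified in MS-RDPBCGR) and treats only an X.224 Connection Confirm as proof that RDP is listening. The two loopback listeners, the released "dead" port and the byte strings are constructed for the demo so it runs offline; the function names are the example's own.

```python
"""Report whether RDP actually answers on a port, not just whether it is open.

Added example (not from the ISSForum thread). A port scanner stops at the
TCP handshake; this probe sends the RDP client's opening X.224 Connection
Request (MS-RDPBCGR 2.2.1.1) and looks for an X.224 Connection Confirm.
"""
import socket
import threading

# Hand-assembled X.224 Connection Request in a TPKT frame, carrying an
# RDP_NEG_REQ that asks for standard RDP security (requestedProtocols = 0).
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved 0, total length 19
    "0ee00000000000"    # X.224 CR: LI 14, code 0xE0, dst-ref 0, src-ref 0, class 0
    "0100080000000000"  # RDP_NEG_REQ: type 1, flags 0, length 8, protocols 0
)

# Reply sent by the constructed "RDP" listener below: an X.224 Connection
# Confirm (code 0xD0) with an RDP_NEG_RSP selecting standard RDP security.
X224_CONNECTION_CONFIRM = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved 0, total length 19
    "0ed00000123400"    # X.224 CC: LI 14, code 0xD0, dst-ref 0, src-ref 0x1234, class 0
    "0200080000000000"  # RDP_NEG_RSP: type 2, flags 0, length 8, selected protocol 0
)


def classify_rdp_response(data):
    """'rdp' if data is a TPKT-framed X.224 Connection Confirm, else 'open'.

    An RDP_NEG_FAILURE (type 3) also travels inside an X.224 CC, so a server
    that rejects the requested protocol still identifies itself as RDP.
    """
    if len(data) >= 6 and data[0] == 0x03 and data[1] == 0x00:
        tpkt_len = int.from_bytes(data[2:4], "big")
        if tpkt_len == len(data) and data[5] == 0xD0:
            return "rdp"
    return "open"


def probe_rdp(host, port=3389, timeout=2.0):
    """Return 'closed', 'open' (TCP accepts but no RDP answer) or 'rdp'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"          # refused, unreachable, or filtered (timeout)
    with sock:
        try:
            sock.settimeout(timeout)
            sock.sendall(X224_CONNECTION_REQUEST)
            data = sock.recv(1024)
        except OSError:          # reset or silence after the TCP handshake
            return "open"
        return classify_rdp_response(data)


def start_listener(reply):
    """Constructed loopback listener for the demo; returns (port, socket).

    reply=X224_CONNECTION_CONFIRM imitates an RDP server. reply=None imitates
    some other service that accepts the connection and hangs up: an open
    port with no RDP behind it, which is all a SYN/connect scan can see.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return           # listener closed by demo()
            with conn:
                req = conn.recv(1024)
                # Only confirm a well-formed X.224 CR, as a real server would.
                if reply and len(req) > 5 and req[0] == 0x03 and req[5] == 0xE0:
                    conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo():
    """Probe the three constructed cases and return {case: verdict}."""
    rdp_port, rdp_srv = start_listener(X224_CONNECTION_CONFIRM)
    plain_port, plain_srv = start_listener(None)
    tmp = socket.socket()            # bind and release a port so nothing listens on it
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "rdp listener": probe_rdp("127.0.0.1", rdp_port, timeout=1.0),
            "non-rdp listener": probe_rdp("127.0.0.1", plain_port, timeout=1.0),
            "nothing listening": probe_rdp("127.0.0.1", dead_port, timeout=1.0),
        }
    finally:
        rdp_srv.close()
        plain_srv.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>18}: {verdict}")
```

The three verdicts map onto the thread: a connect or SYN scan (nmap's default) can only tell "nothing listening" from the other two, and a service check has to speak enough RDP to separate "non-rdp listener" from "rdp listener". Both kinds of scan also depend on 3389 being inside the scanned range at all, which is the point made above about Internet Scanner's default 0-1024 port range.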
