From my experience, using a sniffer is the *only* way you will get the
definitive answer to what ISS Internet Scanner actually does.

Queries to ISS get rapid acknowledgement, but then go into a black hole:

26 June 2002: "As soon as we have additional updates/details to provide to
you, we will be in touch." (Last message sent by ISS on sequence number
predictability, still waiting!)

Or don't have many details or certainty:
  "While I cannot give you exactly how Internet Scanner performs the check
due to its proprietary nature, I can give you a general idea of how the
check works."
  "As far as we can tell, if we find .ASP files on your website, then first
we get the file (for example foo.exe) and store it in a buffer. Then we get
the file's data stream (for example, foo.asp::$DATA), and see if it is
different. If it's not the same as foo.asp, then it's probably the source of
the .asp file, and you're vulnerable. If foo.asp::$DATA is the same as
foo.asp, then you're not vulnerable." (Reply to why a vulnerability was not
reported by ISS.)

Personally I use both ISS Internet Scanner and Nessus. To me, the ability to
read the test code in Nessus is very valuable, and you can easily run
individual tests. 

Andrew Yeomans

-----Original Message-----
From: Neth Six [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2003 02:10
To: [EMAIL PROTECTED]
Subject: [ISSForum] Reply with a bad sequence to a DNS server was made
and accepted


Hi everyone,

I did a scan on my DNS using Internet Scanner and the following
vulnerability was reported:

dns-badseq (198)                                 Low Risk 
                                                                       
A reply with a bad sequence to a DNS server has been made

Description:
An attempt to send a reply to a DNS (Domain Name System) server with a bad
sequence number has been made. DNS servers should not accept out of
sequence replies.

Platforms Affected:
DNS Any version

Remedy:
Update your DNS server.

I believe this vulnerability implies that the DNS server is susceptible to
DNS cache poisoning i.e. make a DNS query to the DNS server and then flood
the DNS server with spoofed replies.  Am I right?

I would like to verify whether it's a false positive.  In order to do that
I need to understand how Internet Scanner checked for this vulnerability,
e.g. send a DNS query for www.xxx.com, flood the DNS with DNS replies for
www.xxx.com, check the reply from the DNS server to see if it is the
'poisoned' entry.

Please correct me if I'm wrong but I don't think Internet Scanner allows me
to check how it probes for vulnerabilities.  If so, can someone enlighten
me as to how I can verify this?  Does anyone know how Internet Scanner checks
for this vulnerability?  Using a sniffer is one way but it's way too
troublesome for a non-technical person.

Thanks.

soon hin

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo

