Nelson, C.M. wrote:
Hello,
I'm interested to see if people concur with what I have found or have
better ideas relating to scanning XP SP2 systems. I'm particularly
interested in finding and scanning XP SP2 systems that do not respond to
ping and also not wasting scanning time on IP addresses that do not
correspond to a live device. (I can assume that not every device
attached to my network is supposed to be there and registered).
My suggestion is:
* build a list of "live" systems "outside" of Nessus either using:
- Nmap (in ARP scan mode)
- ping sweep and noting down which IP addresses are available in the
ARP cache (note that if the hosts are on your local subnet you can
determine they are alive since you should see the answers to ARP queries)
- monitor the network and register systems sending broadcasts: even
Windows XP SP2 systems will send broadcast ARP queries when their
default router expires from their ARP cache table, they will do even
more broadcasts if they are part of a Domain. They will also do
broadcasts if they use DHCP (but you will not "see" the answer in most
cases, so you will only have the Ethernet address of the hosts and not
its IP address)
- ask your DHCP admin (if using DHCP in your network) for a list of
systems that have been given an IP address in whatever time frame you
believe is proper
- ask your Domain admin (if using a Domain) to provide you a list of
NetBIOS names registered in it (you can then resolve those to IP addresses)
Note 1: if you use Nmap for hosts outside your local subnet you cannot
tell apart hosts that are not live vs. hosts that are live but are
firewalled. For your local subnet, however, Nmap (at least v3.95)
automatically works as an ARP scan (-PR flag); that's maybe why
it takes less time than Nessus.
Note 2: The above only applies if you are running Nmap as root (it has
access to raw sockets), otherwise it will use, by default, ICMP probes
which take somewhat longer to work through and will *not* detect
firewalled hosts.
* use this list to provide a starting point for Nessus for systems to scan.
That should speed up your scans by providing a limited list of IP
addresses instead of the whole IP range.
I would be interested to know how you end up doing it, so please share
your experience with the list once you've tested this out.
Regards
Javier
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
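The "build the live list outside of Nessus, then feed it in" step above is the part most people end up scripting. The following is an added example (not from the original post or from the Nessus or Nmap projects) that merges two of the sources Javier lists, an Nmap ARP ping sweep in grepable output (`-oG`) and the local ARP cache as printed by `arp -an`, into one de-duplicated target list. The Nmap and ARP output embedded below is constructed sample data; the address ranges, hostnames and MACs are made up. One caveat the parser handles: an `<incomplete>` ARP entry means the query went unanswered, so it is not evidence of a live host and is dropped.

```python
"""Merge 'outside' host-discovery results into a target list for Nessus.

Sources handled (both constructed samples below):
  * Nmap ping sweep with ARP probes, grepable output:
        nmap -sP -PR -oG - 192.168.1.0/29      (older Nmap; newer releases use -sn)
  * the local ARP cache after a ping sweep:  arp -an  (Linux and BSD/macOS formats)
"""
import ipaddress
import re

# Constructed sample of `nmap -sP -PR -oG - 192.168.1.0/29` output.
NMAP_GREPABLE = """\
# Nmap 3.95 scan initiated Thu Jan  1 12:00:00 2006 as: nmap -sP -PR -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.example.test)\tStatus: Up
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.6 ()\tStatus: Down
# Nmap done at Thu Jan  1 12:00:01 2006 -- 8 IP addresses (2 hosts up) scanned in 0.40 seconds
"""

# Constructed sample of `arp -an` (first three lines Linux style, last line BSD/macOS style).
ARP_CACHE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.7) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.9) at <incomplete> on eth0
host12.example.test (192.168.1.12) at 0:11:22:33:44:77 on en0 ifscope [ethernet]
"""

# "Host: <ip> (<name>)<ws>Status: <Up|Down>"
NMAP_HOST_RE = re.compile(r"^Host:\s+(\d+\.\d+\.\d+\.\d+)\s+\(.*?\)\s+Status:\s+(\w+)")
# "(<ip>) at <mac-or-incomplete>" is common to the Linux and BSD arp -an formats
ARP_ENTRY_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at (\S+)")


def parse_nmap_grepable(text):
    """Return the set of addresses Nmap reported with Status: Up."""
    up = set()
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line)
        if m and m.group(2) == "Up":
            up.add(m.group(1))
    return up


def parse_arp_cache(text):
    """Return addresses that have a resolved MAC in the ARP cache.

    An incomplete entry means our ARP query was never answered, so that
    address is *not* evidence of a live host and is skipped.
    """
    live = set()
    for line in text.splitlines():
        m = ARP_ENTRY_RE.search(line)
        if not m:
            continue
        if "incomplete" in m.group(2).lower():
            continue
        live.add(m.group(1))
    return live


def build_target_list(address_sets, in_subnet=None, exclude=()):
    """Merge several live-host sets into one sorted list.

    in_subnet (e.g. "192.168.1.0/24") drops anything outside the range you
    actually intend to scan; exclude drops addresses such as the scanner itself.
    """
    merged = set().union(*address_sets) - set(exclude)
    if in_subnet is not None:
        net = ipaddress.ip_network(in_subnet, strict=False)
        merged = {ip for ip in merged if ipaddress.ip_address(ip) in net}
    return sorted(merged, key=ipaddress.ip_address)


def nessus_target_text(targets):
    """One address per line, ready to paste into the Nessus target list or save as a target file."""
    return "\n".join(targets) + "\n"


if __name__ == "__main__":
    sources = [parse_nmap_grepable(NMAP_GREPABLE), parse_arp_cache(ARP_CACHE)]
    print(nessus_target_text(build_target_list(sources, in_subnet="192.168.1.0/24")), end="")
```

In practice you would replace the two embedded strings with the real command output (for example via `subprocess.run`), and pass the scanner's own address in `exclude`. Adding the DHCP lease list and the resolved NetBIOS names from the post is just two more sets passed to `build_target_list`.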