WDauphinee_at_managedops.com
Date: Wed Oct 09 2002 - 09:13:59 CDT


    Is it a true statement that Internet Scanner is not effective for external
    vulnerability scans? Is nessus better suited to external scans or does it
    have the same limitations? I'd appreciate any feedback on these or other
    tools that those listening have used to accomplish thorough external
    vulnerability scans. It seems that nmap combined with nessus is what most
    use. I've also seen stake using TyphonII from NGSSoftware (originally
    Cerberus Internet scanner). However, they were initiating scans from an
    internal segment as well. I basically want to see my network as an attacker
    would from the outside first, then move to the inside view. I want to be
    thorough yet have the ability to perform this type of assessment efficiently
    (mid size range in a reasonable period of time).
     

    -----Original Message-----
    From: Evans, Mark [mailto:EvansMritchie.disa.mil]
    Sent: Tuesday, October 08, 2002 8:26 AM
    To: 'Frataccia, Rick'; Evans, Mark; 'WDauphineemanagedops.com';
    issforumiss.net
    Subject: RE: [ISSForum] Internet Scanner & RDP (TCP 3389)

    The scan if ping fails is only relative if ICMP is disabled or absorbing the
    requests. ISS will scan all selected key ranges regardless of the PING
    response. Very long. Port scanning has nothing to do with this. We've looked
    at the ISS port scanning with sniffers a lot, and it does do the scans,
    provided the range is increased. The services file only looks for
    comparative responses. The admin rights have nothing to do with the port
    scan either. It is required for most checks, but this is a vulnerability
    assessment tool, not an exploitation tool. Running with admin privs gets rid
    of most false positives, and more importantly, false negatives.
     
     
     
     -----Original Message-----
    From: Frataccia, Rick [mailto:RICK.FRATACCIABELLSOUTH.COM]
    Sent: Tuesday, October 08, 2002 7:11 AM
    To: 'Evans, Mark'; 'WDauphineemanagedops.com'; issforumiss.net
    Subject: RE: [ISSForum] Internet Scanner & RDP (TCP 3389)

        Even if you increase the port scan options to include 1 - 65535,
    Internet Scanner does not perform a complete port scan. This particular
    piece has been broken since the 5.x release (which is when I noticed it, but
    may have been longer). Anyway, another configuration change required is in
    the Tools pull down menu, select Options, and turn on the options for:
        Scan if ping fails
        Always run Checks
     
        Something else that needs to be noted is that a large number of checks
    require Administrative privileges on the systems you are scanning (not the
    scanner). This is another flaw, as Administrative rights are not needed to
    exploit the vulnerabilities.
     
        The configuration change will increase the time for the scan to
    complete. Also, continue to use NMAP, it's a solid tool!! Take a look at
    Nessus as well, http://www.Nessus The side by side
    comparison will amaze you..
     

    -----Original Message-----
    From: Evans, Mark [mailto:EvansMritchie.disa.mil]
    Sent: Monday, October 07, 2002 1:23 PM
    To: 'WDauphineemanagedops.com'; issforumiss.net
    Subject: RE: [ISSForum] Internet Scanner & RDP (TCP 3389)

    You need to increase the port range under TCP Services. By default, IS only
    scans the well-known port range (0-1024).

    -----Original Message-----
    From: WDauphineemanagedops.com [mailto:WDauphineemanagedops.com]
    Sent: Monday, October 07, 2002 9:29 AM
    To: issforumiss.net
    Subject: [ISSForum] Internet Scanner & RDP (TCP 3389)

    Does anyone know what you have to enable in the Internet Scanner Policy to
    detect the RDP service (TCP 3389)? I scanned a range with nmap and it
    detected RDP running on a few hosts. However, an Internet Scanner scan of
    the same range didn't pick it up. I would expect it to be listed under the
    services tab? Is it possible that Internet Scanner is looking for the
    actual service while nmap is just seeing the open port?
     
    Wade Dauphinee
    wdauphineemanagedops.com

     
