Network Security Nessus-Users
Scanning XP SP2

Subject: Scanning XP SP2
Date: Tue, 24 Jan 2006 10:07:43 -0000
Hello,

I'm interested to see if people concur with what I have found or have
better ideas relating to scanning XP SP2 systems. I'm particularly
interested in finding and scanning XP SP2 systems that do not respond to
ping and also not wasting scanning time on IP addresses that do not
correspond to a live device. (I cannot assume that every device
attached to my network is supposed to be there and registered).

XP SP2 systems by default have the firewall enabled and, as a result of
having the "File and Printer Sharing" configuration checkbox unchecked,
do not respond to ping (the MS way of doing things!). It is however
possible to open a port on such a system to allow remotely initiated
connection to a service running on the system (i.e. expose a potential
vulnerability on a system that does not respond to ping). 

I want to scan my network to find such systems and also check any open
ports for vulnerabilities. If I use the Nessus ping option then XP SP2
systems, such as described above, do not respond and do not get scanned.
If I do not use ping, and use the Nessus built in port scanner, it will
take as long scanning addresses where there really are no systems as
ones where there are (I choose to scan all ports because compromises
often appear as anomalous open ports not highlighted by any Nessus
plug-ins). 

If I do not use ping, and use Nmap to portscan it completes very quickly
where an address does not correspond to a live host. In other words the
Nmap portscan doesn't waste time port scanning "thin air" like the
Nessus built-in one does.

After Nmap has run, whether it scanned a live host or not, some Nessus
plug-in tests run regardless. It seems that although Nmap completes
quickly where there is no live host, it does not convey to Nessus that
there is no point in running any plug-in. (This is the case no matter
which way the "assume unscanned ports are closed" option is set).
Fortunately, however, where the IP address being scanned does not
correspond to a real host the unnecessary Nessus plug-in tests complete
fairly quickly.

As I'm sure everyone is now aware, port scanning XP SP2 systems is far
slower when the Windows firewall is on (which is now sensibly the
default situation). I have found that by tweaking the Nmap timeout and
parallelism settings it is possible to get a seemingly accurate and
reasonably quick portscan done.
 
--
Carl Nelson
Distributed Systems Support Section, Computer Centre, University of
Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
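A small triage step for the workflow described in this post, added here as an example (it is not the poster's code and not part of the thread): it parses Nmap's grepable output (`-oG`) so that only addresses that answered discovery are handed to Nessus, separates hosts that are up but expose nothing (the firewalled XP SP2 case), and flags open ports outside a sanctioned list, which is the "anomalous open port" check the post describes. The sample scan output, the host names and the sanctioned-port set are constructed; the nmap command line quoted in the docstring is an assumed example, not the poster's settings.

```python
"""Triage an Nmap grepable (-oG) run before handing targets to Nessus.

Added example. Assumes a scan such as
    nmap -v -sS -p- -PS80,135,139,445 -oG scan.gnmap 10.0.0.0/29
was run first (the flag choice is an assumption, not from the post).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample of Nmap grepable output (verbose mode, which also
# lists hosts that are down). Not real scan data.
SAMPLE_GNMAP = (
    "# Nmap 4.00 scan initiated Tue Jan 24 10:00:00 2006 as: nmap -v -sS -p- "
    "-PS80,135,139,445 -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 (gw.example)\tStatus: Up\n"
    "Host: 10.0.0.1 (gw.example)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: closed (65533)\n"
    "Host: 10.0.0.2 ()\tStatus: Down\n"
    "Host: 10.0.0.3 (xp-lab-03)\tStatus: Up\n"
    "Host: 10.0.0.3 (xp-lab-03)\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 31337/open/tcp//Elite///\t"
    "Ignored State: filtered (65532)\n"
    "Host: 10.0.0.4 ()\tStatus: Up\n"
    "Host: 10.0.0.4 ()\tPorts: 135/closed/tcp//msrpc///\t"
    "Ignored State: filtered (65534)\n"
    "# Nmap done at Tue Jan 24 10:09:12 2006 -- 8 IP addresses "
    "(3 hosts up) scanned in 552.118 seconds\n"
)

# TCP ports the site expects to see open on workstations/gateways
# (constructed allowlist; adapt to your own environment).
SANCTIONED_TCP_PORTS: Set[int] = {22, 80, 135, 139, 445}

# "Host: <ip> (<name>)<TAB><field>: <value>[<TAB><field>: <value>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# Each port entry: port/state/protocol/owner/service/rpcinfo/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


@dataclass
class HostResult:
    ip: str
    name: str = ""
    status: str = "Unknown"
    open_tcp: Set[int] = field(default_factory=set)
    ignored_state: str = ""  # state Nmap collapsed the unlisted ports into


def parse_gnmap(text: str) -> Dict[str, HostResult]:
    """Merge the per-host Status and Ports lines of a -oG file."""
    hosts: Dict[str, HostResult] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else
        ip, name, rest = m.groups()
        host = hosts.setdefault(ip, HostResult(ip=ip, name=name))
        for fld in rest.split("\t"):
            key, _, value = fld.partition(": ")
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for port, state, proto, _service in PORT_RE.findall(value):
                    if proto == "tcp" and state == "open":
                        host.open_tcp.add(int(port))
            elif key == "Ignored State":
                host.ignored_state = value.split(" ", 1)[0]
    return hosts


def _by_ip(ips) -> List[str]:
    return sorted(ips, key=ipaddress.ip_address)


def nessus_targets(hosts: Dict[str, HostResult]) -> List[str]:
    """Only addresses that answered discovery deserve Nessus plug-in time."""
    return _by_ip(ip for ip, h in hosts.items() if h.status == "Up")


def silent_firewalled(hosts: Dict[str, HostResult]) -> List[str]:
    """Up, but nothing open and the rest filtered: the firewalled XP SP2
    profile. Worth inventorying, but there is no service to test yet."""
    return _by_ip(ip for ip, h in hosts.items()
                  if h.status == "Up" and not h.open_tcp
                  and h.ignored_state == "filtered")


def anomalous_open_ports(hosts: Dict[str, HostResult],
                         sanctioned: Set[int] = SANCTIONED_TCP_PORTS
                         ) -> Dict[str, List[int]]:
    """Open TCP ports outside the allowlist, the kind of finding no Nessus
    plug-in would raise on its own."""
    out: Dict[str, List[int]] = {}
    for ip, h in hosts.items():
        extra = h.open_tcp - sanctioned
        if extra:
            out[ip] = sorted(extra)
    return out


if __name__ == "__main__":
    results = parse_gnmap(SAMPLE_GNMAP)
    print("Nessus targets:", nessus_targets(results))
    print("Up but nothing exposed:", silent_firewalled(results))
    print("Unsanctioned open ports:", anomalous_open_ports(results))
```

The Nessus target list can be written one address per line and fed to the scanner's target file, which avoids the "thin air" plug-in runs the post complains about; the anomaly report is the part a human reviews, since an allowlist miss is usually either an undocumented service or a compromise.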
