Network Security Nessus-Users
Re: Scanning XP SP2

Subject: Re: Scanning XP SP2
Date: Tue, 24 Jan 2006 15:39:21 +0100
Nelson, C.M. wrote:
Hello,

I'm interested to see if people concur with what I have found or have
better ideas relating to scanning XP SP2 systems. I'm particularly
interested in finding and scanning XP SP2 systems that do not respond to
ping and also not wasting scanning time on IP addresses that do not
correspond to a live device. (I can assume that not every device
attached to my network is supposed to be there and registered).

My suggestion is:

* build a list of "live" systems "outside" of Nessus either using:
- Nmap (in ARP scan mode)
- ping sweep and noting down which IP addresses are available in the ARP cache (note that if the hosts are on your local subnet you can determine they are alive since you should see the answers to ARP queries)
- monitor the network and register systems sending broadcasts: even Windows XP SP2 systems will send broadcast ARP queries when their default router expires from their ARP cache table; they will do even more broadcasts if they are part of a Domain. They will also do broadcasts if they use DHCP (but you will not "see" the answer in most cases, so you will only have the Ethernet address of the host and not its IP address)
- ask your DHCP admin (if using DHCP in your network) for a list of systems that have been given an IP address in whatever time frame you believe is proper
- ask your Domain admin (if using a Domain) to provide you a list of NetBIOS names registered in it (you can then resolve those to IP addresses)


Note1: if you use Nmap for hosts outside your local subnet you cannot tell apart hosts that are not live vs. hosts that are live but are firewalled. For your local subnet, however, Nmap (at least v 3.95) automatically works as an ARP scan (-PR switch flag), that's maybe why it takes less time than Nessus.

Note2: The above only applies if you are running Nmap as root (it has access to raw sockets), otherwise it will use, by default, ICMP probes which take somewhat longer to work through and will *not* detect firewalled hosts.

* use this list to provide a starting point for Nessus for systems to scan.

That should speed up your scans by providing a limited list of IP addresses instead of the whole IP range.

I would be interested to know how you end up doing it, so please share your experience with the list once you've tested this out.

Regards

Javier
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
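The procedure Javier describes (discover live hosts outside Nessus, then hand Nessus a short target list) needs a small glue step: turning Nmap's ARP-scan output and the local ARP cache into one de-duplicated list of addresses. The script below is an added example written for this page; it is not code from the list post or from Nessus or Nmap. It assumes Nmap's grepable output format (`-oG`) and the Linux `ip neigh show` output format, and both sample inputs embedded in it are constructed. Cache entries in the FAILED or INCOMPLETE state are deliberately excluded, because those addresses never answered an ARP request and so are not evidence of a live host; only entries carrying a resolved `lladdr` count.

```python
import ipaddress
import re

# Constructed sample of Nmap grepable output, e.g. `nmap -sn -PR -oG - 192.168.1.0/29`
# run as root on the local subnet (ARP scan). Down hosts appear only with -v.
NMAP_GREPABLE = """\
# Nmap 3.95 scan initiated as: nmap -sn -PR -oG - 192.168.1.0/29
Host: 192.168.1.1 (gw.example.lan)\tStatus: Up
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.4 ()\tStatus: Down
Host: 192.168.1.6 (xp-sp2.example.lan)\tStatus: Up
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Constructed sample of the local ARP/neighbour cache (`ip neigh show`) taken
# right after a ping sweep of the same subnet.
IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
192.168.1.5 dev eth0 lladdr 00:11:22:33:44:05 STALE
192.168.1.6 dev eth0 lladdr 00:11:22:33:44:06 DELAY
192.168.1.7 dev eth0  FAILED
192.168.1.9 dev eth0  INCOMPLETE
fe80::211:22ff:fe33:4401 dev eth0 lladdr 00:11:22:33:44:01 router STALE
"""

# One "Host:" line per scanned address: "Host: <ip> (<name>)<TAB>Status: Up|Down"
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Status:\s+(\w+)")
# Neighbour states that mean "no ARP reply was ever received" for that address.
_DEAD_STATES = {"FAILED", "INCOMPLETE"}


def parse_nmap_grepable(text):
    """Return the set of addresses Nmap reported as Up; comment lines ('#') are skipped."""
    up = set()
    for line in text.splitlines():
        match = _HOST_RE.match(line)
        if match and match.group(2) == "Up":
            up.add(match.group(1))
    return up


def parse_ip_neigh(text, ipv4_only=True):
    """Return addresses that have a resolved link-layer entry in the neighbour cache.

    An entry without 'lladdr', or in FAILED/INCOMPLETE state, never answered ARP
    and is therefore not counted as a live host.
    """
    alive = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[-1] in _DEAD_STATES or "lladdr" not in fields:
            continue
        addr = ipaddress.ip_address(fields[0])
        if ipv4_only and addr.version != 4:
            continue
        alive.add(str(addr))
    return alive


def build_target_list(*sources):
    """Merge per-source host sets into one sorted, de-duplicated list (one target per line)."""
    merged = set().union(*sources)
    return sorted(
        merged,
        key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))),
    )


def write_targets(path, targets):
    """Write the list one address per line, the form Nessus accepts as a target file."""
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")


if __name__ == "__main__":
    targets = build_target_list(parse_nmap_grepable(NMAP_GREPABLE), parse_ip_neigh(IP_NEIGH))
    print("\n".join(targets))
```

Feeding the resulting file to Nessus in place of the whole range is the speed-up the post describes; the ARP-cache source catches hosts such as 192.168.1.5 in the sample, which answered ARP during the ping sweep but might not have been in the Nmap run, while the Down and FAILED entries are left out. The same caveat as in Note1 applies: this only tells live from dead on the local subnet, where ARP is visible.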
