Re: Scanning XP SP2

On Wed Jan 25 2006 at 07:53, Marc Haber wrote:

> That sounds like a sensible thing to do.

Until we change the (quick) C TCP ping (in a future 2.2.7?), you'll
have to use "extended" as the port range to get this (the new
ping_host will be fetched ny nessus-update-plugins). if this is too
slow, you can set your own shorter range, like "80,139,445,2869".

> A well-behaved router will return "host unreachable" on a ping to a
> dead host (since there won't be an ARP reply), while a host filtering
> ICMP echo request packets would result in no answer at all (router
> ARPs, gets an answer (hence, no "host unreachable" to the scanner),
> sends out the ping, no answer). Would it be possible for nessus to
> take advantage of that behavior?

Nice idea, but unrealiable, I'm afraid.
You probably can use this method to establish a list of alive hosts,
by doing any kind of double check you need, and then feed the list
into Nessus.

> However, if the gateway to the network with the filtering host is not
> well-behaved, we're lost again. And most routers rate limit "host
> unreachable" packets, so this method is flawed as well.

Right. I don't think this should be automated.
Another problem is that some firewalls answer with any kind of ICMP to
filtered ports, but some ports may still be open.
e.g. you send an ICMP echo to a firewalled web server, you get "host
unreachable". But if you send a TCP SYN to 80, you'll get a SYN ACK

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus