Security Basics mailing list archives
Re: Some Few Doubts on IIS Vuln
From: Charles Otstot <charles.otstot () ncmail net>
Date: Mon, 07 Feb 2005 13:41:15 -0500
I haven't weighed in on this topic up to now, but I haven't seen any responses that address the main requirement for determining whether you are receiving a false positive from a Nessus (or any other) scan:

Know and understand the target system thoroughly. Not knowing how to actually execute an attack against the described hole doesn't mean you should be able to determine whether the scan really found something. While there may be some esoteric vulnerabilities found which you may not be able to adequately decipher on your own, the majority should be easily verifiable. A quick (and admittedly simple) example: one scan I checked (not a Nessus, btw) misidentified the operating system version and declared that the OS was behind on service pack levels. Knowing the current service pack level both for the OS in general and on the target system specifically, it was easy to determine that the "flaw" lay within the scan configuration and not the system. I've seen scans identify vulnerabilities against applications not installed on the target, fail to identify vulnerabilities on applications running on non-standard ports, and more. In no case have I ever had to attempt to create an attack to determine whether the scan was accurate or not. Knowing the target system and the associated vulnerability, in most cases, allows me to separate the wheat from the chaff. In those instances where a result is esoteric enough that I may be unsure, I rely on further research, both on the vulnerability and on the configuration of the target, to help ensure that I make the proper determination of the appropriateness of the scan finding.
Charlie

kaps lock wrote:
Thanks for your reply Dave. Basically I was asking how to determine whether Nessus results are false positives or actual holes in the network. As I perceive it, I think if I craft the same request for an attack, I could decide based on the response whether it's a false positive or not, but I am failing to craft those requests because I don't know how to, like uploading a test.html file and deleting it on a webserver. I have no clue how to craft a request which could actually upload a file and delete it, so basically how can I trust Nessus on that. Then finding the authentication mechanism behind a given SMTP server seems to be a big vulnerability, but how could I determine whether Nessus was right about it or not, because I don't know how I could actually craft a request which would help me determine the authentication mechanism or fail me. Thanks for the pointer on WFetch; it seems like a great tool, but I still need to know 1) a good place where I could learn to craft the same requests as Nessus, seeing results to ascertain whether it is a false positive or not, 2) or if you could teach me a process of how you go about deciding whether a result is a false positive or not.

thanks
kaps

--- dave kleiman <dave () isecureu com> wrote:

Kaps,

You did not specify what you did the Nessus scan on, but I will take a shot that it sounds like IIS5.

1. .IDA ISAPI can be many things; for example, the Index Service running provides for administrative scripts .IDA files. Installing URLScan will block these requests, and provide you with a log of the attempt, therefore you would see what Nessus was attempting. http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-9928-7f94ef1c902a&displaylang=en
2. WFetch will let you do those commands manually: http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e2274263c43/wfetch.exe
3. Since we do not know what mail server or what authentication it uses, this might be difficult.
4. Have you visited the documentation on http://www.nessus.org/ ??

Regards,
____________________________________________
Dave Kleiman, CIFI, CISM, CISSP, ISSMP, MCSE
www.SecurityBreachResponse.com

-----Original Message-----
From: kaps lock [mailto:secnerdkaps () yahoo com]
Sent: Monday, January 31, 2005 12:29
To: security-basics () securityfocus com
Subject: Some Few Doubts on IIS Vuln

hi all,
I did a VA scan using Nessus and need help in the analysis part of it, and in turn to learn more:
1) .IDA ISAPI filter mapped. What does mapped mean? Could anyone tell me what exactly this filter is used for and what a .ida extension is? I mean, I know Code Red and all, but still would like to know what the function of this filter is and what a .ida extension is. An example string... if anyone knows how to test this vuln on a server that I could use as a manual penetration testing tip?
2) If I find a server on which you can successfully upload and delete a file, say test.html, with PUT and DELETE, how could I manually actually do this on the server, basically how to craft that attack or how to go about it?
3) The mail server on a specially crafted GET request reveals the authentication mechanism?? What request by Nessus made this conclusion? Any tips?
4) Too many arguments on the ACCEPT command can crash the server... now this is surely a false positive, but how could I make sure?
thanks all...
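One way to check the PUT/DELETE finding from question 2 against a web server you administer, as an added Python example that is not from this thread (the host, port, marker path and marker body are assumptions): it asks OPTIONS for the advertised methods, attempts a harmless marker PUT, classifies the status code, and removes the marker again if the write succeeded, so the scanner's claim is confirmed or refuted by the server's own responses.

```python
"""Confirm or refute a scanner's 'PUT/DELETE allowed' finding on a host you own."""
import http.client
from typing import Dict, Optional

TEST_PATH = "/scan-check-marker.html"          # constructed marker path (assumption)
TEST_BODY = b"<html>scan verification marker</html>"  # harmless constructed content


def classify_put(status: int) -> str:
    """Map the PUT response code to a verdict.
    200/201/204: the server accepted the write, so the finding is confirmed.
    401/403/405/501: the method was refused, so the finding is likely a false positive.
    Anything else (e.g. 500) needs a look at the server configuration."""
    if status in (200, 201, 204):
        return "confirmed"
    if status in (401, 403, 405, 501):
        return "refused"
    return "inconclusive"


def parse_allow(header: Optional[str]) -> set:
    """Split an OPTIONS 'Allow' header such as 'GET, HEAD, PUT' into method names."""
    if not header:
        return set()
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def verify_put_delete(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, str]:
    """Send OPTIONS, PUT and (only if the PUT succeeded) DELETE, and report each result."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    result: Dict[str, str] = {}
    try:
        conn.request("OPTIONS", "/")
        opt = conn.getresponse()
        opt.read()  # drain the body so the connection can be reused
        result["allow"] = ",".join(sorted(parse_allow(opt.getheader("Allow")))) or "(none)"
        conn.request("PUT", TEST_PATH, body=TEST_BODY, headers={"Content-Type": "text/html"})
        put = conn.getresponse()
        put.read()
        verdict = classify_put(put.status)
        result["put"] = f"{put.status} {verdict}"
        if verdict == "confirmed":  # clean up the marker we just wrote
            conn.request("DELETE", TEST_PATH)
            dele = conn.getresponse()
            dele.read()
            removed = dele.status in (200, 202, 204)
            result["delete"] = f"{dele.status} " + ("removed" if removed else "left in place, remove it manually")
    finally:
        conn.close()
    return result
```

A PUT verdict of "refused" while the Allow header still lists PUT is worth a second look, since the method may be permitted only for some paths or only with authentication.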