RE: Question on root credentials for scanning

["Hung Lee" <hlee () xogrp com>]

I believe that Shobana is referring to the fundamental difference
between network-based scanning vs. host-based scanning.

Think of it this way - You go to a doctor and ask him "Tell me if I have
cancer just by looking at me, and don't take any blood samples or stuff
like that b/c that's too intrusive."  The doctor will probably look at
you like you're crazy.  Same thing with network-based scanning vs.
host-based scanning.  This is what Mikhail meant by "inside" your hosts.
This principle also applies to firewalls, ESX/ESXi hosts, and for that
matter, any server (physical or virtual) and network appliances.

Hope this clarifies.  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Mikhail A. Utin
Sent: Thursday, September 22, 2011 2:11 PM
To: Shobana Narayanaswamy; security-basics () securityfocus com
Subject: RE: Question on root credentials for scanning

You would need to be more specific to get info you are looking for.
If you use Nmap, yes you need to start it under root (Linux/Unix)
account. Use nmapfe, and will learn faster. Plus, it will warn you about
the account.
If you mean vulnerability scanners, for Windows OS you need domain admin
level account to get "inside" your network Windows hosts.

Mikhail A. Utin, CISSP
Information Security Analyst

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Shobana Narayanaswamy
Sent: Thursday, September 22, 2011 11:59 AM
To: security-basics () securityfocus com
Subject: Question on root credentials for scanning

Hi:

I am a newbie to security and scanning. Here is my question:

Do you generally need root credentials in order for the scan to produce
detailed results? When I run a scan without root credentials, it comes
up very little info. However, when I supply root credentials, I get
several useful reports. It appears that the scanner detects the OS
version and other s/w component versions only if it is provided root
access.

Thanks


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide
we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

CONFIDENTIALITY NOTICE: This email communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above. If you are not the intended
recipient, you are hereby notified that you have received this
communication in error and that any review, disclosure, dissemination,
distribution or copying of it or its contents is prohibited. If you have
received this communication in error, please reply to the sender
immediately or by telephone at (617) 426-0600 and destroy all copies of
this communication and any attachments. For further information
regarding Commonwealth Care Alliance's privacy policy, please visit our
Internet web site at http://www.commonwealthcare.org.



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide
we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------

This email (and any attachments) is the property of XO Group Inc. or one of its subsidiaries. It is intended only for 
the person(s) to which it is addressed and may contain information that is privileged, confidential or otherwise 
protected from disclosure. Distribution or copying of this email or the information contained herein by anyone other 
than the intended recipient(s) is strictly prohibited. If you are not an intended recipient and have received this 
email in error, please notify the sender immediately by replying to this email and destroy all electronic and paper 
copies of this message.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------