Bugtraq mailing list archives

Re: ISS Internet Scanner Cannot be relied upon for conclusive


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 10 Feb 1999 19:59:29 +1100


In some mail from der Mouse, sie said:
[...]
Surely this is a bit of a no-brainer - why not just try the exploit and
see if it works?  That's certainly what an attacker will do.

Let me hit you with another suggestion: if you know something about a
box which suggests that an attack won't work, why try it ?

This is the flip side of the problem with the "ioslogin" check.

Why do it at all ?  Well, when you've got X number of hours/days to get
a job done, you want it to be time well spent.

For example, if I do a port scan and cannot connect to the smtp port
and later amongst the list of things to check are various sendmail
bugs, should I still try them ?

The expectation is that if a service is meant to be available, that it
will at any time of a scan.  If a service is not available then more than
likely there is no point making further advanced checks.

My take on this current problem is that ISS doesn't gain enough intelligence
before deciding to ignore the "ioslogin" problem.  The original poster
mentioned that the system was vulnerable (although not if he exploited it
from the same machine/ip# as the scan) and according to David, it bases
its decision on an SNMP reply.  Well, SNMP is often turned off, and I
would have hoped that for this check it could have applied the results
of the "telnet" check (which would be a definite prerequisite for this
one) where the banner has been captured.  Cisco "telnet banners" are
fairly distinctive.

Last time I had to use either Ballista/ISS I found numerous problems
which I related back to various people (they need beta testers to
be able to use proper licenses with them, not just localhost).

Darren
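The argument in the post above is a scheduling rule for a scanner: run an expensive or intrusive check only when the cheaper evidence already gathered (port scan, captured banner) says it is worth the time, and do not gate on something like an SNMP reply that is often simply absent. The following is an added example, not code from this post and not ISS or Ballista logic: a small Python model of that gating for a hypothetical scanner. Every check name, port, banner string and host record in it is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HostFacts:
    """Results of the cheap, early phases of a scan for one host (constructed)."""
    open_ports: set = field(default_factory=set)   # from the port scan
    banners: dict = field(default_factory=dict)    # port -> banner captured by the telnet check
    snmp_answered: bool = False                    # did the box answer SNMP at all?


@dataclass
class Check:
    """An advanced check plus the evidence it needs before it is worth running."""
    name: str
    port: int                                  # the service the check would talk to
    banner_contains: Optional[str] = None      # substring the captured banner must contain
    needs_snmp: bool = False                   # gate on an SNMP reply (the design the post criticises)


def prerequisites_met(check: Check, facts: HostFacts):
    """Return (run, reason).

    run=False means "not worth the scan time", never "the host is safe":
    a skipped check produces no finding either way, so the reason is recorded.
    """
    if check.port not in facts.open_ports:
        return False, f"port {check.port} was closed in the port scan"
    if check.needs_snmp and not facts.snmp_answered:
        return False, "no SNMP reply (SNMP is often simply turned off)"
    if check.banner_contains is not None:
        banner = facts.banners.get(check.port, "")
        if check.banner_contains.lower() not in banner.lower():
            return False, f"banner on port {check.port} does not mention {check.banner_contains!r}"
    return True, "prerequisites met"


def plan_scan(checks, facts):
    """Partition checks into the ones to run and the ones skipped, with a reason per skip."""
    run, skipped = [], {}
    for check in checks:
        ok, why = prerequisites_met(check, facts)
        if ok:
            run.append(check.name)
        else:
            skipped[check.name] = why
    return run, skipped


# Constructed check catalogue: several sendmail checks that need port 25, and two
# variants of a Cisco-specific telnet check, one gated on SNMP and one on the banner.
CHECKS = [
    Check("sendmail-check-1", port=25),
    Check("sendmail-check-2", port=25),
    Check("cisco-telnet-check (SNMP-gated)", port=23, needs_snmp=True),
    Check("cisco-telnet-check (banner-gated)", port=23, banner_contains="cisco"),
]

# Constructed host resembling the post's case: smtp closed, telnet open with a
# distinctive (here, made-up) banner, SNMP not answering.
ROUTER = HostFacts(
    open_ports={23},
    banners={23: "constructed-cisco-style-banner\r\nPassword: "},
    snmp_answered=False,
)

if __name__ == "__main__":
    to_run, skipped = plan_scan(CHECKS, ROUTER)
    print("run:", to_run)
    for name, why in skipped.items():
        print(f"skip {name}: {why}")
```

Against the constructed router, the two sendmail checks are skipped because port 25 was closed, the SNMP-gated variant is skipped because SNMP never answered (the false negative the post complains about), and only the banner-gated variant runs. Recording the skip reason matters: a report that says "not tested because port closed" is a different statement from "tested and not vulnerable".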
