Bugtraq mailing list archives
Re: ISS Internet Scanner Cannot be relied upon for conclusive
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 10 Feb 1999 19:59:29 +1100
In some mail from der Mouse, sie said: [...]
Surely this is a bit of a no-brainer - why not just try the exploit and see if it works? That's certainly what an attacker will do.
Let me hit you with another suggestion: if you know something about a box which suggests that an attack won't work, why try it? This is the flip side of the problem with the "ioslogin" check. Why do it at all? Well, when you've got X number of hours/days to get a job done, you want it to be time well spent. For example, if I do a port scan and cannot connect to the smtp port and later amongst the list of things to check are various sendmail bugs, should I still try them? The expectation is that if a service is meant to be available, that it will at any time of a scan. If a service is not available then more than likely there is no point making further advanced checks.

My take on this current problem is that ISS doesn't gain enough intelligence before deciding to ignore the "ioslogin" problem. The original poster mentioned that the system was vulnerable (although not if he exploited it from the same machine/ip# as the scan) and according to David, it bases its decision on an SNMP reply. Well, SNMP is often turned off, and I would have hoped that for this check it could have applied the results of the "telnet" check (which would be a definite prerequisite for this one) where the banner has been captured. Cisco "telnet banners" are fairly distinctive.

Last time I had to use either Ballista/ISS I found numerous problems which I related back to various people (they need beta testers to be able to use proper licenses with them, not just localhost).

Darren
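The check gating argued for in the message above, as an added Python example that is not part of the original post and is not ISS's code: a check is skipped when its prerequisite service is unreachable, and the platform fingerprint uses the captured telnet banner when SNMP gives no reply. The class and function names, result strings, sample hosts, and the "User Access Verification" banner match are assumptions made for illustration.

```python
# Added example: a model of scanner check gating, not ISS's code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HostFacts:                      # what earlier scan stages recorded
    open_ports: set = field(default_factory=set)
    snmp_sysdescr: Optional[str] = None   # None: no SNMP reply (agent off/filtered)
    telnet_banner: Optional[str] = None   # None: telnet check captured nothing

def snmp_only(facts):
    """Fingerprint from SNMP alone: silence is treated as 'not Cisco'."""
    return facts.snmp_sysdescr is not None and "cisco" in facts.snmp_sysdescr.lower()

def snmp_or_banner(facts):
    """True/False when some evidence exists, None when there is none at all."""
    votes = []
    if facts.snmp_sysdescr is not None:
        votes.append("cisco" in facts.snmp_sysdescr.lower())
    if facts.telnet_banner is not None:
        # Assumption: IOS vty lines greet with "User Access Verification".
        votes.append("user access verification" in facts.telnet_banner.lower())
    return any(votes) if votes else None

def plan_check(facts, port, fingerprint):
    """Decide whether a check that needs `port` on a given platform should run."""
    if port not in facts.open_ports:
        return "skip: prerequisite service unreachable"
    verdict = fingerprint(facts)
    if verdict is False:
        return "skip: fingerprint rules platform out"
    if verdict is None:
        return "run: no evidence either way"
    return "run: fingerprint matches"

# Constructed sample hosts (not taken from the thread).
ROUTER = HostFacts({23}, None, "\r\nUser Access Verification\r\n\r\nPassword: ")
SUN = HostFacts({23, 25}, None, "\r\nSunOS 5.6\r\n\r\nlogin: ")
NO_SMTP = HostFacts({23}, None, "\r\nSunOS 5.6\r\n\r\nlogin: ")

if __name__ == "__main__":
    for name, fp in (("snmp_only", snmp_only), ("snmp_or_banner", snmp_or_banner)):
        print(name, "router/telnet:", plan_check(ROUTER, 23, fp))
    print("sun/telnet:", plan_check(SUN, 23, snmp_or_banner))
    print("sendmail checks:", plan_check(NO_SMTP, 25, snmp_or_banner))
```

With SNMP silent, the SNMP-only fingerprint reports the router as ruled out, while the combined fingerprint still schedules the check on it and still skips the non-Cisco host.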