Penetration Testing mailing list archives
Re: Medium Scale Scanning Best Practices
From: "Erlend J. Leiknes" <nookie () online no>
Date: Wed, 16 Jan 2002 02:37:55 +0100
You could program it in Python using the telnet library. Most services have a welcome message, and you could use that as a fingerprint of the version. Of course, services like HTTP require you to send something before you get any useful data back (server version info etc...), but that should be very possible (write exceptions for a group of ports that need you to send data first). Since it's fingerprinting you wouldn't need to remember the version; all you need to know is: what type of service is located on that port, and will the welcome header reveal the service's version? If that is the case, then you could easily search through your scan logs and see what services are vulnerable (this should be done by looking at Bugtraq). You will also be able to tell when there are new daemons installed on the network, which might reveal hacked machines. For more information about how to write such an application, see www.python.org. You should be able to learn the language in 3-4 days.

----- Original Message -----
From: <swlodin () iquest net>
To: <PEN-TEST () securityfocus com>
Sent: Tuesday, January 15, 2002 1:16 PM
Subject: Medium Scale Scanning Best Practices
Good day,

I'm looking for advice on best practices for periodic scanning of a network on a medium scale. Here are my definitions:

Frequency
---------
Continuous - near real-time
Periodic - weekly/monthly <--------- me
One time - duh

Scale
-----
Small - a few hosts or maybe a /24 network or two
Medium - many networks, up to /16 types <----------- me
Large - global Internet or many /8 types

Testing Activity **
-------------------
Footprinting
Scanning <----------- me
Enumeration
Penetration

** Taken from Hacking Exposed by the Foundstone guys

I have a global network of many /16 through /26 networks. I'd like to develop an inventory of, primarily, machine/OS/Services. I'd prefer to have this relatively up-to-date, but not manually performed. Ultimately, I'd like to have a resource that could help me identify vulnerable devices given the discovery of a new vulnerability rather than having to scan the entire network each time.

For example, the next IIS vulnerability hits. I'd like to have a quick answer to the question, "what devices are vulnerable". It doesn't matter if the answer is the result of "list all Windows OS devices with port 80 or 443 open".

What are the best practices in this area? I have a cobbled-together solution using nmap that I'm ready to test, but if there is a better low-cost solution I am interested. I've seen ndiff (nmap diff), but I'm not sure that it would be easy to modify that to suit my requirements.

How are you dealing with this situation?

Thanks!
Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
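The approach Erlend sketches (read the welcome banner, send a request first on ports like HTTP that stay silent, keep the results as an inventory and diff it against the last run to spot new daemons), as an added example that is not from the original thread; the probe table, the FakeConn stand-in and the sample banners are constructed for this illustration, and TLS ports such as 443 are deliberately left out because they need a handshake rather than a plain-text probe:

```python
import socket

# Services that stay silent until the client speaks: the bytes to send first.
# Constructed for this example; TLS ports such as 443 need a handshake instead,
# so a plain probe gets nothing useful back and they are left out here.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}

def grab_banner(conn, port, max_bytes=512):
    """Return the service's version line. conn is anything with sendall()/recv()
    (a real socket, or the fake below); port selects the probe, if any."""
    probe = PROBES.get(port, b"")
    if probe:
        conn.sendall(probe)
    lines = conn.recv(max_bytes).decode("latin-1").splitlines()
    if probe.startswith(b"HEAD"):
        # HTTP: the useful fingerprint is the Server: header, not the status line
        for line in lines:
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip()
    return lines[0].strip() if lines else ""

def scan_host(host, ports, timeout=3.0):
    """Inventory {(host, port): banner} for the ports that accept a connection."""
    inventory = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as conn:
                conn.settimeout(timeout)
                inventory[(host, port)] = grab_banner(conn, port)
        except OSError:
            continue  # closed, filtered or silent: not a listener worth recording
    return inventory

def diff_inventory(old, new):
    """Listeners absent from the last run, and listeners whose banner changed."""
    added = {k: v for k, v in new.items() if k not in old}
    changed = {k: (old[k], v) for k, v in new.items() if k in old and old[k] != v}
    return added, changed

class FakeConn:
    """Constructed stand-in for a socket so the logic can be exercised offline."""
    def __init__(self, reply):
        self.reply, self.sent = reply, b""
    def sendall(self, data):
        self.sent += data
    def recv(self, n):
        return self.reply[:n]
```

Run scan_host() against your own hosts on a schedule, save each inventory, and feed the previous and current one to diff_inventory(); the "added" set is the list of daemons that were not there last time.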
Current thread:
- Medium Scale Scanning Best Practices swlodin (Jan 15)
- Re: Medium Scale Scanning Best Practices Erlend J. Leiknes (Jan 16)
- Re: Medium Scale Scanning Best Practices Gerardo Richarte (Jan 17)
- Re: Medium Scale Scanning Best Practices Renaud Deraison (Jan 17)
- <Possible follow-ups>
- Re: Medium Scale Scanning Best Practices miguel . dilaj (Jan 15)
- RE: Medium Scale Scanning Best Practices Aleksander P. Czarnowski (Jan 16)
- Re: Medium Scale Scanning Best Practices John Malconian (Jan 18)
- Re: Medium Scale Scanning Best Practices Troy Davis (Jan 19)
- testing for IP address space leakage in NAT systems R P G (Jan 21)
- Re: testing for IP address space leakage in NAT systems R. DuFresne (Jan 21)
- Re: testing for IP address space leakage in NAT systems Frank (Jan 21)
- Re: testing for IP address space leakage in NAT systems Thomas Reinke (Jan 21)
(Thread continues...)