Re: Medium Scale Scanning Best Practices

["Erlend J. Leiknes" <nookie () online no>]

You could program it in python using the telnet library.

Most services has a welcome message, and you could use that as a fingerprint
of the version.
Ofcourse services like http require you to send something before you get any
useful data back (server version info etc...)
but that should be very possible (write exceptions for a group of ports that
need you to send data first).

Since its fingerprinting you wouldnt need to remember the version, all you
need to know is:
what type of service is located on that port
will the welcome header reveal the services-version

if that is the case, then you could easly search through your scan-logs and
see what services that are vurnable. (this should be done by looking at a
bugtraq.

You will also be able to tell when there are new deamons installed on the
network, which might reveal hacked machines.

For more information about how to write such application (www.python.org)
You should be able to learn the language in 3-4 days.

----- Original Message -----
From: <swlodin () iquest net>
To: <PEN-TEST () securityfocus com>
Sent: Tuesday, January 15, 2002 1:16 PM
Subject: Medium Scale Scanning Best Practices


> Good day,
>
> I'm looking for advice into best practices for periodic scanning of a
network
> on a medium scale.  Here are my definitions:
>
> Frequency
> ---------
> Continuous - near real-time
> Periodic - weekly/monthly <--------- me
> One time - duh
>
> Scale
> -----
> Small - a few hosts or maybe a /24 network or two
> Medium - many networks, up to /16 types <----------- me
> Large - global Internet or many /8 types
>
> Testing Activity **
> -------------------
> Footprinting
> Scanning <----------- me
> Enumeration
> Penetration
>
> ** Taken from Hacking Exposed by the Foundstone guys
>
> I have a global network of many /16 through /26 networks.  I'd like to
develop
> an inventory of, primarily, machine/OS/Services.  I'd prefer to have this
relatively
> up-to-date, but not manually performed.  Ultimately, I'd like to have a
resource
> that could help me identify vulnerable devices given the discovery of a
new
> vulnerability rather than having to scan the entire network each time.
>
> For example, the next IIS vulnerability hits.  I'd like to have a quick
answer
> to the question, "what devices are vulnerable".  It doesn't matter if the
answer
> is the result of "list all Windows OS devices with port 80 or 443 open".
>
> What are the best practices in this area?  I have a cobbled-together
solution
> using nmap that I'm ready to test, but if there is a better low-cost
solution
> I am interested.  I've seen ndiff (nmap diff), but I'm not sure that it
would
> be easy
> to modify that to suit my requirements.  How are you dealing with
> this situation?
>
> Thanks!
>
> Steve
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/