Re: Some Few Doubts on IIS Vuln

[Charles Otstot <charles.otstot () ncmail net>]

I haven't weighed in on this topic up to now, but I haven't seen any 
responses that address the main requirement for determining whether you 
are receiving a false positive from a Nessus (or any other) scan.....
Know and understand the target system thoroughly.

Not knowing how to actually execute an attack against the described hole 
doesn't mean you should be able to determine whether the scan really 
found something. While there may be some esoteric vulnerabilities found 
which you may not be able to adequately decipher on your own, the 
majority should be easily verifiable. A quick (and admittedly simple) 
example...
One scan I checked (not a Nessus, btw) misidentified the operating 
system version and declared that the OS was behind on service pack 
levels. Knowing the current service pack level both for the OS in 
general and on the target system specifically; it was easy to determine 
that the "flaw" lay within the scan configuration and not the system.
I've seen scans identify vulnerabilities against applications not 
installed on the target, failing to identify vulnerabilities on 
applications running on non-standard ports and more. In no case have I 
ever had to attempt to create an attack to determine whether the scan 
was accurate or not. Knowing the target system and the associated 
vulnerability, in most cases, allows me to separate the wheat from the 
chaff. In those instances where a result isesoteric enough that I may be 
unsure, I rely on further research, both on the vulnerability and on the 
configuration of the target to help ensure that I make the proper 
determination of the appropriateness of the scan finding.

Charlie


kaps lock wrote:

> Thanks for your reply Dave,
>
> Basically i was asking how to determine nessus results
> to be false positives or actual holes in network.
>
> As i percieve i think if i craft the same request for
> an attack ,i cud decide based on response whther its a
> false positives or not..but am failing to craft those
> requests coz i don;t know how to...
>
> like uploading a test.html file and deleting it on a
> webserver ..i hav no clue how to craft a equest which
> cud actually uplod a file and delete it.So basically
> how can i trsut nessus on tht.
>
> then finding the Authentication mechanism behind a
> given smtp server seems to be a big vulnerabilty but
> how cud i determine whther nessus was true bout it or
> not...coz i don't know how i cud actually craft a
> request which would help me determine the
> authentication mechanism or fail me.
>
> thanks for the pointer on wfetch it seems like a great
> tool but i still need to know 
> 1) a good place where i cud learn crafting same
> requests a s nessus seeing results to ascertain as a
> false positive or not.
>
> 2)or if you coudl teach me a process of how you go
> about deciding whther a result is false positive or
> not.
> thanks
> kaps
> --- dave kleiman <dave () isecureu com> wrote:
>
>  
>
> > Kaps,
> >
> > You did not specify what you did the NESSUS scan on,
> > but I will take a shot
> > that that it sounds like IIS5.
> >
> > 1.  .IDA ISAPI can be many things, for example, the
> > Index Service running
> > provides for administrative scripts .IDA files. 
> > Installing URLScan will
> > block these requests, and provide you with a log of
> > the attempt, therefore
> > you would see what Nessus was attempting.
> >
> >    
> http://www.microsoft.com/downloads/details.aspx?familyid=23d18937-dd7e-4613-
>  
>
> > 9928-7f94ef1c902a&displaylang=en
> >
> > 2.  Wfetch will let you do those commands manually:
> >
> >    
> http://download.microsoft.com/download/d/e/5/de5351d6-4463-4cc3-a27c-3e22742
>  
>
> > 63c43/wfetch.exe
> >
> > 3.  Since we do not know what mail server or what
> > authentication it uses
> > this might be difficult.
> >
> > 4.  Have you visited the documentation on
> > http://www.nessus.org/  ??
> >
> > Regards,
> >
> > ____________________________________________
> > Dave Kleiman, CIFI, CISM, CISSP, ISSMP, MCSE
> >
> > www.SecurityBreachResponse.com
> >
> >
> > -----Original Message-----
> > From: kaps lock [mailto:secnerdkaps () yahoo com]
> > Sent: Monday, January 31, 2005 12:29
> > To: security-basics () securityfocus com
> > Subject: Some Few Doubts on IIS Vuln
> >
> >
> > hi all,
> > I did a VA scan using nESSUS and was need help in
> > the analysis part of it
> > and inturn learn more :
> >
> > 1).IDA ISAPI filter mapped
> >   What does mapped means?Could anyone tell me what
> > exactly this filter is
> > used for and what is a .ida extension ,i mean i know
> > code red and all but
> > still wud like to know what is the function of this
> > filter and wht a .ida
> > extension is ?an example string ....if anyone knows
> > to test this vuln on
> > server tht i cud use as a manual penetration tsting
> > tip?
> >
> > 2)if i find a server on which u can successfull
> > upload and delete a file say
> > test.html with PUT and DELETE.How could i manually
> > actually do this on the
> > server ,basically how to craft that attack or how to
> > go about it.
> >
> > 3)The mail server on a specially crafted GET request
> > reveals the
> > authentication mechanism??
> > What reuqest by Nessus made this conclusion?any tips
> >
> > 4)too many arguements on the ACCEPT command can
> > crash the server..now this
> > is surely a false positive but i cud i make it for
> > sure?
> >
> > thanks all...
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Take Yahoo! Mail with you! Get it on your mobile
> > phone.
> > http://mobile.yahoo.com/mail
> >
> >
> >
> >    
>
>
>
>                 
> __________________________________ 
> Do you Yahoo!? 
> Read only the mail you want - Yahoo! Mail SpamGuard. 
> http://promotions.yahoo.com/new_mail 
>