Bugtraq mailing list archives
Re: ISS Internet Scanner Cannot be relied upon for conclusive
From: na98jen () STUDENT HIG SE (Joel Eriksson)
Date: Fri, 12 Feb 1999 17:26:04 +0100
On Wed, 10 Feb 1999, Darren Reed wrote:
In some mail from der Mouse, sie said: [...]Surely this is a bit of a no-brainer - why not just try the exploit and see if it works? That's certainly what an attacker will do.Let me hit you with another suggestion: if you know something about a box which suggests that an attack won't work, why try it ?
Bannerchecking is a good example of this. But the problem is that banners are often changed to add an extra layer of protection, as many attackers rely on this to determine whether a box is vulnerable or not, to avoid "wasting time".. (Scriptkiddies does not though, since they try the exploit anyway, even if the exploit is written for a totally different architecture.. ;-) Why should a securityscanner do the same mistakes as an attacker often does? The determined attackers would find these holes..
For example, if I do a port scan and cannot connect to the smtp port and later amongst the list of things to check are various sendmail bugs, should I still try them ?
This I agree with though. It all goes down to what methods you use to "determine" whether some attacks are useless to try, and if these methods can be relied on to make a conclusion on whether it's useless to make an exploit attempt. (Which I think the scanner should do, whenever possible) Another problem appears when one realizes that services not always is available on the same TCP/UDP portnumbers (SMTP obviously is though). Maybe this is changed for exactly the same reason as before, adding an extra layer of security.. And for local securitychecks, path/file names certainly can vary, this is a tough one to implement in a scanner satisfactory.. Cryptographical checksums is not of any use when the program was not from a binary distribution, but configured and compiled from source. This was not meant as criticism against Darren's posting. Rather some general opinions on securityscanners as a concept.
Darren
/ Joel Eriksson
Current thread:
- Netect Advisory: palmetto.ftpd - remote root overflow, (continued)
- Netect Advisory: palmetto.ftpd - remote root overflow Jordan Ritter (Feb 09)
- Re: Netect Advisory: palmetto.ftpd - remote root overflow bugtraq mailing list account (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Mr. joej (Feb 08)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive David LeBlanc (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Casper Dik (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive David LeBlanc (Feb 10)
- sl0scan (ambiguous source portscanner) miff (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive David LeBlanc (Feb 09)
- Netect Advisory: palmetto.ftpd - remote root overflow Jordan Ritter (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Ryan Russell (Feb 08)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive der Mouse (Feb 09)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Darren Reed (Feb 10)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Joel Eriksson (Feb 12)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Randy Taylor (Feb 10)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Joel Eriksson (Feb 12)
- More Comments: Security Scanners. Craig H. Rowland (Feb 12)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Darren Reed (Feb 10)
- Re: ISS Internet Scanner Cannot be relied upon for conclusive Adam Shostack (Feb 10)
- remote fakebo shell exploit Groovy Pants Gus (Feb 11)
- AW: Security Bug in Bintec Router Firmware (CLID) Thomas Schmidt (Feb 11)
- Re: Security Bug in Bintec Router Firmware (CLID) Pascal Gienger (Feb 11)
- Seeking Policy Data Loftin C. Woodiel (Feb 11)