Penetration Testing mailing list archives

Re: Medium Scale Scanning Best Practices

From: Renaud Deraison <deraison () cvs nessus org>
Date: Fri, 18 Jan 2002 00:19:01 +0100


On Tue, Jan 15, 2002 at 07:16:07AM -0500, swlodin () iquest net wrote:

[...]

I'm looking for advice into best practices for periodic scanning of a network
on a medium scale.  Here are my definitions:
** Taken from Hacking Exposed by the Foundstone guys

I have a global network of many /16 through /26 networks.  I'd like to develop
an inventory of, primarily, machine/OS/Services.  I'd prefer to have this relatively
up-to-date, but not manually performed.  Ultimately, I'd like to have a resource
that could help me identify vulnerable devices given the discovery of a new
vulnerability rather than having to scan the entire network each time.

For example, the next IIS vulnerability hits.  I'd like to have a quick answer
to the question, "what devices are vulnerable".  It doesn't matter if the answer
is the result of "list all Windows OS devices with port 80 or 443 open".

What are the best practices in this area?  I have a cobbled-together solution
using nmap that I'm ready to test, but if there is a better low-cost solution
I am interested.  I've seen ndiff (nmap diff), but I'm not sure that it would
be easy
to modify that to suit my requirements.  How are you dealing with
this situation?


What you want is to use Nessus 1.0.10 with the experimental features on,
or Nessus 1.1.x. 
When you set up a scan, activate the "save knowledge base" option, and
scan your networks. The good thing about this is that as Nessus
knowledge bases store "facts" about the remote hosts, you can
interrogate them after a scan.

When the next vulnerability hits, you can easily grep through the files
in the knowledge base to query for some facts.

You want the list of IIS servers listening on port 80 :

# cd /usr/local/var/nessus/users/<yourlogin>/kbs
# egrep -l "www/banner/80=.*IIS.*" *
10.163.156.9
10.163.156.12
# 


You want to get the list of Solaris hosts with tcp port 515 open :
# egrep -l "Ports/tcp/515" `egrep -l "Host/OS=Solaris" *`
10.163.156.10
#

As the KBs are stored in individual files, you may prefer to use
ReiserFS if you plan to scan a big network, rather than ext[23],
and you may want to write cleaner queries, but you get the idea.


                                -- Renaud

-- 
Renaud Deraison
The Nessus Project
http://www.nessus.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Medium Scale Scanning Best Practices swlodin (Jan 15)
- Re: Medium Scale Scanning Best Practices Erlend J. Leiknes (Jan 16)
  - Re: Medium Scale Scanning Best Practices Gerardo Richarte (Jan 17)
- Re: Medium Scale Scanning Best Practices Renaud Deraison (Jan 17)
- <Possible follow-ups>
- Re: Medium Scale Scanning Best Practices miguel . dilaj (Jan 15)
- RE: Medium Scale Scanning Best Practices Aleksander P. Czarnowski (Jan 16)
- Re: Medium Scale Scanning Best Practices John Malconian (Jan 18)
  - Re: Medium Scale Scanning Best Practices Troy Davis (Jan 19)
  - testing for IP address space leakage in NAT systems R P G (Jan 21)
    - Re: testing for IP address space leakage in NAT systems R. DuFresne (Jan 21)
    - Re: testing for IP address space leakage in NAT systems Frank (Jan 21)
    - Re: testing for IP address space leakage in NAT systems Thomas Reinke (Jan 21)
    - Re: testing for IP address space leakage in NAT systems Gamble (Jan 22)
    - Re: testing for IP address space leakage in NAT systems Iván Arce (Jan 22)

(Thread continues...)