Penetration Testing mailing list archives

Re: Vulnerability Scanning


From: H Carvey <keydet89 () yahoo com>
Date: 29 Feb 2004 12:21:33 -0000

In-Reply-To: <web-28675167 () gator darkhorse com>


> After reviewing some scan results and finding a number of false positives from nessus (primarily in XP hosts), I began
> to become a bit more concerned than I already was.
> This is in no way reflecting upon nessus's ability to find vulnerabilities and I truly believe all scanners have
> these issues.

You may be right.

> The question is, what does everyone else do about this?

Back in '99, while working for a security consulting company, I came up with the idea to develop a tool that would 
retrieve and store raw data from systems, rather than returning simply the "decision".  

We'd run into issues with ISS's Internet Scanner.  One in particular was the reporting of the AutoAdminLogon Registry 
value.  According to MS, this was only an issue if the value was set to "1".  In this instance, the Admin password 
would appear in the Registry in plain text (doh!).  Scanning one particular domain, ISS "found" 22 systems w/ 
AutoAdminLogon set, but only one system had the value of "1"...the others had the value set to "0", no password, and 
when rebooted would not automatically log into the admin account.  In this case, the customer was fully aware of the 
situation...had we gone with the ISS report, w/o verifying it in any way, we'd have lost a great deal of credibility.  The 
tool I wrote pulled the data from the Registry and we were able to see what the real values were and respond 
accordingly.

> So what else can we do? Check the registry manually? This is an option, but very time consuming; does
> anyone actually do this???

Perl provides the necessary functionality to retrieve this information remotely, as long as you have the appropriate 
permissions.  What we ended up doing was including, in the contract, the requirement for temporary domain admin 
accounts for the assessment.  In addition to providing us with the necessary level of access, this also allowed us to 
see first-hand what procedures were used when creating (and removing) accounts.
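An added example of the "pull the raw data, not the decision" approach described above (example code, not the tool the author wrote): it reads the Winlogon values from each host over the Remote Registry service and reports what is actually set, so a scanner's AutoAdminLogon hit can be confirmed or dismissed. It assumes Perl on Windows with Win32::TieRegistry, the Remote Registry service reachable on the targets, a domain account with read access to HKLM on each host, and the host names WKS01/WKS02 are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example: report the raw Winlogon values per host instead of a yes/no finding.
# Assumes Win32::TieRegistry, Remote Registry reachable, and an account with HKLM read access.
use strict;
use warnings;
use Win32;
use Win32::TieRegistry ( Delimiter => '/' );

# Hosts from the command line; WKS01/WKS02 are constructed placeholders
my @hosts    = @ARGV ? @ARGV : qw(WKS01 WKS02);
my $winlogon = 'LMachine/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/';

foreach my $host (@hosts) {
    # "//HOST/LMachine/..." opens HKLM on the remote machine via the Remote Registry service
    my $key = $Registry->{"//$host/$winlogon"};
    unless ( defined $key ) {
        printf "%-12s ERROR: cannot open Winlogon key (%s)\n",
            $host, Win32::FormatMessage( Win32::GetLastError() );
        next;
    }

    # Raw data: does the value exist, what is it, and is a password actually stored?
    my $auto = $key->GetValue('AutoAdminLogon');    # undef when the value is absent
    my $pw   = $key->GetValue('DefaultPassword');   # only its presence is reported, never its content
    my $user = $key->GetValue('DefaultUserName');

    my $status;
    if ( !defined $auto ) {
        $status = 'value absent';
    }
    elsif ( $auto eq '1' && defined $pw && length $pw ) {
        $status = 'CONFIRMED: autologon enabled, plaintext DefaultPassword present';
    }
    elsif ( $auto eq '1' ) {
        $status = 'autologon enabled, no DefaultPassword stored';
    }
    else {
        $status = "set to '$auto' (not enabled) - scanner hit is a false positive";
    }

    printf "%-12s AutoAdminLogon=%-4s DefaultUserName=%-20s %s\n",
        $host, ( defined $auto ? $auto : '-' ), ( defined $user ? $user : '-' ), $status;
}
```

Only the presence of DefaultPassword is reported; the value itself is never printed or stored in the output.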
