Penetration Testing mailing list archives

Re: [PEN-TEST] Network Access Device Scanning


From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Sun, 10 Sep 2000 11:21:03 -0700

Carv,

Good answer, but if one looks at the typical commercial scanners available,
they have about 4 checks for Network Access Devices, and that is about it.

On some of the Network Access Devices, Telnet is not an option (as in the
case of a CSU/DSU set with no password) or an APC UPS which has http, ftp,
and tftp default on but not telnet.

SNMP is good to a point if the community strings and access control lists
have not been set (usually public, private and no access control list).

What the ideal would be is to create a scanner that could properly identify
a Network Access Device, once it had identified it, go through a list of
vulnerabilities, exploits, and Industry Best Practices check (ACL LINT or
something like that), and produce a report similar to a commercially
available scanner.

This would be a useful tool when engaged to conduct a security assessment
on a large Service Provider with big pipes (i.e. Foundry, High End Cisco,
Lucent Switches).

The info should be split into two parts:

Unresponsive Hosts
Responsive Hosts with info

At 11:49 AM 9/10/00 +0000, H Carvey wrote:
Mark,

I would think that you have a couple of options
available to you:

1.  Using Perl, create a script using Net::Telnet
that accesses the devices.  I believe that there
is even a Cisco-specific Perl module that may work
for you.  Assuming that this information is part
of an internal vulnerability assessment, there
should be no problem getting the necessary
passwords from the network admins...and that
information (i.e., password strength, if the
password varies between systems, etc) can also
assist your assessment.

2.  Using Perl, create a script using
Net::SNMP...and collect the necessary information
from MIB-II.  If you need info from
vendor-specific MIBs, that info can go into a db
table of some sort.

Carv
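
An added example, not from this thread or either of its authors, showing one way to prototype Carv's second option together with the two-part report Mark asks for. It is written in Python rather than Perl's Net::SNMP, builds an SNMPv1 GetRequest for MIB-II sysDescr.0 by hand, tries the default public/private community strings Mark mentions, parses the GetResponse, fingerprints the device from sysDescr, and splits the results into Unresponsive Hosts and Responsive Hosts with info. The device keywords in SIGNATURES, the sample hosts and the sysDescr strings in the demo are constructed assumptions, not data from any real assessment.

```python
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # MIB-II system.sysDescr.0
DEFAULT_COMMUNITIES = ("public", "private")   # the factory defaults the post mentions
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2        # SNMPv1 PDU tags

def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(value):
    """Minimal two's-complement INTEGER (only non-negative values are used here)."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def _ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in base 128."""
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        out = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            out.insert(0, 0x80 | (arc & 0x7F))
        body.extend(out)
    return _tlv(0x06, bytes(body))

def build_message(pdu_tag, community, value_tlv=b"\x05\x00", request_id=1):
    """SNMPv1 message carrying one varbind for sysDescr.0 (NULL value in a request)."""
    varbind_list = _tlv(0x30, _tlv(0x30, _ber_oid(SYS_DESCR_OID) + value_tlv))
    pdu = _tlv(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + varbind_list)
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)

def build_response(community, sys_descr, request_id=1):
    # what an agent would send back; used to exercise the parser offline
    return build_message(GET_RESPONSE, community, _tlv(0x04, sys_descr.encode()), request_id)

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sys_descr(packet):
    """sysDescr string from a GetResponse, or None if it is not a clean answer."""
    tag, msg, _ = _read_tlv(packet)
    if tag != 0x30:
        return None
    _, _, pos = _read_tlv(msg)             # version
    _, _, pos = _read_tlv(msg, pos)        # community, echoed back by the agent
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != GET_RESPONSE:
        return None
    _, _, pos = _read_tlv(pdu)             # request-id
    _, err, pos = _read_tlv(pdu, pos)      # error-status; anything non-zero is an error
    if any(err):
        return None
    _, _, pos = _read_tlv(pdu, pos)        # error-index
    _, vb_list, _ = _read_tlv(pdu, pos)
    _, varbind, _ = _read_tlv(vb_list)
    _, _, pos = _read_tlv(varbind)         # the OID we asked for
    tag, value, _ = _read_tlv(varbind, pos)
    return value.decode("latin-1") if tag == 0x04 else None

def probe(host, communities=DEFAULT_COMMUNITIES, timeout=2.0):
    """Try each default community on UDP/161; (community, sysDescr) or None if silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for community in communities:
            sock.sendto(build_message(GET_REQUEST, community), (host, 161))
            try:
                descr = parse_sys_descr(sock.recvfrom(4096)[0])
            except (socket.timeout, IndexError):
                continue
            if descr:
                return community, descr
    return None

# assumed sysDescr keywords -> device class; extend for the estate under test
SIGNATURES = (("Cisco", "Cisco router/switch"), ("Foundry", "Foundry switch"),
              ("APC", "APC UPS management card"), ("Lucent", "Lucent switch"))

def classify(sys_descr):
    return next((label for key, label in SIGNATURES if key in sys_descr), "unknown device")

def split_report(results):
    """The two sections the post asks for: silent hosts, and talkers with what they said."""
    report = {"unresponsive": [], "responsive": {}}
    for host, hit in sorted(results.items()):
        if hit is None:
            report["unresponsive"].append(host)
        else:
            community, descr = hit
            report["responsive"][host] = {"community": community, "sysDescr": descr,
                                          "class": classify(descr)}
    return report

if __name__ == "__main__":
    # constructed results standing in for a live sweep, e.g. {h: probe(h) for h in hosts}
    sample = {"10.0.0.1": ("public", "Cisco Internetwork Operating System Software"),
              "10.0.0.2": None, "10.0.0.3": ("private", "APC Web/SNMP Management Card")}
    print(split_report(sample))
```

Which community string a device answered to is kept in the report on purpose: a host that talks to "private" has a writable default community, which is a finding in itself, not just a data source. Vendor-specific MIB walks, Telnet banner grabs and the ACL checks Mark wants would plug in where classify() is called, once the device class is known.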

