Penetration Testing mailing list archives
Re: [PEN-TEST] Network Access Device Scanning
From: H Carvey <keydet89 () YAHOO COM>
Date: Mon, 11 Sep 2000 11:27:08 -0000
> Good answer, but if one looks at the typical commercial scanners available, they have about 4 checks for Network Access Devices, and that is about it.
Correct...I felt the same way about commercial scanners against Windows, which led to the decision to "roll my own", as it were.
> On some of the Network Access Devices, Telnet is not an option (as in the case of a CSU/DSU set with no password) or an APC UPS which has http, ftp, and tftp default on but not telnet.
Knowing this makes it easier to write a custom scanner.
> SNMP is good to a point if the community strings and access control lists have not been set (usually public, private and no access control list).
Hhhhmmm...okay, I'm beginning to see where you're going with this. I have done vulnerability assessments as a cooperative exercise, meaning that when you go on-site, you work closely with the network and system admins to thoroughly review network device and host configurations. Host-based scanners for NT are run with an Admin account, for Linux, you get a username and password, as well as the root password to "su"...that sort of thing. My assumption was that you would get the list of "read" community strings in use...
> What the ideal would be is to create a scanner that could properly identify a Network Access Device, once it had identified it, go through a list of vulnerabilities, exploits, and Industry Best Practices check (ACL LINT or something like that), and produce a report similar to a commercially available scanner.
I don't know about the report writing capability...I hate to leave that part to an automagical piece of software...but the rest of it sounds interesting. I've been toying with a small side project on NT...writing a scanner similar to the ones available (SAINT, SARA, etc.) using nmapNT as a starting point. While nmapNT is a pale shadow of its Linux-based cousin (allegedly due to a broken LibnetNT.dll), the concept is there... Using a Linux platform w/ nmap and Perl (and maybe even expect), such a scanner is entirely feasible. The scanner would be instantiated to call an object that performed the necessary nmap scanning up front to ID the device (I don't know if the necessary signatures for Foundry BIG IRONs, Alteons, etc. are included w/ nmap), and then call the necessary objects to perform the scanning. Certain objects, such as SNMP, will be common to all scans...the modular approach would allow you to update one module w/o affecting the others...
> This would be a useful tool when engaged to conduct a security assessment on a large Service Provider with big pipes (i.e. Foundry, High End Cisco, Lucent Switches).
Definitely. I'd volunteer to work on it, if I had access to the necessary platforms, and devices... Carv
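An added example, not part of the message above or of anything either poster published: the SNMP module the reply sketches, as a stand-alone Python script. It builds an SNMPv1 GetRequest for sysDescr.0 by hand (BER encoding, standard library only), parses the GetResponse, and reports which of the default community strings the thread mentions ("public", "private") an agent actually answers. The function names, the two-entry community list and the check's policy are this example's own choices; the nmap fingerprinting and the per-device checks the thread also calls for are not included.

```python
# ASN.1 BER tags used by SNMPv1 (RFC 1157); hand-rolled so this needs only the stdlib
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQUENCE, TAG_GET_REQUEST, TAG_GET_RESPONSE = 0x30, 0xA0, 0xA2
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"           # MIB-II sysDescr.0, implemented by every agent
DEFAULT_COMMUNITIES = ("public", "private")  # the factory defaults the thread refers to

def _length(n):
    """BER length octets: short form below 128, otherwise 0x80|N followed by N octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def encode_integer(value):
    """Minimal two's-complement INTEGER; the sign bit is kept, so 128 encodes as 00 80."""
    return _tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # the first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base 128, high bit set on every octet but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_message(community, pdu_tag, request_id, varbinds):
    """varbinds: list of (oid, value bytes or None); None encodes as NULL, as in a request."""
    vbl = b"".join(_tlv(TAG_SEQUENCE, encode_oid(oid) + (_tlv(TAG_NULL, b"") if val is None
                        else _tlv(TAG_OCTET_STRING, val))) for oid, val in varbinds)
    pdu = _tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0)
               + _tlv(TAG_SEQUENCE, vbl))  # request-id, error-status, error-index, varbinds
    return _tlv(TAG_SEQUENCE, encode_integer(0)  # version 0 == SNMPv1
                + _tlv(TAG_OCTET_STRING, community.encode("latin-1")) + pdu)

def build_get_request(community, oid, request_id=1):
    return build_message(community, TAG_GET_REQUEST, request_id, [(oid, None)])

def _read_tlvs(buf):
    """Split buf into its consecutive (tag, body) TLVs; raises ValueError on truncation."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def parse_message(packet):
    """Decode an SNMPv1 message; a wrong element count surfaces as ValueError from unpacking."""
    (tag, msg), = _read_tlvs(packet)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    (_, _version), (_, community), (pdu_tag, pdu) = _read_tlvs(msg)
    (_, req_id), (_, err_status), (_, _err_index), (_, vbl) = _read_tlvs(pdu)
    varbinds = {}
    for _, vb in _read_tlvs(vbl):
        (_, oid_body), (vtag, value) = _read_tlvs(vb)
        varbinds[decode_oid(oid_body)] = None if vtag == TAG_NULL else value
    return {"community": community.decode("latin-1"), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "varbinds": varbinds}

def check_default_communities(responder, communities=DEFAULT_COMMUNITIES, oid=SYS_DESCR_0):
    """Return {community: sysDescr} for each default community the agent answers."""
    hits = {}
    for rid, community in enumerate(communities, start=1):
        reply = responder(build_get_request(community, oid, rid))
        if reply is None:  # a v1 agent silently drops a wrong community: silence is the normal negative
            continue
        try:
            msg = parse_message(reply)
        except (ValueError, IndexError):
            continue  # garbage or a truncated datagram is not a hit
        if (msg["pdu_type"] == TAG_GET_RESPONSE and msg["request_id"] == rid
                and msg["error_status"] == 0 and msg["varbinds"].get(oid) is not None):
            hits[community] = msg["varbinds"][oid].decode("latin-1", "replace")
    return hits
```

The `responder` argument is the transport, kept out of the codec so the module can be exercised offline against a constructed agent: for a live device it is a few lines of socket code (UDP socket, sendto the target on port 161, recvfrom with a timeout, return None on socket.timeout). Treating silence as the negative result is deliberate, since an SNMPv1 agent given an unknown community drops the request rather than replying with an error; a GetResponse with error-status 0 and the same request-id is the only thing counted as a hit, which also keeps a stale or stray datagram from being credited. Only read access is tested here: "private" answering a GET shows the string is configured, not yet that it is writable, so a SET against a harmless object belongs in the same module when the rules of engagement allow it.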
Current thread:
- Re: [PEN-TEST] Network Access Device Scanning H Carvey (Sep 10)
- Re: [PEN-TEST] Network Access Device Scanning Teicher, Mark (Sep 10)
- <Possible follow-ups>
- Re: [PEN-TEST] Network Access Device Scanning H Carvey (Sep 11)
- Re: [PEN-TEST] Network Access Device Scanning Teicher, Mark (Sep 11)