Penetration Testing mailing list archives

Re: [PEN-TEST] Network Access Device Scanning


From: H Carvey <keydet89 () YAHOO COM>
Date: Mon, 11 Sep 2000 11:27:08 -0000


> Good answer, but if one looks at the typical commercial scanners available, they have about 4 checks for Network Access Devices, and that is about it.


Correct...I felt the same way about commercial scanners against Windows, which led to the decision to "roll my own", as it were.

> On some of the Network Access Devices, Telnet is not an option (as in the case of a CSU/DSU set with no password) or an APC UPS which has http, ftp, and tftp default on but not telnet.

Knowing this makes it easier to write a custom scanner.

> SNMP is good to a point if the community strings and access control lists have not been set (usually public, private and no access control list).


Hhhhmmm...okay, I'm beginning to see where you're going with this.  I have done vulnerability assessments as a cooperative exercise, meaning that when you go on-site, you work closely with the network and system admins to thoroughly review network device and host configurations.  Host-based scanners for NT are run with an Admin account; for Linux, you get a username and password, as well as the root password to "su"...that sort of thing.

My assumption was that you would get the list of "read" community strings in use...

> What the ideal would be is to create a scanner that could properly identify a Network Access Device, and once it had identified it, go through a list of vulnerabilities, exploits, and Industry Best Practices checks (ACL LINT or something like that), and produce a report similar to a commercially available scanner.

I don't know about the report writing capability...I hate to leave that part to an automagical piece of software...but the rest of it sounds interesting.

I've been toying with a small side project on NT...writing a scanner similar to the ones available (SAINT, SARA, etc) using nmapNT as a starting point.  While nmapNT is a pale shadow of its Linux-based cousin (allegedly due to a broken LibnetNT.dll), the concept is there...

Using a Linux platform w/ nmap and Perl (and maybe even expect), such a scanner is entirely feasible.  The scanner would be instantiated to call an object that performed the necessary nmap scanning up front to ID the device (I don't know if the necessary signatures for Foundry BIG IRONs, Alteons, etc are included w/ nmap), and then call the necessary objects to perform the scanning.  Certain objects, such as SNMP, will be common to all scans...the modular approach would allow you to update one module w/o affecting the others...

> This would be a useful tool when engaged to conduct a security assessment on a large Service Provider with big pipes (i.e. Foundry, High End Cisco, Lucent Switches).

Definitely.  I'd volunteer to work on it, if I had access to the necessary platforms and devices...

Carv

