mailing list archives
Re: [PEN-TEST] Network Access Device Scanning
From: H Carvey <keydet89 () YAHOO COM>
Date: Mon, 11 Sep 2000 11:27:08 -0000
Good answer, but if one looks at the typical
commercial scanners available,
they have about 4 checks for Network Access
Devices, and that is about it.
Correct...I felt the same way about commercial
scanners against Windows, which led to the
decision to "roll my own", as it were.
On some of the Network Access Devices, Telnet is
not an option (as in the
case of a CSU/DSU set with no password) or an APC
UPS which has http, ftp,
and tftp default on but not telnet.
Knowing this makes it easier to write a custom
SNMP is good to a point if the community strings
and access control lists
have not been set (usually public, private and
no access control list).
Hhhhmmm...okay, I'm beginning to see where you're
going with this. I have done vulnerability
assessments as a cooperative exercise, meaning
that when you go on-site, you work closely with
the network and system admins to thoroughly review
network device and host configurations.
Host-based scanners for NT are run with an Admin
account, for Linux, you get a username and
password, as well as the root password to
"su"...that sort of thing.
My assumption was that you would get the list of
"read" community strings in use...
What the ideal would be is to create a scanner
that could properly identify
a Network Access Device, once it had identified
it, go through a list of
vulnerabilities, exploits, and Industry Best
Practices check (ACL LINT or
something like that), and produce a report
similar to a commercially
I don't know about the report writing
capability...I hate to leave that part to an
automagical piece of software...but the rest of it
I've been toying with a small side project on
NT...writing a scanner similar to the ones
available (SAINT, SARA, etc) using nmapNT as a
starting point. While nmapNT is a pale shadow of
its Linux-based cousin (allegedly due to a broken
LibnetNT.dll), the concept is there...
Using a Linux platform w/ nmap and Perl (and maybe
even expect), such a scanner is entirely feasible.
The scanner would be instantiated to call an
object that performed the necessary nmap scanning
up front to ID the device (I don't know if the
necessary signatures for Foundry BIG IRONs, Alteons,
etc are included w/ nmap), and then call the
necessary objects to perform the scanning.
Certain objects, such as SNMP, will be common to
all scans...the modular approach would allow you
to update one module w/o affecting the others...
This would be a useful tool when engaged to
conduct a security assessment
on a large Service Provider with big pipes (i.e.
Foundry, High End Cisco,
Definitely. I'd volunteer to work on it, if I had
access to the necessary platforms, and devices...
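The modular scanner sketched in the message above, as an added example in Python rather than the Perl mentioned (not code from the thread or from any of the named tools): nmap grepable output is parsed to identify the device class up front, then a common SNMP module and class-specific modules run against each host. The nmap output, the device profiles, the community strings and the module names are constructed assumptions; the SNMP module only lints the strings handed over by the admins for defaults, it does not probe anything.

```python
import re
# Constructed nmap -oG (grepable) output for two hypothetical devices; fields are tab-separated.
NMAP_OG = (
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 161/open/udp//snmp///\tIgnored State: closed (998)\n"
    "Host: 192.0.2.20 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "69/open/udp//tftp///, 161/open/udp//snmp///\n"
)
# Read community strings handed over by the admins in a cooperative assessment (constructed).
KNOWN_COMMUNITIES = {"192.0.2.10": ["public"], "192.0.2.20": ["n3tops-ro"]}
# Port profiles used to classify a device up front (hypothetical, modelled on the thread's
# examples): (class name, services that must be open, services that must be absent).
PROFILES = [
    ("ups-like (http/ftp/tftp, no telnet)", {"http", "ftp", "tftp"}, {"telnet"}),
    ("router/switch (telnet)", {"telnet"}, set()),
]

def parse_grepable(text):
    """Map each host in nmap -oG output to the set of its open service names."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+).*?\tPorts: ([^\t]*)", line)
        if m:  # each entry is port/state/proto/owner/service/rpc/version
            entries = [e.strip().split("/") for e in m.group(2).split(",")]
            hosts[m.group(1)] = {e[4] for e in entries if e[1] == "open"}
    return hosts

def identify(services):
    # First profile whose required services are open and whose excluded services are absent.
    for name, needed, absent in PROFILES:
        if needed <= services and not (absent & services):
            return name
    return "unknown network access device"

# Check modules: each takes (host, services, communities) and returns a list of findings.
def snmp_module(host, services, communities):  # common to every scan
    return [f"snmp: default community '{c}' still configured" for c in communities.get(host, [])
            if "snmp" in services and c.lower() in ("public", "private")]

def tftp_module(host, services, communities):
    return ["tftp: unauthenticated file transfer enabled"] if "tftp" in services else []

def telnet_module(host, services, communities):
    return ["telnet: cleartext management access enabled"] if "telnet" in services else []

# Module table: "*" runs for every device; the other entries are keyed by the identified class.
MODULES = {"*": [snmp_module], "ups-like (http/ftp/tftp, no telnet)": [tftp_module],
           "router/switch (telnet)": [telnet_module]}

def scan(grepable, communities):
    # Identify each device, then run the common modules plus the class-specific ones.
    report = {}
    for host, services in parse_grepable(grepable).items():
        cls = identify(services)
        findings = [f for mod in MODULES["*"] + MODULES.get(cls, []) for f in mod(host, services, communities)]
        report[host] = {"class": cls, "findings": findings}
    return report
```

Adding a check for a new device family means adding one profile and one module; the SNMP module stays untouched, which is the point of the modular layout.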