Re: [PEN-TEST] Network Access Device Scanning
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Mon, 11 Sep 2000 09:38:30 -0700
At 11:27 AM 9/11/00 +0000, H Carvey wrote:
> Correct...I felt the same way about commercial
> scanners against Windows, which led to the
> decision to "roll my own", as it were.
There are several large Service Providers that would be interested in this
type of tool, since it would provide them a POP inventory utility when
devices are commissioned and de-commissioned on a daily, weekly, monthly
As most Service Providers have high turnover with NOC type people and
> > On some of the Network Access Devices, Telnet is
> > not an option (as in the
> > case of a CSU/DSU set with no password) or an APC
> > UPS which has http, ftp,
> > and tftp default on but not telnet.
> Knowing this makes it easier to write a custom
Most of the information is available from the various vendor web pages and
information published on the various web pages.
> > SNMP is good to a point if the community strings
> > and access control lists
> > have not been set (usually public, private and
> > no access control list).
> Hhhhmmm...okay, I'm beginning to see where you're
> going with this. I have done vulnerability
> assessments as a cooperative exercise, meaning
> that when you go on-site, you work closely with
> the network and system admins to thoroughly review
> network device and host configurations.
> Host-based scanners for NT are run with an Admin
> account, for Linux, you get a username and
> password, as well as the root password to
> "su"...that sort of thing.
Yes, cooperative exercises are usually the case when examining Network
Access Devices, because there is no real commercial tool available to do
this for you.
> I don't know about the report writing
> capability...I hate to leave that part to an
> automagical piece of software...but the rest of it
Seagate Crystal Report 8 can handle almost any type of data feed.
> I've been toying with a small side project on
> NT...writing a scanner similar to the ones
> available (SAINT, SARA, etc) using nmapNT as a
> starting point. While nmapNT is a pale shadow of
> its Linux-based cousin (allegedly due to a broken
> LibnetNT.dll), the concept is there...
The concept has been documented in the X.700 management model, just no one
has really implemented it at a commercial level.
Most of the signatures or protocols are freely available from the Vendors,
since they publish their MIBs. :)
I have some of the major pieces already completed; it needs a front end to
make it pleasing and attractive to the Service Providers.
> Definitely. I'd volunteer to work on it, if I had
> access to the necessary platforms, and devices...
The answer to this question is that one does not need access to the
necessary platforms; beefing up the os-fingerprint file would be the
only real work. :)
The viability of this tool is that there is a need for it for both service
providers and high-end security service companies. :)
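As an added illustration of the inventory idea discussed in this thread (not code from either poster), the following matches constructed SNMP sysObjectID/sysDescr replies against a small signature file of the kind one would build from published vendor MIBs, and flags devices that still answer a default community string. Enterprise numbers 9 (Cisco) and 318 (APC) are real IANA assignments; the hosts, product sub-OIDs, community values and the enterprise 99999 entry are constructed.

```python
from dataclasses import dataclass

# Constructed signature file: "sysObjectID-prefix|vendor|class" per line.
# A trailing dot on each prefix keeps "...9.1." from matching "...9.10.x".
SIGNATURE_FILE = """
# prefix|vendor|class
1.3.6.1.4.1.9.1.|Cisco|router
1.3.6.1.4.1.318.1.3.|APC|ups
"""
DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults named in the thread

@dataclass
class SnmpReply:
    host: str
    community: str      # community string the device accepted
    sys_object_id: str  # RFC 1213 sysObjectID value
    sys_descr: str      # RFC 1213 sysDescr value

def load_signatures(text):
    """Parse the signature file into (prefix, vendor, class) tuples,
    longest prefix first so the most specific entry wins."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, vendor, kind = line.split("|")
        sigs.append((prefix, vendor, kind))
    return sorted(sigs, key=lambda s: len(s[0]), reverse=True)

def classify(reply, sigs):
    """Map a reply to (vendor, class) by sysObjectID prefix."""
    for prefix, vendor, kind in sigs:
        if reply.sys_object_id.startswith(prefix):
            return vendor, kind
    return "unknown", "unknown"

def audit(replies, sigs):
    """Build the POP inventory; note devices answering a default community."""
    inventory = {}
    for r in replies:
        vendor, kind = classify(r, sigs)
        inventory[r.host] = {"vendor": vendor, "class": kind, "descr": r.sys_descr,
                             "default_community": r.community in DEFAULT_COMMUNITIES}
    return inventory

# Constructed replies, as a polling loop over the POP would collect them.
REPLIES = [
    SnmpReply("10.0.0.1", "public", "1.3.6.1.4.1.9.1.122", "Cisco IOS (constructed)"),
    SnmpReply("10.0.0.2", "n0c-r0", "1.3.6.1.4.1.318.1.3.2.7", "APC Web/SNMP (constructed)"),
    SnmpReply("10.0.0.3", "private", "1.3.6.1.4.1.99999.1", "CSU/DSU (constructed)"),
]
```

Unknown vendors in the output are exactly the entries the thread says need adding to the signature (os-fingerprint) file.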