Before I even start I want to point out that I am NOT product bashing! ISS's products provide the average administrator a good way to audit his/her own network. But there have been numerous companies pop up using only ISS products to provide security audits and security expertise. This is inadequate. Granted if someone doesn't use Internet Scanner for at least part of an audit, they better be real good ....err REAL good. ISS Internet scanner for example: Granted ISS never claims to test for all known vulnerabilities. This is no surprise, new holes are out everyday. But my problem is that of the vulnerabilities that Internet Scanner says that it is testing, I have found a few that it DOESN'T even though it says it is. Example 'Router Checks' I wanted to scan my network to see if I had any routers that were vulnerable to the old ioslogon bug. After a quick scan, I found none. I knew this wasn't right, there was one somewhere I hadn't upgraded yet. After testing by hand I found it. I talked to ISS about this for a while, after sending logs and talking to the engineers their reply was 'well snmp is disabled ....' The rest of their reply was something about how this vulnerability was related to snmp therefor Internet Scanner couldn't scan for it. This is WRONG. After some testing this is what was found. Internet Scanner only tests for this bug if it can either gain access to a shell (by guessing the telnet password), or by getting snmp access to get the IOS version information. Based upon this, Internet Scanner determines whether or not the router is vulnerable. This is WRONG. This same holds true to all router checks except ascend udp kill. My follow up question, How many other vulnerabilities does Internet Scanner say it will scan, but really doesn't? ISS: Either be very very clear that you are not 'really' scanning for these vulnerabilities, or just scan for them. Sorry for the long message, but I wanted to be clear, and its late .... JoeJ Mr_JoeJat_private ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:59 PDT