In some mail from der Mouse, sie said:
[...]
> Surely this is a bit of a no-brainer - why not just try the exploit and
> see if it works? That's certainly what an attacker will do.

Let me hit you with another suggestion: if you know something about a box which suggests that an attack won't work, why try it?

This is the flip side of the problem with the "isologin" check. Why do it at all? Well, when you've got X number of hours/days to get a job done, you want it to be time well spent. For example, if I do a port scan and cannot connect to the smtp port and later amongst the list of things to check are various sendmail bugs, should I still try them? The expectation is that if a service is meant to be available, it will be at any time during a scan. If a service is not available then more than likely there is no point making further advanced checks.

My take on this current problem is that ISS doesn't gain enough intelligence before deciding to ignore the "ioslogin" problem. The original poster mentioned that the system was vulnerable (although not if he exploited it from the same machine/ip# as the scan) and according to David, it bases its decision on an SNMP reply. Well, SNMP is often turned off, and I would have hoped that for this check it could have applied the results of the "telnet" check (which would be a definite prerequisite for this one) where the banner has been captured. Cisco "telnet banners" are fairly distinctive.

Last time I had to use either Ballist/ISS I found numerous problems which I related back to various people (they need beta testers to be able to use proper licenses with them, not just localhost).

Darren
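The scheduling logic Darren describes (skip the sendmail tests when the smtp port never answered; gate the Cisco login check on a captured telnet banner rather than on an SNMP reply that may never come) can be expressed as a small prerequisite-driven check engine. The following is an added example written for this archive page; it is not Darren's code and not ISS's or Ballista's implementation. The host states, the banner strings and the "User Access Verification" marker used to recognise an IOS telnet prompt are constructed for the example, and the two leaf checks are placeholders that only record whether the engine decided to reach them (no login attempt or exploit is performed).

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class HostState:
    """What the scanner has learned about one host so far."""
    open_ports: Set[int]
    banners: Dict[int, str] = field(default_factory=dict)  # port -> captured banner
    snmp_sysdescr: Optional[str] = None                     # None = SNMP did not answer


# Assumed marker for an IOS telnet login prompt; adjust for real targets.
CISCO_TELNET_RE = re.compile(r"User Access Verification", re.I)
# Marker the SNMP-only approach would look for in sysDescr.
CISCO_SNMP_RE = re.compile(r"Cisco", re.I)


@dataclass
class Check:
    name: str
    requires: List[str]                    # checks that must have passed first
    probe: Callable[[HostState], bool]     # True = condition holds on this host


def port_open(port: int) -> Callable[[HostState], bool]:
    return lambda h: port in h.open_ports


def banner_matches(port: int, pattern: "re.Pattern") -> Callable[[HostState], bool]:
    return lambda h: bool(pattern.search(h.banners.get(port, "")))


def placeholder(h: HostState) -> bool:
    # Stands in for the real sendmail / Cisco login tests; the example only
    # shows whether the engine chooses to run them at all.
    return True


CHECKS = [
    Check("smtp_open", [], port_open(25)),
    Check("sendmail_checks", ["smtp_open"], placeholder),
    Check("telnet_open", [], port_open(23)),
    Check("cisco_telnet_banner", ["telnet_open"], banner_matches(23, CISCO_TELNET_RE)),
    Check("cisco_login_check", ["cisco_telnet_banner"], placeholder),
]


def run_checks(host: HostState, checks: List[Check]) -> Dict[str, str]:
    """Run checks in order; a check whose prerequisites did not all pass is skipped."""
    results: Dict[str, str] = {}
    for c in checks:
        if not all(results.get(r) == "pass" for r in c.requires):
            results[c.name] = "skipped"
            continue
        results[c.name] = "pass" if c.probe(host) else "fail"
    return results


def snmp_only_gate(host: HostState) -> bool:
    """The behaviour the post objects to: decide from the SNMP reply alone."""
    return bool(host.snmp_sysdescr and CISCO_SNMP_RE.search(host.snmp_sysdescr))


# Constructed sample hosts (not captured from real systems).
CISCO_NO_SNMP = HostState(
    open_ports={23},
    banners={23: "\r\nUser Access Verification\r\n\r\nPassword: "},
    snmp_sysdescr=None,
)
UNIX_MAIL = HostState(
    open_ports={22, 25},
    banners={25: "220 mail.example.test ESMTP Sendmail 8.9.3; ready"},
    snmp_sysdescr=None,
)


def attempted(host: HostState) -> List[str]:
    """Names of the leaf checks the banner-driven engine decides to run."""
    res = run_checks(host, CHECKS)
    return [n for n in ("sendmail_checks", "cisco_login_check") if res[n] == "pass"]


if __name__ == "__main__":
    for label, h in (("cisco, snmp off", CISCO_NO_SNMP), ("unix mail host", UNIX_MAIL)):
        print(label, "-> snmp gate:", snmp_only_gate(h), "| banner-driven:", attempted(h))
```

On the Cisco host with SNMP turned off the SNMP-only gate returns False and the login check would never be tried, while the banner-driven engine reaches it through telnet_open and cisco_telnet_banner; on the mail host the same engine runs the sendmail tests and skips the Cisco chain, which is the time saving Darren is after.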
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:42 PDT