Re: Medium Scale Scanning Best Practices

From: Erlend J. Leiknes (nookieat_private)
Date: Tue Jan 15 2002 - 17:37:55 PST


    You could program it in Python using the telnet library.
    
    Most services have a welcome message, and you could use that as a fingerprint
    of the version.
    Of course services like HTTP require you to send something before you get any
    useful data back (server version info etc...)
    but that should be very possible (write exceptions for a group of ports that
    need you to send data first).
    
    Since it's fingerprinting you wouldn't need to remember the version, all you
    need to know is:
    what type of service is located on that port
    will the welcome header reveal the service's version
    
    If that is the case, then you could easily search through your scan logs and
    see what services are vulnerable (this should be done by looking at
    Bugtraq).
    
    You will also be able to tell when there are new daemons installed on the
    network, which might reveal hacked machines.
    
    For more information about how to write such an application see www.python.org.
    You should be able to learn the language in 3-4 days.
    
    ----- Original Message -----
    From: <swlodinat_private>
    To: <PEN-TESTat_private>
    Sent: Tuesday, January 15, 2002 1:16 PM
    Subject: Medium Scale Scanning Best Practices
    
    
    > Good day,
    >
    > I'm looking for advice on best practices for periodic scanning of a network
    > on a medium scale.  Here are my definitions:
    >
    > Frequency
    > ---------
    > Continuous - near real-time
    > Periodic - weekly/monthly <--------- me
    > One time - duh
    >
    > Scale
    > -----
    > Small - a few hosts or maybe a /24 network or two
    > Medium - many networks, up to /16 types <----------- me
    > Large - global Internet or many /8 types
    >
    > Testing Activity **
    > -------------------
    > Footprinting
    > Scanning <----------- me
    > Enumeration
    > Penetration
    >
    > ** Taken from Hacking Exposed by the Foundstone guys
    >
    > I have a global network of many /16 through /26 networks.  I'd like to develop
    > an inventory of, primarily, machine/OS/Services.  I'd prefer to have this
    > relatively up-to-date, but not manually performed.  Ultimately, I'd like to
    > have a resource that could help me identify vulnerable devices given the
    > discovery of a new vulnerability rather than having to scan the entire
    > network each time.
    >
    > For example, the next IIS vulnerability hits.  I'd like to have a quick answer
    > to the question, "what devices are vulnerable".  It doesn't matter if the
    > answer is the result of "list all Windows OS devices with port 80 or 443 open".
    >
    > What are the best practices in this area?  I have a cobbled-together solution
    > using nmap that I'm ready to test, but if there is a better low-cost solution
    > I am interested.  I've seen ndiff (nmap diff), but I'm not sure that it would
    > be easy to modify that to suit my requirements.  How are you dealing with
    > this situation?
    >
    > Thanks!
    >
    > Steve
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    
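An added example of the approach Erlend sketches (this is not code from either poster): read the welcome banner, send a probe first on ports that need one, fingerprint service type and version with a few assumed patterns, and keep the result in an inventory so that Steve's "which devices are vulnerable" question and the "new daemon appeared" check are answered from stored data instead of a fresh scan. The hosts, banners and patterns are constructed for illustration.

```python
import re
import socket

# Ports that only answer after the client sends something (the post's
# "exceptions"); the value is the probe to send. Assumed, not exhaustive.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}

# (service, pattern whose group 1 is the version string). Assumed patterns
# for a few common daemons; extend them from banners in your own scan logs.
FINGERPRINTS = [
    ("ssh",  re.compile(rb"^SSH-[\d.]+-(\S+)")),
    ("smtp", re.compile(rb"^220 \S+ (?:ESMTP )?(Sendmail [\d.]+|Postfix|Exim [\d.]+)")),
    ("ftp",  re.compile(rb"^220 .*?\((?:Version )?([^)]+)\)")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}.*?\r\nServer: ([^\r\n]+)", re.S)),
]

def grab_banner(host, port, timeout=3.0):
    """Connect, send a probe if this port needs one, return the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in PROBES:
            s.sendall(PROBES[port])
        return s.recv(1024)

def fingerprint(banner):
    """Map a welcome banner to (service type, version string or None)."""
    for service, pattern in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return service, m.group(1).decode(errors="replace")
    return "unknown", None

def matching_hosts(inventory, service, version_re):
    """Answer 'which hosts run this?' from the stored inventory, no rescan."""
    rx = re.compile(version_re)
    return sorted({host for (host, _port), (svc, ver) in inventory.items()
                   if svc == service and ver and rx.search(ver)})

def new_services(previous, current):
    """(host, port) pairs seen now but not last time: newly installed daemons."""
    return sorted(set(current) - set(previous))

# Constructed banners standing in for grab_banner() output from a scan run.
SAMPLE_SCAN = {
    ("10.0.0.1", 22): b"SSH-1.99-OpenSSH_3.0.2p1\r\n",
    ("10.0.0.1", 80): b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.22 (Unix)\r\n\r\n",
    ("10.0.0.2", 80): b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
    ("10.0.0.3", 25): b"220 mail.example.com ESMTP Sendmail 8.11.6/8.11.6\r\n",
    ("10.0.0.4", 21): b"220 ftp.example.com FTP server (Version wu-2.6.1-18) ready.\r\n",
}
INVENTORY = {key: fingerprint(b) for key, b in SAMPLE_SCAN.items()}
```

Persist INVENTORY after each periodic run and diff it against the previous run with new_services(); when an advisory lands, query matching_hosts() with a version pattern taken from the advisory.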



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 11:04:32 PST