Re: pre-scanning for vulnerability scans?

From: Ivan Arce (ivan.arce@coresecurity.com)
Date: Tue Jan 10 2006 - 20:24:19 EST


offset wrote:
> Greetings,
>
> My goal is to determine ways to speed up network vulnerability scans
> on a number of /20 networks (but not at the expense of accuracy)
>
> Given the goal above, anyone have experience testing accuracy and
> speed for host detection and full port scans using various network
> scanners (ie, unicorn versus nmap)?
...
> Looking to find most efficient methods of the following, assume
> stealth is not the goal, but accuracy is:
> 1. host up detection (detecting ports (ie, 80, 443)), mark for
>    followup later (queue for full scan)
> 2. full port SYN scan on detected hosts (TCP only)
> 3. vulnerability analysis based on host/port information

This is quite an interesting topic. First, I would say that it depends on
what you are trying to achieve...are you doing a complete assessment?
are you doing a penetration test? are you just doing a vulnerability
scan? do you have a time constraint for the entire project?

I am asking this because:

If you are doing a complete assessment then it is reasonable to try to
scan ALL ports. Then again, if your assessment includes/allows
exploitation you may not need to scan all ports, just those needed to
successfully compromise some hosts and then assess further and more
accurately from those compromised hosts; this will speed up the process.

If you are doing a vulnerability scan then it is only reasonable to scan
the ports for which you have vulnerability checks in your scanner;
all other port information will be of no use to your scanner and
therefore you'd just be wasting precious time/bandwidth looking for it.

The same may apply to penetration testing. If you have a predefined set
of tools and exploits that you'll use, then just scan for the information
that those tools and exploits need in order to work.

I said this is an interesting topic because the purely pragmatic (and
some would say skript-kiddish) approach I just proposed is generally
counter-intuitive to most security experts and consultants. Security
experts, consultants and individuals with an engineering/sciences
background generally tend to look at the big picture and all the
possible details before starting their analysis, engaging in the work
and deriving conclusions. This is in line with their search for a
complete *understanding* of the system under scrutiny in order to do a
good job and provide excellent results, but this is a quasi-philosophical
stance for many (among which I include myself). Sometimes we lack a more
pragmatic view; we don't need to completely understand the whole system in
order to get the job done efficiently and with high quality standards,
we just need what we need to get the job done :)
Sometimes seeking complete understanding of a security system is
just a self-serving goal with limited practical value.

What we learned while developing automated penetration testing
*software* is that sometimes it is useless or not worth the effort to
obtain a lot of information that no other component in the system will
need to use.

That doesn't apply to a team of experts that would go through all the
information, investigate it further and use all their experience and
intangible expertise and knowledge to identify new threats or to trigger
new ideas, but nonetheless even such a team does not need to have all the
information in stage 1 in order to start moving to stage 2
(especially if stealthiness is not an important goal).

There are some ideas related to this in the presentation that Gerardo
Richarte and myself did at the PacSec conference in 2003 (from slides
30+) and in other resources of the Attack Planning project at Corelabs:

http://www.coresecurity.com/corelabs/projects/attack_planning.php

-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A