
Iterative Scanning

RSnake over at ha.ckers.org discusses his ideas on a topic he calls "iterative scanning". His idea is that one should take into account the information one already knows. He concludes that, during an assessment, one should not run a check for a vulnerability if you already know that the vulnerability cannot be present on the remote server. For example, there is no reason to run an exploit against an IIS server when the vulnerability only affects instances of Apache.

He's absolutely right of course. There is no reason to even try to check for an IIS vulnerability when you already know that the remote web server is Apache. nCircle implemented a solution to this problem years ago: before checking to see if a vulnerability is present on a computer, we try to ascertain whether or not it is even possible for the vulnerability to be present on the server.

There are many advantages to doing things this way. First, it speeds things up significantly. Instead of enumerating through the entire list of known SMTP vulnerabilities, you can focus on the ones that affect Sendmail if that is what is presently running. Secondly, it minimizes false positives. There is absolutely no chance that a check for a Postfix vulnerability will fire in the above example.

Of course, fingerprinting can be either easy or difficult depending on the protocol. However, even with the high cost of entry, the benefits of determining what is running prior to performing any form of vulnerability scan outweigh the cost. I'm really glad that others in the industry have started to get on that bandwagon.
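The following is an added illustration of the approach described above, not code from the original post or from nCircle's product. It fingerprints a service from its banner, then filters a check catalogue down to the checks that can possibly apply. The check identifiers, affected-product lists and banners are constructed placeholders; the only real assumption is that a banner usually names the product. When fingerprinting fails, nothing can be ruled out, so the code falls back to running every check for that protocol rather than silently dropping coverage.

```python
import re
from dataclasses import dataclass


# Catalogue of checks. Identifiers and affected products are constructed
# placeholders for illustration, not real vulnerability identifiers.
@dataclass(frozen=True)
class Check:
    check_id: str
    protocol: str          # service the check speaks to (smtp, http)
    products: frozenset    # products the flaw can exist in; empty = any product


CHECKS = [
    Check("SMTP-CHECK-A", "smtp", frozenset({"sendmail"})),
    Check("SMTP-CHECK-B", "smtp", frozenset({"postfix"})),
    Check("SMTP-CHECK-C", "smtp", frozenset()),          # product-agnostic
    Check("HTTP-CHECK-A", "http", frozenset({"iis"})),
    Check("HTTP-CHECK-B", "http", frozenset({"apache"})),
    Check("HTTP-CHECK-C", "http", frozenset({"apache", "iis"})),
]

# Banner patterns used to fingerprint the product behind a service.
FINGERPRINTS = {
    "smtp": [
        (re.compile(r"\bSendmail\b", re.I), "sendmail"),
        (re.compile(r"\bPostfix\b", re.I), "postfix"),
    ],
    "http": [
        (re.compile(r"Microsoft-IIS/", re.I), "iis"),
        (re.compile(r"\bApache(?:/|\b)", re.I), "apache"),
    ],
}


def fingerprint(protocol, banner):
    """Return the product name implied by a banner, or None if unrecognized."""
    for pattern, product in FINGERPRINTS.get(protocol, []):
        if pattern.search(banner):
            return product
    return None


def select_checks(protocol, product, catalogue=CHECKS):
    """Keep the checks for this protocol that could apply to the product.

    product is None when fingerprinting failed; then nothing can be ruled
    out, so every check for the protocol is kept (conservative fallback).
    """
    selected = []
    for check in catalogue:
        if check.protocol != protocol:
            continue
        if product is None or not check.products or product in check.products:
            selected.append(check.check_id)
    return selected


def plan_scan(observed, catalogue=CHECKS):
    """observed maps protocol -> banner; returns protocol -> check ids to run."""
    plan = {}
    for proto, banner in observed.items():
        plan[proto] = select_checks(proto, fingerprint(proto, banner), catalogue)
    return plan


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    host = {
        "smtp": "220 mail.example.test ESMTP Sendmail 8.14.3/8.14.3",
        "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\n",
    }
    for proto, ids in plan_scan(host).items():
        total = sum(1 for c in CHECKS if c.protocol == proto)
        print(f"{proto}: running {len(ids)} of {total} checks -> {ids}")
```

The product-agnostic entry (empty product set) shows why the filter must be "could this apply?" rather than "is this product named?": a protocol-level flaw still has to be checked regardless of the product, and a check that is wrongly skipped is a false negative, which is worse than the extra traffic it saves.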


Comments (2)

Ryan,

Iterative scanning is the best way to perform a both comprehensive and less 'noisy' scan and to avoid generating pointless, clogging traffic. As you know, we've been doing this for years as well, so I gotta ask - who doesn't do this? I honestly only track a couple of credible competitors, so I'd love to know who is still firing packet cannons at everything with an IP address if you know of examples.

RB

Ross,

I have no idea. I know that a lot of small and very specialized tools still use the brute force method.

However, I am not privy to any information about whether or not any other 'credible' competitors do it as well. The post was meant to be a generalization on the topic in general. It was not meant to point fingers at anyone in particular. :)


About

This page contains a single entry from the blog posted on March 28, 2007 11:24 AM.
