[nexpose-users] How to scan hosts that do not reply to ICMP pings?
Mark Manning
mark.manning at gmail.com
Fri May 7 09:26:23 PDT 2010
One of the nice things (as you already know) about Nexpose Express
is that it allows you to customize the templates through the web
interface. But in Nexpose Community you can't.
If you set up the site to use the Aggressive Discovery built-in template,
this will find hosts using TCP connects to alternative ports. But
this is a scan mostly related to discovery and not vulnerability.
Stop me if this is against the EULA but the XML that holds the
configuration settings for things like Full Audit is located under
C:\program files\rapid7\nexpose\shared\scanTemplates\builtin
or
/opt/rapid7/nexpose/shared/scanTemplates/builtin
If one were to change the checkhosts section of Full Audit to look like this:
<CheckHosts timeout="1000" retries="4" sendDelay="5">
  <icmpHostCheck enabled="1"/>
  <TCPHostCheck enabled="1">
    <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
  </TCPHostCheck>
</CheckHosts>
I don't have the right environment right now to test though so let us know.
--Mark
On Fri, May 7, 2010 at 12:13 PM, Will Vandevanter
<Will_Vandevanter at rapid7.com> wrote:
> Hey Matthew,
>
>
>
> Adjusting your nmap configuration should allow you to do host discovery
> using a method other than ICMP. Specifically, the -PS/PA/PU/PY[portlist]
> flag in nmap will determine if a device is alive using TCP SYN/ACK, UDP, and
> SCTP respectively to the given portlist.
>
>
>
> -Will
>
>
> ________________________________
> From: nexpose-users-bounces at lists.rapid7.com
> [nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
> [watcher60 at gmail.com]
> Sent: Friday, May 07, 2010 11:45 AM
> To: nexpose-users at lists.rapid7.com
> Subject: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>
> Apologies if this has been asked before; I did try searching for an answer as
> I'm sure it's a common Q.
>
> I understand Nexpose Community edition does not allow you to edit the scan
> templates to alter the host detection setting, which is set to require a
> reply to an ICMP ping to ensure the target is alive. Is there any way in the
> community version to work around this? I did try using the msf console to
> import an nmap scan but it appears it still pings the target to see if it is
> alive.
>
> thanks
>
>
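The TCP host check discussed in this thread, as an added example that is not part of the original messages or Rapid7's code: it parses the CheckHosts fragment quoted above and runs the same kind of liveness test with plain TCP connects against a host you administer. Assumptions: timeout and sendDelay are milliseconds, and a refused connection counts as alive (as in nmap's TCP ping); parse_check_hosts and tcp_alive are names made up here.

```python
import socket
import time
import xml.etree.ElementTree as ET

# The CheckHosts fragment from the message above, embedded so this runs offline.
CHECK_HOSTS_XML = """<CheckHosts timeout="1000" retries="4" sendDelay="5">
  <icmpHostCheck enabled="1"/>
  <TCPHostCheck enabled="1">
    <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
  </TCPHostCheck>
</CheckHosts>"""

def parse_check_hosts(xml_text):
    """Return the TCP discovery settings, or None if TCPHostCheck is disabled."""
    root = ET.fromstring(xml_text)
    tcp = root.find("TCPHostCheck")
    if tcp is None or tcp.get("enabled") != "1":
        return None
    ports = [int(p) for p in tcp.findtext("portList", "").split(",") if p.strip()]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid ports in portList: {bad}")
    return {
        "ports": ports,
        "timeout": int(root.get("timeout", "1000")) / 1000.0,    # assumed ms
        "retries": int(root.get("retries", "0")),
        "send_delay": int(root.get("sendDelay", "0")) / 1000.0,  # assumed ms
    }

def tcp_alive(host, ports, timeout=1.0, retries=0, send_delay=0.0):
    """Return (port, evidence) for the first port proving the host is up, else None."""
    for _ in range(retries + 1):
        for port in ports:
            try:
                with socket.create_connection((host, port), timeout=timeout):
                    return port, "open"
            except ConnectionRefusedError:
                return port, "refused"  # RST came back: host is up, port closed
            except OSError:
                pass  # timeout or unreachable: no evidence from this port
            time.sleep(send_delay)
    return None

if __name__ == "__main__":
    cfg = parse_check_hosts(CHECK_HOSTS_XML)
    print(tcp_alive("127.0.0.1", **cfg))
```

A host that silently drops ICMP but answers any listed port, even with a refusal, is reported as alive; only a host that drops every probe returns None.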