[nexpose-users] How to scan hosts that do not reply to ICMP pings?

Ty Bailey Ty_Bailey at rapid7.com
Fri May 7 11:25:17 PDT 2010


Yeah XP is not a supported OS: http://community.rapid7.com/redmine/projects/nexpose/wiki/General_FAQ

Ty Bailey
Manager of Account Services

-----Original Message-----
From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
Sent: Friday, May 07, 2010 2:19 PM
To: Mark Manning
Cc: nexpose-users at lists.rapid7.com
Subject: Re: [nexpose-users] How to scan hosts that do not reply to ICMP pings?

Afraid no dice (believe btw I'd need to change the icmphostcheck value
to 0 for false)

It could be down to me running this on xp but I get the following in the log:

Metasploit-12010-05-07T17:40:19 Raw sockets are not available.
Changing port scan method to "Full Connect"
Metasploit-12010-05-07T17:40:19 Pinger is using: icmp[on]
tcp[21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100]
udp[off] sendDelay[5] retries[4] responseWait[1000]
Metasploit-12010-05-07T17:40:25 RawSock ERROR:
java.net.SocketException: Failure in sendto on raw socket: 10004
	at com.rapid7.net.EthernetInterface.send(Native Method)
	at com.rapid7.net.EthernetInterface.send(Unknown Source)
	at com.rapid7.net.Pinger.C(Unknown Source)
	at com.rapid7.net.Pinger.B(Unknown Source)
	at com.rapid7.net.Pinger.pingHosts(Unknown Source)
	at com.rapid7.nexpose.plugin.net.JessPinger.jessPing(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.rapid7.thread.ThreadedCall.invokeCall(Unknown Source)
	at com.rapid7.thread.ThreadedCall.B(Unknown Source)
	at com.rapid7.thread.ThreadedCallRunner.executeCall(Unknown Source)
	at com.rapid7.thread.ThreadedCallRunner.run(Unknown Source)

I'm wondering if the simplest solution is to simply turn off the host
checking for the pentest profile (if possible) which I presume is this
setting:

<DeviceDiscovery>
  <networkDiscovery enabled="1"/>

All this said, if there is an official way to achieve this I'm all ears




On 7 May 2010 17:26, Mark Manning <mark.manning at gmail.com> wrote:
>
> One of the nice things (as you already know) about the Nexpose Express
> is they allow you to customize the templates through the web
> interface.  But in Nexpose Community you can't.
>
> If you set up the site to use the Aggressive Discovery builtin template
> this will find hosts using TCP connects to alternative ports.  But
> this is a scan mostly related to discovery and not vulnerability.
>
> Stop me if this is against the EULA but the XML that holds the
> configuration settings for things like Full Audit is located under
> C:\program files\rapid7\nexpose\shared\scanTemplates\builtin
> or
> /opt/rapid7/nexpose/shared/scanTemplates/builtin
>
> If one were to change the checkhosts section of Full Audit to look like this:
>  <CheckHosts timeout="1000" retries="4" sendDelay="5">
>    <icmpHostCheck enabled="1"/>
>    <TCPHostCheck enabled="1">
> <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
>    </TCPHostCheck>
>  </CheckHosts>
>
> I don't have the right environment right now to test though so let us know.
>
> --Mark
>
>
>
> On Fri, May 7, 2010 at 12:13 PM, Will Vandevanter
> <Will_Vandevanter at rapid7.com> wrote:
> > Hey Matthew,
> >
> >
> >
> >   Adjusting your nmap configuration should allow you to do host discovery
> > using a method other than ICMP. Specifically, the -PS/PA/PU/PY[portlist]
> > flag in nmap will determine if a device is alive using TCP SYN/ACK, UDP, and
> > SCTP respectively to the given portlist.
> >
> >
> >
> > -Will
> >
> >
> > ________________________________
> > From: nexpose-users-bounces at lists.rapid7.com
> > [nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
> > [watcher60 at gmail.com]
> > Sent: Friday, May 07, 2010 11:45 AM
> > To: nexpose-users at lists.rapid7.com
> > Subject: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
> >
> > Apologies if this has been asked before, I did try searching for an answer as
> > I'm sure it's a common Q.
> >
> > I understand nexpose community edition does not allow you to edit the scan
> > templates to alter the host detection setting which is set to require a
> > reply to an icmp ping to ensure the target is alive. Is there any way in the
> > community version to work around this? - I did try using the msf console to
> > import a nmap scan but it appears it still pings the target to see if it is
> > alive.
> >
> > thanks
> >
> > _______________________________________________
> > http://community.rapid7.com/redmine/projects/nexpose/wiki
> > https://mail.metasploit.com/mailman/listinfo/nexpose-users
> >
> >
_______________________________________________
http://community.rapid7.com/redmine/projects/nexpose/wiki
https://mail.metasploit.com/mailman/listinfo/nexpose-users
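
One way to confirm that an edited template's host-check settings are the ones the scan engine actually uses is to compare the `CheckHosts` XML against the "Pinger is using:" log line quoted in the thread. This is an added example, not part of any poster's message and not Rapid7 code; the XML and log line are constructed samples in the thread's format, and treating a non-numeric `tcp[...]` value as "no ports" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: CheckHosts in the thread's format, ICMP switched off.
TEMPLATE_XML = """<CheckHosts timeout="1000" retries="4" sendDelay="5">
  <icmpHostCheck enabled="0"/>
  <TCPHostCheck enabled="1">
    <portList>22,80,443,445,3389</portList>
  </TCPHostCheck>
</CheckHosts>"""

# Constructed sample: pinger log line in the thread's format, on one line.
LOG_LINE = ("Metasploit-12010-05-07T17:40:19 Pinger is using: icmp[on] "
            "tcp[22,80,443,445,3389] udp[off] sendDelay[5] retries[4] "
            "responseWait[1000]")

def _ports(text):
    # Non-numeric values such as "off" yield an empty list (assumed form).
    return sorted(int(p) for p in (text or "").split(",") if p.strip().isdigit())

def template_discovery(xml_text):
    """Host-check settings a scan template asks for."""
    root = ET.fromstring(xml_text)
    ch = root if root.tag == "CheckHosts" else root.find(".//CheckHosts")
    if ch is None:
        return None
    icmp, tcp = ch.find("icmpHostCheck"), ch.find("TCPHostCheck")
    tcp_on = tcp is not None and tcp.get("enabled") == "1"
    return {"icmp": icmp is not None and icmp.get("enabled") == "1",
            "tcp": _ports(tcp.findtext("portList")) if tcp_on else []}

def pinger_discovery(line):
    """Host-check settings the scan engine reports it is using."""
    _, found, rest = line.partition("Pinger is using:")
    if not found:
        return None
    fields = dict(re.findall(r"(\w+)\[([^\]]*)\]", rest))
    return {"icmp": fields.get("icmp") == "on", "tcp": _ports(fields.get("tcp"))}

def mismatches(wanted, running):
    """Differences between the template and what the engine logged."""
    out = []
    if wanted["icmp"] != running["icmp"]:
        out.append("icmp: template=%s log=%s" % (wanted["icmp"], running["icmp"]))
    if wanted["tcp"] != running["tcp"]:
        out.append("tcp ports differ: template=%s log=%s" % (wanted["tcp"], running["tcp"]))
    return out

if __name__ == "__main__":
    for m in mismatches(template_discovery(TEMPLATE_XML), pinger_discovery(LOG_LINE)):
        print(m)
```

With the samples above, the template asks for ICMP off while the log still reports `icmp[on]`, so the one reported mismatch shows the edited template was not the one the scan ran with.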

