[nexpose-users] How to scan hosts that do not reply to ICMP pings?

Steve Tornio steve at vitriol.net
Fri May 7 11:36:04 PDT 2010


I have run into the same issue while comparing Nexpose community
edition to my Nessus installation.  The community edition will not
scan hosts that do not reply to icmp echo requests, and the available
documentation points to scan templates as the solution.  Scan
templates can not, of course, be modified in the community edition.

I think the original poster's question is valid, and has a simple
yes/no answer.  Is rapid7 going to make it possible to scan hosts with
the community edition which do not reply to icmp, or not?

On Fri, May 7, 2010 at 1:25 PM, Ty Bailey <Ty_Bailey at rapid7.com> wrote:
> Yeah XP is not a supported OS: http://community.rapid7.com/redmine/projects/nexpose/wiki/General_FAQ
>
> Ty Bailey
> Manager of Account Services
>
> -----Original Message-----
> From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
> Sent: Friday, May 07, 2010 2:19 PM
> To: Mark Manning
> Cc: nexpose-users at lists.rapid7.com
> Subject: Re: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>
> Afraid no dice (believe btw I'd need to change the icmphostcheck value
> to 0 for false)
>
> It could be down to me running this on xp but I get the following in the log:
>
> Metasploit-12010-05-07T17:40:19 Raw sockets are not available.
> Changing port scan method to "Full Connect"
> Metasploit-12010-05-07T17:40:19 Pinger is using: icmp[on]
> tcp[21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100]
> udp[off] sendDelay[5] retries[4] responseWait[1000]
> Metasploit-12010-05-07T17:40:25 RawSock ERROR:
> java.net.SocketException: Failure in sendto on raw socket: 10004
>        at com.rapid7.net.EthernetInterface.send(Native Method)
>        at com.rapid7.net.EthernetInterface.send(Unknown Source)
>        at com.rapid7.net.Pinger.C(Unknown Source)
>        at com.rapid7.net.Pinger.B(Unknown Source)
>        at com.rapid7.net.Pinger.pingHosts(Unknown Source)
>        at com.rapid7.nexpose.plugin.net.JessPinger.jessPing(Unknown Source)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:597)
>        at com.rapid7.thread.ThreadedCall.invokeCall(Unknown Source)
>        at com.rapid7.thread.ThreadedCall.B(Unknown Source)
>        at com.rapid7.thread.ThreadedCallRunner.executeCall(Unknown Source)
>        at com.rapid7.thread.ThreadedCallRunner.run(Unknown Source)
>
> I'm wondering if the simplest solution is to simply turn off the host
> checking for the pentest profile (if possible) which I presume is this
> setting:
>
> <DeviceDiscovery>
>  <networkDiscovery enabled="1"/>
>
> All this said if there is an official way to achieve this I'm all ears
>
>
>
>
> On 7 May 2010 17:26, Mark Manning <mark.manning at gmail.com> wrote:
>>
>> One of the nice things (as you already know) about the Nexpose Express
>> is they allow you to customize the templates through the web
>> interface.  But in Nexpose Community you can't.
>>
>> If you set up the site to use the Aggressive Discovery builtin template
>> this will find hosts using TCP connects to alternative ports.  But
>> this is a scan mostly related to discovery and not vulnerability.
>>
>> Stop me if this is against the EULA but the XML that holds the
>> configuration settings for things like Full Audit is located under
>> C:\program files\rapid7\nexpose\shared\scanTemplates\builtin
>> or
>> /opt/rapid7/nexpose/shared/scanTemplates/builtin
>>
>> If one were to change the checkhosts section of Full Audit to look like this:
>>  <CheckHosts timeout="1000" retries="4" sendDelay="5">
>>    <icmpHostCheck enabled="1"/>
>>    <TCPHostCheck enabled="1">
>>      <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
>>    </TCPHostCheck>
>>  </CheckHosts>
>>
>> I don't have the right environment right now to test though so let us know.
>>
>> --Mark
>>
>>
>>
>> On Fri, May 7, 2010 at 12:13 PM, Will Vandevanter
>> <Will_Vandevanter at rapid7.com> wrote:
>> > Hey Matthew,
>> >
>> >
>> >
>> >   Adjusting your nmap configuration should allow you to do host discovery
>> > using a method other than ICMP. Specifically, the -PS/PA/PU/PY[portlist]
>> > flag in nmap will determine if a device is alive using TCP SYN/ACK, UDP, and
>> > SCTP respectively to the given portlist.
>> >
>> >
>> >
>> > -Will
>> >
>> >
>> > ________________________________
>> > From: nexpose-users-bounces at lists.rapid7.com
>> > [nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
>> > [watcher60 at gmail.com]
>> > Sent: Friday, May 07, 2010 11:45 AM
>> > To: nexpose-users at lists.rapid7.com
>> > Subject: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>> >
>> > Apologies if this has been asked before. I did try searching for an answer as
>> > I'm sure it's a common Q.
>> >
>> > I understand Nexpose Community edition does not allow you to edit the scan
>> > templates to alter the host detection setting, which is set to require a
>> > reply to an ICMP ping to ensure the target is alive. Is there any way in the
>> > community version to work around this? I did try using the msf console to
>> > import an nmap scan but it appears it still pings the target to see if it is
>> > alive.
>> >
>> > thanks
>> >
>> > _______________________________________________
>> > http://community.rapid7.com/redmine/projects/nexpose/wiki
>> > https://mail.metasploit.com/mailman/listinfo/nexpose-users
>> >
>> >
>
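
The TCP-based host check that the quoted `<CheckHosts>` fragment and the "Full Connect" log line refer to, as an added illustration (not from any poster in this thread and not Nexpose code). The function names, the shortened port list with ICMP disabled, and the choice to treat a refused connection as proof the host is up are assumptions of this example.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <CheckHosts> fragment quoted in the thread,
# with ICMP disabled and a shortened port list.
SAMPLE = """
<CheckHosts timeout="1000" retries="4" sendDelay="5">
  <icmpHostCheck enabled="0"/>
  <TCPHostCheck enabled="1">
    <portList>22,80,443</portList>
  </TCPHostCheck>
</CheckHosts>
"""

def parse_check_hosts(xml_text):
    """Return the discovery settings held in a <CheckHosts> element."""
    root = ET.fromstring(xml_text)
    icmp = root.find("icmpHostCheck")
    tcp = root.find("TCPHostCheck")
    ports = []
    if tcp is not None and tcp.get("enabled") == "1":
        text = tcp.findtext("portList", default="")
        ports = [int(p) for p in text.split(",") if p.strip()]
    return {
        "icmp": icmp is not None and icmp.get("enabled") == "1",
        "tcp_ports": ports,
        "timeout_s": int(root.get("timeout", "1000")) / 1000.0,  # ms -> s
        "retries": int(root.get("retries", "0")),
    }

def tcp_alive(host, cfg):
    """Full-connect liveness check: True if any listed port answers.

    Assumption of this example: an open port (handshake completes) and a
    closed port (RST, raised as ConnectionRefusedError) both show the host
    is up; only silence (timeout/unreachable) does not.
    """
    for port in cfg["tcp_ports"]:
        for _ in range(cfg["retries"] + 1):
            try:
                with socket.create_connection((host, port), cfg["timeout_s"]):
                    return True
            except ConnectionRefusedError:
                return True
            except OSError:  # timeout or unreachable: retry, then next port
                continue
    return False
```
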

