[nexpose-users] How to scan hosts that do not reply to ICMP pings?

Steve Tornio steve at vitriol.net
Fri May 7 14:59:12 PDT 2010


To be clear on the exact nature of this, the default Full Audit (for
example) discovery check uses ICMP and TCP port 80 to discover hosts.
Many (most?) host firewalls drop filtered traffic, and so both of
these checks come back with a dead host.  In my experience, most
firewalled hosts in a corporate environment will still listen on
either TCP port 22 or 445, depending on the type of system, and
checking those ports results in many more found hosts.

Even without the explicit permission to create scan templates, the
community edition could be more useful by including these additional
ports.

On Fri, May 7, 2010 at 1:25 PM, Ty Bailey <Ty_Bailey at rapid7.com> wrote:
> Yeah XP is not a supported OS : http://community.rapid7.com/redmine/projects/nexpose/wiki/General_FAQ
>
> Ty Bailey
> Manager of Account Services
>
> -----Original Message-----
> From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
> Sent: Friday, May 07, 2010 2:19 PM
> To: Mark Manning
> Cc: nexpose-users at lists.rapid7.com
> Subject: Re: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>
> Afraid no dice (believe btw I'd need to change the icmphostcheck value
> to 0 for false)
>
> It could be down to me running this on xp but I get the following in the log:
>
> Metasploit-12010-05-07T17:40:19 Raw sockets are not available.
> Changing port scan method to "Full Connect"
> Metasploit-12010-05-07T17:40:19 Pinger is using: icmp[on]
> tcp[21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100]
> udp[off] sendDelay[5] retries[4] responseWait[1000]
> Metasploit-12010-05-07T17:40:25 RawSock ERROR:
> java.net.SocketException: Failure in sendto on raw socket: 10004
>        at com.rapid7.net.EthernetInterface.send(Native Method)
>        at com.rapid7.net.EthernetInterface.send(Unknown Source)
>        at com.rapid7.net.Pinger.C(Unknown Source)
>        at com.rapid7.net.Pinger.B(Unknown Source)
>        at com.rapid7.net.Pinger.pingHosts(Unknown Source)
>        at com.rapid7.nexpose.plugin.net.JessPinger.jessPing(Unknown Source)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:597)
>        at com.rapid7.thread.ThreadedCall.invokeCall(Unknown Source)
>        at com.rapid7.thread.ThreadedCall.B(Unknown Source)
>        at com.rapid7.thread.ThreadedCallRunner.executeCall(Unknown Source)
>        at com.rapid7.thread.ThreadedCallRunner.run(Unknown Source)
>
> I'm wondering if the simplest solution is to simply turn off the host
> checking for the pentest profile (if possible) which I presume is this
> setting:
>
> <DeviceDiscovery>
>  <networkDiscovery enabled="1"/>
>
> All this said, if there is an official way to achieve this I'm all ears
>
>
>
>
> On 7 May 2010 17:26, Mark Manning <mark.manning at gmail.com> wrote:
>>
>> One of the nice things (as you already know) about the Nexpose Express
>> is they allow you to customize the templates through the web
>> interface.  But in Nexpose Community you can't.
>>
>> If you setup the site to use the Aggressive Discovery builtin template
>> this will find hosts using TCP connects to alternative ports.  But
>> this is a scan mostly related to discovery and not vulnerability.
>>
>> Stop me if this is against the EULA but the XML that holds the
>> configuration settings for things like Full Audit is located under
>> C:\program files\rapid7\nexpose\shared\scanTemplates\builtin
>> or
>> /opt/rapid7/nexpose/shared/scanTemplates/builtin
>>
>> If one were to change the checkhosts section of Full Audit to look like this:
>>  <CheckHosts timeout="1000" retries="4" sendDelay="5">
>>    <icmpHostCheck enabled="1"/>
>>    <TCPHostCheck enabled="1">
>> <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
>>    </TCPHostCheck>
>>  </CheckHosts>
>>
>> I don't have the right environment right now to test though so let us know.
>>
>> --Mark
>>
>>
>>
>> On Fri, May 7, 2010 at 12:13 PM, Will Vandevanter
>> <Will_Vandevanter at rapid7.com> wrote:
>> > Hey Matthew,
>> >
>> >
>> >
>> >   Adjusting your nmap configuration should allow you to do host discovery
>> > using a method other than ICMP. Specifically, the -PS/PA/PU/PY[portlist]
>> > flag in nmap will determine if a device is alive using TCP SYN/ACK, UDP, and
>> > SCTP respectively to the given portlist.
>> >
>> >
>> >
>> > -Will
>> >
>> >
>> > ________________________________
>> > From: nexpose-users-bounces at lists.rapid7.com
>> > [nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
>> > [watcher60 at gmail.com]
>> > Sent: Friday, May 07, 2010 11:45 AM
>> > To: nexpose-users at lists.rapid7.com
>> > Subject: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>> >
>> > Apologies if this has been asked before; I did try searching for an answer as
>> > I'm sure it's a common Q.
>> >
>> > I understand nexpose community edition does not allow you to edit the scan
>> > templates to alter the host detection setting, which is set to require a
>> > reply to an icmp ping to ensure the target is alive. Is there any way in the
>> > community version to work around this? I did try using the msf console to
>> > import a nmap scan but it appears it still pings the target to see if it is
>> > alive.
>> >
>> > thanks
>> >
>> > _______________________________________________
>> > http://community.rapid7.com/redmine/projects/nexpose/wiki
>> > https://mail.metasploit.com/mailman/listinfo/nexpose-users
>> >
>> >
>
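The thread boils down to two things a practitioner wants to check: that the edited `<CheckHosts>` template really is what the scanner runs (Matthew's log already shows a `Pinger is using: icmp[on] tcp[...]` line listing the configured ports), and that a host which silently drops ICMP is still counted as alive when it answers on a TCP port. The example below is added here and is not Nexpose code or anything posted in the thread; the XML fragment and the log line are constructed copies of what Mark and Matthew posted, and the assumption that a refused connection (RST) counts as a live host is the same one nmap's `-PS` probe makes, not a statement about how Nexpose's `TCPHostCheck` scores replies. The probe only runs against a loopback listener the script starts itself.

```python
"""Host-discovery checks in the shape of the Nexpose <CheckHosts> template.

Added example, not Nexpose code. It (1) parses a CheckHosts fragment,
(2) parses the scanner's "Pinger is using" log line and confirms the two
agree, and (3) runs a TCP connect probe that treats an RST as proof of life,
so a host that drops ICMP but rejects port 22 is not written off as dead.
"""
import errno
import re
import socket
import xml.etree.ElementTree as ET

# Constructed CheckHosts fragment in the shape Mark posted (assumed, not
# copied from a Nexpose install).
CHECK_HOSTS_XML = """<CheckHosts timeout="1000" retries="4" sendDelay="5">
  <icmpHostCheck enabled="1"/>
  <TCPHostCheck enabled="1">
    <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
  </TCPHostCheck>
</CheckHosts>"""

# Constructed copy of the "Pinger is using" line from Matthew's scan log.
PINGER_LOG_LINE = (
    "Metasploit-12010-05-07T17:40:19 Pinger is using: icmp[on] "
    "tcp[21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,"
    "585,636,993,995,1433,1521,1723,3389,8080,9100] "
    "udp[off] sendDelay[5] retries[4] responseWait[1000]"
)


def parse_check_hosts(xml_text):
    """Return dict: timeout (seconds), retries, icmp (bool), tcp_ports (list)."""
    root = ET.fromstring(xml_text)
    icmp = root.find("icmpHostCheck")
    tcp = root.find("TCPHostCheck")
    ports = []
    if tcp is not None and tcp.get("enabled") == "1":
        ports = [int(p) for p in tcp.findtext("portList", "").split(",") if p.strip()]
    return {
        "timeout": int(root.get("timeout", "1000")) / 1000.0,
        "retries": int(root.get("retries", "1")),
        "icmp": icmp is not None and icmp.get("enabled") == "1",
        "tcp_ports": ports,
    }


def parse_pinger_line(line):
    """Pull icmp on/off and the TCP port list out of a 'Pinger is using' line."""
    icmp = re.search(r"icmp\[(on|off)\]", line)
    tcp = re.search(r"tcp\[([\d,]*)\]", line)
    ports = [int(p) for p in tcp.group(1).split(",") if p] if tcp else []
    return {"icmp": bool(icmp) and icmp.group(1) == "on", "tcp_ports": ports}


def template_applied(xml_text, log_line):
    """True when the scan log shows exactly the checks the template configures."""
    want, got = parse_check_hosts(xml_text), parse_pinger_line(log_line)
    return want["icmp"] == got["icmp"] and want["tcp_ports"] == got["tcp_ports"]


def probe_port(host, port, timeout):
    """Classify one TCP port: 'open', 'closed' (RST came back) or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        err = s.connect_ex((host, port))  # errno instead of an exception
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"  # timed out or otherwise unanswered


def host_alive(host, ports, timeout, retries=1):
    """Return (port, state) of the first reply proving the host is up, else None.

    Assumption (as in nmap -PS): a refused connection is as good as an open
    port, because an RST can only come from a live TCP stack or a firewall
    answering for it; only a complete silence leaves the host undetermined.
    """
    for _ in range(max(1, retries)):
        for port in ports:
            state = probe_port(host, port, timeout)
            if state != "filtered":
                return port, state
    return None


def local_listener():
    """Constructed fixture: a loopback listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_closed_port():
    """Constructed fixture: an ephemeral loopback port with nothing listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    cfg = parse_check_hosts(CHECK_HOSTS_XML)
    print("log matches template:", template_applied(CHECK_HOSTS_XML, PINGER_LOG_LINE))
    srv = local_listener()
    port = srv.getsockname()[1]
    print("loopback listener:", host_alive("127.0.0.1", [port], cfg["timeout"]))
    srv.close()
    print("closed loopback port:", host_alive("127.0.0.1", [free_closed_port()], cfg["timeout"]))
```

Run against the constructed inputs, `template_applied` returns True because Matthew's log already lists the same 28 ports as Mark's fragment, which is worth noticing: his TCP host check was configured, and the real failure in that log is the raw-socket error on XP, not the port list. The loopback run reports the listener as `open` and the unbound port as `closed`, and `host_alive` counts both as a live host.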