[nexpose-users] How to scan hosts that do not reply to ICMP pings?
Ty Bailey
Ty_Bailey at rapid7.com
Mon May 10 04:37:35 PDT 2010
Hey Matthew,
Just a heads up. I looked into it and you should be getting a NeXposeVM License in the next 2 - 3 Days. Let us know if there are any hiccups.
Ty Bailey
-----Original Message-----
From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
Sent: Sunday, May 09, 2010 3:38 AM
To: nexpose-users at lists.rapid7.com
Subject: Re: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
I do agree port 22 would cover most *nix hosts & 445 most Windows if
coming from the LAN; externally I would think TCP 443/HTTPS should
also be added for environments where HTTP is being blocked.
I worked round the issue by disabling host checking by editing the
template to disable both TCP & ICMP checks:
<icmpHostCheck enabled="0"/>
<TCPHostCheck enabled="0">
This said, I'd best re-apply for a key & get a *nix VM running to do a correct test.
Side note to anyone from Rapid7 if reading - back in November I
requested a trial of the NexposeVM from Rapid7 using my work email
address; I was never sent any response bar later that month a survey
for feedback, which I filled in stating I never received the trial. As
I presume you only allow one trial request per email address, is there
any way I can be given a trial to test?
On 7 May 2010 22:59, Steve Tornio <steve at vitriol.net> wrote:
> To be clear on the exact nature of this, the default Full Audit (for
> example) discovery check uses ICMP and TCP port 80 to discover hosts.
> Many (most?) host firewalls drop filtered traffic, and so both of
> these checks come back with a dead host. In my experience, most
> firewalled hosts in a corporate environment will still listen on
> either TCP port 22 or 445, depending on the type of system, and
> checking those ports results in many more found hosts.
>
> Even without the explicit permission to create scan templates, the
> community edition could be more useful by including these additional
> ports.
>
> On Fri, May 7, 2010 at 1:25 PM, Ty Bailey <Ty_Bailey at rapid7.com> wrote:
>> Yeah, XP is not a supported OS: http://community.rapid7.com/redmine/projects/nexpose/wiki/General_FAQ
>>
>> Ty Bailey
>> Manager of Account Services
>>
>> -----Original Message-----
>> From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
>> Sent: Friday, May 07, 2010 2:19 PM
>> To: Mark Manning
>> Cc: nexpose-users at lists.rapid7.com
>> Subject: Re: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>>
>> Afraid no dice (believe btw I'd need to change the icmphostcheck value
>> to 0 for false)
>>
>> It could be down to me running this on XP, but I get the following in the log:
>>
>> Metasploit-12010-05-07T17:40:19 Raw sockets are not available.
>> Changing port scan method to "Full Connect"
>> Metasploit-12010-05-07T17:40:19 Pinger is using: icmp[on]
>> tcp[21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100]
>> udp[off] sendDelay[5] retries[4] responseWait[1000]
>> Metasploit-12010-05-07T17:40:25 RawSock ERROR:
>> java.net.SocketException: Failure in sendto on raw socket: 10004
>> at com.rapid7.net.EthernetInterface.send(Native Method)
>> at com.rapid7.net.EthernetInterface.send(Unknown Source)
>> at com.rapid7.net.Pinger.C(Unknown Source)
>> at com.rapid7.net.Pinger.B(Unknown Source)
>> at com.rapid7.net.Pinger.pingHosts(Unknown Source)
>> at com.rapid7.nexpose.plugin.net.JessPinger.jessPing(Unknown Source)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>> at java.lang.reflect.Method.invoke(Method.java:597)
>> at com.rapid7.thread.ThreadedCall.invokeCall(Unknown Source)
>> at com.rapid7.thread.ThreadedCall.B(Unknown Source)
>> at com.rapid7.thread.ThreadedCallRunner.executeCall(Unknown Source)
>> at com.rapid7.thread.ThreadedCallRunner.run(Unknown Source)
>>
>> I'm wondering if the simplest solution is to simply turn off the host
>> checking for the pentest profile (if possible), which I presume is this
>> setting:
>>
>> <DeviceDiscovery>
>> <networkDiscovery enabled="1"/>
>>
>> All this said, if there is an official way to achieve this I'm all ears.
>>
>> On 7 May 2010 17:26, Mark Manning <mark.manning at gmail.com> wrote:
>>>
>>> One of the nice things (as you already know) about the Nexpose Express
>>> is they allow you to customize the templates through the web
>>> interface. But in Nexpose Community you can't.
>>>
>>> If you setup the site to use the Aggressive Discovery builtin template
>>> this will find hosts using TCP connects to alternative ports. But
>>> this is a scan mostly related to discovery and not vulnerability.
>>>
>>> Stop me if this is against the EULA but the XML that holds the
>>> configuration settings for things like Full Audit is located under
>>> C:\program files\rapid7\nexpose\shared\scanTemplates\builtin
>>> or
>>> /opt/rapid7/nexpose/shared/scanTemplates/builtin
>>>
>>> If one were to change the checkhosts section of Full Audit to look like this:
>>> <CheckHosts timeout="1000" retries="4" sendDelay="5">
>>> <icmpHostCheck enabled="1"/>
>>> <TCPHostCheck enabled="1">
>>> <portList>21,22,23,25,80,88,110,111,135,139,143,220,264,389,443,445,449,524,585,636,993,995,1433,1521,1723,3389,8080,9100</portList>
>>> </TCPHostCheck>
>>> </CheckHosts>
>>>
>>> I don't have the right environment right now to test though so let us know.
>>>
>>> --Mark
>>>
>>> On Fri, May 7, 2010 at 12:13 PM, Will Vandevanter
>>> <Will_Vandevanter at rapid7.com> wrote:
>>> > Hey Matthew,
>>> >
>>> > Adjusting your nmap configuration should allow you to do host discovery
>>> > using a method other than ICMP. Specifically, the -PS/PA/PU/PY[portlist]
>>> > flag in nmap will determine if a device is alive using TCP SYN/ACK, UDP, and
>>> > SCTP respectively to the given portlist.
>>> >
>>> > -Will
>>> >
>>> > ________________________________
>>> > From: nexpose-users-bounces at lists.rapid7.com
>>> > [nexpose-users-bounces at lists.rapid7.com] On Behalf Of Matthew Whitehead
>>> > [watcher60 at gmail.com]
>>> > Sent: Friday, May 07, 2010 11:45 AM
>>> > To: nexpose-users at lists.rapid7.com
>>> > Subject: [nexpose-users] How to scan hosts that do not reply to ICMP pings?
>>> >
>>> > Apologies if this has been asked before; I did try searching for an answer as
>>> > I'm sure it's a common Q.
>>> >
>>> > I understand Nexpose Community edition does not allow you to edit the scan
>>> > templates to alter the host detection setting, which is set to require a
>>> > reply to an ICMP ping to ensure the target is alive. Is there any way in the
>>> > community version to work around this? I did try using the msf console to
>>> > import an nmap scan, but it appears it still pings the target to see if it is
>>> > alive.
>>> >
>>> > thanks
>>> >
>>> > _______________________________________________
>>> > http://community.rapid7.com/redmine/projects/nexpose/wiki
>>> > https://mail.metasploit.com/mailman/listinfo/nexpose-users
>>
>
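As an added example (not from the thread, and not Rapid7's own tooling), a small Python helper that reads and rewrites the CheckHosts block Mark quoted, covering both his change (TCP host check with an extended port list) and Matthew's workaround (both checks disabled). It assumes only the element and attribute names visible in the thread, wrapped in a placeholder root element; the real builtin template has more content around the fragment, which ElementTree leaves untouched.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the CheckHosts fragment from the thread, wrapped in a
# placeholder root. Default discovery uses ICMP plus TCP port 80 only.
SAMPLE_TEMPLATE = """<ScanTemplate>
<CheckHosts timeout="1000" retries="4" sendDelay="5">
<icmpHostCheck enabled="1"/>
<TCPHostCheck enabled="1">
<portList>80</portList>
</TCPHostCheck>
</CheckHosts>
</ScanTemplate>"""


def _ports(text):
    """Parse a comma-separated portList into a set of ints (blanks ignored)."""
    return {int(p) for p in (text or "").split(",") if p.strip()}


def read_host_check(xml_text):
    """Return (icmp_enabled, tcp_enabled, sorted port list) for a template."""
    check = ET.fromstring(xml_text).find(".//CheckHosts")
    icmp = check.find("icmpHostCheck").get("enabled") == "1"
    tcp_el = check.find("TCPHostCheck")
    tcp = tcp_el.get("enabled") == "1"
    return icmp, tcp, sorted(_ports(tcp_el.findtext("portList")))


def set_host_check(xml_text, icmp=True, tcp=True, add_ports=()):
    """Toggle the ICMP/TCP host checks and merge add_ports into portList.

    With icmp=False and tcp=False the scanner treats every address as live,
    which is Matthew's workaround; it finds firewalled hosts at the cost of
    scanning every dead address in the range.
    """
    root = ET.fromstring(xml_text)
    check = root.find(".//CheckHosts")
    check.find("icmpHostCheck").set("enabled", "1" if icmp else "0")
    tcp_el = check.find("TCPHostCheck")
    tcp_el.set("enabled", "1" if tcp else "0")
    port_list = tcp_el.find("portList")
    if port_list is None:
        port_list = ET.SubElement(tcp_el, "portList")
    merged = _ports(port_list.text) | set(add_ports)
    port_list.text = ",".join(str(p) for p in sorted(merged))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Add the ports the thread recommends (22, 443, 445) next to the default 80.
    print(set_host_check(SAMPLE_TEMPLATE, add_ports=(22, 443, 445)))
```

Run `read_host_check` on the rewritten text to confirm the change landed before restarting the scan engine.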