RE: Port Scanner Reports

From: Richard Zaluski (rzaluski_at_ivolution.ca)
Date: 11/02/05

    To: <pentest@fishnet.co.uk>, <pen-test@securityfocus.com>
    Date: Wed, 2 Nov 2005 08:42:32 -0500
    
    

    I have done much the same thing using UNIX-based tools such as nmap and the
    diff command to footprint network services and compare reports. We scripted
    it to notify us of any changes to the footprint files of the services on
    subnets / servers we targeted to be part of the process.

    We also used the same tool to monitor our router configurations each day
    for any changes. Each day our script would run and pull the previous config
    file and compare it to the current configuration running on the router.

    With a little imagination you can do a lot of things such as baseline
    network services. We did find rogue services by the way.

    It worked great ... Good luck Daniel, I'd be interested in seeing your final
    product.

    Richard Zaluski
    CISO, Security and Infrastructure Services
    iVOLUTION Technologies Incorporated
    905.309.1911
    866.601.4678
    www.ivolution.ca
    rzaluski@ivolution.ca

    -----Original Message-----
    From: Ian [mailto:pentest@fishnet.co.uk]
    Sent: Tuesday, November 01, 2005 5:15 AM
    To: pen-test@securityfocus.com
    Subject: Re: Port Scanner Reports

    On 30 Oct 2005 at 11:19, Daniel Miessler wrote:

    <snip>

    > A friend and I are writing a tool to do this right now; it's called
    > netdiff, and if you'd like to be part of the test group, drop me an
    > email. We're still coding it but should have something relatively
    > shortly.
    >
    > The focus of our tool is finding both changed hosts *and* changed
    > ports -- so if you have new systems pop up it'll show you, and if you
    > have new ports pop up on existing systems, it'll show you those as
    > well.

    Hi Daniel,

    Is it anything to do with this from Engarde?

    http://ftp.engardelinux.org/pub/engarde/people/pax/netdiff/

    <Quote>
    NetDiff is a network reporting tool written in perl that runs nmap portscans
    of a specified network or networks and stores the results to a MySQL
    database. It can then report the differences between successive scans,
    giving administrators a snapshot view of recent changes on their network.
    This report is very useful for network maintenance and monitoring, it will
    automatically let you know when:
    o A new host is added to the network.
    o A host is shut down or disconnected from the network.
    o A service has stopped running.
    o A new service port has been opened.
    Additionally, if version and OS scanning is enabled, the report will list
    those differences as well, telling you if:
    o A server daemon was upgraded or patched.
    o The host's operating system was upgraded or changed.
    </Quote>

    Regards

    Ian
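
The nmap-and-diff comparison described in this thread, sorted into the four change categories of the quoted NetDiff description, as an added example that is not code from any poster or from NetDiff itself. It assumes nmap grepable output (`-oG`); the function names, category labels and sample reports are constructed for illustration, and a host counts as present only if it has at least one open port.

```shell
#!/bin/sh
# Added example: classify changes between two nmap grepable (-oG) reports.

# Reduce an -oG report to sorted "host port/proto" lines (open ports only).
# Keeping these files day to day gives the footprint that plain diff compares.
footprint() {
    awk -F'\t' '/^Host: / {
        split($1, h, " ")                        # "Host: 192.0.2.10 (name)"
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), p, ", ")    # strip the "Ports: " label
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")              # port/state/proto/owner/service/...
                if (f[2] == "open") print h[2], f[1] "/" f[3]
            }
        }
    }' "$1" | LC_ALL=C sort -u
}

# netchanges BASELINE CURRENT: one line per change between the two reports.
# Assumption: a host with no open ports is treated as absent from that scan.
netchanges() {
    { footprint "$1" | sed 's/^/old /'; footprint "$2" | sed 's/^/new /'; } |
    awk '
        $1 == "old" { oh[$2] = 1; op[$2 " " $3] = 1 }
        $1 == "new" { nh[$2] = 1; np[$2 " " $3] = 1 }
        END {
            for (h in nh) if (!(h in oh)) print "NEW-HOST", h
            for (h in oh) if (!(h in nh)) print "HOST-GONE", h
            # Port changes are reported only for hosts present in both scans.
            for (k in np) { split(k, a, " "); if ((a[1] in oh) && !(k in op)) print "PORT-OPENED", k }
            for (k in op) { split(k, a, " "); if ((a[1] in nh) && !(k in np)) print "PORT-CLOSED", k }
        }' | LC_ALL=C sort
}

# Constructed sample reports (documentation addresses); printf makes the
# tab separators of the -oG format explicit.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Host: %s ()\tPorts: %s\n' \
        192.0.2.10 '22/open/tcp//ssh///, 80/open/tcp//http///' \
        192.0.2.20 '25/open/tcp//smtp///' \
        192.0.2.30 '22/open/tcp//ssh///' > "$d/baseline.gnmap"
    printf 'Host: %s ()\tPorts: %s\n' \
        192.0.2.10 '22/open/tcp//ssh///, 80/closed/tcp//http///, 8080/open/tcp//http-proxy///' \
        192.0.2.20 '25/open/tcp//smtp///' \
        192.0.2.40 '23/open/tcp//telnet///' > "$d/current.gnmap"
    netchanges "$d/baseline.gnmap" "$d/current.gnmap"
    rm -rf "$d"
}
demo
```
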
