Re: AS400 Net Recon

Jon,

On Tue, 12 Feb 2008, Jon Kibler wrote:

Hi,

I have a client with AS400s on their LAN. They want a vulnerability
scan, but having been burned in the past, I want to ask before doing:
Are there any issues with scanning (nmap, nessus, etc.) AS400s?

Personally, I've never experienced availability problems while pen-testing AS/400 boxen, but since they're usually an extremely critical point of a Customer's infrastructure I'd recommend you not to perform any potentially dangerous operations on them.

For instance, I wouldn't feel comfortable with insane timing Nmap scans, and I would think twice before blindly running a Nessus scan. You should also pay special attention to brute force attacks, that might cause account lockouts or worse, depending on target's configuration.

The rule of thumb here is: don't abuse automated scanners and be gentle;)

Also, make sure that your Customer knows about the risks, so that you may agree in advance on what to test (e.g. only "stable" services?), when to test (e.g. at night or during the week-end?), and so on.

While I am at it, any good information on AS400 security? I see a few
corporately published books for sale on the net about AS400 security,
but I don't want to drop a couple of grand for a book by some
organization I am not familiar with.

This is a good starting point on AS/400 security:

http://www.venera.com/downloads.htm

I bought Shalom's "Hacking iSeries" book, and i'm very satisfied with it. Official IBM documentation and Google are your friends as well;)

Hope this helps,

--
Marco Ivaldi, OPST
Red Team Coordinator Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Relevant Pages

  • nessus gtk yields empty scan
    ... nessus-libnasl-2.2.9_1 Nessus Attack Scripting Language ... The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. ... the plug-ins should be updated. ... The native Unix GUI version is installed at server install time. ...
    (freebsd-hackers)
  • Re: Cross testing exploit with vulnerability scan results
    ... I have been using Nessus since years now.. ... scanner that might be temporary ... ... remember that vulnerability scanning with an automated scanner is ... else you may download 'bad code'. ...
    (Pen-Test)
  • Re: What is being a pen tester really like?
    ... Nessus is a vulnerability scanner and using it to ... conduct a test is called a vulnerability assessment. ... Security experts recommend that an annual penetration test be ... This is NOT something Nessus does, ...
    (Pen-Test)
  • Re: MBSA scanner
    ... all the suggestions on how to fix a vulnerability that a report might ... > Nessus is another example; the GPL has the same restrictions on distribution ... And also read the GPL FAQ: ...
    (Pen-Test)
  • Re: Vulnerability Assessment
    ... levels based on current patch data and such. ... Scanners have evolved through marketing to being the means to a vulnerability assessment rather than a tool of one. ... Maybe it's the "final" report that throws so many people off-- that once the report is generated the work is done and not just the job. ... You know many IT security professionals can't even tell you why Nessus runs a traceroute to each and every host in the list. ...
    (Pen-Test)