[Pauldotcom] IIS instance detection
k41zen at me.com
Mon Dec 13 22:23:20 UTC 2010
I'm saying that I have creds for both but SMB and admin shares are disabled but I do have WMI available.
I thought an Nessus local creditialed scan needed SMB and Admin shares?
On 13 Dec 2010, at 22:00, Ron Gula wrote:
> Are you saying you can login with WMI but don't have credentials to do a
> full Nessus audit?
> Passively, if you have the ability to deploy something like Tenable's
> Passive Vulnerability Scanner, it will detect any web server, unique web
> site, SSL certificates, .etc on any port as long as there is traffic to it.
> Ron Gula
> On 12/13/2010 1:54 PM, Jason Jarvis wrote:
>> Ooooo I do have WMIC :)
>> So a bit of remote WMIC code execution and some commandlinekungfu.com Fu - hmmmm.
>> On 13 Dec 2010, at 18:43, Jason Jarvis <k41zen at me.com> wrote:
>>> I have a client that needs to deploy security patches for Apache but are not 100% sure of which host houses the instance or the ports used either.
>>> My question is how can I identify 100% of the instances effectively and reasonably quietly without scanning nearly all of the ports on all the hosts?
>>> I thought of pulling the ports enabled from the host based firewall solution and scanning these with nmap. But a port could be blocked through the firewall and an instance still listening locally although not remotely accessible providing the FW is running. These do exist for tools run locally and I've seen the FW fail too so want to ensure coverage for these also.
>>> I like the idea of using Nessus (which I have) to perform a credentialed local scan of the ports listening on the server but I think this needs SMB and Admin shares enabled which I don't have.
>>> Is there another way to do this?
>>> Grateful for any ideas.
>> Pauldotcom mailing list
>> Pauldotcom at mail.pauldotcom.com
>> Main Web Site: http://pauldotcom.com
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com
More information about the Pauldotcom