MS04-007 scanner update

Chris Russel russel at yorku.ca
Fri Feb 20 20:07:39 GMT 2004


Thanks to everyone who provided feedback on the scanner.

Here is a revised version which does the check on port 139 as well. That
was a pain (netbios must die) and I probably shouldn't have bothered, but
there it is. Also a non-forking, quiet mode for testing single hosts,
useful for netreg or similar systems.

I have found a number of systems return neither the secure nor the vulnerable
signature so I've included that in the results it gives.  If anyone can
confirm any of these signatures to be unpatched NT for example please let
me know!

-- 
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada
russel at yorku.ca

On Wed, 18 Feb 2004, Christopher E. Cramer wrote:

> it is worth noting that the scanner operates by checking on port 445.
> if there is a server that isn't patched and has 445 closed or filtered,
> you'll get an error on the connection.  this does not mean that the
> system is not vulnerable - it may still be vulnerable over another port.
>
> beyond that, we've had good experiences with the scanner.
>
> for the apple systems, these aren't perchance OS X machines with virtual
> PC running and unpatched?  just a thought.
>
> -c
>
> On Wed, 2004-02-18 at 11:53, Keith Schoenefeld wrote:
> > Agreed, it works well on my networks as well.  Apparently we are getting
> > some false positives on Apple systems, but otherwise it's been extremely
> > useful.  Thanks again.
> >
> > -- KS
> >
> > Paul Dokas wrote:
> >
> > > On Mon, 16 Feb 2004 14:03:29 -0500 (EST) Chris Russel <russel at yorku.ca> wrote:
> > >
> > >>I am still awaiting info regarding its accuracy but so far it looks good.
> > >>Please let me know any comments.
> > >
> > >
> > > Thanks for the scanner, it seems to work great!  I was able to scan 3 /16 networks
> > > in about 15 minutes with this tool.  So far, it appears to have had a nearly 100%
> > > accuracy.
> > >
> > > There's just one small diff that I had to make to get it work out of the box on my
> > > FreeBSD machine:
> > >
> > >
> > > *** 007scan.c   Wed Feb 18 10:17:54 2004
> > > --- 007scan.c.orig      Wed Feb 18 10:17:38 2004
> > > ***************
> > > *** 297,304 ****
> > >     ctimeout.tv_sec = 0;
> > >     ctimeout.tv_usec = 600000;
> > >     // receive timeout
> > > !   rtimeout.tv_sec = 1;
> > > !   rtimeout.tv_usec = 800000;
> > >
> > >     name = argv[0];
> > >
> > > --- 297,304 ----
> > >     ctimeout.tv_sec = 0;
> > >     ctimeout.tv_usec = 600000;
> > >     // receive timeout
> > > !   rtimeout.tv_sec = 0;
> > > !   rtimeout.tv_usec = 1800000;
> > >
> > >     name = argv[0];
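Review bot: the change is correct because rtimeout.tv_usec = 1800000 is outside the canonical range of a struct timeval (0 <= tv_usec < 1000000); when such a value is handed to setsockopt(SO_RCVTIMEO), FreeBSD rejects it with EDOM while Linux quietly accepts it, which explains why the original worked out of the box on Linux but not on FreeBSD. The replacement "rtimeout.tv_sec = 1; rtimeout.tv_usec = 800000;" expresses the same 1.8 s in normalized form. Suggest also checking the setsockopt return value at the point where rtimeout is applied, so a rejected timeout is reported instead of silently leaving the socket with no receive timeout and letting a filtered host hang the scan.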
> > >
> > >
> > >
> > > Paul
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 007scan.c
Type: text/x-csrc
Size: 16868 bytes
Desc: 
Url : http://www.dshield.org/pipermail/unisog/attachments/20040220/4fd59d1a/007scan-0003.bin
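The FreeBSD fix in Paul Dokas's diff above comes down to writing the same 1.8 s receive timeout in canonical struct timeval form. The C program below is an added example written for this page, not code from 007scan.c or from anyone in the thread. It normalizes a timeval programmatically instead of by hand, and applies it with setsockopt(SO_RCVTIMEO) while checking the return value. It assumes the scanner uses rtimeout as a SO_RCVTIMEO socket option (the thread does not show how rtimeout is consumed), and the names normalize_timeval, timeval_is_valid, set_recv_timeout and demo_recv_timeout are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Normalize a timeval so that 0 <= tv_usec < 1000000, carrying whole seconds
 * into tv_sec. The pre-patch value {0, 1800000} becomes {1, 800000}, which is
 * exactly what the hand edit in the thread did. */
void normalize_timeval(struct timeval *tv)
{
    if (tv->tv_usec >= 1000000 || tv->tv_usec < 0) {
        tv->tv_sec += tv->tv_usec / 1000000;
        tv->tv_usec %= 1000000;
        if (tv->tv_usec < 0) {      /* C99 '%' keeps the dividend's sign */
            tv->tv_usec += 1000000;
            tv->tv_sec -= 1;
        }
    }
}

/* Return 1 if the timeval is already in canonical, non-negative form. */
int timeval_is_valid(const struct timeval *tv)
{
    return tv->tv_sec >= 0 && tv->tv_usec >= 0 && tv->tv_usec < 1000000;
}

/* Apply a receive timeout to a socket. Normalizes first (so FreeBSD does not
 * reject it with EDOM) and reports a failure instead of assuming success.
 * Returns 0 on success, -1 on error with errno set by setsockopt(). */
int set_recv_timeout(int fd, struct timeval tv)
{
    normalize_timeval(&tv);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
        fprintf(stderr, "SO_RCVTIMEO %ld.%06lds: %s\n",
                (long)tv.tv_sec, (long)tv.tv_usec, strerror(errno));
        return -1;
    }
    return 0;
}

/* Demonstration on a throwaway socket; no connection is made.
 * Returns 0 if the (constructed) pre-patch timeout could be applied. */
int demo_recv_timeout(void)
{
    struct timeval raw = { 0, 1800000 };  /* constructed: the value from the diff */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc;

    if (fd < 0)
        return -1;
    rc = set_recv_timeout(fd, raw);
    close(fd);
    return rc;
}

int main(void)
{
    struct timeval tv = { 0, 1800000 };

    normalize_timeval(&tv);
    printf("normalized: %ld.%06ld\n", (long)tv.tv_sec, (long)tv.tv_usec);
    return demo_recv_timeout() == 0 ? 0 : 1;
}
```

Because the timeout is normalized before the call and the return value is checked, the same source builds and behaves identically on Linux and FreeBSD, and a rejected option shows up as an error message rather than as a scan that silently blocks on the first filtered host.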