[Full-Disclosure] Microsoft Scanning Tool, Parameterhandling
- To: "mailinglist full-disclosure" <full-disclosure@lists.netsys.com>
- Subject: [Full-Disclosure] Microsoft Scanning Tool, Parameterhandling
- From: "Carsten Kiess" <mail@carstenkiess.de>
- Date: Fri, 15 Aug 2003 17:22:01 +0200
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hello,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Has anyone already used the Scanning Tool from MS?
( <A
href="http://www.microsoft.com/downloads/details.aspx?FamilyID=c8f04c6c-b71b-4992-91f1-aaa785e709da&DisplayLang=en">http://www.microsoft.com/downloads/details.aspx?FamilyID=c8f04c6c-b71b-4992-91f1-aaa785e709da&DisplayLang=en</A> )
a) The download has the same name as the patch, minor but may be
irritating and b) it seems to reverse the input parameters (see below) and
c) can somebody maybe explain why it scans an IP range which is not in the
specified bounds in either case? The specification is:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Targets can take any of the following
forms:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>
a.b.c.d - IP address<BR>
a.b.c.d-i.j.k.l - IP address range<BR>
a.b.c.d/mask - IP address with CIDR mask<BR>
host - unqualified hostname<BR>
host.domain.com - fully-qualified domain name<BR>
localhost - check local machine</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>What it actually does is:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>C:\Programme\KB823980Scan>kb823980scan 213.196.135.1-213.169.135.2 <=== Input Parms 1</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Microsoft (R) KB823980 Scanner Version 1.00.0002
for 80x86<BR>Copyright (c) Microsoft Corporation 2003. All rights
reserved.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><+> Starting scan (timeout = 5000
ms)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Checking 213.169.135.2 - 213.196.135.1 <=== That's what it takes for scanning ....<BR>
213.169.135.42: connection to tcp/135 refused <=== These are the results for try 1<BR>
213.169.135.87: connection to tcp/135 refused<BR>
213.169.135.84: connection to tcp/135 refused<BR>
213.169.135.81: connection to tcp/135 refused<BR>
213.169.135.85: connection to tcp/135 refused<BR>
213.169.135.82: connection to tcp/135 refused<BR>
213.169.135.86: connection to tcp/135 refused<BR>
^C<BR>
C:\Programme\KB823980Scan>kb823980scan 213.196.135.2-213.169.135.1 <=== Input Parms 1</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Microsoft (R) KB823980 Scanner Version 1.00.0002
for 80x86<BR>Copyright (c) Microsoft Corporation 2003. All rights
reserved.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><+> Starting scan (timeout = 5000
ms)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Checking 213.169.135.1 - 213.196.135.2 <=== That's what it takes for scanning ....<BR>
213.169.135.42: connection to tcp/135 refused <=== These are the results for try 1<BR>
213.169.135.85: connection to tcp/135 refused<BR>
213.169.135.82: connection to tcp/135 refused<BR>
213.169.135.86: connection to tcp/135 refused<BR>
213.169.135.87: connection to tcp/135 refused<BR>
213.169.135.84: connection to tcp/135 refused<BR>
213.169.135.81: connection to tcp/135 refused<BR>
^C<BR>
C:\Programme\KB823980Scan></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>and d) a log-file did not show up in the current
directory as documented (not on the html-page supplied but as pgm-help when
calling w/o parms), but maybe it must be explicitly requested ...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Did I get something wrong? Nervous, tense, tired?
<g> And last:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>"Targets can be specified on the command line &
in user-specified input files.</FONT></DIV>
<DIV><FONT face=Arial size=2>...</FONT></DIV>
<DIV><FONT face=Arial size=2>kb823980scan will create a list of vulnerable
systems (unpatched as well<BR>as those with KB823980 installed) in the current
working directory. This file<BR>should be fed as input to the autopatching
script that you write. This file<BR>will be named "Vulnerable.txt" by default.
Its name can be changed with the<BR>/o switch."</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Hm. Could be used the other way round ... Has
anybody ever heard of "speeding up" a worm? Somebody who could be interested to
"sideattack" a specific site?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
Carsten</FONT></DIV></BODY></HTML>
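
Added example (not part of the original message and not the scanner's own code): a pre-scan check in Python that parses a target in the documented a.b.c.d-i.j.k.l form, orders the endpoints the way the tool's "Checking" lines show, and reports the effective bounds and address count for the two ranges typed in the transcript. The function names and the 65536-address limit are assumptions made for this illustration.

```python
import ipaddress

# The two range arguments typed in the transcript above.
TRANSCRIPT_SPECS = ["213.196.135.1-213.169.135.2", "213.196.135.2-213.169.135.1"]
MAX_HOSTS = 65536  # assumed per-run limit, not a value from the tool


def parse_range(spec):
    """Parse 'a.b.c.d-i.j.k.l'; return (low, high, swapped)."""
    left, sep, right = spec.partition("-")
    if not sep:
        raise ValueError(f"not an address range: {spec!r}")
    start = ipaddress.IPv4Address(left.strip())
    end = ipaddress.IPv4Address(right.strip())
    swapped = start > end  # first endpoint is numerically above the second
    low, high = (end, start) if swapped else (start, end)
    return low, high, swapped


def range_size(low, high):
    """Number of addresses in the inclusive range low..high."""
    return int(high) - int(low) + 1


def in_range(addr, low, high):
    """True if addr lies inside the inclusive range low..high."""
    return low <= ipaddress.IPv4Address(addr) <= high


def check_scope(spec, max_hosts=MAX_HOSTS):
    """Return warnings to show the operator before the range is scanned."""
    low, high, swapped = parse_range(spec)
    warnings = []
    if swapped:
        warnings.append(f"bounds given in descending order; effective range {low}-{high}")
    size = range_size(low, high)
    if size > max_hosts:
        warnings.append(f"range covers {size} addresses, limit is {max_hosts}")
    return warnings


if __name__ == "__main__":
    for spec in TRANSCRIPT_SPECS:
        print(spec)
        for warning in check_scope(spec):
            print("  warning:", warning)
```

`in_range` can be used to test individual result lines from the transcript against the effective bounds that `parse_range` returns.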