The second, or instance-mode, is accessed by specifying the -t target option, which then simply scans the host specified by target, and installs the scan results into the database. If mac-scan is run from cron, it is advantageous to use the -a limit option, which specifies a limit that is used by the rand command to skew the start time of the tool, e.g., a limit of 3600 will start mac-scan in 0-3599 seconds. Mac-scan can be operated in one of two modes: first, called batch-mode, by specifying an Event Notification File (-e), Nessus Server (-s), either a Remote Agent (-r) and VLAN (-v) or Predominant Agents File (-p) and Network (-N) and community string, mac-scan will scan all hosts learned from that VLAN or network, providing the criteria mentioned above are met, e.g., next scan date is less than or equal to the current time, not in exemptions database, etc. If it fails, notification is sent to any e-mail addresses set for the event failed-audit. That is, prior to scanning a host mac-scan will attempt to retrieve the MAC and IP address tuple from the LCDB to see if it matches what mac-scan just learned. PSC Note: Since mac-scan is in the right place at the right time to audit the Life Cycle Database, that is exactly what will happen if the -l switch is set. Likewise, event notification can be suppressed for a normally failed scan (event failed-scan), by adding the nasl scan id value for each scan that failed to the Security Scan Exemptions database for that MAC and IP address tuple. Additional events that can trigger e-mail notification include empty-scan and scan-error. Additionally, mac-scan can be told to not scan a host by adding the exemption ALL for that host's MAC and IP address tuple (or simply that host's MAC address) to the Security Scan Exemptions database (see below).
Finally, if the MAC and IP address tuple was previously unknown (events passed-new-scan, failed-new-scan or omitted-new-scan), or the scan failed its last two scans (event failed-scan) for any reason, mac-scan will send e-mail to the e-mail address(es) specified in the Event Notification File (set with the -e switch). Upon receipt of the Nessus scan results, mac-scan installs a new entry into the Host Security Scan database. If a MAC and IP address tuple is new (i.e., it has not been previously entered into the database), or the current time is equal to or greater than the MAC and IP address tuple's next security scan date, mac-scan queues the host (as a target) for the Nessus daemon running on the Nessus server to be scanned in batch mode. Next, mac-scan then SQL queries the Host Security Scan database to compare its learned MAC and IP address tuples against all previous recorded MAC and IP address tuples saved in the database. Note, this process is recursive if, e.g., a host's default router is more than two layer-2 hops away. Regardless of which reconnaissance method was used, if a bridged-ports file was specified with the -b switch and the layer-2 device (agent) and port for any learned hosts matches an agent and port tuple bridged-port, the new agent assigned to the bridged-port is then SNMP polled to request updated port information for that host. If SNMP polling was used for reconnaissance, port information should already have been retrieved for each active host. Hence, if a predominant agents file was specified with the -p switch and that file contains one or more predominant agents for the ICMP mapped network, then mac-scan will (for each learned host) SNMP poll (using poll-switch) each of the predominant agents in order to ascertain which layer-2 device has knowledge of any learned host, and thus, retrieve the port information for that host.
If ICMP reconnaissance is used to gather active hosts, then mac-scan will not have port information for those hosts. Nmap (set only to use ICMP) can be used to collect all active hosts on a network by using the -N and -p switches. Mac-scan can use poll-switch (which uses SNMP) to retrieve a list of hosts stored in the specific layer-2 switch's Dynamic Cam Table for a specific VLAN by using the -V and -r switches. PSC Note: due to access lists set on the PostgreSQL database, dirsdb, SNMP access lists on the layer-2/3 switches, and certificate authentication on Nessus servers kgb and stasi, mac-scan can (currently) only be run from the user account scanner on sport and warden. Mac-scan uses SNMP via poll-switch, or ICMP via nmap to retrieve a list of active hosts on a VLAN or network, requests scans for the list of hosts via certificate authentication from a Nessus server (set with the -s switch) and upon receipt of those scan results installs the results into a SQL-query-able database (Security Scan History - see below). Mac-scan – Scan hosts on a VLAN or network for vulnerabilities SYNOPSIS