From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: Foundstone DCOM Scanner

At about the time I sent the message below, ISS released an update to xfrpcss.exe which apparently resolves some or most of the accuracy problems. Of course, there's no notice of this on their web site, nor does the executable contain any kind of version identification.

Don't get me wrong, I appreciate the efforts and generosity of the vendors making these tools freely available. But releasing scanning tools with major accuracy problems, followed by silent upgrades, really does little good to the people who are trying to use these tools to save their users, employers, and themselves.

Jerry

-----Original Message-----
From: Jerry Heidtke
Sent: Thursday, September 11, 2003 4:39 PM
To: Jones, David H; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Foundstone DCOM Scanner

Except it mistakenly identifies lots of patched systems as still vulnerable.

I've tested five different free tools today. Here's a summary of my results:

KB824146Scan.exe
Microsoft's scanner. Many errors and accuracy problems. Basically unusable. Command line scanner with flexible input and output options, but can't reliably identify Windows 9x systems, systems with DCOM disabled, or some non-standard systems.

PTms03039.exe
GUI utility from Positive Technologies (http://www.ptsecurity.com). Scans single addresses only, selectable target port. Reliability unknown.

RetinaRPCDCOM.exe
GUI utility from Retina. Scans up to Class C. Can save output as text or csv file. Very accurate. Currently version 1.10.

xfrpcss.exe
Command line scanner from ISS. Can scan unlimited addresses, simple usable output. Not very accurate. Identifies many patched systems as still vulnerable.

RPCScan2.exe
GUI utility from Foundstone. No limits of scan ranges, can read input file. Can save output as text or csv file. Not very accurate. Identifies many patched systems as still vulnerable, especially NT.

I'm looking for something that I can scan almost a whole class B, that is a scriptable command line scanner (STDIO) and that is accurate enough to base decisions on about disconnecting unpatched workstations, in order to try to protect some patient care devices that cannot legally be patched but must (for now) remain on our production network. I haven't seen anything yet that meets these simple requirements.

Jerry

-----Original Message-----
From: Jones, David H [mailto:Jones.David.H@...ncipal.com]
Sent: Thursday, September 11, 2003 2:45 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Foundstone DCOM Scanner

Foundstone has released version 2 of their free scanning tool. IMHO, this is the best, free tool I've found to scan a class b.

http://www.foundstone.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.