A little paper to remind that automatic tool results are always an
interpretation of incoming data. Tools expect a certain behaviour from systems, and will make some
assumptions. If you do not know this, you may be fooled by false positives or, worse, lose your valuable
time.
I. Introduction
I have often seen tutorials, or even professional pentesters, relying too much, if not exclusively, on automatic
scanning tools. It may be due to a lack of knowledge, or more often due to a lack of available time.
Obviously, when you have 5 working days to complete a full corporate pentest, you can only do your best,
and it won't be perfect!
Anyway, I just wanted to write a little something to remind that automatic tool results are always an
interpretation of incoming data. Tools expect a certain behaviour from systems, and will make some
assumptions. If you do not know this, you may be fooled by false positives or, worse, lose your valuable
time!
Just a quick example: when you successfully ping a machine, you assume it is alive. But in fact, it only
means you received an ICMP Echo Reply packet in answer to the ICMP Echo Request you sent. This echo
reply could have been sent by a machine other than the targeted one. It can be part of a tarpit strategy!
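To make that interpretation step concrete, here is an added example (not code from the original paper) that parses a constructed IPv4/ICMP echo reply and lists every reason it fails to prove that the targeted host answered, which is the assumption a ping sweep silently makes. The addresses, identifier and payload are made up for the example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (shared by IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or echo reply (type 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, inet_checksum(hdr + payload), ident, seq) + payload

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, header checksum left zero) carrying ICMP (protocol 1)."""
    packed = [bytes(int(x) for x in a.split(".")) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0, *packed) + payload

def interpret_echo_reply(target: str, ident: int, seq: int, payload: bytes, packet: bytes) -> list:
    """Reasons why `packet` does NOT prove that `target` answered our echo request.
    Empty list = consistent with the request; a spoofed source address would still pass."""
    reasons = []
    if packet[9] != 1:
        return ["not an ICMP packet"]
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(str(b) for b in packet[12:16])
    icmp = packet[ihl:]
    itype, _code, _csum, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    if inet_checksum(icmp) != 0:
        reasons.append("bad ICMP checksum")
    if itype != 0:
        reasons.append(f"ICMP type {itype} is not an echo reply")
    if src != target:
        reasons.append(f"reply came from {src}, not from {target}")
    if (rid, rseq) != (ident, seq):
        reasons.append(f"id/seq {rid}/{rseq} do not match the request {ident}/{seq}")
    if icmp[8:] != payload:
        reasons.append("echoed payload differs from what was sent")
    return reasons

# Constructed sample traffic (not a real capture): our request parameters and two replies.
TARGET, IDENT, SEQ, PAYLOAD = "192.0.2.10", 0x1234, 1, b"scanner-probe"
GENUINE_REPLY = build_ipv4(TARGET, "192.0.2.1", 64, build_icmp_echo(0, IDENT, SEQ, PAYLOAD))
# Same id/seq/payload, but sourced by another host: e.g. a tarpit answering on the target's behalf.
OTHER_HOST_REPLY = build_ipv4("192.0.2.254", "192.0.2.1", 64, build_icmp_echo(0, IDENT, SEQ, PAYLOAD))
```

Even an empty reason list only tells you that something answered with a well-formed reply; deciding whether the host is really alive still needs a second, independent signal.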
Now let’s focus on some major features of security scan tools:
- OS fingerprinting
- Port Scanning
- Banner grabbing.
If you wish to read more about this, the document can be downloaded in PDF format.