Scanning XP SP2



Hello,

I'm interested to see if people concur with what I have found or have
better ideas relating to scanning XP SP2 systems. I'm particularly
interested in finding and scanning XP SP2 systems that do not respond to
ping and also not wasting scanning time on IP addresses that do not
correspond to a live device. (I can assume that not every device
attached to my network is supposed to be there and registered.)

XP SP2 systems by default have the firewall enabled and, as a result of
having the "File and Printer Sharing" configuration checkbox unchecked,
do not respond to ping (the MS way of doing things!). It is however
possible to open a port on such a system to allow remotely initiated
connection to a service running on the system (i.e. expose a potential
vulnerability on a system that does not respond to ping). 

I want to scan my network to find such systems and also check any open
ports for vulnerabilities. If I use the Nessus ping option then XP SP2
systems, such as described above, do not respond and do not get scanned.
If I do not use ping, and use the Nessus built-in port scanner, it will
take as long scanning addresses where there really are no systems as
ones where there are (I choose to scan all ports because compromises
often appear as anomalous open ports not highlighted by any Nessus
plug-ins).

If I do not use ping, and use Nmap to portscan, it completes very quickly
where an address does not correspond to a live host. In other words the
Nmap portscan doesn't waste time port scanning "thin air" like the
Nessus built-in one does.

After Nmap has run, whether it scanned a live host or not, some Nessus
plug-in tests run regardless. It seems that although Nmap completes
quickly where there is no live host, it does not convey to Nessus that
there is no point in running any plug-in. (This is the case no matter
which way the "assume unscanned ports are closed" option is set).
Fortunately, however, where the IP address being scanned does not
correspond to a real host the unnecessary Nessus plug-in tests complete
fairly quickly.

As I'm sure everyone is now aware, port scanning XP SP2 systems is far
slower when the Windows firewall is on (which is now sensibly the
default situation). I have found that by tweaking the Nmap timeout and
parallelism settings it is possible to get a seemingly accurate and
reasonably quick portscan done.
 
--
Carl Nelson
Distributed Systems Support Section, Computer Centre, University of
Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
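As an added example (not part of Carl's post or of Nessus/Nmap), a small Python script for the triage step the post is after: parse the grepable (-oG) output of a no-ping Nmap scan and hand only the addresses that actually answered a probe on to Nessus, so plug-ins are not run against "thin air". It also shows the limit of the approach: a host whose every port is filtered cannot be told apart from an unused address by a TCP port scan alone. The scan output embedded below is constructed sample data.

```python
import ipaddress
import re

# Constructed sample of "nmap -P0 -p- -oG -" output, not real scan data.
SAMPLE_GNMAP = """\
# Nmap 3.81 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65533)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: filtered (65534)
Host: 192.168.1.13 ()\tStatus: Up
# Nmap done (constructed sample)
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)")

def parse_gnmap(text):
    """Return {ip: {state: ["port/proto", ...]}}; with -P0 every address
    is reported as Up, so only the Ports field tells live hosts apart."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines
        states = hosts.setdefault(m.group(1), {})
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                for spec in field[6:].split(","):
                    if spec.strip():
                        port, state, proto = spec.strip().split("/")[:3]
                        states.setdefault(state, []).append(f"{port}/{proto}")
    return hosts

def _answered(states):
    # An open port (SYN/ACK) or a closed one (RST) proves a live TCP stack;
    # all-filtered looks the same whether the address is empty or firewalled.
    return bool(states.get("open") or states.get("closed"))

def triage(text):
    """Split addresses into (live, unresponsive), each sorted numerically."""
    hosts = parse_gnmap(text)
    live = [ip for ip, s in hosts.items() if _answered(s)]
    dead = [ip for ip in hosts if ip not in live]
    return (sorted(live, key=ipaddress.ip_address),
            sorted(dead, key=ipaddress.ip_address))

def open_ports(text):
    """{ip: ["port/proto", ...]} for hosts exposing at least one open port."""
    return {ip: s["open"] for ip, s in parse_gnmap(text).items() if s.get("open")}
```

The "live" list is what you would feed Nessus as its target list; the "unresponsive" list still needs another data source (DHCP leases, switch MAC tables) to decide whether an address is empty or a fully firewalled XP SP2 box.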
