Parag Baxi

Map-like scan option profile

Discussion created by Parag Baxi on Jan 10, 2013
Latest reply on Aug 31, 2015 by andrewccm

For those of you that want to quickly update your asset tags on a regular basis, a light scan is a great way to do just that. Note this will not update all tags, only the tags for the QIDs listed below will be updated. Please find below the settings for a scan that mimics a map.

 

This scan will retrieve the following information for live hosts with minimal probing:

  1. DNS name.
  2. NetBIOS name.
  3. Live services.
  4. Operating system. (Note, will only update the Operating System tag if fingerprinting is successfully confirmed to one OS.)
  5. Traceroute (to replace "Router" column).

 

First, create a static search list to capture traceroute info.

 

Static Search List:

  1. Traceroute, QID 45006.

 

Next, create the option profile. Suggested title is "Map-like scan"

 

Option profile Scan settings:

  1. TCP Ports: None.
  2. TCP Ports, Additional: 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445.
  3. UDP Ports: None.
  4. UDP Ports, Additional: 53, 111, 135, 137, 161, 500.
  5. Vulnerability Detection: Custom, add search list with Traceroute, QID 45006.
  6. Include Basic host information checks.
  7. Performance
    1. Overall Performance: Custom
    2. External Scanners: 4
    3. Internal Scanners: 4
    4. Packet Delay --> Packet (Burst) Delay: Long
    5. Port Scanning and Host Discovery --> Intensity: Low

 

Option profile Additional settings:

  1. TCP Ports: Standard.
  2. UDP Ports: None.
  3. ICMP: Yes.

 

There are a few differences.

 

Caveats:

  1. The "A" or "Approved" column will not exist. Scans live in a different database.
  2. The "S" or "Scannable" column will not exist, but this is moot. QualysGuard will warn you that a host has not yet been added to the subscription. You can add all hosts within the range, and then delete the hosts from the subscription post-scan. You will not be charged as long as you delete the hosts you don't use from the subscription.
  3. The "L" or "Live" column refers to hosts that are alive and will exist.
  4. The "N" or "In Netblock" column will not exist. You will be able to use the Traceroute QID 45006 for any intermediary hosts.

Outcomes