
Detect and report non-responsive web ports

Question asked by tom c on May 1, 2015
Latest reply on May 7, 2015 by Robert Dell'Immagine

I have some web services that are bound to non-standard TCP ports.

These ports must be added to “Additional Ports” in option profiles.

Even so, these ports sometimes show up as “Unknown” in the IG of a VA scan because they are non-responsive with Http.

The goal is to be alerted via a sev 4 QID in reports that the assessment is incomplete due to non-responsive web ports.

Initially I want to solve this problem in normal VA scans; maybe later in PCI scans.

Can QID 43432 (Possible Scan Interference) be leveraged to report those un-assessable web ports?

QID 43432 is only sev 2 by default but could be adjusted by the QG manager to sev 4.

QID 43432 help says:

“The detection is usually triggered when no http services are identified on common web service ports, such as 80 & 443 (you can confirm by checking to see if service is listed as “Unknown” as part of QID 82023 Open TCP Services List in your scan results).”

So, if QID 43432 is included in the option profile, would it detect the fact that port 11111 (for example) was found to be non-responsive with Http?

Would QID 43432 introduce other scan-slowing checks not specifically relevant to detecting non-responsive web ports?

Or, would QID 86509 (Web Server Not Scanned for Possible Vulnerabilities) be more suitable to leverage for reporting non-responsive web ports; how?

Casting about for more understanding of this problem and potential solutions, there is this…

A scan result where some ‘Additional Ports’ were specified in the option profile produced this in QID 82023 and QID 45191:

Open TCP Services List (2) QID: 82023

        1. 10.5.1.111 (websvr111.mydomain.com)

                RESULTS:

                Port IANA Assigned Ports/Services Description Service Detected OS On Redirected Port

                22 ssh SSH Remote Login Protocol ssh

                1720 netmeeting h323hostcall h323hostcall unknown

                1920 can-ferret Candle Directory Service - FERRET http

                2111 kx X over kerberos http

                9004 x11 X Window System IBM Tivoli Monitoring Agent

                7938 unknown unknown rpc

                9495 unknown unknown http

Netstat - Unix Connections (1) QID: 45191

        1. 10.5.1.111 (websvr111.mydomain.com)

                RESULTS:

                Local Address Local Port Remote Address Remote Port

                10.5.1.111 52059 10.10.20.6 35405

                127.0.0.1 33644 127.0.0.1 1920

                10.5.1.111 11111 10.5.1.12 59908

                … lots more ‘Local Port’ ports than show up in QID 82023 …

The QID 82023 list is obtained via a remote port scan, whereas the QID 45191 list is obtained through the Netstat shell command.

Should I conclude that the extensive list of ‘Local Port’ ports from Netstat – including the ones that I listed in ‘Additional Ports’ of the option profile – are not listening ports and thus unresponsive to the QID 82023 remote port scan?

Maybe a feature request is to have QG collect the QID 45191 Netstat ‘Local Port’ port list and remotely probe those with the QID 82023 remote access methods.

Also, I’m not sure if a Compliance Scan with Ports > Targeted Scan would help in any way with detecting un-responsive web ports.

Any advice or best practice on this topic?
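As an added illustration (not part of the original post, and not Qualys code), the script below does offline what the poster is asking the scanner to do: it takes the list of ports configured under “Additional Ports” that are expected to serve HTTP, cross-checks them against QID 82023-style open-services rows and QID 45191-style netstat rows, and classifies each port. A port that the remote scan found open but whose detected service is “unknown” is exactly the “non-responsive with Http” case; a port that appears only as a netstat Local Port was never found open remotely, which is the distinction the poster is trying to draw between the two QIDs. The sample rows and the expected-port set are constructed to mirror the layout in the post, and because the column separators are lost in the paste the parser assumes the first token of a row is the port and the last token is “Service Detected” (an assumption, not the real QID format).

```python
"""Cross-check 'Additional Ports' expected to answer HTTP against remote
port-scan rows (QID 82023 layout) and netstat rows (QID 45191 layout).
All sample data is constructed to mirror the post; it is not real scan output."""

from dataclasses import dataclass

# Service names a remote scanner reports for a responsive web port.
WEB_SERVICES = {"http", "https"}

# Constructed sample in the layout of QID 82023 "Open TCP Services List".
# Assumption: first token = port, last token = "Service Detected".
OPEN_TCP_SERVICES = """\
22 ssh SSH Remote Login Protocol ssh
1720 netmeeting h323hostcall h323hostcall unknown
1920 can-ferret Candle Directory Service - FERRET http
2111 kx X over kerberos http
9004 x11 X Window System IBM Tivoli Monitoring Agent
7938 unknown unknown rpc
9495 unknown unknown http
"""

# Constructed sample in the layout of QID 45191 "Netstat - Unix Connections":
# Local Address, Local Port, Remote Address, Remote Port.
NETSTAT_CONNECTIONS = """\
10.5.1.111  52059 10.10.20.6 35405
127.0.0.1 33644 127.0.0.1 1920
10.5.1.111  11111 10.5.1.12 59908
"""

# Ports configured under "Additional Ports" and expected to serve HTTP
# (constructed set; 11111 is the example port from the post, 8080 is a
# hypothetical port that appears in neither listing).
EXPECTED_WEB_PORTS = {1720, 1920, 9495, 11111, 8080}


def parse_open_tcp_services(text):
    """Return {port: detected_service} from QID 82023-style rows."""
    services = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].isdigit():
            continue  # header, blank or unparseable row
        services[int(tokens[0])] = tokens[-1].lower()
    return services


def parse_netstat_local_ports(text):
    """Return the set of 'Local Port' values from QID 45191-style rows."""
    ports = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[1].isdigit():
            ports.add(int(tokens[1]))
    return ports


@dataclass
class Finding:
    port: int
    status: str      # one of the STATUS_* values below
    detected: str    # service reported by the remote scan, "" if none


STATUS_OK = "http-responsive"
STATUS_NO_HTTP = "open-but-no-http"     # the post's "non-responsive with Http"
STATUS_OTHER = "open-other-service"
STATUS_NETSTAT_ONLY = "netstat-only"    # local socket seen, nothing found remotely
STATUS_MISSING = "not-found"


def assess_web_ports(expected_ports, open_services_text, netstat_text):
    """Classify every expected web port; anything but STATUS_OK is a gap
    in web-application coverage that a report should surface."""
    open_services = parse_open_tcp_services(open_services_text)
    local_ports = parse_netstat_local_ports(netstat_text)
    findings = []
    for port in sorted(expected_ports):
        detected = open_services.get(port, "")
        if port in open_services:
            if detected in WEB_SERVICES:
                status = STATUS_OK
            elif detected == "unknown":
                status = STATUS_NO_HTTP
            else:
                status = STATUS_OTHER
        elif port in local_ports:
            status = STATUS_NETSTAT_ONLY
        else:
            status = STATUS_MISSING
        findings.append(Finding(port, status, detected))
    return findings


def coverage_gaps(findings):
    """Ports whose web assessment is incomplete (the condition to alert on)."""
    return [f for f in findings if f.status != STATUS_OK]


if __name__ == "__main__":
    results = assess_web_ports(EXPECTED_WEB_PORTS, OPEN_TCP_SERVICES, NETSTAT_CONNECTIONS)
    for f in results:
        print(f"port {f.port:>5}: {f.status:<18} detected={f.detected or '-'}")
    print(f"{len(coverage_gaps(results))} expected web port(s) not assessed")
```

Run as-is, the script reports 1920 and 9495 as responsive, 1720 as open but not answering HTTP, 11111 as present only in the netstat connection list, and 8080 as absent from both; the three non-OK findings are the set a custom report or ticket would be raised on. Feeding it real QID 82023 and QID 45191 results would require adjusting the two parsers to the actual column separators of the exported format.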