at 16:47Ĭompleted Parallel DNS resolution of 1 host. Initiating Parallel DNS resolution of 1 host.
Starting Nmap 6.47 ( ) at 16:47 GMT Daylight TimeĬompleted ARP Ping Scan at 16:47, 0.03s elapsed ( 1 total hosts ) If we open up Zenmap and run the below against our subnet (obviously replace this with your subnet and mask, or indeed, single host) in question: The reason I use Zenmap is that it provides a nice summarised output of nmap commands and supports all of the features nmap does. It has tons of really cool features, but one thing it allows for that is of particular benefit is scripting of particular scan parameters, this makes it ideal for vulnerability scanning. Sure, we can use Zenmap ↗ - Zenmap is a GUI built on top of nmap, a network scanner that can gather info on open ports, OS detection, etc.
So is there a way we can scan for vulnerabilities in a “start and forget” sort of way?
Nobody wants to manually log on to every server and check if the specific KB patch ↗ is installed though, that takes a lot of effort and time. However, this bug isn’t limited to IIS, rather anything using HTTP.sys and, of course, a HTTP server can be spun up on any port you want so we need to check for servers that have HTTP exposed on any port from 1-65535. There are a few ways to check for this, the first is obvious, check what servers have IIS installed. This article is a bit of a divergence for me, I recently had the need to scan an entire network for a particularly nasty Microsoft security vulnerability MS15-034 ↗.