Shazzam Probe result question
‎12-11-2017 03:08 AM
Ran a data center scan over the weekend and am doing some analysis now on the scan results, and finding that a certain IP showed no SNMP attempt despite it being defined in the scan. However, its neighboring IP did have the SNMP port probe:
<result active="true" alive="true" ip_address="MY_FIRST_IP">
<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="refused" service="http"/>
<scanner name="HTTP" port="5986" portprobe="winrm" protocol="tcp" result="refused" service="winrm_ssl"/>
<scanner name="HTTP" port="5985" portprobe="winrm" protocol="tcp" result="refused" service="winrm"/>
<scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
<snmp_version>3</snmp_version></scanner>
<scanner name="GenericTCP" port="135" portprobe="wmi" protocol="tcp" result="refused" service="epmap"/>
<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
<banner_text>SSH-2.0-OpenSSH_7.3
</banner_text>
<banner_bytes>.53.53.48.2d.32.2e.30.2d.4f.70.65.6e.53.53.48.5f.37.2e.33.0d.0a.</banner_bytes></scanner>
<scanner name="BannerTCP" port="5480" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp_https"/>
<scanner name="BannerTCP" port="9443" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp6_https"/>
<scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">
<host_names>MY_HOSTNAME</host_names>
</scanner>
<scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
</result>
<result active="false" alive="true" ip_address="MY_SECOND_IP">
<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="refused" service="http"/>
<scanner name="HTTP" port="5986" portprobe="winrm" protocol="tcp" result="refused" service="winrm_ssl"/>
<scanner name="HTTP" port="5985" portprobe="winrm" protocol="tcp" result="refused" service="winrm"/>
<scanner name="GenericTCP" port="135" portprobe="wmi" protocol="tcp" result="refused" service="epmap"/>
<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="refused" service="ssh"/>
<scanner name="BannerTCP" port="5480" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp_https"/>
<scanner name="BannerTCP" port="9443" portprobe="vmapp" protocol="tcp" result="refused" service="vmapp6_https"/>
</result>
The IPs are contiguous, with MY_FIRST_IP being .77 in the 4th octet and MY_SECOND_IP being .76.
Why does the SNMP port probe run on the first .77 IP but not the second?
- Labels: Discovery
‎12-11-2017 10:12 AM
By default, dead and inactive IPs do not get reported.
Things to try:
- rerunning with probe parameters shazzam_report_dead or shazzam_report_inactive
- set mid.log.level = debug
- discover a single IP
- run nmap on both IPs and see if the difference in behavior sheds any light on why Shazzam might be missing it.