BMC Atrium Discovery Community Forum

Disable port scanning
Posted: 15 June 2011 02:18 PM
Member
Total Posts:  24
Joined:  2011-02-28

I have a customer that is not allowing any form of Nmap port scanning. I would like to know if, by disabling the “Use IP Fingerprinting to Identify OS:” option in discovery configuration, this will inhibit the use of any port scanning, essentially making the sweep scan a ping sweep?

There are obviously going to be side effects to this I realize, but for now I need to know if this is the net effect of turning off this option?

Many thanks in advance,
Derek.

Derek Phillips
 
Posted: 15 June 2011 02:44 PM   [ # 1 ]
BMC ADDM Staff
Administrator
Total Posts:  2740
Joined:  2008-01-25

Welcome to the forum Derek

This module in the Online Training would be a good one to work through so you understand the sequence of what is happening in the discovery process; it will also be easier to understand the effect of the discovery options.

The sweep scan is always going to be more than a ping as (as you can see in the above module) ADDM needs to determine which ports are open to know which credentials may be valid and which access methods to try.

So no, strictly speaking, it’s not possible to reduce ADDM to this level, and there would be very little ADDM could do that ping couldn’t if you did.

Your customer is probably nervous about the more aggressive uses of protocol probes, none of which ADDM uses.

The initial port connection will test which of the ports listed in the discovery options are open, that is all.

If we fail to get access then ADDM by default will try to identify the IP Stack fingerprint, as this is one of the best ways of working out what an endpoint is without credentials. It does this by connecting to one open (we use one from the list) and one closed port (we use 4). No random ports are used, just the ports that we would expect robust public facing services on and only the ones we are allowed. Nothing aggressive is done. As you can imagine, with ADDM in daily use all over the world, we’ve settled on a technique we are very confident is as safe as we can make it.

If you disable that option then this second IP stack fingerprinting will not happen. However, note that if you do, your customer is going to have a very hard time working out what IPs without credentials are and if they are simply darkspace or a printer or a critical server they have missed. For most customers the risk of having an unknown server outweighs the risk of IP fingerprinting, and most who turn it off in UAT turn it back on again.

As with all that we do I’d encourage you and the customer to work through the options in UAT and gain confidence in them.

 
Posted: 15 June 2011 04:55 PM   [ # 2 ]
Member
Total Posts:  24
Joined:  2011-02-28

Thanks for the response, Charles.

I understand that ADDM is non-aggressive, only scanning ports 21, 22, 23, 80, 135, 513, and 3940, if I understand it correctly. So this really begs the question what port scanning is done during full discovery, if it is done at all based on whether or not there are credentials and assuming they work properly.

For example, a Unix host that has credentials but for whatever reason fails to work properly thus denying ADDM access, does it then proceed with a port scan or is it done regardless?

Or is a port scan part of every discovery done before any credentials are attempted? I think I read the documentation as it is only done on a first scan, but clarification on this point would be very much appreciated.

Many thanks.

Derek Phillips
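
For a customer who restricts scanning, one way to check from firewall connection logs that the discovery appliance only touches the listed ports (an added example, not part of the original thread and not BMC code; the CSV log layout, the addresses and the `audit_scanner` name are assumptions, and the port list is the one quoted in the post above):

```python
import csv
import io
from collections import defaultdict

# Port list as quoted in the thread; treat it as an assumption and replace it
# with the ports actually configured in the appliance's discovery options.
ALLOWED_PORTS = {21, 22, 23, 80, 135, 513, 3940}

# Constructed sample: timestamp, source IP, destination IP, destination port.
# 192.0.2.10 stands in for the discovery appliance (hypothetical address).
SAMPLE_LOG = """\
2011-06-15T14:00:01,192.0.2.10,198.51.100.5,22
2011-06-15T14:00:01,192.0.2.10,198.51.100.5,135
2011-06-15T14:00:02,192.0.2.10,198.51.100.6,80
2011-06-15T14:00:02,192.0.2.10,198.51.100.6,8080
2011-06-15T14:00:03,192.0.2.77,198.51.100.6,443
not,a,valid,line
"""

def audit_scanner(log_text, scanner_ip, allowed=ALLOWED_PORTS):
    """Return (ports seen per target, off-list events, skipped line count)
    for connections originating from scanner_ip."""
    seen = defaultdict(set)
    off_list = []
    skipped = 0
    for row in csv.reader(io.StringIO(log_text)):
        try:
            ts, src, dst, port = row   # wrong field count raises ValueError
            port = int(port)           # non-numeric port raises ValueError
        except ValueError:
            skipped += 1
            continue
        if src != scanner_ip:
            continue                   # traffic from other hosts is out of scope
        seen[dst].add(port)
        if port not in allowed:
            off_list.append((ts, dst, port))
    return dict(seen), off_list, skipped

if __name__ == "__main__":
    seen, off_list, skipped = audit_scanner(SAMPLE_LOG, "192.0.2.10")
    for dst, ports in sorted(seen.items()):
        print(dst, sorted(ports))
    print("off-list:", off_list, "skipped lines:", skipped)
```

The closed-port fingerprint probe described in reply # 1 will be reported as off-list unless that port is added to `allowed`.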
 
Posted: 15 June 2011 11:35 PM   [ # 3 ]
BMC ADDM Staff
Administrator
Total Posts:  2740
Joined:  2008-01-25

Hopefully the online training module I linked you to will answer that.

If it’s not clear, let me know; it’s one I wrote!

 
Posted: 03 February 2012 10:16 PM   [ # 4 ]
Newbie
Total Posts:  1
Joined:  2012-02-03

I’m having this issue also, thanks for the info!
