BES Scanner Guide

BES Scanner is designed to provide a first step in identifying computers not running the BES Client. It looks for computers running the BES Client by performing two network scans simultaneously. The first is a ping scan with OS fingerprinting that determines which computers are connected to the network and which operating system each one is probably running. The second checks whether each computer is listening on the UDP port used by the BES Client. Computers not listening on this port are assumed not to be running the BES Client and, being unmanaged, may present a security risk to the network. BES Scanner uses the open source project NMap to perform the network scans.

Installation Instructions

Download the BES Scanner below. The BES Scanner requires Windows 2000/XP/2003 to run properly. Uncompress the file 'besscanner.zip' into a folder on your computer. The contents include the executable 'besscanner.exe', which launches the BES Scanner application, and the directory 'besscanner_files', which must stay as a subfolder of the folder containing besscanner.exe. The 'besscanner_files' directory contains the NMap files that besscanner needs to perform its scans.

BES Scanner - version 4.0.1 (520 KB)

Requirements

  • The BES Scanner can only run on WinXP, Win2000, and Windows 2003.
  • The BES Scanner requires the WinPcap libraries to work properly. These are often installed by other applications, but if you do not have them you can download them from http://winpcap.polito.it/install/default.htm. Make sure you get version 3.0 and not the 3.1 beta! Note: If the BES Scanner returns no results at all, you most likely need to install WinPcap.
  • No personal or network firewall should be blocking traffic between you and the BES Clients. A firewall that silently drops the UDP probe makes a port look the same as one with a listening BES Client, so you may receive inaccurate results.

Usage Guide

  1. Selecting hosts
    This field is used to specify the hosts to be scanned. Its default value will scan the local subnet for computers running the BES Client. There are several methods to select hosts. A simple sequential range of hosts can be specified with a dash: 192.168.100.0-255. Commas allow multiple values and ranges to be specified: 192.168.100.1,2,3,4-10,15-20. An asterisk selects all possible values, so 192.168.100.* is equivalent to 192.168.100.0-255. The same selectors can be applied to any octet to reach beyond the local subnet. For example, 192.168.*.* will scan every host in the class 'B' sized 192.168.0.0/16 range, 65,536 addresses in total.

  2. Enter BES port number
    The port used for network communication by the BES Client should be entered here. This port number was specified during installation of the BES Server. The default value is 52311.

  3. File output
    The output directory is used to store the results produced by NMap's network scans. These results are stored in client.log and os.log. If the options to export results to Excel or HTML formats are selected, the files will be written into the directory specified by this field. The default value for this field is the directory where besscanner is launched.

  4. Scanning Speed
    These options control the speed at which the scans are performed. The polite option is the slowest and is intended to be considerate of bandwidth usage and of network scan detection tools. The aggressive option is the fastest and should be used only when the scan is not required to keep a low profile.

  5. Timeout
    The timeout field puts a fixed time limit on the scan. Its default value is ten minutes (600 seconds). A value of -1 disables the time limit and lets both scans finish completely. The BES Client scan usually finishes much faster than the operating system detection scan. If the timeout is reached, a message will appear and report which of the two scans finished. If the client scan did finish, the results should contain all computers running or not running the BES Client, but the operating system column will be incomplete.

    Occasionally the scan will get stuck on some addresses, such as a subnet gateway. The scan timeout option is intended to help recover from getting hung up on these addresses.

  6. Extra Options
    1. Report computers running BES Client
      Selecting this option will create a second table in the output results of each scan. The BES Scanner is intended to find computers not running the BES Client, but it may also be useful to know which computers are running it. Selecting this option will report on all computers.

    2. Export results to an Excel file
      Selecting this option will export the results of the scan to a comma-separated file that Excel can open. The file can be found in the directory specified in the 'output file path' field and will have the name BES_Scan_Results.csv.

    3. Export results to html
      Selecting this option will export the results of the scan into an HTML formatted file. The file can be found in the directory specified in the 'output file path' field and will have the name BES_Scan_Results.html.

    4. Use data from the last scan to generate results (will not perform a network scan)
      Selecting this option will use the data generated by the previous scan to produce the final results. This data is stored in client.log and os.log, and BES Scanner will expect to find these files in the directory specified in 'output file path'. This option is useful for quickly regenerating a report (for example with different export options) rather than waiting for a new scan to be performed.
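The following is an added example, not BES Scanner's own code, showing how the saved results can be turned back into the two report tables described above (computers not running the BES Client, and computers possibly running it). It assumes, which the guide does not state, that client.log and os.log hold NMap 'grepable' output (-oG); the log excerpts embedded in it are constructed for the example, not captured from a real scan, and the hostnames are invented.

```python
"""Rebuild the BES Scanner style report from saved NMap results.

Added example, not BES Scanner's own code. It assumes, and the guide does not
say so, that client.log and os.log contain NMap 'grepable' output (-oG). The
log excerpts below are constructed for this example, not captured from a real
scan, and the hostnames are invented.
"""
import re
from typing import Dict, List, Tuple

BES_PORT = 52311  # default BES Client UDP port, as in the guide

# Constructed client.log: one UDP port per host in the form port/state/proto//service///
CLIENT_LOG = """\
# Nmap scan initiated as: nmap -sU -p 52311 -oG client.log 192.168.100.0-15  (constructed)
Host: 192.168.100.1 (gw.example.local)\tPorts: 52311/open|filtered/udp//unknown///
Host: 192.168.100.5 (ws05.example.local)\tPorts: 52311/closed/udp//unknown///
Host: 192.168.100.7 ()\tPorts: 52311/open|filtered/udp//unknown///
Host: 192.168.100.9 (srv09.example.local)\tPorts: 52311/closed/udp//unknown///
"""

# Constructed os.log: 192.168.100.9 is missing, as if the OS scan hit the timeout.
OS_LOG = """\
Host: 192.168.100.1 (gw.example.local)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tOS: Cisco IOS 12.X
Host: 192.168.100.5 (ws05.example.local)\tPorts: 135/open/tcp//msrpc///\tOS: Microsoft Windows XP SP2
Host: 192.168.100.7 ()\tPorts: 22/open/tcp//ssh///\tOS: Linux 2.6.X
"""

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
Row = Tuple[str, str, str, str]  # ip, hostname, OS guess, BES port state


def parse_grepable(text: str) -> Dict[str, Dict[str, str]]:
    """Map each IP to its hostname plus the tab-separated 'Key: value' fields."""
    hosts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # '# Nmap ...' comment lines carry no host data
        ip, hostname, rest = match.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if value:
                entry[key] = value
    return hosts


def port_state(ports_field: str, port: int, proto: str = "udp") -> str:
    """State recorded for port/proto in a Ports field, or 'unknown' if absent."""
    for spec in ports_field.split(", "):
        parts = spec.split("/")
        if len(parts) >= 3 and parts[0] == str(port) and parts[2] == proto:
            return parts[1]
    return "unknown"


def build_report(client_log: str, os_log: str, port: int = BES_PORT) -> Tuple[List[Row], List[Row]]:
    """Split hosts into (not running BES Client, possibly running BES Client)."""
    clients = parse_grepable(client_log)
    oses = parse_grepable(os_log)
    missing: List[Row] = []
    present: List[Row] = []
    for ip in sorted(clients, key=lambda a: tuple(int(o) for o in a.split("."))):
        state = port_state(clients[ip].get("Ports", ""), port)
        row: Row = (ip, clients[ip]["hostname"] or "-", oses.get(ip, {}).get("OS", "unknown"), state)
        # 'closed' means an ICMP port unreachable came back, so nothing listens there.
        # 'open|filtered' means silence: a BES Client, or a firewall that dropped the probe.
        (missing if state == "closed" else present).append(row)
    return missing, present


def format_table(title: str, rows: List[Row]) -> str:
    """Plain-text table with one line per host."""
    lines = [title, f"{'IP':<16}{'Hostname':<22}{'OS':<28}BES port"]
    lines += [f"{ip:<16}{name:<22}{os_guess:<28}{state}" for ip, name, os_guess, state in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    not_running, running = build_report(CLIENT_LOG, OS_LOG)
    print(format_table("Computers not running the BES Client", not_running))
    print()
    print(format_table("Computers possibly running the BES Client", running))
```

Hosts that appear in client.log but not in os.log (here 192.168.100.9) get an OS of 'unknown', which is what an incomplete OS scan after a timeout looks like in the report.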

Tips and Troubleshooting

  1. Selecting Hosts
    Take care when selecting hosts. Scanning a single subnet of 256 addresses usually takes five to ten minutes on the aggressive setting. Scanning all 256 class 'B' subnets at once with 192.168.*.* would therefore take approximately forty-three hours!
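As an added example (not BES Scanner's or NMap's own code), the following expands the host-selection syntax from the Usage Guide into individual addresses and scales the ten-minutes-per-subnet rule of thumb above into a scan-time estimate, so a range can be sized before it is submitted. The per-subnet figure is the guide's estimate for the aggressive setting, not a measurement.

```python
"""Expand a BES Scanner / NMap style target specification and estimate scan time.

Added example, not BES Scanner's or NMap's own code. It implements the octet-wise
syntax the guide describes: each of the four dotted octets may be a single
number, a dash range such as 4-10, a comma list mixing numbers and ranges, or
'*' for 0-255. The ten-minutes-per-subnet figure is the guide's rule of thumb
for the aggressive setting, not a measurement.
"""
import itertools
from typing import List

MINUTES_PER_SUBNET = 10.0  # guide's upper estimate for one 256-address subnet on 'aggressive'


def expand_octet(field: str) -> List[int]:
    """Expand one octet field ('*', '7', '0-255', '1,2,3,4-10,15-20') to sorted ints."""
    if field == "*":
        return list(range(256))
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet value out of range in {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def parse_spec(spec: str) -> List[List[int]]:
    """Split 'a.b.c.d' into four expanded octet lists; rejects malformed input."""
    octets = spec.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets, got {spec!r}")
    return [expand_octet(o) for o in octets]


def expand_targets(spec: str) -> List[str]:
    """All addresses the specification selects, in octet order."""
    return [".".join(map(str, combo)) for combo in itertools.product(*parse_spec(spec))]


def count_targets(spec: str) -> int:
    """Number of addresses without materialising them (65536 for 192.168.*.*)."""
    count = 1
    for choices in parse_spec(spec):
        count *= len(choices)
    return count


def estimate_scan_hours(spec: str, minutes_per_subnet: float = MINUTES_PER_SUBNET) -> float:
    """Scan-time estimate: the per-subnet figure scaled by the number of addresses."""
    return count_targets(spec) / 256 * minutes_per_subnet / 60


if __name__ == "__main__":
    for spec in ("192.168.100.1,2,3,4-10,15-20", "192.168.100.*", "192.168.*.*"):
        print(f"{spec:32} {count_targets(spec):6d} hosts  ~{estimate_scan_hours(spec):.1f} h")
```

Running it prints the 16 hosts of the comma example, the 256 of a single subnet (about 0.2 h), and the 65,536 of 192.168.*.* at roughly 42.7 hours, the figure quoted above.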

  2. Scanning speed and Scanning Prevention Software
    Networks often have security measures in place to detect or prevent network scanning, because the same scanning techniques are used by worms and attackers. If you do not know what protective measures are present, it is recommended that you use the 'Polite' speed option, which scans unobtrusively and is less likely to trigger countermeasures. For example, your IP address could be blocked if the scan is presumed to be malicious, stopping both the besscanner and your normal network use.

    Even with the polite option, intrusion detection systems may still flag the traffic as an "NMAP Scan". If this is a problem in your network, do not use the BES Scanner without first checking with the network administrator.

  3. The Operating System Scan
    The operating system scan sends a TCP SYN packet to each host on ports 22, 23, 80, 135 and 60616. Operating system detection works best when at least one open and one closed port can be found. Ports 22, 23, 80 and 135 are commonly open (SSH, telnet, HTTP and Windows RPC respectively), while 60616 is an arbitrary high port that is almost certainly closed. The replies to these SYN packets, and the absence of replies, are matched against NMap's fingerprint database, because TCP/IP stacks differ in details such as initial window size, TTL and TCP option ordering.

  4. The BES Client Scan
    The BES Client scan sends a zero-length UDP packet to the port specified in 'enter BES port number' on each host. If the port is closed, the operating system answers with an ICMP 'port unreachable' message. If the port is open and in use by the BES Client, the empty datagram is simply dropped and no response is sent. From the reaction, either an ICMP refusal or silence, the BES Scanner guesses whether the BES Client is running. Note: Silence is ambiguous. A host firewall that drops the probe, a lost packet, or a target that rate-limits its ICMP errors all look the same as a listening client, so a quiet port is reported as probably running the client when it may not be. This scan should therefore not be considered 100% accurate and will sometimes produce incorrect results.
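The exchange described above, as an added example that is not BES Scanner's or NMap's code: a zero-length UDP datagram is sent to the BES port and the outcome is classified the way a UDP port scan does. On Unix-like systems the target's ICMP port-unreachable reply surfaces as ECONNREFUSED on a connected UDP socket (Windows reports it as a connection reset), so that outcome is 'closed'; silence is 'open|filtered', the ambiguous case. The demonstration runs against loopback only, using one bound UDP socket that never answers (standing in for a BES Client) and one port nothing is bound to.

```python
"""Zero-length UDP probe in the style of the BES Client scan.

Added example, not BES Scanner's or NMap's code. It reproduces the logic the
guide describes for one host: send an empty UDP datagram to the BES port and
classify the outcome. An ICMP port unreachable is surfaced by the OS as
ECONNREFUSED (ECONNRESET on Windows) on a connected UDP socket and means
nothing is listening. Silence is ambiguous: a listener that ignores the
datagram, a firewall that dropped it and rate-limited ICMP all look identical,
which is why the guide warns that the scan is not 100% accurate. The demo
below targets loopback only.
"""
import errno
import socket
from typing import Dict

CLOSED = "closed"                    # ICMP port unreachable came back: no listener
OPEN = "open"                        # the target answered with a datagram
OPEN_OR_FILTERED = "open|filtered"   # silence: listener, firewall, or lost probe


def probe_udp(host: str, port: int, timeout: float = 1.0, retries: int = 2) -> str:
    """Classify host:port from the reaction to a zero-length UDP datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # A connected UDP socket makes the kernel report ICMP errors for this peer.
        sock.connect((host, port))
        for _ in range(retries):
            try:
                sock.send(b"")  # zero-length datagram, as the guide describes
                sock.recv(1)
                return OPEN
            except socket.timeout:
                continue        # retry: UDP probes and ICMP replies can be lost
            except OSError as exc:
                if exc.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
                    return CLOSED
                raise
        return OPEN_OR_FILTERED


def bes_client_verdict(state: str) -> str:
    """The conclusion the scanner draws; only 'closed' is a firm negative."""
    if state == CLOSED:
        return "not running BES Client"
    if state == OPEN:
        return "something answered on the BES port (not typical of the BES Client)"
    return "possibly running BES Client (or probe dropped by a firewall)"


def demo_loopback() -> Dict[str, str]:
    """Constructed demonstration: one bound UDP port that never answers, one free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))   # stands in for a BES Client that drops the probe
    silent_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # now nothing listens there
    try:
        return {
            "listener": probe_udp("127.0.0.1", silent_port),
            "closed": probe_udp("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in demo_loopback().items():
        print(f"{label:9} {state:14} -> {bes_client_verdict(state)}")
```

The retry and the timeout are what make UDP scans slow: a silent port costs the full timeout for every attempt, and many operating systems rate-limit the ICMP errors they send, so a real subnet scan spends most of its time waiting, which is the behaviour the Timeout option above is there to bound.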

NMap

BES Scanner is built on top of the open source project NMap, a general purpose network scanning tool. Visit their website, http://www.insecure.org/nmap, for more information on NMap.

Please contact BigFix support with any questions or problems.