Most of our servers have at least two interfaces: one for management access and one or more for service presentation, so these have the web servers etc. running on them.
When scanning a server with credentials, clearly the management interface will be the one the scan runs on because that will have full access, but should I also scan the service interfaces (resulting in a number of results per server), or will all the vulnerabilities be discovered through the management IP? Bear in mind that the web servers themselves will not be running on the management IP address.
From some very simple tests it looks like I find exactly the same vulnerabilities on both ports, but is there a "best practice" recommendation?
Split your services and avoid binding on the global scope (:: or 0.0.0.0). If the same vulnerability is discovered on both interfaces you have a setup issue.
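One way to check for the setup issue this reply describes, as an added example that is not part of the thread: a small POSIX shell function that reads `ss -ltn`-style listener lines and flags every socket bound to the wildcard address (0.0.0.0, [::] or *), i.e. reachable on both the management and the service interfaces. The sample listener lines below are constructed for the example; the function name `wildcard_binds` and the column layout assumed (local address in the fourth field, as `ss -ltnH` prints it) are assumptions of this example.

```shell
#!/bin/sh
# wildcard_binds: read `ss -ltnH`-style lines on stdin and print the
# local address:port of every listener bound to all interfaces.
# Such a service is exposed on the management IP as well as on the
# service IP, which is the "setup issue" referred to above.
wildcard_binds() {
  awk '{
    addr = $4                      # e.g. "0.0.0.0:22", "[::]:80", "*:8080"
    sub(/:[0-9]+$/, "", addr)      # strip the trailing :port
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
      print $4
  }'
}

# Constructed sample output in the shape of `ss -ltnH` (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 10.0.0.5:443 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 *:8080 *:*'

# Run against the constructed sample; only sshd on 0.0.0.0, the IPv6
# listener on [::] and the *:8080 service are reported. The 443 listener
# bound to the service IP 10.0.0.5 and the loopback-only 3306 are not.
echo "Wildcard-bound listeners in sample:"
printf '%s\n' "$SAMPLE" | wildcard_binds

# On a live host, feed real listener data instead:
if command -v ss >/dev/null 2>&1; then
  echo "Wildcard-bound listeners on this host:"
  ss -ltnH 2>/dev/null | wildcard_binds
fi
```

Anything the function prints is a candidate for rebinding to the specific service address (or to the management address for management-only daemons), after which an authenticated scan on the management interface and an unauthenticated scan on the service interface will naturally report different findings.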
Hi Lukas, thanks for the reply. You are quite right, the server I was testing it out on does have a setup issue, but if it was set up correctly, would it be necessary to scan twice?
Take the example of a simple web server. If I ran an authenticated scan on the management interface, would an unauthenticated scan on the service interface, with only port 443 open, discover anything that the authenticated scan would not?
If you run authenticated you will see from inside, but for a complete assessment you maybe wanna see both views: what is reachable (exploitable) from the external perspective, and what is under the hood.