From: Brewis, Mark (mark.brewis@eds.com)
Date: Wed Nov 24 2004 - 06:29:17 EST
Petr,
A standard -sS shouldn't give any problems, but won't give you banners. If availability is critical, then manual verification of services with Netcat is the safest option.
We have seen occasional issues with -O, -sU, -sV, and -A across a range of devices over several years.
You really can't tell how a stack/application will handle strange requests at times. Most devices are fine, occasionally you get a flaky one. Generally, the ones that fall over are the critical, custom applications that have never been tested before ;-}
I wouldn't recommend running -O as part of a generic scan. Better to run a specific scan based on open and closed ports with -O.
SuperScan doesn't do anything fancy. Sounds as though you stressed the switch and/or saturated the available bandwidth. The ICMP traffic simply got lost in the noise. This is a valid result - if a (presumably) single laptop could cause these issues, then there is a possible network DoS issue to be addressed.
You can't preclude this type of event from happening. Weird stuff happens during testing, but that's the interesting bit. At best, your actions can limit the risk, but make sure your paperwork for the test stresses residual risk, and get the customer to accept that as part of the test.
HTH
Mark
Mark Brewis
Forensic Services - EMEA
UK Information Assurance Group
EDS
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.
Tel: +44 (0)1908 28 4013
Mbl: +44 (0)7989 291 648
Fax: +44 (0)1908 28 4393
E@: mark.brewis@eds.com
securityforensicsEMEA@eds.com
This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. Any views or opinions presented are solely those of the author. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly prohibited.
Precautions have been taken to minimise the risk of transmitting software viruses, but you must carry out your own virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software viruses.
>>-----Original Message-----
>>From: Petr.Kazil@eap.nl [mailto:Petr.Kazil@eap.nl]
>>Sent: 23 November 2004 10:42
>>To: pen-test@securityfocus.com
>>Subject: Crashing services with NMAP and/or SuperScan ?
>>
>
>>> (Side question: Has anyone ever crashed a server when the dangerous
>>scans
>>> are disabled?)
>>
>>With Superscan I seem to have blown out a switch. It went
>>"red" on the HP
>>Openview screen and didn't react to ping anymore. All the
>>network traffic
>>continued - fortunately :-) As of today the admins haven't
>>been able to
>>tell me what really happened. I haven't dared to try
>>Superscan anymore -
>>although I like it's output very much - especially it's
>>checks for headers
>>and anonymous FTP and SMTP.
>>
>>Yesterday I ran nmap -sS -sV -O ... There were no problems on
>>Win2K and
>>Unix machines, but on WinNT SP5 (!) machines I seem to have
>>blown out :
>>- one Oracle TNS Listener - however the admin said
>>"everything continued to
>>function"
>>- 2 or 3 Storageworks EVA Secure Path services.
>>
>>Fortunately the admins were not upset. They looked through
>>the services on
>>the servers, looked which ones had gone "stopped" and set them back to
>>"started".
>>
>>Question:
>>Do you think that running nmap without the -sV -O options
>>could avoid this
>>and still give me enough information?
>>
>>These are always difficult situations - replications is not
>>easy (I canot
>>ask : "Can I run the scan again and see if the same thing hapens?"). I
>>can't test all OS versions on my test network. I'm not even
>>sure if I'm
>>really to blame, it could even be coincidence ...
>>
>>Of course I asked (and re-asked) before my scan: What
>>subnetwork can I scan
>>and which IP's should I avoid? Answer: We don't expect any
>>problems, just
>>take our whole subnet.
>>
>>Your comments are very welcome.
>>
>>Greetings, Petr Kazil
>>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT