Re: Port Scanning.

From: robert@dyadsecurity.com
Date: Mon Dec 13 2004 - 11:10:47 EST


Faisal Khan(faisal@netxs.com.pk)@Mon, Dec 13, 2004 at 07:46:43PM +0500:
> What's a good industry practice whilst doing port-scanning during a
> pen-test.

To understand what your tools are really doing and have extensive
experience with this process before relying on it during a pen-test.

> Do you rely on the results of a single vendor's software or do you use
> multiple softwares?

Depends on the software. For port scanning, most people trust nmap
because of the extensive time that Fyodor and the rest of the nmap-dev
team have put into making it better.

I would say that nmap may be the one to judge your other port scanning
tools against if you are new to port scanning.

Another tool that would be good to play with is unicornscan
(http://www.unicornscan.org). Unicornscan is set up for a more
technical tester who wants to collect as much meaningful information
during the scan as possible. It has a higher learning curve at the
moment, but we have had very good feedback from those who are using it.
We will have another release out sometime before Christmas. Unicornscan
was built with scalability, accuracy, and flexibility in mind. To my
knowledge, it is currently the most accurate UDP scanner out there. The
next release will make our TCP scanning on par with our UDP scanning.

> Also, with each OEM/vendor - do you scan once or twice?

Depends on how reliable the network connection is between you and the
site you're testing. Doing logistics and controls tests ahead of time
is really important. You need to know how many packets per second can
reliably reach your destination and have a response reach you. You need
to know the overall bandwidth limitations. You need to figure out which
protocols are allowed through. You need to figure out if there is an
IPS in place. You need to find out if there is a stateful inspection
firewall in place. You need to find out if there is a DDoS mitigation
device in place .. etc etc etc. If you skip the logistics part and just
plug in a target range and go, you will tend to have inaccurate results
no matter how many times you scan.

> I need to do a scan on a Class C Address if that matters in any way.

If you are relatively new to testing, I cannot emphasize enough how
important that logistics and controls phase is. Pull down the OSSTMM -
http://www.osstmm.org and walk through the logistics and controls &
systems enumeration modules. You may also want to split the 256 IPs in
your range into smaller chunks (0-63, 64-127, 128-191, 192-255) to make
sure you review the results for each chunk separately. There is nothing
like waiting multiple days to find out that your results are garbage and
you have to start over.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
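One way to put the "scan more than once and review each chunk separately" advice into practice, as an added Python example (not code from the original post, nmap or unicornscan): it splits a /24 into the four /26 chunks described above and compares the open-port results of two runs per chunk, so that a chunk whose runs disagree is flagged for rescanning before anyone trusts it. The host/port sets are constructed sample data.

```python
import ipaddress

# Constructed sample results: (host, port) pairs reported open in two
# separate runs over the same /24. Not real scan output.
RUN1 = {("192.0.2.10", 22), ("192.0.2.10", 80),
        ("192.0.2.70", 443), ("192.0.2.200", 25)}
RUN2 = {("192.0.2.10", 22), ("192.0.2.10", 80),
        ("192.0.2.70", 443), ("192.0.2.135", 53)}


def chunks(network, prefix=26):
    """Split a range into equal sub-ranges: a /24 becomes four /26s
    (hosts 0-63, 64-127, 128-191, 192-255)."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=prefix))


def chunk_of(host, subnets):
    """Return the chunk that contains a host address."""
    addr = ipaddress.ip_address(host)
    for subnet in subnets:
        if addr in subnet:
            return subnet
    raise ValueError(f"{host} is outside the scanned range")


def compare_runs(network, run1, run2, prefix=26):
    """Per chunk, count findings both runs agree on and findings that
    appeared in only one run. Disagreement means the link, an IPS or a
    rate limit is distorting the results and the chunk is not yet
    trustworthy."""
    subnets = chunks(network, prefix)
    report = {str(s): {"agreed": 0, "only_run1": 0, "only_run2": 0}
              for s in subnets}
    for host, _port in run1 & run2:
        report[str(chunk_of(host, subnets))]["agreed"] += 1
    for host, _port in run1 - run2:
        report[str(chunk_of(host, subnets))]["only_run1"] += 1
    for host, _port in run2 - run1:
        report[str(chunk_of(host, subnets))]["only_run2"] += 1
    return report


def unreliable_chunks(report):
    """Chunks whose two runs disagree; rescan these before reporting."""
    return sorted(c for c, r in report.items()
                  if r["only_run1"] or r["only_run2"])


if __name__ == "__main__":
    rep = compare_runs("192.0.2.0/24", RUN1, RUN2)
    for chunk, counts in rep.items():
        print(chunk, counts)
    print("rescan:", unreliable_chunks(rep))
```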


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT