Re: Port Scanning.

From: Jeffrey Denton (dentonj@gmail.com)
Date: Tue Dec 14 2004 - 02:27:37 EST


On Mon, 13 Dec 2004 19:46:43 +0500, Faisal Khan <faisal@netxs.com.pk> wrote:
>
> What's a good industry practice whilst doing port-scanning during a pen-test.

One common approach is to only scan ports that you have exploits for.
Or if you are limiting yourself to only using a certain exploit, only
scan for that port. This limits the chances of an IDS catching it.
The kiddies do this all of the time. If some new ftp exploit gets
released, large blocks of the internet will only be scanned for port
21.

You don't have to port scan the ports that you know are open. Some
services will log "odd" connections. If sniffing shows that a server
is running ssh, leave port 22 out of any port scans.

$ nmap -sT -p 22 192.168.1.1

For /var/log/messages:
Dec 12 11:33:22 hostname sshd[2584]: Could not write ident string to 192.168.1.100

nmap's -F option is handy.

Use amap to find servers running on odd ports. It works well with nmap's
undocumented -oM option (deprecated in 2.54BETA6).

http://www.thc.org/releases.php

> Do you rely on the results of a single vendor's software or do you use
> multiple softwares?

Why limit yourself? Someday, you will find yourself with a cmd shell
as your only foothold behind a firewall that does a good job of
stopping port scans. Small, command line scanners such as ScanLine,
from Foundstone, become your best friend (along with pwdump, net
commands, etc.).

> Also, with each OEM/vendor - do you scan once or twice?

Things can change throughout the day. Maybe they have a classroom
full of default installs that are only on during the day. Or the only
time the backup server is turned on/connected to the network is while
it's doing backups in the middle of the night. Or someone is testing
new software and you just happen to catch it. etc. When you get
stumped, start looking for changes.

Just remember, running port scans without changing the timing has a
habit of setting off IDSs. But that may be part of your user
agreement, to see if the sysadmins are sleeping at the wheel. Then
you'll run multiple port scans starting with Paranoid and work your
way up to Insane. Then note when your IP gets blocked (if it ever
does).

Also, using decoys while scanning from the inside can sometimes give
you away. Using decoys works better if you are scanning from outside
of the firewall.

dentonj
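The post notes that some services log "odd" connections, giving the sshd "Could not write ident string" line as an example of what a connect scan leaves behind. The following is an added example, not part of the original thread, showing the defender's side of that observation: a small parser that pulls those sshd entries out of syslog-format text and flags source addresses that trigger several of them inside a short window, which is the pattern a per-port probe from one host produces. The regex, the sample log lines (the one from the post plus constructed neighbours), the year assumption and the burst threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the sshd message quoted in the post. Syslog lines carry no year,
# so the timestamp is parsed later with an assumed year. (Regex is an assumption
# written for this example, tuned to the quoted line.)
IDENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Could not write ident string to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample of /var/log/messages: the line from the post, two more
# failures from the same source seconds later, one unrelated sshd line, and a
# single isolated failure from another host.
SAMPLE_LOG = """\
Dec 12 11:33:22 hostname sshd[2584]: Could not write ident string to 192.168.1.100
Dec 12 11:33:23 hostname sshd[2585]: Could not write ident string to 192.168.1.100
Dec 12 11:33:23 hostname sshd[2586]: Could not write ident string to 192.168.1.100
Dec 12 11:40:01 hostname sshd[2601]: Accepted publickey for alice from 192.168.1.50 port 51022 ssh2
Dec 12 12:02:10 hostname sshd[2650]: Could not write ident string to 192.168.1.77
"""


def parse_ident_events(text, year=2004):
    """Return a list of (timestamp, source_ip) for every ident-string failure.

    `year` is assumed because syslog omits it; 2004 matches the post's date.
    """
    events = []
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if not m:
            continue  # not the sshd message we care about
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def find_bursts(events, threshold=3, window_seconds=60):
    """Flag sources with at least `threshold` failures within `window_seconds`.

    Returns {source_ip: total_failure_count}. A single failed connection is
    normal noise (a client that disconnected early); a cluster from one host
    within a minute is the signature of a probe touching the port.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps for this source.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    evts = parse_ident_events(SAMPLE_LOG)
    for ip, count in find_bursts(evts).items():
        print(f"{ip}: {count} ident failures, burst detected")
```

The same shape (match one service's "odd connection" message, bucket by source, look for clusters in time) carries over to other daemons that log aborted handshakes; the threshold and window are the knobs a SOC would tune against baseline noise before alerting on them.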



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT