Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Simple Nomad <thegnome () nmrc org>
Date: Mon, 15 Feb 1999 19:55:05 -0600 (CST)
As far as scanning goes, this boils down to a fundamental fact -- the real purpose behind port scanning and fingerprinting is to take a remote inventory of the potential security posture of a remote machine. Oh sure, it is possible that creative people have found alternate uses for such tools as nmap, but truthfully the "real" reason is as I stated it. What we do with that information is important. If we are checking our systems to secure them, then we secure them. If we are doing a penetration test, we penetrate. And if we are a black hat/script kiddie/cracker/cyber-terrorist (the media can take their pick on the label) then we r00t 'em. The MAIN reason I occassionally reverse scan (manually, mind you) is to see exactly how vulnerable the possible attacking host is. I always ASSUME the scan/probe/rootscript/attack is coming from someone else's r00ted host, although there are still a handful of very stupid people who hack from their own machine. If the attacking box is real annoying me, I might actually act upon it. Even at my day job it quicker to just add a rule to the firewall to drop the host (sometimes the entire Class C or even domain) than to track someone down. In my mind, since the only thing a reverse scan does is tell you a remote system's security posture, this implies that you wish to 1) r00t 'em before they 0wn you, or 2) confirm the remote host is a compromised hornet's nest to add to your DENY lists. In other words, casual automated reverse scanning is pointless -- unless you really plan on "doing something" with your results. Simple Nomad // "When viewed as a metaphor for the human thegnome () nmrc org // condition, the humble GNU C compiler www.nmrc.org // becomes an endless enigma." On Sun, 14 Feb 1999, Max Vision wrote:
On Sun, 14 Feb 1999, Simple Nomad wrote:Is everyone this paranoid? That they reverse scan?I am surprised at the views taken by the "general public". See the hacker vigilante polls on cnn lately? People think it's ok to strike back! But what are their criteria? Do they have a clue? There are very few cases where a connection to one's site can be authenticated to be from the apparent source. The vast majority of traffic that sysadmin are "responsive" to can be easily forged, and possibly used to frame someone. (Starting wars is *easy* and some people think it's fun. Blackhats exist.) Of the public remote Denial Of Service attacks that I am aware, more than 9 out of 10 of them are either ICMP or UDP, and almost all are one-off, fire and forget. Most DOS scripts have command line options for the source IP. Portscanning has come of age and now decoy storm methods such as sl0wscan and nmap -D have joined the ranks of ftp bounce and other proxy-based scans. With 100 source IP's how smart does one's IDS-Return-Fire system sound? Let alone reverse scanning... Limiting your concern to TCP (full handshake) "attacks" is a start, but let's say you are upset about someone checking for CGI bugs on your webserver. Consider that the source address could have been a proxy, any number of text-pushing-holes such as FTP bouncing, or even sequenced (check your boxes for susceptibility). Also the method described of limiting reverse scans to once-per-IP doesn't cut it. What about the fellow that decides to send you tickle-packets from say, everywhere. Great you've just scanned the entire internet "but it was only once per host...." Be careful with automated systems! Max
Current thread:
- Scanning hosts connecting to a linuxbox. Mike A. Harris (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Rasmus Andersson (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Max Vision (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. ace24 (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- RE: Scanning hosts connecting to a linuxbox. Dragos Ruiu (Feb 13)
- <Possible follow-ups>
- RE: Scanning hosts connecting to a linuxbox. Brown, Mark (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Chris St. Clair (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Bryan Seitz (Feb 15)