Nmap Announce mailing list archives
RE: Examples of legit nmap usage?
From: Scott Hardy <shardy () etrade com>
Date: Mon, 20 Sep 1999 11:57:41 -0700
Speaking as a security person who uses nmap and who watches firewall logs scrolling by all day, I'd recommend the following:

1) Cooperate with your networking people. They can give you copies of the routers' ACLs. If you are scanning only ports left open by the routers, there shouldn't be much spamming of the logs. It will also make your scans faster, so it's a win-win situation.

2) Avoid scan types and scanned ports that may make trouble. You don't want to be making your DB server fill up its filesystem with error logs, rebooting anything or making intrusion detection agents go crazy. Avoid xmas-tree etc., and those services on those machines that may have caused headaches after your previous comprehensive scans.

3) Maybe settle for less often than bimonthly? If someone's running telnetd on a Unix machine, and there are no apparent reasons why they shouldn't, it would probably be safe to assume that they'll still be running it there in 2 weeks. Scanning a short list of ports (e.g. looking for specific trojan installs) frequently might be more acceptable politically and nearly as useful, and you could save the grand unified scans for monthly-quarterly.

4) Refer them to ftp://ftp.porcupine.org/pub/security/admin-guide-to-cracking.101.Z, Wietse Venema and Dan Farmer's paper on improving the security of your site by breaking into it. Probing your systems is absolutely vital for security. Good crackers and good security people differ mainly in whether or not the company has asked them to be doing what they are. And security people usually fix the holes instead of exploiting them. ;-) You have the responsibility of maintaining security, so you should have the right to do what's necessary.
-----Original Message-----
From: Foust, Adam G. [SMTP:agfoust () tva gov]
Sent: Friday, September 17, 1999 5:57 AM
To: nmap-hackers () insecure org
Subject: Examples of legit nmap usage?

nmap has the potential of becoming an extremely useful tool for me in my job (not in the hacker sense, but in the discovery and security sense). I ran it for a while and built up a picture of our intranet WAN (with the help of a custom bit of perl and CGI programming), but now I'm being told to knock it off for good based on the high amount of messages that began to accumulate in our router logs. All of our other $$$ commercial network tools have so far provided a rather piecemeal view of things, and I would like to continue to use this excellent nmap tool to augment our picture of things (particularly having an inventory of TCP services). Can anyone help me out with a good "business case" for administratively running nmap in a corporate environment? What would be the impact to routers and hosts of, say, automating a weekly scan on a rather large network (I won't give specifics, but I will say that if I seed nmap with a list of ping-able IP addresses it requires a couple of days to complete a single sweep)? Is using nmap in this fashion a dumb idea? Any good examples of nmap being used for network discovery in any corporations out there? Any information you can provide would be of great use. Thanks.
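One way to put recommendation 1 into practice, as an added example that is not part of the list post: derive the inventory scan's port list from the routers' own permit rules, so the scan only touches TCP ports the ACLs already let through and produces no deny entries in the router logs. The ACL lines are constructed in a simplified Cisco-style syntax; real ACLs come from the networking team, and the `nmap` flags used are `-sT` (plain connect scan, no xmas-tree style probes), `-n`, `-T2` and `-p`.

```python
"""Build a conservative nmap port list from router ACL permit rules."""
import re

# Constructed sample ACL (not a real configuration).
SAMPLE_ACL = """\
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any host 10.1.2.3 eq 80
access-list 101 permit tcp any host 10.1.2.3 eq 443
access-list 101 permit tcp any any range 6000 6010
access-list 101 deny   tcp any any eq 23
access-list 101 permit udp any any eq 53
access-list 101 deny   ip any any
"""

# Only 'permit tcp ... eq N' and 'permit tcp ... range LO HI' contribute ports;
# deny rules and non-TCP protocols are ignored on purpose.
_EQ = re.compile(r"\bpermit\s+tcp\b.*\beq\s+(\d+)\s*$")
_RANGE = re.compile(r"\bpermit\s+tcp\b.*\brange\s+(\d+)\s+(\d+)\s*$")


def permitted_tcp_ports(acl_text):
    """Return the sorted set of TCP ports the ACL permits."""
    ports = set()
    for line in acl_text.splitlines():
        m = _EQ.search(line)
        if m:
            ports.add(int(m.group(1)))
            continue
        m = _RANGE.search(line)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            ports.update(range(lo, hi + 1))
    return sorted(ports)


def port_spec(ports):
    """Collapse a sorted port list into nmap -p syntax, e.g. 22,80,443,6000-6010."""
    spec, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        spec.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(spec)


def nmap_command(acl_text, targets):
    """Polite TCP connect scan restricted to router-permitted ports."""
    spec = port_spec(permitted_tcp_ports(acl_text))
    return ["nmap", "-sT", "-n", "-T2", "-p", spec, *targets]
```

The returned list can be handed to `subprocess.run` as-is; running it against the sample yields `nmap -sT -n -T2 -p 22,80,443,6000-6010 <targets>`.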