Penetration Testing mailing list archives
Re: Port Scanning.
From: Jeffrey Denton <dentonj () gmail com>
Date: Tue, 14 Dec 2004 00:27:37 -0700
On Mon, 13 Dec 2004 19:46:43 +0500, Faisal Khan <faisal () netxs com pk> wrote:
> What's a good industry practise whilst doing port-scanning during a pen-test.

One common approach is to only scan ports that you have exploits for. Or if you are limiting yourself to only using a certain exploit, only scan for that port. This limits the chances of an IDS catching it. The kiddies do this all of the time. If some new ftp exploit gets released, large blocks of the internet will only be scanned for port 21.

You don't have to port scan the ports that you know are open. Some services will log "odd" connections. If sniffing shows that a server is running ssh, leave port 22 out of any port scans.

$ nmap -sT -p 22 192.168.1.1

For /var/log/messages:

Dec 12 11:33:22 hostname sshd[2584]: Could not write ident string to 192.168.1.100

nmap's -F option is handy.

Use amap to find servers running on odd ports. It works well with nmap's undocumented -oM option (deprecated in 2.54BETA6).
http://www.thc.org/releases.php
> Do you rely on the results of a single vendor's software or do you use multiple softwares?
Why limit yourself? Someday, you will find yourself with a cmd shell as your only foot hold behind a firewall that does a good job of stopping port scans. Small, command line scanners such as ScanLine, from Foundstone, become your best friend (along with pwdump, net commands, etc.).
> Also, with each OEM/vendor - do you scan once or twice?

Things can change throughout the day. Maybe they have a classroom full of default installs that are only on during the day. Or the only time the backup server is turned on/connected to the network is while it's doing backups in the middle of the night. Or someone is testing new software and you just happen to catch it. etc. When you get stumped, start looking for changes.

Just remember, running port scans without changing the timing has a habit of setting off IDSs. But that may be part of your user agreement, to see if the sysadmins are sleeping at the wheel. Then you'll run multiple port scans starting with Paranoid and work your way up to Insane. Then note when your IP gets blocked (if it ever does).

Also, using decoys while scanning from the inside can sometimes give you away. Using decoys works better if you are scanning from outside of the firewall.

dentonj
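A defender-side check for the sshd log entry mentioned in the post, added here as an example and not part of the original thread: it parses "Could not write ident string" lines from a constructed /var/log/messages sample and flags any source address that triggers several of them within a minute. The sample lines, the threshold and the window size are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd writes this line when a client connects and drops before the banner exchange,
# which is what a bare TCP connect scan of port 22 looks like from the server side.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Could not write ident string to (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log lines (not from the original post); syslog omits the year.
SAMPLE_LOG = """\
Dec 12 11:33:22 hostname sshd[2584]: Could not write ident string to 192.168.1.100
Dec 12 11:33:23 hostname sshd[2585]: Could not write ident string to 192.168.1.100
Dec 12 11:33:24 hostname sshd[2586]: Could not write ident string to 192.168.1.100
Dec 12 11:40:01 hostname sshd[2590]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2
Dec 12 12:02:10 hostname sshd[2601]: Could not write ident string to 10.0.0.9
"""


def parse_ident_failures(text):
    """Return a list of (timestamp, source_ip) for each ident-string failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("src")))
    return events


def flag_probing_sources(events, threshold=3, window_seconds=60):
    """Map source_ip -> hit count for sources with >= threshold failures in any window."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[src] = j - i
                break
    return flagged


if __name__ == "__main__":
    print(flag_probing_sources(parse_ident_failures(SAMPLE_LOG)))
```

A single failure (as from 10.0.0.9 above) is normal noise from dropped connections; the repeated pattern from one source within a short window is what merits a look.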