Penetration Testing mailing list archives
Re: Crashing services with NMAP and/or SuperScan ?
From: "William Allsopp" <William_Allsopp () eur 3com com>
Date: Wed, 24 Nov 2004 10:41:16 +0000
> One step in the quickscan is a portscan of the internal network. I've tried both nmap and Superscan. This usually brings out a lot of unexpected mail services, ftp servers, low services, web management interfaces etc.

Superscan 3 seemed to have various issues accurately detecting common network services, particularly SMTP, FTP and H.323 for some reason, even on short-haul networks. Superscan 4 is marginally better, but I'd suggest Mingsweeper from hoobie.net as a good Windows port scanner.

> Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and Unix machines, but on WinNT SP5 (!) machines I seem to have blown out:
> - one Oracle TNS Listener - however the admin said "everything continued to function"
> - 2 or 3 Storageworks EVA Secure Path services.

I would think that your problem is with the -O flag. A lot of people have reported similar behaviour with the O/S detection.

> Fortunately the admins were not upset. They looked through the services on the servers, looked at which ones had gone "stopped" and set them back to "started".

That's a rare admin!

> Question: Do you think that running nmap without the -sV -O options could avoid this and still give me enough information?

Most definitely. You shouldn't be relying on information from the O/S detection and version modules anyway.

> Of course I asked (and re-asked) before my scan: What subnetwork can I scan and which IPs should I avoid? Answer: We don't expect any problems, just take our whole subnet.

These activities carry a certain inherent risk, but in the many pen tests I've done, I've never seen a problem caused by a port scan that wasn't straightforward to correct. It really depends on your network, how you're scanning and how many simultaneous connections you feel comfortable putting across your LAN.

> Your comments are very welcome.

I hope this helps. You might also want to refer to Fyodor's general scanning guide: http://www.insecure.org/nmap/nmap_doc.html

W.
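The advice in this exchange comes down to three things: drop -O and -sV, limit how many probes are in flight at once, and honour the customer's exclusion list; afterwards the admins still had to work out by hand which services had gone "stopped". The following POSIX shell script is an added example written for this page, not code from the thread or from any of the posters. It builds (but does not execute) a low-impact nmap command line along those lines and then diffs two nmap greppable (-oG) result files to list listeners that were open in a baseline scan but no longer answer, so the admins get an exact list of what to restart. It assumes a reasonably current nmap in which `--excludefile`, `--max-parallelism`, `--scan-delay`, `--max-retries`, `-iL` and `-oG` exist; the file names and the sample scan output are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for an authorised
# internal quickscan that follows the advice above: no -O, no -sV, few
# concurrent probes, an exclusion list, and a before/after check of which
# listeners disappeared. File names and sample -oG output are constructed.

# build_scan_cmd TARGETS_FILE EXCLUDE_FILE OUT_BASENAME
#   Prints the nmap command line for review; it is NOT executed here.
#   -sS : SYN scan only (the -O and -sV modules are left out on purpose)
#   -n  : no reverse DNS lookups
#   -T2 plus --max-parallelism / --scan-delay : few probes in flight, spaced out
#   --excludefile : the customer's do-not-scan list always travels with the scan
build_scan_cmd() {
    targets=$1; excludes=$2; out=$3
    [ -s "$targets" ] || { echo "targets file missing or empty: $targets" >&2; return 1; }
    [ -f "$excludes" ] || { echo "exclusion file missing: $excludes" >&2; return 1; }
    printf 'nmap -sS -n -T2 --max-parallelism 10 --scan-delay 50ms --max-retries 2 -iL %s --excludefile %s -oG %s\n' \
        "$targets" "$excludes" "$out"
}

# ports_open GREPABLE_FILE
#   Emits "host port" for every open port in an nmap -oG file.
#   A -oG host line looks like:
#   Host: 10.0.0.5 ()<TAB>Ports: 25/open/tcp//smtp///, 1521/open/tcp//oracle///<TAB>Ignored State: ...
ports_open() {
    awk '/^Host:/ && /Ports:/ {
        host = $2
        sub(/.*Ports: /, "")            # keep only the comma-separated port list
        n = split($0, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")     # port/state/proto/owner/service/...
            if (f[2] == "open") print host, f[1]
        }
    }' "$1"
}

# lost_ports BEFORE_FILE AFTER_FILE
#   Ports open in the baseline scan but not in the re-scan: the services the
#   admins should check and, if needed, set back to "started".
lost_ports() {
    { ports_open "$2" | sed 's/^/A /'; ports_open "$1" | sed 's/^/B /'; } |
    awk '$1 == "A" { seen[$2 " " $3] = 1; next }
         $1 == "B" && !(($2 " " $3) in seen) { print $2, $3 }'
}

# demo: constructed before/after output in which port 1521 on 10.0.0.5
# (an Oracle-listener-like service) stopped answering between the two scans.
demo() {
    dir=$(mktemp -d) || return 1
    printf '10.0.0.0/24\n' > "$dir/targets"
    printf '10.0.0.1\n10.0.0.254\n' > "$dir/exclude"
    printf 'Host: 10.0.0.5 ()\tPorts: 25/open/tcp//smtp///, 1521/open/tcp//oracle///\tIgnored State: closed (998)\n' > "$dir/before"
    printf 'Host: 10.0.0.5 ()\tPorts: 25/open/tcp//smtp///, 1521/closed/tcp//oracle///\tIgnored State: closed (998)\n' > "$dir/after"
    build_scan_cmd "$dir/targets" "$dir/exclude" "$dir/scan" > /dev/null || return 1
    lost_ports "$dir/before" "$dir/after"
    rm -rf "$dir"
}
```

Running `demo` prints `10.0.0.5 1521`, the one listener that was open before the scan and closed afterwards; in practice the baseline is the first conservative scan and the re-scan is run once the admins have been told the scan is finished, so the diff only reflects what changed during the test window.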