Network Security Pen-Test

Re: Crashing services with NMAP and/or SuperScan ?

Subject: Re: Crashing services with NMAP and/or SuperScan ?
Date: Wed, 24 Nov 2004 10:41:16 +0000



> One step in the quickscan is a portscan of the internal network. I've tried
> both nmap and Superscan. This usually brings out a lot of unexpected mail
> services, ftp servers, low services, web management interfaces etc.

Superscan 3 seemed to have various issues accurately detecting common network
services, particularly SMTP, FTP and H.323 for some reason, even on short haul
networks. Superscan 4 is marginally better, but I'd suggest Mingsweeper from
hoobie.net as a good windows port scanner.


> Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and
> Unix machines, but on WinNT SP5 (!) machines I seem to have blown out :
> - one Oracle TNS Listener - however the admin said "everything continued to
> function"
> - 2 or 3 Storageworks EVA Secure Path services.

I would think that your problem is with the -O flag. A lot of people have
reported similar behaviour with the O/S detection.

> Fortunately the admins were not upset. They looked through the services on
> the servers, looked which ones had gone "stopped" and set them back to
> "started".

That's a rare admin!

> Question:
> Do you think that running nmap without the -sV -O options could avoid this
> and still give me enough information?

Most definitely. You shouldn't be relying on information from the O/S detection
and version modules anyway.


> Of course I asked (and re-asked) before my scan: What subnetwork can I scan
> and which IP's should I avoid? Answer: We don't expect any problems, just
> take our whole subnet.

These activities carry a certain inherent risk, but in the many pen tests I've
done, I've never seen a problem caused by a port scan that wasn't
straightforward to correct. It really depends on your network, how you're
scanning and how many simultaneous connections you feel comfortable putting
across your lan.

> Your comments are very welcome.

I hope this helps, you might also want to refer to Fyodor's general scanning
guide: http://www.insecure.org/nmap/nmap_doc.html

W.
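As an added illustration of the advice above (this is not code posted by either correspondent), the script below builds the kind of SYN-only sweep the reply recommends, with -O and -sV left out and an --exclude list for the addresses the admins want avoided, and then parses nmap's grepable (-oG) output to show that the plain port/state/service table is still enough to surface the unexpected mail, FTP, web and Oracle listeners the original poster was finding. All flags used are real nmap options (a current nmap is assumed; 2004-era builds spelled --max_parallelism with an underscore). The sample -oG output is constructed for the example, not a real scan, and the NOTABLE list is an arbitrary choice for illustration.

```python
"""Conservative port scan plus a parser for nmap's grepable (-oG) output.

Added example for this thread, not code posted by either correspondent.
Assumes a current nmap; the sample output below is constructed, not real.
"""
import subprocess
from collections import defaultdict

# Constructed -oG output for a /29 scanned with -sS only (no -sV, no -O).
# Each "Ports:" entry is port/state/protocol/owner/service/rpcinfo/version/ ;
# without -sV the service column is just the nmap-services name for the port.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated Wed Nov 24 10:00:00 2004 as: nmap -sS -n -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 1521/open/tcp//oracle///\tIgnored State: closed (996)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done at Wed Nov 24 10:00:05 2004 -- 8 IP addresses (2 hosts up) scanned in 5.12 seconds
"""

# Arbitrary (hypothetical) set of service names worth a manual look; the
# original poster's "unexpected mail services, ftp servers, web management
# interfaces" all land here.
NOTABLE = {"smtp", "ftp", "http", "https", "oracle", "telnet", "pop3", "imap", "snmp"}


def quick_scan_argv(targets, exclude=(), parallelism=10):
    """Build the argv for a low-impact TCP SYN sweep.

    Deliberately omits -O and -sV (the modules blamed for the stopped NT
    services), caps concurrent probes, and takes a do-not-touch list.
    """
    argv = ["nmap", "-sS", "-n", "-T3",
            "--max-retries", "2",
            "--max-parallelism", str(parallelism)]
    if exclude:
        argv += ["--exclude", ",".join(exclude)]
    argv += ["-oG", "-"]          # grepable output on stdout
    argv += list(targets)
    return argv


def run_quick_scan(targets, exclude=()):
    """Run the sweep (needs root for -sS) and return its grepable output."""
    return subprocess.run(quick_scan_argv(targets, exclude),
                          check=True, capture_output=True, text=True).stdout


def parse_gnmap(text):
    """Return (hosts_up, {ip: [(port, proto, state, service), ...]})."""
    hosts_up = set()
    ports = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                    # banner / comment lines
        # Tab-separated "Key: value" fields; "Host:" carries "ip (hostname)".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        if fields.get("Status") == "Up":
            hosts_up.add(ip)
        for entry in fields.get("Ports", "").split(", "):
            if not entry.strip():
                continue
            port, state, proto, _owner, service = entry.strip().split("/")[:5]
            ports[ip].append((int(port), proto, state, service))
    return hosts_up, dict(ports)


def open_services(ports_by_host):
    """Flatten to sorted [(ip, port, service)] for open ports only."""
    return sorted((ip, port, service)
                  for ip, entries in ports_by_host.items()
                  for port, _proto, state, service in entries
                  if state == "open")


def notable_services(ports_by_host):
    """Subset of open_services() whose service name is in NOTABLE."""
    return [hit for hit in open_services(ports_by_host) if hit[2] in NOTABLE]


if __name__ == "__main__":
    print(" ".join(quick_scan_argv(["10.0.0.0/24"], exclude=["10.0.0.9"])))
    up, by_host = parse_gnmap(SAMPLE_GNMAP)
    print(f"{len(up)} hosts up")
    for ip, port, service in notable_services(by_host):
        print(f"  {ip}:{port} {service}")
```

Run it as root (or with CAP_NET_RAW) against a target list you have been given in writing; run_quick_scan() simply feeds the real output through the same parser. The "filtered" 445 entry in the sample is dropped by open_services() on purpose: a filtered port tells you about a firewall rule, not about a listening service, so it should not end up in the "unexpected services" list handed to the admins.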

