Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Crashing services with NMAP and/or SuperScan ?

from [Jerry Shenk] Network Security [Permanent Link]
Subject: RE: Crashing services with NMAP and/or SuperScan ?
Date: Wed, 24 Nov 2004 07:58:33 -0500 
Keying on your last paragraph, I have run into this and did exactly
that.  I said something like, "We really need to track down exactly what
broke, can we schedule a time for a repeat test."  

-----Original Message-----
From: Petr.Kazil@eap.nl [mailto:Petr.Kazil@eap.nl] 
Sent: Tuesday, November 23, 2004 5:42 AM
To: pen-test@securityfocus.com
Subject: Crashing services with NMAP and/or SuperScan ?








(Side question:  Has anyone ever crashed a server when the dangerous

scans

are disabled?)


L.S.

I'm doing a series of quickscans in divisions of a large organization. I
intentionally don't go deep, I just scratch the surface. So we can find
only bad security errors, nothing subtle.

One step in the quickscan is a portscan of the internal network. I've
tried
both nmap and Superscan. This usually brings out a lot of unexpected
mail
services, ftp servers, low services, web management interfaces etc.

With Superscan I seem to have blown out a switch. It went "red" on the
HP
Openview screen and didn't react to ping anymore. All the network
traffic
continued - fortunately :-) As of today the admins haven't been able to
tell me what really happened. I haven't dared to try Superscan anymore -
although I like it's output very much - especially it's checks for
headers
and anonymous FTP and SMTP.

Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and
Unix machines, but on WinNT SP5 (!) machines I seem to have blown out :
- one Oracle TNS Listener - however the admin said "everything continued
to
function"
- 2 or 3 Storageworks EVA Secure Path services.

Fortunately the admins were not upset. They looked through the services
on
the servers, looked which ones had gone "stopped" and set them back to
"started".

Question:
Do you think that running nmap without the -sV -O options could avoid
this
and still give me enough information?

These are always difficult situations - replications is not easy (I
canot
ask : "Can I run the scan again and see if the same thing hapens?"). I
can't test all OS versions on my test network. I'm not even sure if I'm
really to blame, it could even be coincidence ...

Of course I asked (and re-asked) before my scan: What subnetwork can I
scan
and which IP's should I avoid? Answer: We don't expect any problems,
just
take our whole subnet.

Your comments are very welcome.

Greetings, Petr Kazil
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Crashing services with NMAP and/or SuperScan ?, Peter Wood
Next by Date:  Re: Social Engineering ... ?, richardw
Previous by Thread:  Re: Crashing services with NMAP and/or SuperScan ?, Peter Wood
Next by Thread:  Re: Crashing services with NMAP and/or SuperScan ?, Dave McCormick
Indexes:  [Date] [Thread] [Top] [All Lists]