
| Subject: | RE: Crashing services with NMAP and/or SuperScan ? |
|---|---|
| Date: | Wed, 24 Nov 2004 11:29:17 -0000 |
Petr,
A standard -sS shouldn't give any problems, but won't give you banners. If
availability is critical, then manual verification of services with Netcat is
the safest option.
We have seen occasional issues with -O, -sU, -sV, and -A across a range of
devices over several years.
You really can't tell how a stack/application will handle strange requests at
times. Most devices are fine, occasionally you get a flaky one. Generally,
the ones that fall over are the critical, custom applications that have never
been tested before ;-}
I wouldn't recommend running -O as part of a generic scan. Better to run a
specific scan based on open and closed ports with -O.
SuperScan doesn't do anything fancy. Sounds as though you stressed the switch
and/or saturated the available bandwidth. The ICMP traffic simply got lost in
the noise. This is a valid result - if a (presumably) single laptop could
cause these issues, then there is a possible network DoS issue to be addressed.
You can't preclude this type of event from happening. Weird stuff happens
during testing, but that's the interesting bit. At best, your actions can
limit the risk, but make sure your paperwork for the test stresses residual
risk, and get the customer to accept that as part of the test.
HTH
Mark
Mark Brewis
Forensic Services - EMEA
UK Information Assurance Group
EDS
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.
Tel: +44 (0)1908 28 4013
Mbl: +44 (0)7989 291 648
Fax: +44 (0)1908 28 4393
E@: mark.brewis@eds.com
securityforensicsEMEA@eds.com
-----Original Message-----
From: Petr.Kazil@eap.nl [mailto:Petr.Kazil@eap.nl]
Sent: 23 November 2004 10:42
To: pen-test@securityfocus.com
Subject: Crashing services with NMAP and/or SuperScan ?

(Side question: Has anyone ever crashed a server when the dangerous scans are disabled?)

With SuperScan I seem to have blown out a switch. It went "red" on the HP OpenView screen and didn't react to ping anymore. All the network traffic continued - fortunately :-) As of today the admins haven't been able to tell me what really happened. I haven't dared to try SuperScan anymore - although I like its output very much - especially its checks for headers and anonymous FTP and SMTP.

Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and Unix machines, but on WinNT SP5 (!) machines I seem to have blown out:
- one Oracle TNS Listener - however the admin said "everything continued to function"
- 2 or 3 StorageWorks EVA Secure Path services.

Fortunately the admins were not upset. They looked through the services on the servers, looked which ones had gone "stopped" and set them back to "started".

Question: Do you think that running nmap without the -sV -O options could avoid this and still give me enough information?

These are always difficult situations - replication is not easy (I cannot ask: "Can I run the scan again and see if the same thing happens?"). I can't test all OS versions on my test network. I'm not even sure if I'm really to blame, it could even be coincidence ...

Of course I asked (and re-asked) before my scan: What subnetwork can I scan and which IPs should I avoid? Answer: We don't expect any problems, just take our whole subnet.

Your comments are very welcome.

Greetings, Petr Kazil
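The staged approach Mark describes (a plain -sS sweep first, then -sV and -O only as targeted follow-ups) can be scripted from nmap's grepable (-oG) output. The example below is added here and is not part of the thread; the sample -oG lines and addresses are constructed, and the only assumption is nmap's documented -oG line format (`port/state/proto//service///` entries plus an `Ignored State:` summary).

```python
import re
from typing import Dict, List, NamedTuple

class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str

# Constructed sample of nmap grepable (-oG) output from a plain -sS sweep; made-up addresses.
SAMPLE_GREPABLE = """\
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 1521/open/tcp//oracle///\tIgnored State: filtered (999)
Host: 10.0.0.7 ()\tStatus: Down
"""
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")  # port/state/proto//service///

def parse_grepable(text: str) -> Dict[str, dict]:
    """Map each host to its listed ports and the state nmap gave the unlisted ones."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        info = hosts.setdefault(host, {"up": False, "ports": [], "ignored": None})
        info["up"] |= fields.get("Status") == "Up" or "Ports" in fields
        info["ports"] += [Port(int(n), pr, st, sv)
                          for n, st, pr, sv in PORT_RE.findall(fields.get("Ports", ""))]
        m = re.match(r"(\w+) \(\d+\)", fields.get("Ignored State", ""))
        if m:
            info["ignored"] = m.group(1)
    return hosts

def plan_stage_two(hosts: Dict[str, dict]) -> List[List[str]]:
    """Build stage-two argv lists for review; nothing is executed here."""
    cmds: List[List[str]] = []
    for host, info in sorted(hosts.items()):
        open_tcp = sorted(p.number for p in info["ports"] if p.proto == "tcp" and p.state == "open")
        if not info["up"] or not open_tcp:
            continue  # nothing to fingerprint: skip rather than probe blindly
        # Version probes go only to ports stage one already saw open.
        cmds.append(["nmap", "-sS", "-sV", "-p", ",".join(map(str, open_tcp)), host])
        # -O works best with one open and one closed TCP port; "Ignored State:
        # closed" means stage one saw closed ports, "filtered" means it did not.
        if info["ignored"] == "closed":
            cmds.append(["nmap", "-sS", "-O", host])
    return cmds
```

The planner only produces argument lists, so the follow-up scope can be checked against the customer's agreed target list before anything is run.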