
| Subject: | Re: Port Scanning. |
|---|---|
| Date: | Mon, 13 Dec 2004 16:24:05 +0000 |
Hi Faisal,
I found that using nmap alone is usually enough, provided you use the
proper settings. An exception is when you're dealing with a firewall
trying to assess how exactly things interconnect, in such cases you can
try hping2/3 or firewalk.
A short time ago I posted an answer somewhere about the most useful nmap
settings to scan a "normal" network. IMHO:
* use a very common source port, like 80 (-g 80)
* fragment, and be sure that nothing on YOUR side is trying to defragment
(-f)
* use paranoid timing, to avoid overreaction from an eventual IDS (-T0)
* use SYN scan (-sS)
* use decoys if overreacting IDS are a concern, and if allowed by your
contract! (-D {decoy1},{decoy2},...)
Then go for any advanced techniques, as required (for example ACK or
Window scan).
You can combine OS detection with the above, scan UDP ports, etc.; this will
depend on the exact setup of the network you're checking, and what you are
looking for.
If you don't know what to expect, scan the entire port range, sometimes I
found interesting things in high ports (for example a proxy, or a Java
application server), that were not supposed to be open to the world.
Lastly, don't forget some of the most esoteric and advanced techniques,
that are used once every solstice, like IPID scan from probably trusted
machines, etc.
Because sometimes you need to use advanced techniques, very often you
need to scan more than once, but I also recommend (if possible) to scan
from a completely different source IP address (example: scanning a certain
system in Spain from my country showed 2 open ports of a proxy installed
by the ISP, but these ports were not shown when scanned from the same
ISP's network).
IMHO nmap is simply the best port scanner out there. But of course other
people can have different preferences, so no flame wars on port scanners
please ;-)
I like it on Linux more than on Windows, *somehow* I found it more
reliable ;-)
IIRC, Fyodor is a member of this list, so perhaps he can enlighten us all
(or send us to RTFM ;-)
Cheers,
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
Faisal Khan <faisal@netxs.com.pk>
13/12/2004 14:46
To: pen-test@securityfocus.com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Port Scanning.
What's a good industry practice whilst doing port-scanning during a
pen-test.
Do you rely on the results of a single vendor's software or do you use
multiple pieces of software?
Also, with each OEM/vendor - do you scan once or twice?
I need to do a scan on a Class C Address if that matters in any way.
Faisal
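Two of the points above lend themselves to a worked example: the recommended nmap option set (-sS, -g 80, -f, -T0, optional -D, full port range) and the advice to scan the same target from a second source IP and compare. The script below is an added example, not code from either poster. It assembles the recommended command line as an argv list without running anything, then parses nmap's greppable (-oG) output from two constructed runs and reports which open ports one vantage point saw that the other did not. The two scan outputs embedded in it are constructed samples, not captured from a real scan, and the addresses are documentation ranges.

```python
"""Build the nmap command the post recommends and diff two scans of the
same target taken from different source addresses.

Added example for the list post above; not part of the original thread.
Sample -oG output below is constructed, not a real capture.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

PortSet = Set[Tuple[int, str]]          # {(port, proto), ...}


def recommended_nmap_args(target: str, decoys: Optional[List[str]] = None,
                          full_range: bool = True) -> List[str]:
    """Return argv for the option set suggested in the post.

    -sS  SYN scan            -g 80  common source port
    -f   fragment probes     -T0    paranoid timing (one probe at a time,
                                    long waits; a full-range scan at this
                                    speed takes days, so budget for it)
    -f only helps if nothing between nmap and the wire (host firewall,
    NAT box) reassembles the fragments before they leave your side.
    Nothing is executed here; pass the list to subprocess.run() yourself.
    """
    args = ["nmap", "-sS", "-g", "80", "-f", "-T0"]
    if full_range:
        args += ["-p", "1-65535"]           # high ports hide proxies, app servers
    if decoys:                              # only if the engagement contract allows it
        args += ["-D", ",".join(decoys + ["ME"])]   # ME = our real address
    args += ["-oG", "-", target]            # greppable output on stdout
    return args


def run_scan(target: str, **kw) -> str:
    """Run the recommended scan (needs root for -sS/-f) and return -oG text."""
    return subprocess.run(recommended_nmap_args(target, **kw),
                          capture_output=True, text=True, check=True).stdout


# One entry in a -oG "Ports:" field looks like  8080/open/tcp//http-proxy///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> Dict[str, PortSet]:
    """Map host -> set of (port, proto) that nmap reported as open.

    Status-only lines and '#' comment lines carry no Ports: field and are
    skipped. The field list is tab-separated, so everything after the
    first tab ('Ignored State: ...') is dropped before matching.
    """
    result: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        opened = {(int(port), proto)
                  for port, state, proto in PORT_RE.findall(ports_field)
                  if state == "open"}
        result.setdefault(host, set()).update(opened)
    return result


def diff_open_ports(a: Dict[str, PortSet],
                    b: Dict[str, PortSet]) -> Dict[str, Tuple[PortSet, PortSet]]:
    """Per host: (open only in b, open only in a). Hosts that agree are omitted."""
    out = {}
    for host in set(a) | set(b):
        in_a, in_b = a.get(host, set()), b.get(host, set())
        if in_a != in_b:
            out[host] = (in_b - in_a, in_a - in_b)
    return out


# Constructed sample output, mirroring the post's ISP-proxy observation.
SCAN_FROM_OUTSIDE = """\
# Nmap scan initiated (constructed sample, not a real capture)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3128/open/tcp//squid-http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
"""
SCAN_FROM_SAME_ISP = """\
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3128/filtered/tcp//squid-http///\tIgnored State: closed (65532)
"""

if __name__ == "__main__":
    print(" ".join(recommended_nmap_args("203.0.113.0/24", decoys=["198.51.100.7"])))
    outside = parse_grepable(SCAN_FROM_OUTSIDE)
    inside = parse_grepable(SCAN_FROM_SAME_ISP)
    for host, (only_outside, only_inside) in diff_open_ports(inside, outside).items():
        print(host, "open only from outside:", sorted(only_outside),
              "open only from inside ISP:", sorted(only_inside))
```

Run it once from each vantage point (the real scans via `run_scan`, saving the text), then feed both outputs to `diff_open_ports`; any port that shows up in only one column is the kind of ISP-installed proxy the post describes and deserves a second, targeted look (for example with an ACK or window scan) before it goes in the report. `PORT_RE` deliberately anchors on the leading port number so service or version fields containing digits do not produce spurious matches.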