
Network Security Pen-Test

Re: Port Scanning.

Subject: Re: Port Scanning.
Date: Tue, 14 Dec 2004 00:27:37 -0700
On Mon, 13 Dec 2004 19:46:43 +0500, Faisal Khan <faisal@netxs.com.pk> wrote:

> What's a good industry practise whilst doing port-scanning during a pen-test?

One common approach is to only scan ports that you have exploits for.
Or if you are limiting yourself to only using a certain exploit, only
scan for that port.  This limits the chances of an IDS catching it.
The kiddies do this all of the time.  If some new ftp exploit gets
released, large blocks of the internet will only be scanned for port
21.

You don't have to port scan the ports that you know are open.  Some
services will log "odd" connections.  If sniffing shows that a server
is running ssh, leave port 22 out of any port scans.

$ nmap -sT -p 22 192.168.1.1

For /var/log/messages:
Dec 12 11:33:22 hostname sshd[2584]: Could not write ident string to 192.168.1.100

nmap's -F option is handy.

Use amap to find servers running on odd ports.  It works well with nmap's
undocumented -oM option (deprecated in 2.54BETA6).

http://www.thc.org/releases.php

> Do you rely on the results of a single vendor's software or do you use
> multiple software packages?

Why limit yourself?  Someday, you will find yourself with a cmd shell
as your only foothold behind a firewall that does a good job of
stopping port scans.  Small, command line scanners such as ScanLine,
from Foundstone, become your best friend (along with pwdump, net
commands, etc.).

> Also, with each OEM/vendor - do you scan once or twice?

Things can change throughout the day.  Maybe they have a classroom
full of default installs that are only on during the day.  Or the only
time the backup server is turned on/connected to the network is while
it's doing backups in the middle of the night.  Or someone is testing
new software and you just happen to catch it.  etc.  When you get
stumped, start looking for changes.

Just remember, running port scans without changing the timing has a
habit of setting off IDSs.  But that may be part of your user
agreement, to see if the sysadmins are sleeping at the wheel.  Then
you'll run multiple port scans starting with Paranoid and work your
way up to Insane.  Then note when your IP gets blocked (if it ever
does).

Also, using decoys while scanning from the inside can sometimes give
you away.  Using decoys works better if you are scanning from outside
of the firewall.

dentonj
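A defender-side counterpart to the sshd log line quoted in the reply above, added here as an example that is not part of the post or the list: it parses syslog lines for sshd's banner-exchange failures ("Could not write ident string to" and the related "Did not receive identification string from") and flags source addresses that produce a burst of them, which is the trace a connect scan of port 22 leaves in /var/log/messages. The sample log, the year 2004 used to complete the syslog timestamps, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The first line is the one quoted in the post; the
# rest are made up to show a short burst from one source and normal traffic.
SAMPLE_LOG = """\
Dec 12 11:33:22 hostname sshd[2584]: Could not write ident string to 192.168.1.100
Dec 12 11:33:23 hostname sshd[2585]: Could not write ident string to 192.168.1.100
Dec 12 11:33:23 hostname sshd[2586]: Did not receive identification string from 192.168.1.100
Dec 12 11:33:24 hostname sshd[2587]: Could not write ident string to 192.168.1.100
Dec 12 11:40:01 hostname sshd[2601]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2
Dec 12 12:05:10 hostname sshd[2640]: Did not receive identification string from 10.0.0.9
"""

# sshd logs one of these when a TCP client connects and goes away before the
# SSH banner exchange completes; a connect scan looks exactly like that.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Could not write ident string to|Did not receive identification string from) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_banner_failures(text, year=2004):
    """Return [(datetime, src_ip)] for every sshd banner-exchange failure.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"]))
    return events


def find_probe_bursts(events, threshold=3, window_s=60):
    """Map src_ip -> peak failure count for sources with >= threshold failures
    inside any sliding window of window_s seconds (sliding-window count)."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A successful login ("Accepted publickey ...") is deliberately not matched, and a single stray failure stays below the threshold, so only the burst source is reported.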
