RE: Penetration test report - your comments please?

From: samsi data (samsidataat_private)
Date: Wed May 30 2001 - 11:38:29 PDT


    >From: "pete"
    >Reply-To:
    >To: , "osstmm"
    >Subject: RE: Penetration test report - your comments please?
    >Date: Wed, 30 May 2001 17:33:25 +0200
    >
    >This pen test posted on Security Focuses' Pen-Test mailing list brings up 
    >the question of the testing of protocols as to the OSSTMM 
    >(http://www.osstmm.org) and the reliability of NMAP's protocol scanning. As 
    >I apply the module "Port Scanning" the tasks for protocol identification 
    >are a bit difficult to automate. Of course, NMAP claims to do it but I 
    >consistently get at least IGMP for most systems which I do have difficulty 
    >with accepting. I use NMAP for many of the tasks in that section but have 
    >been hesitant on the protocol testing. Of course a bit of scripting will 
    >automate some but while I was a bit hesitant about NMAP's results I thought 
    >I would ask what others thought of this.
    >
    
    I don't think this is really a problem with nmap, but with using the lack of a 
    response to indicate that a given protocol (at whatever layer) is active.
    
    Nmap protocol scans should be no more/less reliable than UDP scans which 
    also attempt to elicit ICMP unreachable messages. Just as the only real way 
    to see if a UDP application is active is to send application layer data 
    (DNS, BIND, RPC, ISAKMP) and check for some sort of response, you will need 
    to send an IP Protocol Message (ICMP, TCP, UDP, IGMP, RSVP, GRE, AH, ESP, 
    etc.) and look for a meaningful response. But then again, just because you 
    get a SYN-ACK back doesn't mean a TCP server is actually listening. It could 
    just be inetd.
    
    BTW, I do think multicast protocols are used on Windows boxes for multimedia 
    stuff.
    
    s d
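
An added example, not part of the original message: a classifier for the reply to a single IP protocol probe, showing why a timeout cannot be read as "protocol active" while an ICMP protocol unreachable (type 3, code 2) is positive evidence. The state names, the handling of ICMP codes other than 2, and all packets and addresses are constructed assumptions of this example.

```python
import struct

ICMP, IGMP, TCP = 1, 2, 6                      # IANA IP protocol numbers
SCANNER, TARGET = (192, 0, 2, 10), (192, 0, 2, 20)  # constructed addresses

def ipv4(proto, src, dst, payload=b""):
    """Constructed IPv4 packet; checksum left 0 because classify() never checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def icmp_unreach(code, probed_proto):
    """Constructed ICMP type 3 reply quoting the probe's IP header plus 8 bytes."""
    quoted = ipv4(probed_proto, SCANNER, TARGET, b"\x00" * 8)
    return ipv4(ICMP, TARGET, SCANNER, struct.pack("!BBHI", 3, code, 0, 0) + quoted)

def classify(probed_proto, reply):
    """State for one IP protocol probe; reply is raw IPv4 bytes or None on timeout."""
    if reply is None or len(reply) < 20:
        return "open|filtered"      # silence: listening, dropped, or rate-limited
    ihl = (reply[0] & 0x0F) * 4
    proto, body = reply[9], reply[ihl:]
    if proto == ICMP and len(body) >= 28 and body[0] == 3:
        quoted = body[8:]           # IP header of the packet that caused the error
        if quoted[9] != probed_proto:
            return "open|filtered"  # error belongs to a different probe
        if body[1] == 2:
            return "closed"         # protocol unreachable: positive evidence
        if body[1] == 3:
            return "open"           # port unreachable: the protocol was processed
        return "filtered"           # e.g. 13, administratively prohibited
    if proto == probed_proto:
        return "open"               # answered in kind; says nothing about a real service
    return "open|filtered"

def demo():
    return {
        "IGMP, no reply": classify(IGMP, None),
        "IGMP, proto unreachable": classify(IGMP, icmp_unreach(2, IGMP)),
        "IGMP, admin prohibited": classify(IGMP, icmp_unreach(13, IGMP)),
        "IGMP, error for TCP probe": classify(IGMP, icmp_unreach(2, TCP)),
        "TCP, TCP segment back": classify(TCP, ipv4(TCP, TARGET, SCANNER, b"\x00" * 20)),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:28} {state}")
```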
    



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 18:42:32 PDT