FW: baby pen-test question

From: leon (leonat_private)
Date: Sun Sep 23 2001 - 18:06:18 PDT


    Hi everyone,
    
    I have a few “baby” questions about pen-testing / vulnerability assessment.  I say this because maybe the answers to these questions are common knowledge (probably are).  My first question is about port scanning.  Bear with me while I set up a scenario.
    
    Well, I would think backdoors in a network would generally listen on some port.  Now let's say we have some kind of listener, kind of like Sub7 or whatever, but home-made.  It does not have an anti-virus signature, so it is not picked up by that.  I know that things like ISS, Nessus, CyberCop, etc. look for Trojans by scanning the default ports (SubSeven 27374, NetBus 12345, etc.).  If I am a hacker I am going to have the server run on a very high port number like 60,000.  So when people do audits, my question is: do you port scan every port (both TCP and UDP) on every host, or do you just scan with ISS, or maybe just an Nmap of 1 - 1024?  Do people nmap everything (every single port on both TCP and UDP)?  I would assume this must take quite a bit of time if the network is large (even small) and probably use up a lot of bandwidth (create a lot of traffic if you have a lot of people doing every port of every machine).  However, I would think that you would have to do this if you were being thorough, because if you pick a range (say 1 - 30000), you happen to be wrong and the attacker has, let's say, some super cool Trojan that is unknown and phones home with a connection out on port 80 to some preset IP, you might be in a lot of trouble (well, the company's reputation anyway).
    
    That brings me to my next question, which is about medium / large networks.  Do people scan every single host with things like Nessus / insert your favorite scanner / tool here, or do they just take a sample (say 20 out of 200)?  Say there was a network with 2000 hosts.  Even with 4 consultants with amazing laptops it still takes time.  I realize that this is probably up to the customer, but maybe what I am curious about is what happens more frequently, or what do you actually suggest when the customer asks
    scanning.  Is this left to run at night or something???
    
    Anyway I am sure I will have more questions soon ☺
    
    Public and private response welcome.
    
    Cheers,
    
    Leon
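    As an added example from the defender's side (not part of Leon's post or any reply): a home-made listener on a high port such as 60000 is missed by default-port Trojan checks, and sweeping all 65535 TCP and UDP ports on every host is slow, so a host-side inventory of listening sockets diffed against an approved baseline catches such a listener cheaply. The `ss -tulnp` output, the process names and the baseline below are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1033,fd=20))
tcp   LISTEN 0      5      0.0.0.0:60000      0.0.0.0:*         users:(("updater",pid=4821,fd=4))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("ntpd",pid=640,fd=16))
udp   UNCONN 0      0      [::]:60001         [::]:*            users:(("updater",pid=4821,fd=5))
"""

# Hypothetical approved baseline for this host: (protocol, port) -> expected process name.
BASELINE = {("tcp", 22): "sshd", ("tcp", 3306): "mysqld", ("udp", 123): "ntpd"}

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

def parse_listeners(ss_output):
    """Parse `ss -tulnp` style text into Listener records, skipping the header line."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        # rpartition keeps IPv6 forms like [::]:60001 intact and isolates the port
        addr, _, port = fields[4].rpartition(":")
        m = re.search(r'\("([^"]+)"', line)          # process name inside users:(("name",...))
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners

def unexpected_listeners(listeners, baseline):
    """Return (listener, exposed) for sockets missing from the baseline or owned by the wrong process."""
    findings = []
    for lst in listeners:
        if baseline.get((lst.proto, lst.port)) != lst.process:
            exposed = lst.addr not in ("127.0.0.1", "[::1]")   # bound beyond loopback?
            findings.append((lst, exposed))
    return findings

if __name__ == "__main__":
    for lst, exposed in unexpected_listeners(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"unexpected {lst.proto}/{lst.port} ({lst.process}) exposed={exposed}")
```

    Run against real `ss -tulnp` output on each host, the same diff flags high-port listeners without touching the network at all; a network sweep then only has to confirm what the hosts report.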
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 12:04:58 PDT