Hi everyone, I have a few "baby" questions about pen-testing / vulnerability assessment. I say this because maybe the answers to these questions are common knowledge (probably are).

My first question is about port scanning. Bear with me while I set up a scenario. Well, I would think backdoors in a network would generally listen on some port. Now let's say we have some kind of listener, kind of like Sub7 or whatever, but home-made. It does not have an anti-virus signature, so it is not picked up by that. I know that things like ISS, Nessus, CyberCop, etc. look for Trojans by scanning the default ports (SubSeven 27374, NetBus 12345, etc.). If I am a hacker I am going to have the server run on a very high port number like 60,000.

So when people do audits, my question is: do you port scan every port (both TCP and UDP) on every host, or do you just scan with ISS, or maybe just an Nmap of 1 - 1024? Do people nmap everything (every single port on both TCP and UDP)? I would assume this must take quite a bit of time if the network is large (even small) and probably use up a lot of bandwidth (create a lot of traffic if you have a lot of people doing every port of every machine). However, I would think that you would have to do this if you were being thorough, because if you pick a range (say 1 - 30000) and you happen to be wrong (the attacker has, let's say, some super cool Trojan that is unknown and phones home with a connection out on port 80 to some preset IP), you might be in a lot of trouble (well, the company's reputation anyway).

That brings me to my next question, which is about medium / large networks. Do people scan every single host with things like Nessus / insert your favorite scanner / tool here, or do they just take a sample (say 20 out of 200)? Say there was a network with 2000 hosts. Even with 4 consultants with amazing laptops it still takes time.

I realize that this is probably up to the customer, but maybe what I am curious about is what happens more frequently, or what do you actually suggest when the customer asks for scanning? Is this left to run at night or something? Anyway, I am sure I will have more questions soon ☺ Public and private responses welcome.

Cheers,
Leon

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 12:04:58 PDT
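One defensive way to make the "listener on port 60000" case in the post tractable, as an added example that is not part of the original message: sweep all ports and diff the result against a per-host baseline of what each machine is expected to expose, so anything outside the baseline is flagged for investigation regardless of port number. The nmap -oG sample and the BASELINE allow-list below are constructed, and `unexpected_listeners` is a hypothetical helper, not a real tool.

```python
"""Flag open ports that a per-host baseline does not account for.

Added example, not from the original post. The input is a constructed
sample of nmap's "grepable" (-oG) output from a full-port sweep; the
baseline is a hypothetical allow-list kept by the audit team.
"""
import re

# Constructed sample of nmap -oG lines for two hosts (full TCP sweep).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -p- -oG - 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 60000/open/tcp//unknown///\tIgnored State: closed (65532)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 25/open/tcp//smtp///, 53/open/udp//domain///\tIgnored State: closed (65533)
"""

# Hypothetical baseline: (host, proto, port) tuples each host should expose.
BASELINE = {
    ("10.0.0.1", "tcp", 22),
    ("10.0.0.1", "tcp", 80),
    ("10.0.0.2", "tcp", 25),
}

# One -oG port entry looks like "22/open/tcp//ssh///"; capture port, state, proto.
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")


def parse_gnmap(text):
    """Return the set of (host, proto, port) reported open in -oG output."""
    found = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, _state, proto in PORT_RE.findall(ports_field):
            found.add((host, proto, int(port)))
    return found


def unexpected_listeners(text, baseline):
    """Return open ports absent from the baseline, sorted by host/proto/port."""
    return sorted(parse_gnmap(text) - baseline)


if __name__ == "__main__":
    for host, proto, port in unexpected_listeners(SAMPLE_GNMAP, BASELINE):
        print(f"{host} {proto}/{port}: not in baseline, investigate")
```

Running it against the sample reports 10.0.0.1 tcp/60000 and 10.0.0.2 udp/53, which is exactly the kind of high-port or unplanned service a signature-only Trojan check would miss.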