Re: FW: baby pen-test question

From: Florindo.Gallicchioat_private
Date: Mon Sep 24 2001 - 12:43:02 PDT


    Leon:
    
    Before I use any commercial scanner (both as a consultant and in my present
    job), I ALWAYS do an nmap sweep of varying degrees.  nmap is your very best
    friend.  Depending on certain parameters of a system (e.g., mission
    criticality, level of risk, accessibility by humans versus services, etc.),
    I will do either a "known-port" nmap scan, or a full scan (-p1-65535).  UDP
    scans are a bit difficult to do since there's a high degree of false
    returns based on the nature of UDP, but I do test for the known ports.
    Remember that a scanner will not tell you definitively if there is a
    backdoor on the machine.  You have to manually check on the command line
    using such things as netstat and such.
    
    As for testing a large network, I primarily base my efforts on the mission
    criticality and level of risk to determine what tests I do.  Oftentimes a
    representative sampling works, especially if all servers in a group or
    network are built from the same JumpStart script (or whatever it is you can
    use for Microsoft servers) or manual lockdown procedure.  Unfortunately,
    most of my clients in the past did not have commonly configured machines,
    so again, the principles behind risk levels and mission criticality apply.
    
    Oh - as for your comment about leaving the scan running over night:  I
    would never, ever recommend running any automated scan against any
    production machine.  It can result in you getting paged in the middle of
    the night by some support person calling you in to explain why the scan
    broke a production machine.  This happens whether or not you were perfectly
    careful in the type of scan you ran.  Two exceptions to my rule: wardialing
    and the use of the "Paranoid" setting on nmap, which takes approximately
    two point five lifetimes to do a Class-C.
    
    Florindo
    _________________________________________________________
    Florindo Gallicchio * Director, Security Assessment & Compliance *
    Radianz * 492 River Rd. * Nutley, NJ 07110 USA *
    +1 973 662 3158 * florindo.gallicchioat_private
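Florindo's point above, that a scanner will not settle whether a host has a backdoor and that you have to look at netstat on the box itself, is easy to turn into a repeatable check once you have a baseline of what each build should be listening on. The following is an added example, not code from either poster or from any tool named in the thread. It assumes the Linux-style `netstat -an` column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the netstat lines, the baseline port set and the allow-listed hosts are constructed sample data.

```python
"""Audit a host's sockets against a baseline using netstat -an output.

Added example (not from the mailing-list thread).  Assumes Linux-style
'netstat -an' columns: Proto Recv-Q Send-Q Local Foreign [State].
"""
from typing import NamedTuple


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: str   # '*' for unconnected sockets, so kept as a string
    state: str         # '' for UDP, which reports no state column


def _split_addr(addr: str):
    # rpartition handles both 'a.b.c.d:port' and IPv6 ':::port' forms
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text: str):
    """Turn raw netstat -an text into Socket records, skipping headers."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner / column-header / unrelated lines
        lhost, lport = _split_addr(fields[3])
        rhost, rport = _split_addr(fields[4])
        state = fields[5] if len(fields) > 5 else ""
        sockets.append(Socket(fields[0], lhost, int(lport), rhost, rport, state))
    return sockets


def unexpected_listeners(sockets, baseline):
    """(proto, port) pairs that are listening but absent from the build baseline.

    TCP listeners carry state LISTEN; a UDP socket bound with a '*' peer is
    treated as listening because netstat gives no state for UDP.
    """
    found = set()
    for s in sockets:
        listening = s.state == "LISTEN" or (
            s.proto.startswith("udp") and s.remote_port == "*")
        key = (s.proto[:3], s.local_port)   # fold tcp6/udp6 into tcp/udp
        if listening and key not in baseline:
            found.add(key)
    return sorted(found)


def connections_to_unknown_hosts(sockets, allowed_remotes):
    """Established sessions whose peer is not on the allow list.

    netstat does not say which side opened the connection, so the allow list
    must cover both legitimate inbound peers and legitimate outbound targets.
    """
    return sorted({(s.remote_ip, int(s.remote_port)) for s in sockets
                   if s.state == "ESTABLISHED"
                   and s.remote_ip not in allowed_remotes})


# Constructed sample output (hypothetical host 10.0.0.7), not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.7:41022          203.0.113.5:80          ESTABLISHED
tcp        0      0 10.0.0.7:22             10.0.0.20:51114         ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:61000           0.0.0.0:*
"""

# Constructed baseline: what this build is supposed to expose (ssh, http, ntp).
BASELINE = {("tcp", 22), ("tcp", 80), ("udp", 123)}
# Constructed allow list: the admin workstation that opens ssh sessions.
ALLOWED_REMOTES = {"10.0.0.20"}

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(socks, BASELINE))
    print("sessions to unknown hosts:",
          connections_to_unknown_hosts(socks, ALLOWED_REMOTES))
```

The baseline is the natural by-product of the JumpStart-style build Florindo mentions: record the listeners of a freshly built reference host once, then run this against every host in the group and read only the differences. A high listener such as tcp/60000 shows up regardless of which port range a remote scan covered, and the peer check catches the "phones home on port 80" case in Leon's question that a listener-only scan cannot see at all.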
    
    
    From: "leon" <leonat_private m>
    Sent: 09/23/2001 09:06 PM
    To: <pen-testat_private>
    cc:
    Subject: FW: baby pen-test question
    
    Hi everyone,
    
    I have a few “baby” questions about pen-testing / vulnerability assessment.
    I say this because maybe the answers to these questions are common
    knowledge (probably are).  My first question is about port scanning.  Bear
    with me while I set up a scenario.  Well, I would think backdoors in a
    network would generally listen on some port.  Now let's say we have some
    kind of listener, kind of like Sub7 or whatever, but home-made.  It does not
    have an anti-virus signature so it is not picked up by that.  I know that
    things like ISS, Nessus, CyberCop, etc. look for Trojans by scanning the
    default ports (SubSeven 27374, NetBus 12345, etc.).  If I am a hacker I am
    going to have the server run on a very high port number like 60,000.  So
    when people do audits, my question is: do you port scan every port (both TCP
    & UDP) on every host, or do you just scan with ISS or maybe just an nmap
    of 1 - 1024?  Do people nmap everything (every single port on both TCP &
    UDP)?  I would assume this must take quite a bit of time if the network is
    large (even small) and probably use up a lot of bandwidth (create a lot of
    traffic if you have a lot of people doing every port of every machine).
    However, I would think that you would have to do this if you were being
    thorough, because if you pick a range (say 1 - 30000), you happen to be wrong,
    and the attacker has, let's say, some super cool Trojan that is unknown and
    phones home with a connection out on port 80 to some preset IP, you might
    be in a lot of trouble (well, the company's reputation anyway).  That brings
    me to my next question, which is about medium / large networks.  Do people
    scan every single host with things like Nessus / insert your favorite
    scanner / tool here, or do they just take a sample (say 20 out of 200)?
    Say there was a network with 2000 hosts.  Even with 4 consultants with
    amazing laptops it still takes time.  I realize that this is probably up to
    the customer, but maybe what I am curious about is what happens more
    frequently or what do you actually suggest when the customer asks for
    advice.  Especially the port scanning.  Is this left to run at night or
    something???
    
    Anyway I am sure I will have more questions soon ☺
    
    Public and private response welcome.
    
    Cheers,
    
    Leon
    
    
    ----------------------------------------------------------------------------
    
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service, which
    automatically alerts you to the latest security vulnerabilities, please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 13:00:17 PDT