Usually you would want to scan all ports on all machines. Both UDP and TCP (I usually use nmap -sS syn scan rather than connect(-sT). I know someone's gonna yelp about that one... As for the only scanning a few machines, that all depends on what the client wants. Some want samples of only a few hosts (usually to save a few hundered dollars). You also want to run Nessus/ISS/Cops just scanning ports 1-15000, this way you have the major services covered with the mass-vuln assessment program, and ALL ports covered by nmap. Also if they own say... a few class c's you would want to nmap the whole range. I usually break it up like this. do an nmap ping sweep, start a scan without the -PO no ping flag and that will finish up fairly quickly. Then for all machines that didn't respond to ping use the -PO flag to see if there are any "hidden" machines. This takes an extensive amount of time because it's trying ports that do not even reply. Take the ranges and split it up on multiple machines... bluefur0r Op Sun, 23 Sep 2001 21:06:18 -0400 leon <leonat_private> geschreven: >Hi everyone, > >I have a few “baby” questions about pen-testing / vulnerability assessment. I say this because maybe the answers to these questions are common knowledge (probably are). My first question is about port scanning. Bear with me while I set up a scenario. Well I would think backdoors in a network would generally listen on some port. Now lets say we have some kind of listener kind of like sub 7 or whatever but home-made. It does not have an anti-virus signature so it is not picked up by that. I know that things like ISS, Nessus, Cybercop, Etc look for Trojans by scanning the default ports (subseven 27374, netbus 12345, etc). If I am a hacker I am going to have the server run on a very high port number like 60,000. So when people do audits my question is do you port scan every port (both tcp, & udp) on every host or do you just scan with the ISS or maybe just an Nmap of 1 - 1024? Do people nmap everything (every single port on both tcp & udp)? I would assume this must take quite a bit of time if the network is large (even small) and probably use up a lot of bandwidth (create a lot of traffic if you have a lot of people doing every port of every machine). However I would think that you would have to do this if you were being thorough cause if you pick a range (say 1 - 30000), you happen to be wrong and the attacker has lets say some super cool Trojan that is unknown and phones home with a connection out on port 80 to some preset ip) you might be in a lot of trouble (well the companies reputation anyway). That brings me to my next question which is about medium / large networks. Do people scan every single host with things like Nessus / Insert your favorite scanner / toll here, or do they just take a sample (say 20 out of 200). Say there was a network with 2000 hosts. Even with 4 consultants with amazing laptops it still takes time. I realize that this is probably up to the customer but maybe what I am curious about is what happens more frequently or what do you actually suggest when the customer ask s for advice. Especially the port scanning. Is this left to run at night or something??? > >Anyway I am sure I will have more questions soon ☺ > >Public and private response welcome. > >Cheers, > >Leon > > >---------------------------------------------------------------------------- >This list is provided by the SecurityFocus Security Intelligence Alert (SIA) >Service. For more information on SecurityFocus' SIA service which >automatically alerts you to the latest security vulnerabilities please see: >https://alerts.securityfocus.com/ > > ================================================================= Kies een origineel e-mailadres op www.emails.nl ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 18:22:54 PDT