leon wrote:

> high port number like 60,000. So when people do audits my question is do you port scan every port
> (both tcp, & udp) on every host or do you just scan with the ISS or maybe just an Nmap of 1 - 1024?

The approach to port scanning is very similar to password cracking: you *can* start a brute force approach from the very beginning, but experience shows that there are more efficient ways to go about it.

It's better to begin with those ports (TCP, UDP, RPC) for which you have vulnerability and exploit information -- if you get a hit, you may not need to look for anything else. Why waste further time scanning all the 65k ports if finger information reveals a user named 'ORACLE', and there is a telnet port so you can check out the well-known default password(s) to that account? Far better make the test there and then -- if you find you're in, the remaining ports aren't necessarily interesting. Or if you are lucky enough to find an ONC RPC rexd or pcnfsd server running, or other major holes open ...

That's as far as pen-testing goes. If you're doing an audit, that is verifying that a particular host behaves in the way some internal document says it should behave, you of course check all points you have to check.

> That brings me to my next question which is about medium / large networks. Do people scan every single host with things like Nessus / Insert your favorite scanner / tool here, or do they just take a sample (say 20 out of 200). Say there was a network with 2000 hosts. Even with 4 consultants with amazing laptops it still takes time.

Again, it depends on what you're trying to do. A pen-test? or an audit?

For a pen-test, begin with a basic scan for well-known vulnerabilities. (finger, default passwords, shared disks, X windows, ONC RPC, various HTTP things ...) Do a real *vulnerability* scan if at all possible, not one that says 'you may have a problem here' (Nessus is great for getting that type of response -- I don't think I've seen any ONC RPC-related response that is in any way related to reality) or a mere port scan -- you don't want to wade through hundreds of false positives. The chances are fairly good you won't have to do any further general scans -- you will get enough material to keep you busy, and probably enough material to enable you to make more targeted scans if they're required.

You may want to take a look at the OSSTMM manual at www.ideahamster.org for ideas. However, don't take it as gospel truth -- there are many things left unsaid or unexplained. It may help you get your own thinking started, however.

-- 
Anders Thulin   Anders.X.Thulinat_private   040-661 50 63
Telia ProSoft AB, Carlsgatan 6, SE-201 20 Malmö, Sweden
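The audit case the post contrasts with pen-testing (checking that a host exposes exactly what an internal document says it should) is mechanical enough to script. The following is an added example, not code from the post or the list: it parses the grepable output layout that nmap produces with -oG, compares the open ports seen on each host against a documented baseline, and reports every deviation, putting the services the post names as a sensible first look (finger, telnet, RPC, X11, HTTP) at the top of the list. The scan lines, the baseline and the PRIORITY table are constructed for the demo; the parser only depends on the "Host:" and "Ports:" fields and the seven-slot port/state/proto//service/// notation.

```python
"""Baseline audit of nmap grepable (-oG) output.

Added example, not part of the original mailing-list post. It illustrates the
audit case the post describes: compare what a host actually exposes with what
an internal document says it should expose, and report every deviation.
SAMPLE_SCAN, BASELINE and PRIORITY below are constructed for this demo.
"""
import re
from dataclasses import dataclass, field

# Services the post singles out as a sensible first look. Used only to order
# findings so the reviewer sees the most interesting deviations first.
PRIORITY = {"finger": 0, "telnet": 1, "sunrpc": 2, "x11": 3, "http": 4}

_HOST_RE = re.compile(r"^Host:\s+(\S+)")
# port/state/proto/owner/service/rpcinfo/version as written by nmap -oG
_PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)///")

# Constructed sample in -oG layout (real output separates fields with tabs;
# the parser does not depend on the separator).
SAMPLE_SCAN = """\
# constructed sample, not a real scan
Host: 10.0.0.5 ()   Ports: 22/open/tcp//ssh///, 79/open/tcp//finger///, 23/open/tcp//telnet///, 111/open/tcp//sunrpc///   Ignored State: closed (1020)
Host: 10.0.0.6 ()   Ports: 80/open/tcp//http///, 443/open/tcp//https///, 6000/filtered/tcp//X11///   Ignored State: closed (1021)
Host: 10.0.0.7 ()   Status: Down
"""

# Constructed baseline: what the (hypothetical) internal document permits.
BASELINE = {
    "10.0.0.5": {(22, "tcp")},
    "10.0.0.6": {(80, "tcp"), (443, "tcp")},
    "10.0.0.7": {(25, "tcp")},
}


@dataclass
class HostResult:
    address: str
    open_ports: dict = field(default_factory=dict)  # (port, proto) -> service


def parse_grepable(text: str) -> dict:
    """Parse -oG lines into {address: HostResult}, keeping only open ports."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and hosts reported as down carry no ports
        hr = hosts.setdefault(m.group(1), HostResult(m.group(1)))
        for port, state, proto, service in _PORT_RE.findall(line):
            if state == "open":
                hr.open_ports[(int(port), proto)] = service.lower() or "unknown"
    return hosts


def audit(hosts: dict, baseline: dict) -> list:
    """Compare observed open ports with the documented baseline.

    Returns (address, port, proto, service, verdict) tuples. 'unexpected' means
    open but not documented (including every port of a host the document does
    not know about); 'missing' means documented but not seen open, e.g. a
    service that is down or filtered. Unexpected findings come first, ordered
    by PRIORITY, then by address and port.
    """
    findings = []
    for address, allowed in baseline.items():
        observed = hosts.get(address, HostResult(address)).open_ports
        for key, service in observed.items():
            if key not in allowed:
                findings.append((address, key[0], key[1], service, "unexpected"))
        for key in sorted(allowed - set(observed)):
            findings.append((address, key[0], key[1], "-", "missing"))
    for address in sorted(set(hosts) - set(baseline)):
        for key, service in hosts[address].open_ports.items():
            findings.append((address, key[0], key[1], service, "unexpected"))
    findings.sort(key=lambda f: (f[4] != "unexpected", PRIORITY.get(f[3], 99), f[0], f[1]))
    return findings


def run_demo() -> list:
    """Audit the constructed sample against the constructed baseline."""
    return audit(parse_grepable(SAMPLE_SCAN), BASELINE)


if __name__ == "__main__":
    for address, port, proto, service, verdict in run_demo():
        print(f"{verdict:10} {address:12} {port}/{proto} {service}")
```

The sort order is the point of the exercise: the same deviation list is produced either way, but the reviewer sees the finger, telnet and sunrpc exposures on 10.0.0.5 before the absent SMTP listener on 10.0.0.7, which matches the post's advice to look first where vulnerability information already exists. A filtered port (X11 on 10.0.0.6 in the sample) is deliberately not counted as open.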
This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 10:44:24 PDT