Security Basics mailing list archives
RE: FW: Legal? Road Runner proactive scanning.[Scanned]
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 18 Mar 2004 11:35:51 -0800
I don't think that is quite an accurate analogy either. The difference is that you are only using one phone line, or "port" to call the hotel.
A better analogy would be if hotels had a standard set of extension lines that were tied to specific services that a hotel could offer.
I love it when discussions like these degrade down to 'my analogy is better'. Ok, everyone wins, mine suck, now on to the debate at hand.
When a scanner does OS detection or similar operations, more than just listening for the line to be answered is needed. It would wait for "Hello, Room Service" or something like that before disconnecting, and make its decision on what cuisine was offered by how the phone was answered.
You're overreaching. Portscanners just check for open ports; they don't care about the OS, or even what server is running on the backend. For that you use a discovery application. Now, before anyone tries to lart me, the majority of scanners out there nowadays can pull some info from the server or protocol stack to try to figure out what the host is and what the service on that port is, but that's past the discussion, because that is a value add to the portscanner, not the portscanner itself.
A port scan has to communicate with the port in at least a limited way.
It has to at least receive a response to its probe in order for it to know the port is open, which satisfies a limited level of two-way communication.
Right-A-Mundo-My-Main-Macho-Main! But that doesn't mean it's communicating with the service, process or thread that the port is tied to. Basically it's just communicating with the host system's TCP/IP stack.
To me, port scanning has to be legal. It is too difficult to make it illegal because things get too messy. If you required the machine owner's permission to scan, you start cutting off legitimate uses such as a program that may offer you different ways of connecting to a machine you have legitimate access to (it can check to see if you can connect via ssh, telnet, sftp, terminal services, etc.). It is a fine line between a program determining connection options and a malicious port scan.
The second you get regulators or authorities involved, things get complicated. I believe in the whole 'better judgment' approach to port scanning and service/host discovery. Basically, if your system interacted with my network first, I reserve the right to check out your system. The reason for this 'way of thinking' is that if I'm getting traffic from your system, and it's attacking my IIS server, I'll portscan, traceroute, ping and run some discovery on your system, then decide if I want to talk to your ISP, you or the authorities in your area. Past that I'm not going to go 'lookin'' for you.

This whole thread gave me nostalgia about a similar thread on wardialing on an old BBS I used to frequent. The good ole' days, *sigh*.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Andy Blair [mailto:blai0015 () umn edu]
Sent: Thursday, March 18, 2004 11:05 AM
To: Shawn Jackson; gillettdavid () fhda edu; Jef Feltman; security-basics () securityfocus com
Subject: Re: FW: Legal? Road Runner proactive scanning.[Scanned]
A portscan is a method of checking whether a service is accepting data or not. It's a simple connection that closes if the port responds. A denial of service would be flooding that port with so much traffic that it can't respond to other requests; that is not the case with a portscan. The hotel analogy is fundamentally flawed for this argument. You wouldn't be talking with the operator; a portscan would see if you can 'phone' the hotel, then when they pick up you have verified the 'port' is open. Talking with the operator is akin to communicating with the port, thus you are 'browsing the page' and not just checking to see if the port is open.

Shawn

I don't think that is quite an accurate analogy either. The difference is that you are only using one phone line, or "port", to call the hotel. A better analogy would be if hotels had a standard set of extension lines that were tied to specific services that a hotel could offer. You could dial into each extension, not knowing whether that specific hotel offered the service. If someone picked up, the line for that service is in use. You would have to actually listen to the answer or ask the person on the other line to determine if a specific service were actually offered (simulating the TCP connection handshake).

When a scanner does OS detection or similar operations, more than just listening for the line to be answered is needed. It would wait for "Hello, Room Service" or something like that before disconnecting, and make its decision on what cuisine was offered by how the phone was answered.

A port scan has to communicate with the port in at least a limited way. It has to at least receive a response to its probe in order for it to know the port is open, which satisfies a limited level of two-way communication.

To me, port scanning has to be legal. It is too difficult to make it illegal because things get too messy. If you required the machine owner's permission to scan, you start cutting off legitimate uses such as a program that may offer you different ways of connecting to a machine you have legitimate access to (it can check to see if you can connect via ssh, telnet, sftp, terminal services, etc.). It is a fine line between a program determining connection options and a malicious port scan. It is too hard to separate a legitimate jewelry store customer from one who is professionally casing the joint (inconspicuously looking at the windows and doors and walls while acting like a customer). Any law that attempts to do that will do more harm than good and will not work as intended.
AB
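The distinction the thread argues over (a connect scan only exercises the host's TCP/IP stack, while a banner grab or service discovery actually talks to the process behind the port) can be shown concretely. The following is an added example, not code from either poster: it runs entirely on loopback against two constructed listeners. One listener is left in listen() without anyone calling accept(), so the kernel still completes the three-way handshake and a connect scan reports the port "open" although no application code ever saw the connection; the other is a hypothetical server that sends a made-up SMTP-style greeting, which is what the "value add" service-identification step reads. The banner string, port choice and helper names are all assumptions for the demonstration.

```python
"""Connect scan vs. banner grab against loopback listeners (constructed example)."""
import socket
import threading
from typing import Optional, Tuple

HOST = "127.0.0.1"  # everything stays on loopback; nothing leaves the machine


def connect_scan(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full-connect (SYN / SYN-ACK / ACK) probe.

    connect() returns as soon as the kernel finishes the handshake. The
    listening process need not have called accept() yet, so this exchange is
    with the host's TCP/IP stack, not with the service bound to the port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False
        return True


def banner_grab(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Connect, then wait for the service to speak first (SMTP/FTP/SSH style).

    Returns None when nothing arrives before the timeout, i.e. when only the
    stack answered and the application never processed the connection.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return s.recv(256)
        except (socket.timeout, OSError):
            return None


def start_listener(banner: Optional[bytes]) -> Tuple[socket.socket, int]:
    """Start a loopback listener on an ephemeral port and return (socket, port).

    banner is None: the socket sits in listen() and nobody calls accept().
    The kernel still completes handshakes into the backlog, so a connect scan
    sees "open" while the service has done nothing. Otherwise a thread accepts
    each client and sends the (constructed) banner, as a real daemon would.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    if banner is not None:
        def serve() -> None:
            while True:
                try:
                    conn, _ = srv.accept()
                except OSError:  # listener closed by demo(); thread exits
                    return
                with conn:
                    conn.sendall(banner)
        threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo() -> dict:
    """Run the three cases and report what each probe observed."""
    silent, silent_port = start_listener(None)
    smtp, smtp_port = start_listener(b"220 mail.example.test ESMTP\r\n")  # constructed greeting
    # Find a port nothing listens on: bind an ephemeral port, note it, release it.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((HOST, 0))
        closed_port = probe.getsockname()[1]
    try:
        return {
            "silent_open": connect_scan(HOST, silent_port),          # True: stack answered
            "silent_banner": banner_grab(HOST, silent_port, 0.5),    # None: service never did
            "smtp_open": connect_scan(HOST, smtp_port),              # True
            "smtp_banner": banner_grab(HOST, smtp_port),             # the greeting bytes
            "closed_open": connect_scan(HOST, closed_port),          # False: RST from the stack
        }
    finally:
        silent.close()
        smtp.close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The "silent" case is the one that matters for the argument: the scanner gets a complete two-way TCP exchange and a positive result, yet the only party it spoke to was the kernel. Only the banner grab, which blocks on recv() until the application writes something, depends on the service itself.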