Security Basics mailing list archives

Re: Scanning--more then one side to the argument

From: "Shand" <shand () adelphia net>
Date: Wed, 30 Mar 2005 16:16:31 -0500

Example of customer scan

nmap -sV -P0 -p 1-

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-03-30 16:59 EST
Interesting ports on
(The 65522 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE      VERSION
80/tcp    filtered http
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
5000/tcp  open     upnp         Microsoft Windows UPnP
5241/tcp  open     unknown
7177/tcp  open     unknown
8031/tcp  open     unknown
9491/tcp  open     unknown
27374/tcp filtered subseven

Nmap run completed -- 1 IP address (1 host up) scanned in 438.716 seconds


Now I see this as a issue?

Other don't?

The filtered ones are filtered by us.

The others they have open? ( Not firewall?) ( No security?)

Sherman

----- Original Message -----From: "Steve Fletcher" <safletcher () insightbb com>

To: "'Shand'" <shand () adelphia net>; <security-basics () securityfocus com>
Sent: Wednesday, March 30, 2005 3:41 PM
Subject: RE: Scanning--more then one side to the argument

That would depend on the port and what function it serves.  For example,
you
might show port 25 as open because they have an SMTP server and it is not
behind a firewall.

Here is a definition of the different states, straight from the nmap man
page:

"The state is either "open", "filtered", or "unfiltered".  Open
means that       the target machine will accept() connections on that
port.  Filtered means that a firewall, filter, or other network obstacle
is
covering the port and preventing nmap from determining whether the port
is open.  Unfiltered means that the port is known by nmap to  be
closed  and  no firewall/filter seems to be interfering with nmap's
attempts to determine this.  Unfiltered ports are the common case and are
only shown when most of the scanned ports are in the filtered state."

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: Shand [mailto:shand () adelphia net]
Sent: Wednesday, March 30, 2005 2:33 PM
To: Steve Fletcher; security-basics () securityfocus com
Subject: Re: Scanning--more then one side to the argument

External scans.

Against customer using our internet service.

Does a port have to show as "open" or can they for usability show only as
filtered, closed?

Thoughts?

Shand

----- Original Message -----From: "Steve Fletcher" <safletcher () insightbb com>

To: "'Sherman Hand'" <shand () adelphia net>;
<security-basics () securityfocus com>
Sent: Wednesday, March 30, 2005 3:18 PM
Subject: RE: Scanning--more then one side to the argument

I have a question regarding this.  Are you talking about doing an external
scan or an internal scan?  I assume an external, because an internal scan
should show a LOT of open ports.

I would say that any open port POTENTIALLY could be a security issue
waiting
to happen, but common sense dictates that some ports must be open for
usability reasons.  Plus, if you're going to follow this line of thought,
the fact that the systems are connected to the Internet AT ALL poses a
potential risk.  Or, just being networked could be a risk.  Or, being
powered on poses a potential risk.

So, based on this, sure it COULD be a security risk waiting to happen,
but
more information needs to be gathered to determine the true extent of the
risk.  And, it must be reevaluated at regular intervals to catch new
issues
that might have come up since the last scan.  What is safe now might not
be
6 months from now.

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: Sherman Hand [mailto:shand () adelphia net]
Sent: Wednesday, March 30, 2005 5:05 PM
To: security-basics () securityfocus com
Subject: Scanning--more then one side to the argument



There has been a on going discussion about the scanning results on our
customers.

Thought one says that "any" port on a standard nmap, showing as "open" is
a
security risk.

Thought two says, no since some things need to show in a state of open.

Should we be stating that through proactive scan, when we find any port
showing as open, that it is a security issue waiting to happen?

Or only if we can show a issue?

Thoughts?

Shand




---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE

Organizations worldwide are in need of highly qualified information securityprofessionals. Norwich University is fulfilling this demand with its MS inInformation Security offered online. Recognized by the NSA as anacademically excellent program, NU offers you the opportunity to earn yourdegree without disrupting your home or work life.


http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------

Current thread:

Scanning--more then one side to the argument Sherman Hand (Mar 30)
- Re: Scanning--more then one side to the argument Barrie Dempster (Mar 31)
- RE: Scanning--more then one side to the argument Steve Fletcher (Mar 31)
- <Possible follow-ups>
- Re: Scanning--more then one side to the argument Shand (Mar 31)
  - RE: Scanning--more then one side to the argument Steve Fletcher (Mar 31)
- Re: Scanning--more then one side to the argument Shand (Mar 31)
  - RE: Scanning--more then one side to the argument Steve Fletcher (Mar 31)