FW: baby pen-test question

["leon" <leon () inyc com>]

Hi everyone,

I have a few “baby” questions about pen-testing / vulnerability assessment.  I say this because maybe the answers to 
these questions are common knowledge (probably are).  My first question is about port scanning.  Bear with me while I 
set up a scenario.  Well I would think backdoors in a network would generally listen on some port.  Now lets say we 
have some kind of listener kind of like sub 7 or whatever but home-made.  It does not have an anti-virus signature so 
it is not picked up by that.  I know that things like ISS, Nessus, Cybercop, Etc look for Trojans by scanning the 
default ports (subseven 27374, netbus 12345, etc).  If I am a hacker I am going to have the server run on a very high 
port number like 60,000.  So when people do audits my question is do you port scan every port (both tcp, & udp) on 
every host or do you just scan with the ISS or maybe just an Nmap of 1 - 1024?  Do people nmap everything (every single 
port on both tcp & udp)?  I would assume this must take quite a bit of time if the network is large (even small) and 
probably use up a lot of bandwidth (create a lot of traffic if you have a lot of people doing every port of every 
machine).  However I would think that you would have to do this if you were being thorough cause if you pick a range 
(say 1 - 30000), you happen to be wrong and the attacker has lets say some super cool Trojan that is unknown and phones 
home with a connection out on port 80 to some preset ip) you might be in a lot of trouble (well the companies 
reputation anyway).  That brings me to my next question which is about medium / large networks.  Do people scan every 
single host with things like Nessus / Insert your favorite scanner / toll here, or do they just take a sample (say 20 
out of 200).  Say there was a network with 2000 hosts.  Even with 4 consultants with amazing laptops it still takes 
time.  I realize that this is probably up to the customer but maybe what I am curious about is what happens more 
frequently or what do you actually suggest when the customer asks for advice.  Especially the port scanning.  Is this 
left to run at night or something???

Anyway I am sure I will have more questions soon ☺

Public and private response welcome.

Cheers,

Leon


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/