Re: FW: baby pen-test question

[Florindo.Gallicchio () radianz com]

Leon:

Before I use any commercial scanner (both as a consultant and in my present
job), I ALWAYS do an nmap sweep of varying degrees.  nmap is your very best
friend.  Depending on certain parameters of a system (e.g., mission
criticality, level of risk, accessibility by humans versus services, etc.),
I will do either a "known-port" nmap scan, or a full scan (-p1-65535).  UDP
scans are a bit difficult to do since there's a high degree of false
returns based on the nature of UDP, but I do test for the known ports.
Remember that a scanner will not tell you definitively if there is a
backdoor on the machine.  You have to manually check on the command line
using such things as netstat and such.

As for testing a large network, I primarily base my efforts on the mission
criticality and level of risk to determine what tests I do.  Oftentimes a
representative sampling works, especially if all servers in a group or
network are built from the same JumpStart script (or whatever it is you can
use for Microsoft servers) or manual lockdown procedure.  Unfortunately,
most of my clients in the past did not have commonly configured machines,
so again, the principles behind risk levels and mission criticality apply.

Oh - as for your comment about leaving the scan running over night:  I
would never, ever recommend running any automated scan against any
production machine.  It can result in you getting paged in the middle of
the night by some support person calling you in to explain why the scan
broke a production machine.  This happens whether or not you were perfectly
careful in the type of scan you ran.  Two exceptions to my rule: wardialing
and the use of the "Paranoid" setting on nmap, which takes approximately
two point five lifetimes to do a Class-C.

Florindo
_________________________________________________________
Florindo Gallicchio * Director, Security Assessment & Compliance *
Radianz * 492 River Rd. * Nutley, NJ 07110 USA *
+1 973 662 3158 * florindo.gallicchio () radianz com


|--------+----------------------->
|        |          "leon"       |
|        |          <leon () inyc co|
|        |          m>           |
|        |                       |
|        |          09/23/2001   |
|        |          09:06 PM     |
|        |                       |
|--------+----------------------->
  
> ------------------------------------------------------------------------------------------------------------------------|
  |                                                                                                                     
   |
  |       To:     <pen-test () securityfocus com>                                                                       
      |
  |       cc:                                                                                                           
   |
  |       Subject:     FW: baby pen-test question                                                                       
   |
  
> ------------------------------------------------------------------------------------------------------------------------|




Hi everyone,

I have a few “baby” questions about pen-testing / vulnerability assessment.
I say this because maybe the answers to these questions are common
knowledge (probably are).  My first question is about port scanning.  Bear
with me while I set up a scenario.  Well I would think backdoors in a
network would generally listen on some port.  Now lets say we have some
kind of listener kind of like sub 7 or whatever but home-made.  It does not
have an anti-virus signature so it is not picked up by that.  I know that
things like ISS, Nessus, Cybercop, Etc look for Trojans by scanning the
default ports (subseven 27374, netbus 12345, etc).  If I am a hacker I am
going to have the server run on a very high port number like 60,000.  So
when people do audits my question is do you port scan every port (both tcp,
& udp) on every host or do you just scan with the ISS or maybe just an Nmap
of 1 - 1024?  Do people nmap everything (every single port on both tcp &
udp)?  I would assume this must take quite a bit of time if the network is
large (even small) and probably use up a lot of bandwidth (create a lot of
traffic if you have a lot of people doing every port of every machine).
However I would think that you would have to do this if you were being
thorough cause if you pick a range (say 1 - 30000), you happen to be wrong
and the attacker has lets say some super cool Trojan that is unknown and
phones home with a connection out on port 80 to some preset ip) you might
be in a lot of trouble (well the companies reputation anyway).  That brings
me to my next question which is about medium / large networks.  Do people
scan every single host with things like Nessus / Insert your favorite
scanner / toll here, or do they just take a sample (say 20 out of 200).
Say there was a network with 2000 hosts.  Even with 4 consultants with
amazing laptops it still takes time.  I realize that this is probably up to
the customer but maybe what I am curious about is what happens more
frequently or what do you actually suggest when the customer asks for
advice.  Especially the port scanning.  Is this left to run at night or
something???

Anyway I am sure I will have more questions soon ☺

Public and private response welcome.

Cheers,

Leon


----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/