Penetration Testing mailing list archives
Re: Port scan causing system crashes
From: Renaud Deraison <deraison () nessus org>
Date: Thu, 12 Jun 2003 15:01:12 -0400
On Thu, Jun 12, 2003 at 11:55:26AM -0400, Clem Skorupka wrote:
> I had a case where an rpc scan using nessus (I forget the particular module or if it was the nmap precursor scan, this was a couple of years ago) against some large range of ports knocked out an allegro-based embedded web server on a network switch. It didn't crash this particular switch (though one had to reboot the switch in order to bring back the web interface).
The bottom line is that as soon as you start to interfere with another host, you can never predict how it will react to actions that it has never been designed to handle, so no scan is totally risk-free[1], and it's often very hard to find the balance between a 99.9% accurate security audit and a non-intrusive one. Note that this does not only affect Nessus+Nmap, but any network vulnerability scanner.

Regarding the port scan itself (which is usually what disrupts the most services), you may want to try using a SYN scan instead of a full TCP connect() scanner; this way the remote services will not "know" they are being scanned and are less likely to crash. But then again, some printers *hate* SYN scans because their IP stack is poorly written, and they may crash.

When doing a scan with Nessus for the first time, I recommend the following settings:

- Enter "default" as a port range. This will only scan ~ 1,500 ports to which services are usually bound (this is equivalent to nmap -F)
- Use the SYN scanner if you know you're testing a box which has a decent IP stack (mostly any non-embedded OS should withstand that)
- Enable the "safe checks" options.
- In Prefs->Services, change the option "Test SSL based services" from "All" to "Known SSL ports". When "All" is enabled, Nessus attempts to negotiate SSL on every open port, and a lot of badly written daemons will hate that (mostly because they receive 8bit data and they're not all designed to cope with it too well).

If you are scanning an ultra-fragile box, you may also want to:

- Disable find_service.nes ("Misc.->Services"). This plugin attempts to do a Port<->Service mapping as unintrusively as possible, but some services may die on that (although it's quite rare).
- Disable port scanning altogether.

But keep in mind that your audit won't be as complete as it could be - it's all a matter of finding the right balance.
-- Renaud

[1] Which is why we are working on a non-intrusive passive vulnerability scanner for the networks/hosts that cannot afford any disruption. See http://www.tenablesecurity.com/docs/passive_scanning_tenable.pdf

--
Renaud Deraison
The Nessus Project
http://www.nessus.org