Security Basics mailing list archives

RE: FW: Legal? Road Runner proactive scanning.[Scanned]


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 18 Mar 2004 11:35:51 -0800

I don't think that is quite an accurate analogy either. The difference 
is that you are only using one phone line, or "port" to call the hotel.

A better analogy would be if hotels had a standard set of extension 
lines that were tied to specific services that a hotel could offer.

I love it when discussions like these degrade down to 'my analogy is
better'. Ok, everyone wins, mine suck, now on to the debate at hand.

When a scanner does OS detection or similar operations, more than just 
listening for the line to be answered is needed. It would wait for 
"Hello, Room Service" or something like that before disconnecting, and 
make its decision on what cuisine was offered by how the phone was 
answered.

You're overreaching: portscanners just check for open ports; they don't
care about the OS, or even what server is running on the backend. For
that you use a discovery application. Now, before anyone tries to lart
me, the majority of scanners out there nowadays can pull some info
from the server or protocol stack to try and figure out what the host
is and what the service on that port is, but that's past the discussion
because that is a value add to the portscanner, not the portscanner
itself.

A port scan has to communicate with the port in at least a limited way.

It has to at least receive a response to its probe in order for it to 
know the port is open, which satisfies a limited level of two-way 
communication.

Right-A-Mundo-My-Main-Macho-Main! But that doesn't mean it's
communicating with the service, process or thread that the port is tied
to. Basically it's just communicating with the host system's TCP/IP stack.

To me, port scanning has to be legal. It is too difficult to make it
illegal because things get too messy. If you required the machine
owner's permission to scan you start cutting off legitimate uses such as
a program that may offer you different ways of connecting to a machine
you have legitimate access to (it can check to see if you can connect
via ssh, telnet, sftp, terminal services, etc.). It is a fine line
between a program determining connection options and a malicious port
scan.

The second you get regulators or authorities involved things get
complicated. I believe in the whole 'better judgment' approach to port
scanning and service/host discovery. Basically, if your system interacted
with my network first I reserve the right to check out your system. The
reason for this 'way-of-thinking' is that if I'm getting traffic from
your system, and it's attacking my IIS server, I'll portscan, traceroute,
ping and run some discovery on your system, then decide if I want to talk
to your ISP, you or the authorities in your area. Past that I'm not going
to go 'lookin' for you.

This whole thread gave me nostalgia about a similar thread on wardialing
on an old BBS I used to frequent. The good ole' days, *sigh*.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
             (800) 325-1199 x338



-----Original Message-----
From: Andy Blair [mailto:blai0015 () umn edu] 
Sent: Thursday, March 18, 2004 11:05 AM
To: Shawn Jackson; gillettdavid () fhda edu; Jef Feltman;
security-basics () securityfocus com
Subject: Re: FW: Legal? Road Runner proactive scanning.[Scanned]


A portscan is a method of checking whether a service is accepting data
or not. It's a simple connection that closes if the port responds. A
denial of service would be flooding that port with so much traffic
that it can't respond to other requests; that is not the case with a
portscan. The hotel analogy is fundamentally flawed for this argument.
You wouldn't be talking with the operator; a portscan would see if you
can 'phone' the hotel, then when they pick up you have verified the
'port' is open. Talking with the operator is akin to communicating with
the port, thus you are 'browsing the page' and not just checking to see
if the port is open.

 Shawn


I don't think that is quite an accurate analogy either. The difference
is that you are only using one phone line, or "port" to call the hotel.
A better analogy would be if hotels had a standard set of extension
lines that were tied to specific services that a hotel could offer. You
could dial into each extension, not knowing whether that specific hotel
offered the service. If someone picked up, the line for that service is
in use. You would have to actually listen to the answer or ask the
person on the other line to determine if a specific service were
actually offered (simulating tcp connection handshake).

When a scanner does OS detection or similar operations, more than just
listening for the line to be answered is needed. It would wait for
"Hello, Room Service" or something like that before disconnecting, and
make its decision on what cuisine was offered by how the phone was
answered.

A port scan has to communicate with the port in at least a limited way.
It has to at least receive a response to its probe in order for it to
know the port is open, which satisfies a limited level of two-way
communication.


To me, port scanning has to be legal. It is too difficult to make it
illegal because things get too messy. If you required the machine
owner's permission to scan you start cutting off legitimate uses such as
a program that may offer you different ways of connecting to a machine
you have legitimate access to (it can check to see if you can connect
via ssh, telnet, sftp, terminal services, etc.). It is a fine line
between a program determining connection options and a malicious port
scan.

It is too hard to separate a legitimate jewelry store customer from one
who is professionally casing the joint (inconspicuously looking at the
windows and doors and walls while acting like a customer). Any law that
attempts to do that will do more harm than good and will not work as
intended.

AB
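A defender-side illustration of the "fine line" both posts describe, added here and not part of the thread: a small heuristic over constructed connection records (the hosts, ports and thresholds are assumptions for the example) that separates a client checking a handful of well-known service ports from a source sweeping many ports with handshake-only, zero-payload connections.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed connection records (not from the thread): one per TCP
# connection seen at the target, as a firewall or flow log would show it.
@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since start of capture
    src: str       # client address (constructed sample values)
    dport: int     # destination port on the target
    payload: int   # bytes the client sent after the handshake


SAMPLE = [
    # 10.0.0.5 behaves like the "which way can I connect?" helper program:
    # it tries ssh, telnet and terminal services, then actually uses ssh.
    Conn(0.0, "10.0.0.5", 22, 0), Conn(0.1, "10.0.0.5", 23, 0),
    Conn(0.2, "10.0.0.5", 3389, 0), Conn(0.3, "10.0.0.5", 22, 412),
    # 198.51.100.9 behaves like a port sweep: many ports, handshake only,
    # never a byte of data for the service behind the port.
] + [Conn(1.0 + i * 0.01, "198.51.100.9", p, 0)
     for i, p in enumerate(range(1, 41))]


def classify_sources(conns, window=5.0, max_ports=8):
    """Return {src: 'sweep' | 'probe' | 'normal'}.

    'sweep': within some window-second span the source completed handshakes
    on more than max_ports distinct ports without sending any data.
    'probe': a few such empty connections (a connectivity check looks like
    this too, which is exactly the ambiguity the thread argues about).
    'normal': everything else. Thresholds are assumptions for the example.
    """
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    verdict = {}
    for src, lst in by_src.items():
        empty = sorted((c for c in lst if c.payload == 0), key=lambda c: c.ts)
        peak = 0
        for i, start in enumerate(empty):
            ports = {c.dport for c in empty[i:] if c.ts - start.ts <= window}
            peak = max(peak, len(ports))
        if peak > max_ports:
            verdict[src] = "sweep"
        elif peak > 1:
            verdict[src] = "probe"
        else:
            verdict[src] = "normal"
    return verdict
```

Sliding the window over only the zero-payload connections is what keeps a busy but legitimate client from tripping the sweep threshold; tune `max_ports` to how many service ports your own connectivity helpers are expected to try.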

