Full Disclosure mailing list archives
Re: scanning
From: schanulleke.29172787 () bloglines com
Date: 12 Jun 2006 12:10:31 -0000
Believe it or not, it was a Nokia running CheckPoint NG, but not well configured. Because the network was taking a lot of traffic during normal ops so no problems (yet). However it was taken down by a broadcast "storm" earlier. I was running multiple SYN-scan sessions of nmap with agressive timing (and very low max-rtt and max-timeout and max-delay setting), so not "polite" at all. IF I was doing a pen test AND I wasn't telling anyone I would NOT be using this settings, but go "low and slow". The point that I was making tough is that pen-tests and port scans can go wrong (and if you have Murphy as your back-seat driver, they will go wrong). We have also seen packet loss when scanning some webservers over a 2 Mbps line. Also because the Nokia was taking too much CPU cycles for inspections and logging. Schanulleke --- GroundZero Security" <fd () g-0 org wrote: What kind of firewall was it ? I can't imagine that it isn't able
to handle your single connect()
requests, since what happens
if a lot of the internal client computers
have external requests?
The network would be constantly lagged and
as you
describe it, the firewall would stop responding even without
a scan. I just wonder what vendor the firewall produced.
When you use
a normal port scanner like nmap with a polite
timing and ip by ip, i doubt
this would happen. Maybe if you
use some scanner that is multithreaded
and scan's a lot of ip's
a second and do a full connect() (maybe even send
a request)
on all possible ports on as much hosts as possible, then i could
imagine your scenario. A "normal" port scan/subnet scan however, shouldn't
be any problem.
When you do a penetration test you do have 5 minutes
to wait
and we where talking about a simple port scan. I think at court
it wouldn't matter as the understanding of the scan would be the same
for them. So even if there is a very slim chance that this
actually happens
on a network, it would be hard to explain
probably. Then again all you
did theoreticaly is looking for
open services they offer to the public,
if their server is miss
configured, is that your fault ? On the other
side, the network
owner would probably respond that you shouldn't snoop
around on his servers. So this is indeed a problematic situation and
i have to admit you make a point here, although i still don't
think that
this will happen very offten :-)
----- Original Message ----- From:
<schanulleke.29172787 () bloglines com>
To: <fd () g-0 org> Sent: Monday,
June 12, 2006 12:13 PM
Subject: Re: [Full-disclosure] scanning
I was on local site with a direct ethernet connection, the client had
all
internal traffic routed via a firewall, the firewall was configured
with too
many and too complex rules. I caused too many sessions,
causing too much
logs causing the firewall to stop responding in time
and all servers to be
separated from all clients. Needless
to say this was a major finding in
my report. We have observed
the same behaviour with external facing firewalls.
Schanulleke
--- GroundZero Security" <fd () g-0 org wrote: When you say that by running a portscan you "dossed" a whole networkthen i
would say
either you are crazy or your portscanner is seriously broken
lol
I havebeen doing pen-tests since 1998 and never ever dossed
a whole Network
byaccident, especially not with a simple portscan.
-sk
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: scanning, (continued)
- Re: scanning GroundZero Security (Jun 02)
- Re: scanning ad () heapoverflow com (Jun 02)
- Re: scanning Marcos Agüero (Jun 02)
- Re: scanning Valdis . Kletnieks (Jun 02)
- Re: Fw: scanning Drew Masters (Jun 02)
- Re: Fw: scanning Lawrence Tang (Jun 02)
- Re: scanning GroundZero Security (Jun 12)