Re: Annoy Those Sub7 Scanners.

[Doug Kahler <dougak () TAMPABAY RR COM>]

the only problem with your doing this once a week or so, is ill bet 75+% of
those people are on DHCP connections. so the person's computer that your
probing a week later prob isnt the person that probed your computer. and if
your doing stupid stuff like going into their fully shared C drive and
deleting command.com, your doing it to someone that is totally innocent.


----- Original Message -----
From: "H Carvey" <keydet89 () YAHOO COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Sunday, August 27, 2000 11:09 AM
Subject: Re: Annoy Those Sub7 Scanners.


> > What we need are more trojans like fakebo.
>
> I wouldn't recommend any of the programs that open a
> port, such as NukeNabber, FakeBO, or even a deception
> toolkit.
>
> What I've done is installed Win32-snort on my NT
> system.  About once a week or so, I'll run a script
> that will pull all of the snort alerts out of my
> EventLog, and parse out the source IP addresses of the
> various scans...mostly NetBIOS name queries, but often
> Sub7 and the like.
>
> Once that is done, the script can run nmapNT against
> the system to ID open ports, fingerprint the os, etc.
> Powerful tools like Perl allow all sorts of
> flexibility with what you can do.  Now, I don't
> advocate a full-out StrikeBack capability, a la Winn
> Schwartau, but I have found that some of the scans
> have come from folks w/ Win95 machines with
> fully-shared C:\ drives.
>
> Carv
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Mail - Free email you can access from anywhere!
> http://mail.yahoo.com/