Nmap Announce mailing list archives
Re: Examples of legit nmap usage?
From: Max Vision <vision () whitehats com>
Date: Sat, 18 Sep 1999 10:58:23 -0700 (PDT)
Hello, I think there are two tactics that could improve your luck here tremendously.

First, don't scan for everything. I don't know if you already limit your scans, but nmap -F, or better yet nmap -p with a port list, is going to dramatically change the level of network activity, and the time it takes your scan to complete as well. In your situation, you are going to have to explain what you are looking for. How useful is it in practical terms, knowing that you don't have the time nor writeoff to do a full penetration test of your network, to scan the thousand some odd ports possible (nmap-services lists 1020 tcp ports that will be checked if you specify -F)? You should limit your scan to the services that you can, yourself, explain why they are interesting or should be checked for.

Second, find alternate language that you can use that doesn't include port, icmp, tcp, udp, scan, etc. Refer to server security from a user standpoint, such as "people running personal webserver that shouldn't" or "I want to look at the network to determine how many Suns are likely to be vulnerable to these RPC attacks mentioned in the CERT advisory". For some reason, these fuzzier wordings can push through a lot of the red tape.

The mention of CERT brings me to another idea, which is to go through all of the CERT advisories for the past couple of years, and come up with a list of ports based on the advisories. This port list is likely to get attention from Management because of the source. In my opinion, CERT is hardly a definitive resource; however, they are established, and have fairly good writeups covering common security issues. If you could say you wanted to verify <blah list of services here>, then you would already have some lengthy documentation (CERT advisories) to back each one of the ports (say "services" :) that you are trying to scan (say "verify").
I have made such a list; if you want it, drop me an email. (I needed it to justify adding some Checkpoint FW-1 rules for very primitive IDS for a client who had no IDS at all; this was before the current snort/visionids stuff.)

Also you mentioned commercial scanning tools. Some of them are quite excellent, and I would be interested to hear your opinions on their shortcomings and where you applied nmap to fill the gaps (aside from OS detection). In particular ISS and Cybercop have various portscanning options (including syn, ack, fin, and even direct rpc scanning) in addition to the standard service checks (which include the CERT-related services I mention above). They excel at handling the drudge of high-level assessment of a large number of hosts. Personally, I feel they are very useful in scenarios such as yours, if configured correctly. But that's just my opinion :)

Good luck!
Max

On Fri, 17 Sep 1999, Foust, Adam G. wrote:
> nmap has the potential of becoming an extremely useful tool for me in my job (not in the hacker sense, but in the discovery and security sense). I ran it for a while and built up a picture of our intranet WAN (with the help of a custom bit of perl and CGI programming), but now I'm being told to knock it off for good based on the high number of messages that began to accumulate in our router logs. All of our other $$$ commercial network tools have so far provided a rather piecemeal view of things, and I would like to continue to use this excellent nmap tool to augment our picture of things (particularly having an inventory of TCP services). Can anyone help me out with a good "business case" for administratively running nmap in a corporate environment? What would be the impact on routers and hosts of, say, automating a weekly scan on a rather large network (I won't give specifics, but I will say that if I seed nmap with a list of ping-able IP addresses it requires a couple of days to complete a single sweep)? Is using nmap in this fashion a dumb idea? Any good examples of nmap being used for network discovery in any corporations out there? Any information you can provide would be of great use. Thanks.
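The first tactic above (scan only the services you can justify, via nmap -p with a port list) can be turned into a small script. This is an added example, written by the editor; it is not code from Max's or Adam's posts. The services file is a constructed sample in nmap-services format (name, port/proto, trailing comment), the service choices are illustrative, and the nmap flags are those of current nmap (-n, -sT, -T2, -p, -oG, -iL), not necessarily of the 1999 release being discussed.

```shell
#!/bin/sh
# Added example (not from the thread): derive a restricted TCP port list from a
# curated file of services worth justifying, then build the nmap command line
# for a weekly inventory sweep. The services below are a constructed sample in
# nmap-services format; the justification comments are hypothetical.

SERVICES_OF_INTEREST='
# constructed sample: services one could explain to management, one per line
http        80/tcp    # personal web servers that should not be running
sunrpc      111/tcp   # portmapper, RPC attack surface called out in advisories
smtp        25/tcp    # hosts that may be acting as open mail relays
netbios-ssn 139/tcp   # file sharing exposed across the WAN
sunrpc      111/udp   # udp entry, skipped: this is a tcp-only inventory
'

# Print the comma-separated TCP port list that "nmap -p" expects.
# Comments are stripped, only port/tcp entries are kept, and the list is
# numerically sorted and de-duplicated.
tcp_port_list() {
    printf '%s\n' "$SERVICES_OF_INTEREST" \
      | sed 's/#.*//' \
      | awk '$2 ~ /\/tcp$/ { split($2, a, "/"); print a[1] }' \
      | sort -n | uniq | paste -s -d ',' -
}

# Build (but do not run) the nmap command for a TCP inventory of the hosts
# listed one per line in the given targets file:
#   -n    no reverse DNS, so the sweep does not also hammer the resolvers
#   -sT   plain connect scan, nothing that needs raw sockets
#   -T2   "polite" timing: probes are spread out, which keeps per-interval
#         router log volume down at the cost of a longer sweep
#   -p    only the justified ports, never the whole nmap-services list
#   -oG   greppable output for the inventory/CGI front end
#   -iL   read targets from a file (e.g. the list of pingable addresses)
nmap_command() {
    targets="$1"
    printf 'nmap -n -sT -T2 -p %s -oG inventory.gnmap -iL %s\n' \
        "$(tcp_port_list)" "$targets"
}

# Usage: put the pingable addresses in targets.txt, review the printed
# command, then run it with:  eval "$(nmap_command targets.txt)"
nmap_command targets.txt
```

The script only prints the command rather than executing it, so the port list can be reviewed (and attached to the request that goes up the chain) before anything touches the network; the udp entry shows that a per-protocol list is built deliberately, not by accident.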
Current thread:
- Examples of legit nmap usage? Foust, Adam G. (Sep 17)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 17)
- Re: Examples of legit nmap usage? David Carmean (Sep 17)
- Re: Examples of legit nmap usage? Joel Eriksson (Sep 18)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 20)
- Re: Examples of legit nmap usage? Andreas Kostyrka (Sep 20)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 20)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 17)
- Re: Examples of legit nmap usage? Lamont Granquist (Sep 20)
- Re: Examples of legit nmap usage? Max Vision (Sep 21)
- IP fragment overwriting bug exploitation Lamont Granquist (Sep 21)
- reverse frag scanning patch Lamont Granquist (Sep 22)
- <Possible follow-ups>
- RE: Examples of legit nmap usage? Rob Shein (Sep 17)
- RE: Examples of legit nmap usage? Scott Hardy (Sep 20)
- Re: Examples of legit nmap usage? Foust, Adam G. (Sep 21)