Re: Examples of legit nmap usage?

[Max Vision <vision () whitehats com>]

On Mon, 20 Sep 1999, Lamont Granquist wrote:
> On Sat, 18 Sep 1999, Max Vision wrote:
> > specify -F).  You should limit your scan to the services that you can,
> > youself, explain why they are interesting or should be checked for.
>
> Is this really the best idea?  If you're looking for Windoze trojans,
> then they could be listening on any port.  The thing to do it would
> seem is to -sS scan for port 135/139
> (fragile-stack-friendly-os-detection) and then scan the entire
> portrange on these machines looking for trojans.  Then ideally you
> save this info into a file and run a scan every N time units and
> compare the results with previous information.
>  
This is a good idea :)  Based on that it is far more likely that you will
find such trojans on a Windows user's PC, this approach could speed your
search considerably.

> And I've got a question as to how you go about doing forensics to
> determine if a WinNT/Win9X box has been trojaned when you find a really
> suspicious looking open port on the box?  For example, there's this Win
> box we've got on our network (which i don't admin) and which is listening
> on port 4692/udp.  The person who uses this box downloads a lot of stuff
> from the net.  I suspect this is a possible trojan, but where the hell do
> i go from here?  This might be getting a little afield of nmap discussion,
> but i think its appropriate because it'd be good to be able to back up
> nmap scans with actual solid evidence on the machine that it has been
> compromised.
I've run across several lsof type tools for NT but when I saw your post
the only one I could find is Inzider:
http://www.bahnhof.se/~winnt/toolbox/inzider/index.html

If you're ever looking for general trouble with an NT machine, the
Forensic Toolkit by NTObjectives might be worth a look:
http://www.ntobjectives.com/prod03.htm (includes how-to)
Maybe also FileMon by Sysinternals:
http://www.sysinternals.com/filemon.htm

Max