Nmap Announce mailing list archives
Re: Examples of legit nmap usage?
From: Max Vision <vision () whitehats com>
Date: Tue, 21 Sep 1999 10:31:12 -0700 (PDT)
On Mon, 20 Sep 1999, Lamont Granquist wrote:

> On Sat, 18 Sep 1999, Max Vision wrote:
> > specify -F). You should limit your scan to the services that you can, yourself, explain why they are interesting or should be checked for.
>
> Is this really the best idea? If you're looking for Windoze trojans, then they could be listening on any port. The thing to do, it would seem, is to -sS scan for port 135/139 (fragile-stack-friendly OS detection) and then scan the entire port range on these machines looking for trojans. Then ideally you save this info into a file and run a scan every N time units and compare the results with previous information.
This is a good idea :) Given that it is far more likely that you will find such trojans on a Windows user's PC, this approach could speed your search considerably.
> And I've got a question as to how you go about doing forensics to determine if a WinNT/Win9X box has been trojaned when you find a really suspicious-looking open port on the box? For example, there's this Win box we've got on our network (which I don't admin) and which is listening on port 4692/udp. The person who uses this box downloads a lot of stuff from the net. I suspect this is a possible trojan, but where the hell do I go from here? This might be getting a little afield of nmap discussion, but I think it's appropriate because it'd be good to be able to back up nmap scans with actual solid evidence on the machine that it has been compromised.
I've run across several lsof-type tools for NT, but when I saw your post the only one I could find is Inzider:

  http://www.bahnhof.se/~winnt/toolbox/inzider/index.html

If you're ever looking for general trouble with an NT machine, the Forensic Toolkit by NTObjectives might be worth a look (includes a how-to):

  http://www.ntobjectives.com/prod03.htm

Maybe also FileMon by Sysinternals:

  http://www.sysinternals.com/filemon.htm

Max
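The discover-then-baseline-then-diff workflow Lamont sketches above (find the 135/139 listeners, full-port-scan just those, save the results, rescan every N time units and compare), written out as an added example that is not part of the original thread or of nmap itself. It assumes the greppable output layout of current nmap (`-oG`, with tab-separated "Host:" and "Ports:" fields and each port written as port/state/proto/owner/service/rpc/version); the 1999 machine-readable format differed, so the field parsing is an assumption about today's tool, not the one discussed in the thread. The hosts, file names and scan data are constructed sample input, not captured from a real network.

```shell
#!/bin/sh
# Added example (not from the original thread): discover likely Windows hosts,
# baseline their full port range, then report what newly opened on a rescan.
# Assumes the modern nmap -oG layout; all sample data below is constructed.
LC_ALL=C; export LC_ALL

# On a real network the scans would be (not run here, so the script works offline):
#   nmap -sS -p 135,139 -oG discover.gnmap 192.0.2.0/24
#   nmap -sS -sU -p 1-65535 -oG scan-old.gnmap $(windows_hosts discover.gnmap)
#   ... N time units later ...
#   nmap -sS -sU -p 1-65535 -oG scan-new.gnmap $(windows_hosts discover.gnmap)

# Hosts in a -oG file with 135/tcp or 139/tcp open: the likely Windows boxes.
windows_hosts() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports:/ &&
                    ($i ~ /(^|[ ,])135\/open\/tcp/ || $i ~ /(^|[ ,])139\/open\/tcp/))
                    print ip
        }' "$1"
}

# Every open port in a -oG file as "ip port/proto", sorted so it can be compared.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                list = $i; sub(/^Ports: /, "", list)
                n = split(list, p, /, */)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") print ip, f[1] "/" f[3]
                }
            }
        }' "$1" | sort
}

# Ports open in the NEW scan that were not open in the OLD baseline. A high port
# that appears between scans on a known box is what merits an on-host look.
new_open_ports() {
    old=$(mktemp) new=$(mktemp)
    open_ports "$1" > "$old"
    open_ports "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Constructed sample output standing in for the three scans above (not real data).
write_samples() {
    d=$1
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n' > "$d/discover.gnmap"
    printf 'Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///\n' >> "$d/discover.gnmap"
    printf 'Host: 192.0.2.20 ()\tPorts: 135/closed/tcp//msrpc///, 139/closed/tcp//netbios-ssn///\n' >> "$d/discover.gnmap"
    printf 'Host: 192.0.2.30 ()\tPorts: 135/filtered/tcp//msrpc///, 139/open/tcp//netbios-ssn///\n' >> "$d/discover.gnmap"
    printf 'Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (131068)\n' > "$d/scan-old.gnmap"
    printf 'Host: 192.0.2.30 ()\tPorts: 137/open/udp//netbios-ns///, 139/open/tcp//netbios-ssn///\n' >> "$d/scan-old.gnmap"
    printf 'Host: 192.0.2.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 4692/open/udp//unknown///\n' > "$d/scan-new.gnmap"
    printf 'Host: 192.0.2.30 ()\tPorts: 137/open/udp//netbios-ns///, 139/open/tcp//netbios-ssn///\n' >> "$d/scan-new.gnmap"
}

# Usage: sh portdiff.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    echo "Likely Windows hosts:"; windows_hosts "$d/discover.gnmap"
    echo "Newly open since baseline:"; new_open_ports "$d/scan-old.gnmap" "$d/scan-new.gnmap"
    rm -rf "$d"
fi
```

Only ports in the `open` state are compared, so a port flapping between `closed` and `filtered` across rescans does not show up as a change; for the sample data the only report is the 4692/udp listener that appeared on 192.0.2.10, which is exactly the kind of finding that then has to be backed up on the machine itself.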
Current thread:
- Re: Examples of legit nmap usage?, (continued)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 17)
- Re: Examples of legit nmap usage? David Carmean (Sep 17)
- Re: Examples of legit nmap usage? Joel Eriksson (Sep 18)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 20)
- Re: Examples of legit nmap usage? Andreas Kostyrka (Sep 20)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 20)
- Re: Examples of legit nmap usage? Bennett Todd (Sep 17)
- Re: Examples of legit nmap usage? Lamont Granquist (Sep 20)
- Re: Examples of legit nmap usage? Max Vision (Sep 21)
- IP fragment overwriting bug exploitation Lamont Granquist (Sep 21)
- reverse frag scanning patch Lamont Granquist (Sep 22)