RE: Penetration test report - your comments please?

["samsi data" <samsidata () hotmail com>]

> From: "pete" Reply-To: To: , "osstmm" Subject: RE: Penetration test report 
> - your comments please? Date: Wed, 30 May 2001 17:33:25 +0200
>
> This pen test posted on Security Focuses' Pen-Test mailing list brings up 
> the question of the testing of protocols as to the OSSTMM 
> (http://www.osstmm.org) and the reliability of NMAP's protocol scanning. As 
> I apply the module "Port Scanning" the tasks for protocol identification 
> are a bit difficult to automate. Of course, NMAP claims to do it but I 
> consistantly get at least IGMP for most systems which I do have difficulty 
> with accepting. I use NMAP for many of the tasks in that section but hav 
> been hesitant on the protocol testing. Of course a bit of scripting will 
> automate some but while I was a bit hesitant about NMAP's results I thought 
> I would ask what others thought of this.

I don't think is really a problem with nmap, but with using the lack of a 
response to indicate that a given protocol (at whatever layer) is active.

Nmap protocol scans should be no more/less reliable that UDP scans which 
also attempt to elicit ICMP unreachable messages. Just as the only real way 
to see if a UDP application is active is to send application layer data 
(DNS, BIND, RPC, ISAKMP) and check for some sort of response, you will need 
to send an IP Protocol Message (ICMP, TCP, UDP, IGMP, RSVP, GRE, AH, ESP, 
etc.) and look for a meaningful response. But then again, just because you 
get a SYN-ACK back doesn't mean a TCP server is actually listening. It could 
just be inetd.

BTW, I do thing multicast protocols are used on Windows boxes for multimedia 
stuff.

s d
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com