Penetration Testing mailing list archives

RE: Medium Scale Scanning Best Practices


From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Wed, 16 Jan 2002 11:20:20 +0100

You should consider at least two different types of network scanning. The first type would be to scan your whole IP address range to identify all hosts. While it is very time consuming, you should consider scanning all TCP and UDP ports. To aid system detection you can use the nmap -O option (it can also be very time consuming, so in some cases it is wise to run two instances of nmap: one for the tcp/udp port scan and the other for OS detection). You can also look at tools like X and siphon for OS detection. Siphon is very fast as it is based on passive OS fingerprinting.

The results of a full scan will provide you with several valuable pieces of information. Consider this: some services might not be listening on typical ports. Scanning the whole port range can provide you with such information. If you find some strange ports open, you can try to connect to them using tools like netcat to verify your scanning results. This process will allow you to enumerate hosts, services and server versions. After enumeration you can use nmap again (even on a daily basis) to perform quick scans for vulnerable services. As in the previous post on this subject: you could also implement the nessus scanner and an IDS based on snort. In terms of IIS, it is a wise idea to use the IISLockDown tool and URLScan to protect the IIS web server. The IIS FTP server could be quite secure (in terms of FTP servers) as long as Inetpub is on a separate NTFS partition with properly set up ACLs. It is also very important to properly configure the authentication options for IIS services. You should also consider turning on logging for IIS services.

Tools like snort allow you to detect new attacks. If you see a lot of HTTP requests with strange parameters, it could be an indication of an attack. One of the snort rules detects packets with the Intel nop instruction. nop is used in many buffer overflows, so seeing a lot of those packets could also be a tip for you.

If you consider using free, open-source tools, I would use nmap+nessus+netcat+snort (nessus can integrate with nmap as well as SARA, but I would say that SARA is better suited for Unix networks). For Windows networks I would also use Winfingerprint to scan for network shares, etc. You can also use hfnetchk from Microsoft (it's not open-source, but it is free and quite useful).

Hope this helps
Best Regards,
Aleksander Czarnowski
AVET INS 
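The post suggests a full baseline scan followed by quick daily nmap scans to catch newly exposed services. The added example below (not part of the original post, and not an nmap project tool) parses nmap's grepable output format (-oG) and diffs a baseline scan against today's scan, reporting new or vanished hosts, newly opened or closed ports, and version banner changes. Both scan outputs are constructed samples in the 192.0.2.0/24 documentation range; the field layout (port/state/proto/owner/service/rpcinfo/version) follows the -oG format.

```python
"""
Diff two nmap grepable (-oG) scan results to spot new or changed services.
Added example; the two scan outputs below are constructed, not real scans.
"""

# Constructed -oG style output for the "baseline" full scan (made-up hosts and ports).
BASELINE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.1/, 80/open/tcp//http//Apache 1.3/\tIgnored State: closed (65533)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 80/open/tcp//http//Microsoft IIS 5.0/\tIgnored State: closed (65533)
# Nmap done (constructed sample)
"""

# Constructed output for a later quick scan: one new high port, one FTP port gone,
# a UDP service appearing, and an updated web server banner.
TODAY_OG = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.1/, 80/open/tcp//http//Apache 1.3.22/, 31337/open/tcp//unknown///\tIgnored State: closed (65532)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//Microsoft IIS 5.0/, 53/open/udp//domain///\tIgnored State: closed (65533)
# Nmap done (constructed sample)
"""


def parse_grepable(text):
    """Return {ip: {(port, proto): (state, service, version)}} from -oG text.

    Lines are tab-separated fields; only 'Host:' lines carrying a 'Ports:' field
    contribute, so 'Status: Up' lines and '#' comments are skipped.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: 192.0.2.10 ()" -> "192.0.2.10"
        ports_field = next((f[len("Ports:"):] for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        entry = hosts.setdefault(ip, {})
        for item in ports_field.split(","):
            item = item.strip()
            if not item:
                continue
            # -oG port record: port/state/proto/owner/service/rpcinfo/version/
            parts = item.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            entry[(int(port), proto)] = (state, service, version)
    return hosts


def diff_scans(baseline, today):
    """Compare two parsed scans and return a report of host and port changes."""
    report = {"new_hosts": [], "gone_hosts": [], "new_ports": [], "closed_ports": [], "changed": []}
    for ip in sorted(set(baseline) | set(today)):
        if ip not in baseline:
            report["new_hosts"].append(ip)
            continue
        if ip not in today:
            report["gone_hosts"].append(ip)
            continue
        old, new = baseline[ip], today[ip]
        for key in sorted(set(old) | set(new)):
            port, proto = key
            if key not in old:
                report["new_ports"].append((ip, port, proto))
            elif key not in new:
                report["closed_ports"].append((ip, port, proto))
            elif old[key] != new[key]:
                # same port still open, but the service/version banner changed
                report["changed"].append((ip, port, proto, old[key][2], new[key][2]))
    return report


def run_example():
    """Parse both constructed scans and return the diff report."""
    return diff_scans(parse_grepable(BASELINE_OG), parse_grepable(TODAY_OG))


if __name__ == "__main__":
    for kind, items in run_example().items():
        for item in items:
            print(f"{kind}: {item}")
```

In practice the baseline comes from a full-range scan saved once and the daily quick scan from a smaller port list; any entry in new_ports or changed is what the post's "strange ports" follow-up with netcat is meant to verify.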

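The post mentions a snort rule that fires on packets containing the Intel nop instruction, since long NOP runs often pad buffer-overflow payloads. The added example below (not from the original post, and not snort's own rule logic) shows the detection idea in plain Python: it finds the longest run of 0x90 bytes in a payload and flags payloads whose run meets a threshold. The sample packets are constructed, and the threshold of 14 is an assumption chosen for this example; real binary traffic can contain short NOP runs legitimately, so the threshold is what keeps false positives down.

```python
"""
Flag payloads carrying a long run of x86 NOP (0x90) bytes, the pattern the
post's snort rule is looking for. Added example; sample packets are constructed.
"""

NOP = 0x90
# Minimum run length to alert on. Assumption for this example: short runs occur
# in ordinary binary data, so alert only on runs long enough to look like padding.
MIN_RUN = 14


def longest_nop_run(payload):
    """Return (offset, length) of the longest run of 0x90 bytes; (-1, 0) if none."""
    best_off, best_len = -1, 0
    cur_off, cur_len = -1, 0
    for i, b in enumerate(payload):
        if b == NOP:
            if cur_len == 0:
                cur_off = i
            cur_len += 1
            if cur_len > best_len:
                best_off, best_len = cur_off, cur_len
        else:
            cur_len = 0
    return best_off, best_len


def is_nop_sled(payload, min_run=MIN_RUN):
    """True if the payload contains a NOP run at least min_run bytes long."""
    return longest_nop_run(payload)[1] >= min_run


# Constructed sample "packets": a normal HTTP request, a binary blob with a
# harmless short NOP run, and a request body padded with a long NOP run.
SAMPLE_PACKETS = {
    "http_get": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "binary_short_run": bytes(range(0x80, 0x90)) + b"\x90" * 5 + bytes(range(0x91, 0xA0)),
    "padded_payload": b"POST /cgi-bin/x HTTP/1.0\r\n\r\n" + b"\x90" * 40 + b"A" * 8,
}


def triage(packets=SAMPLE_PACKETS, min_run=MIN_RUN):
    """Return {name: (offset, run_length)} for packets whose longest NOP run meets min_run."""
    hits = {}
    for name, data in packets.items():
        off, length = longest_nop_run(data)
        if length >= min_run:
            hits[name] = (off, length)
    return hits


if __name__ == "__main__":
    for name, (off, length) in triage().items():
        print(f"ALERT {name}: run of {length} NOP bytes at offset {off}")
```

Seeing such a hit on a single packet proves little; the post's point is that a lot of these across a scanned range is the signal worth chasing, which is why triage reports counts per payload rather than stopping at the first match.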