Penetration Testing mailing list archives
Re: Port Scanning.
From: miguel.dilaj () pharma novartis com
Date: Mon, 13 Dec 2004 16:24:05 +0000
Hi Faisal,

I found that using nmap alone is usually enough, provided you use the proper settings. An exception is when you're dealing with a firewall and trying to assess how exactly things interconnect; in such cases you can try hping2/3 or firewalk.

A short time ago I posted an answer somewhere about the most useful nmap settings to scan a "normal" network. IMHO:

* use a very common source port, like 80 (-g 80)
* fragment, and be sure that nothing on YOUR side is trying to defragment (-f)
* use paranoid timing, to avoid overreaction from an eventual IDS (-T0)
* use SYN scan (-sS)
* use decoys if overreacting IDS are a concern, and if allowed by your contract! (-D {decoy1},{decoy2},...)

Then go for any advanced techniques, as required (for example ACK or Window scan). You can combine OS detection with the above, scan UDP ports, etc.; this will depend exactly on the setup of the network you're checking, and what you are looking for. If you don't know what to expect, scan the entire port range; sometimes I found interesting things on high ports (for example a proxy, or a Java application server) that were not supposed to be open to the world.

Lastly, don't forget some of the most esoteric and advanced techniques, that are used once every solstice, like IPID scan from probably trusted machines, etc.

Because sometimes you need to use advanced techniques, very often you need to scan more than once, but I also recommend (if possible) to scan from a completely different source IP address (example: scanning a certain system in Spain from my country showed 2 open ports of a proxy installed by the ISP, but these ports were not shown when scanned from the same ISP's network).

IMHO nmap is simply the best port scanner out there. But of course other people can have different preferences, so no flame wars on port scanners please ;-) I like it on Linux more than on Windows, *somehow* I found it more reliable ;-)

IIRC, Fyodor is a member of this list, so perhaps he can enlighten us all (or send us to RTFM ;-)

Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG


Faisal Khan <faisal () netxs com pk>
13/12/2004 14:46
To: pen-test () securityfocus com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Port Scanning.

What's a good industry practice whilst doing port-scanning during a pen-test. Do you rely on the results of a single vendor's software or do you use multiple software packages? Also, with each OEM/vendor - do you scan once or twice? I need to do a scan on a Class C address if that matters in any way.

Faisal
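The vantage-point remark at the end of Miguel's reply (an ISP proxy visible only from outside the ISP's network) is easy to check mechanically once both scans are saved with -oG. The script below is an added example, not part of the original thread or of nmap: it parses nmap's grepable output and lists the ports that the second scan saw open and the first did not. The two scan results embedded in it are constructed sample data against the documentation address 203.0.113.10, and the baseline_scan_cmd helper is just the option set from the list above with -oG appended; nothing in the script contacts a host.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the open ports nmap
# reports from two vantage points and list what only the second one saw.
# Input is nmap's grepable output (-oG). The scan results below are constructed
# sample data, not real captures; 203.0.113.10 is a documentation address.
set -eu

# Miguel's baseline command line with -oG added so the result can be parsed.
# $1 = target, $2 = output file ("-" for stdout). Prints the command only.
baseline_scan_cmd() {
    printf 'nmap -sS -T0 -g 80 -f -p- -oG %s %s\n' "$2" "$1"
}

# Print "port/proto" for every port reported open in a -oG file, one per line,
# sorted lexically (comm below needs the same order sort produces). In -oG
# output the Ports field is tab-separated from the rest of the Host line and
# each entry looks like port/state/protocol/owner/service/rpcinfo/version/
open_ports() {
    awk '
        BEGIN { FS = "\t" }
        /^Host: / {
            for (i = 2; i <= NF; i++) {
                if (index($i, "Ports: ") == 1) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, /, */)
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        if (f[2] == "open") print f[1] "/" f[3]
                    }
                }
            }
        }' "$1" | sort -u
}

# Ports open in the second scan that the first never showed, in port order.
# $1 = -oG file from vantage A, $2 = -oG file from vantage B.
only_in_second() {
    first_ports=$(mktemp)
    open_ports "$1" > "$first_ports"
    open_ports "$2" | comm -13 "$first_ports" - | sort -t/ -k1,1n
    rm -f "$first_ports"
}

# Constructed sample data: the same target scanned from inside the ISP's
# network (only the real services show) and from an outside network (two
# extra proxy ports appear).
INSIDE_SCAN=$(mktemp)
OUTSIDE_SCAN=$(mktemp)
trap 'rm -f "$INSIDE_SCAN" "$OUTSIDE_SCAN"' EXIT

{
    printf '# Nmap scan initiated as: nmap -sS -T0 -g 80 -f -p- -oG - 203.0.113.10\n'
    printf 'Host: 203.0.113.10 ()\tStatus: Up\n'
    printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (65532)\n'
    printf '# Nmap run completed\n'
} > "$INSIDE_SCAN"

{
    printf '# Nmap scan initiated as: nmap -sS -T0 -g 80 -f -p- -oG - 203.0.113.10\n'
    printf 'Host: 203.0.113.10 ()\tStatus: Up\n'
    printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3128/open/tcp//squid-http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n'
    printf '# Nmap run completed\n'
} > "$OUTSIDE_SCAN"

echo "Scan to run from each vantage point:"
baseline_scan_cmd 203.0.113.10 vantage.gnmap
echo "Open as seen from inside the ISP:"
open_ports "$INSIDE_SCAN"
echo "Open only when scanned from outside:"
only_in_second "$INSIDE_SCAN" "$OUTSIDE_SCAN"
```

Run the printed nmap command from each network you can reach the target from (SYN scan and a forced source port both need root), save each result to its own file, then feed the two files to only_in_second. Anything it prints is a service whose exposure depends on where you stand, which is exactly the kind of finding a single-vantage scan misses.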
Current thread:
- Port Scanning. Faisal Khan (Dec 13)
- Re: Port Scanning. robert (Dec 13)
- Message not available
- Re: Port Scanning. robert (Dec 22)
- Message not available
- Re: Port Scanning. robert (Dec 22)
- Re: Port Scanning. robert (Dec 22)
- Message not available
- Re: Port Scanning. robert (Dec 13)
- <Possible follow-ups>
- Re: Port Scanning. miguel . dilaj (Dec 13)
- Message not available
- Re: Port Scanning. Faisal Khan (Dec 13)
- Message not available
- RE: Port Scanning. rzaluski (Dec 14)
- Re: Port Scanning. Martin Mačok (Dec 15)