Penetration Testing mailing list archives
Re: Port Scanning.
From: robert () dyadsecurity com
Date: Mon, 13 Dec 2004 08:10:47 -0800
Faisal Khan (faisal () netxs com pk) wrote on Mon, Dec 13, 2004 at 07:46:43PM +0500:

> What's a good industry practice whilst doing port-scanning during a pen-test?

To understand what your tools are really doing and have extensive experience with this process before relying on it during a pen-test.

> Do you rely on the results of a single vendor's software or do you use multiple software packages?

Depends on the software. For port scanning, most people trust nmap because of the extensive time that Fyodor and the rest of the nmap-dev team has put into making it better. I would say that nmap may be the one to judge your other port scanning tools against if you are new to port scanning. Another tool that would be good to play with is unicornscan (http://www.unicornscan.org). Unicornscan is set up for a more technical tester who wants to collect as much meaningful information during the scan as possible. It has a higher learning curve at the moment, but we have had very good feedback from those who are using it. We will have another release out sometime before Christmas. Unicornscan was built with scalability, accuracy, and flexibility in mind. To my knowledge, it is currently the most accurate UDP scanner out there. The next release will make our TCP scanning on par with our UDP scanning.

> Also, with each OEM/vendor - do you scan once or twice?

Depends on how reliable the network connection is between you and the site you're testing. Doing logistics and controls tests ahead of time is really important. You need to know how many packets per second can reliably reach your destination and have a response reach you. You need to know the overall bandwidth limitations. You need to figure out which protocols are allowed through. You need to figure out if there is an IPS in place. You need to find out if there is a stateful inspection firewall in place. You need to find out if there is a DDoS mitigation device in place, etc. If you skip the logistics part and just plug in a target range and go, you will tend to have inaccurate results no matter how many times you scan.

> I need to do a scan on a Class C address if that matters in any way.

If you are relatively new to testing, I cannot emphasize enough how important that logistics and controls phase is. Pull down the OSSTMM - http://www.osstmm.org and walk through the logistics and controls & systems enumeration modules. You may also want to split the 256 IPs in your range into smaller chunks (0-63, 64-127, 128-191, 192-255) to make sure you review the results for each chunk separately. There is nothing like waiting multiple days to find out that your results are garbage and you have to start over.

Robert

--
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
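The reply above makes two practical points: split the /24 into chunks so each chunk's results can be reviewed on their own, and expect a single pass over an unreliable link to produce garbage, so compare repeated runs before trusting them. The following script is an added example, not code from the original post or from Dyad Security. It assumes nmap's greppable output format (`-oG`), which is real; the two scan outputs embedded below are constructed against the RFC 5737 documentation range 192.0.2.0/24, and the hosts and ports in them are made up. It builds the 0-63 / 64-127 / 128-191 / 192-255 target specs and then reports which open ports were seen in both runs and which appeared in only one, the latter being the findings that warrant a rescan rather than a line in the report.

```python
"""Chunk a /24 for scanning and compare two greppable nmap (-oG) runs for consistency.

Added example, not part of the original mailing-list post. The -oG line format
is nmap's own; the scan text below is constructed (RFC 5737 documentation range).
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, int, str]  # (host, port, proto)


def chunk_targets(network: str, chunks: int = 4) -> List[str]:
    """Split a /24 (or smaller) into nmap octet-range specs such as '192.0.2.0-63'.

    The split includes .0 and .255 so it matches the 0-63 ... 192-255 chunks in the post.
    """
    net = ipaddress.ip_network(network)
    if net.prefixlen < 24:
        raise ValueError("octet-range specs only make sense within a single /24")
    hosts = list(net)  # network and broadcast addresses included on purpose
    size = len(hosts) // chunks
    specs = []
    for i in range(chunks):
        first, last = hosts[i * size], hosts[(i + 1) * size - 1]
        specs.append(f"{first}-{last.packed[-1]}")  # last octet only, nmap hyphen syntax
    return specs


def parse_greppable(text: str) -> Set[Finding]:
    """Return the set of (host, port, proto) that one -oG output reports as 'open'.

    States such as 'filtered' or 'open|filtered' are deliberately not counted.
    """
    found: Set[Finding] = set()
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and footer comments
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # -oG port entry layout: port/state/proto/owner/service/rpc/version/
                if len(parts) >= 3 and parts[1] == "open":
                    found.add((host, int(parts[0]), parts[2]))
    return found


def compare_runs(run_a: str, run_b: str) -> Dict[str, Set[Finding]]:
    """Classify findings as stable (both runs) or seen in only one run."""
    a, b = parse_greppable(run_a), parse_greppable(run_b)
    return {"stable": a & b, "only_first": a - b, "only_second": b - a}


# Constructed sample output of two passes over the same chunk.
RUN_1 = """# Nmap scan initiated (constructed sample, first pass)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tPorts: 53/open/udp//domain///, 123/open/udp//ntp///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

RUN_2 = """# Nmap scan initiated (constructed sample, second pass)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tPorts: 53/open/udp//domain///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
Host: 192.0.2.30 ()\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    print("chunks:", chunk_targets("192.0.2.0/24"))
    result = compare_runs(RUN_1, RUN_2)
    for label, findings in result.items():
        print(f"{label}:")
        for host, port, proto in sorted(findings):
            print(f"  {host} {port}/{proto}")
```

Anything listed under `only_first` or `only_second` is exactly the kind of result the post warns about: a port that came and went between passes is more likely a dropped probe, a rate limit or an inline device reacting to the scan than a real change on the host, and it should be rescanned (ideally slower, or as a smaller chunk) before it goes into a report.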