Penetration Testing mailing list archives
RE: Crashing services with NMAP and/or SuperScan ?
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 26 Nov 2004 16:31:05 -0600
Donald, Two items: 1. Foundstone released SS4, which I believe is what you are referring to. It appeared to have the same text-file driven port/prot match system, just a much more comprehensive list of port/prots. I don't think it actually *does* anything in terms of ident; someone from FS jump in here if I'm wrong. 2. Per below, I was referring to interrogating a stack for specific responses to help identify the stack, and further interrogating a protocol to identify what it is and what functions it is offering. The discussion originated about port scanning and OS ident causing failure. This activity should normally be benign and present little risk. Regarding vulnerability scanning; you are absolutely correct. It should be common knowledge that any vulnerability scanner has the ability to crash systems with an invasive check, and for that matter, a "non-invasive" or 'safe' check, be it ISS/ISS, Qualysguard, Retina, Nessus, Foundscan, or whatever. Some of the safe checks that aren't very smart or the scan engine isn't very smart mis-identify protocols or arbitrarily scan for any vuln that matches a given open port. So you get scenarios like: say you have say a Nessus BoF check for the Cisco HTTP vuln that by default listens on tcp/2301. This check generates X amount of garbage data (400 characters if I remember) to pad the buffer before sending commands to execute. The check does not verify the protocol (HTTP), banner grab for product name, or anything intelligent like this. So now Nessus sees tcp/2301 and sends this check to what happens to be an IP-enabled terminal session bound to a VAX console, and it interprets as control characters and bang, hard halt. However if you always play safe you will also miss some of the juicy stuff. Zero-day issues I've found before were the result of a scanner breaking something and the vendor refusing to tell me exactly what their 'unsmart' check was doing to the 'wrong' product. So one has merely to fire up the sniffer and watch... HtH Arian Evans Sr. Security Engineer FishNet Security KC Office: 816.421.6611 Direct: 816.701.2045 Toll Free: 888.732.9406 Fax: 816.474.0394 http://www.fishnetsecurity.com
-----Original Message----- From: Donald Whitfield [mailto:don.whitfield () gmail com] Sent: Friday, November 26, 2004 3:23 PM To: Evans, Arian Cc: pen-test () security-focus com Subject: Re: Crashing services with NMAP and/or SuperScan ? Also, The ability to disrupt service on a production network also exists by using the Nessus Scanner (unix version - with all plugins loaded). We were able to crash 3Com and Nortel Switches by performing Intrusive scans with most plugins loaded. Donald Whitfield Sr. Network Security Engineer On Fri, 26 Nov 2004 16:20:20 -0500, Donald Whitfield <don.whitfield () gmail com> wrote:Actually, Foundstone has release a new version of SuperScanjust thisyear. We played with it during the ultimate hackingbootcamp and it'spretty sweet. The scan results can be converted to various formats just like Nessus Scan Results. On Fri, 26 Nov 2004 09:46:24 -0600, Evans, Arian <arian.evans () fishnetsecurity com> wrote:- one Oracle TNS Listener - however the admin said"everything continued tofunction" - 2 or 3 Storageworks EVA Secure Path services.I would think that your problem is with the -O flag. A lot of people have reported similar behaviour with the O/S detection.Fortunately the admins were not upset. They looked throughthe services onthe servers, looked which ones had gone "stopped" and setthem back to"started".In general point to watch on Oracle-- Oracle listeners are extremely fragile to invasive interrogation. I have brought down Oracle listners repeatedly with a variety of port scanners that do OS detection. Wish I could remember the exact Oracle versions, at least as recent as 8 and 9i, and primarily running on *nix. (Linux, AIX, and OpenVMS; of course, with VMS's own native buggy and third-party IP stacks, just about any port/vuln scanning activities is liable to bring those things down.) Interestingly I have not seen this same behavior on Oracle on Windows. Anyone else? Arian Evans Sr. Security Engineer FishNet Security KC Office: 816.421.6611 Direct: 816.701.2045 Toll Free: 888.732.9406 Fax: 816.474.0394 http://www.fishnetsecurity.com The information transmitted in this e-mail is intendedonly for the addressee and may contain confidential and/or privileged material.Any interception, review, retransmission, dissemination,or other use of, or taking of any action upon this information by persons or entitiesother than the intended recipient is prohibited by lawand may subject them to criminal or civil liability. If you received this communicationin error, please contact us immediately at 816.421.6611,and delete the communication from any computer or network system.
Current thread:
- Re: Crashing services with NMAP and/or SuperScan ?, (continued)
- Message not available
- Re: Crashing services with NMAP and/or SuperScan ? Peter Wood (Nov 24)
- Message not available
- RE: Crashing services with NMAP and/or SuperScan ? Jerry Shenk (Nov 24)
- Re: Crashing services with NMAP and/or SuperScan ? Dave McCormick (Nov 24)
- Re: Crashing services with NMAP and/or SuperScan ? Anders Thulin (Nov 25)
- Re: Crashing services with NMAP and/or SuperScan ? William Allsopp (Nov 24)
- Re: Crashing services with NMAP and/or SuperScan ? Jim Morgan (Nov 27)
- RE: Crashing services with NMAP and/or SuperScan ? Brewis, Mark (Nov 25)
- RE: Crashing services with NMAP and/or SuperScan ? Evans, Arian (Nov 27)
- Re: Crashing services with NMAP and/or SuperScan ? Donald Whitfield (Nov 27)
- Re: Crashing services with NMAP and/or SuperScan ? Donald Whitfield (Nov 27)
- Re: Crashing services with NMAP and/or SuperScan ? Donald Whitfield (Nov 27)
- RE: Crashing services with NMAP and/or SuperScan ? Evans, Arian (Nov 27)