Penetration Testing mailing list archives

RE: Crashing services with NMAP and/or SuperScan ?


From: "Brewis, Mark" <mark.brewis () eds com>
Date: Wed, 24 Nov 2004 11:29:17 -0000

Petr,

A standard -sS shouldn't give any problems, but won't give you banners.  If availability is critical, then manual 
verification of services with Netcat is the safest option. 

We have seen occasional issues with -O, -sU, -sV, and -A across a range of devices over several years.

You really can't tell how a stack/application will handle strange requests at times.  Most devices are fine, 
occasionally you get a flaky one.  Generally, the ones that fall over are the critical, custom applications that have 
never been tested before ;-}

I wouldn't recommend running -O as part of a generic scan.  Better to run a specific scan based on open and closed 
ports with -O.

SuperScan doesn't do anything fancy.  Sounds as though you stressed the switch and/or saturated the available 
bandwidth.  The ICMP traffic simply got lost in the noise.  This is a valid result - if a (presumably) single laptop 
could cause these issues, then there is a possible network DoS issue to be addressed.

You can't preclude this type of event from happening.  Weird stuff happens during testing, but that's the interesting 
bit.  At best, your actions can limit the risk, but make sure your paperwork for the test stresses residual risk, and 
get the customer to accept that as part of the test.

HTH

Mark

Mark Brewis

Forensic Services - EMEA 
UK Information Assurance Group
EDS
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.

Tel:    +44 (0)1908 28 4013
Mbl:    +44 (0)7989 291 648
Fax:    +44 (0)1908 28 4393
E@:     mark.brewis () eds com
        securityforensicsEMEA () eds com
        
This email is confidential and intended solely for the use of the individual(s) to whom it is addressed. Any views or 
opinions presented are solely those of the author.  If you are not the intended recipient, be advised that you have 
received this email in error and that any use, dissemination, forwarding, printing, or copying of this mail is strictly 
prohibited.

Precautions have been taken to minimise the risk of transmitting software viruses, but you must carry out your own 
virus checks on any attachment to this message. No liability can be accepted for any loss or damage caused by software 
viruses.
  

-----Original Message-----
From: Petr.Kazil () eap nl [mailto:Petr.Kazil () eap nl]
Sent: 23 November 2004 10:42
To: pen-test () securityfocus com
Subject: Crashing services with NMAP and/or SuperScan ?


(Side question: Has anyone ever crashed a server when the dangerous scans are disabled?)

With SuperScan I seem to have blown out a switch. It went "red" on the HP OpenView screen and didn't react to ping anymore. All the network traffic continued - fortunately :-) As of today the admins haven't been able to tell me what really happened. I haven't dared to try SuperScan anymore - although I like its output very much - especially its checks for headers and anonymous FTP and SMTP.

Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and Unix machines, but on WinNT SP5 (!) machines I seem to have blown out:
- one Oracle TNS Listener - however the admin said "everything continued to function"
- 2 or 3 StorageWorks EVA Secure Path services.

Fortunately the admins were not upset. They looked through the services on the servers, looked which ones had gone "stopped" and set them back to "started".

Question:
Do you think that running nmap without the -sV -O options could avoid this and still give me enough information?

These are always difficult situations - replication is not easy (I cannot ask: "Can I run the scan again and see if the same thing happens?"). I can't test all OS versions on my test network. I'm not even sure if I'm really to blame, it could even be coincidence ...

Of course I asked (and re-asked) before my scan: What subnetwork can I scan and which IPs should I avoid? Answer: We don't expect any problems, just take our whole subnet.

Your comments are very welcome.

Greetings, Petr Kazil
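
The workflow Mark's reply recommends (a plain -sS first, then targeted -sV on the ports it found rather than a blanket -A/-O over the subnet, and Netcat-style manual verification where availability matters), written out as an added example. This is not code from the thread or from either poster. The nmap grepable output in SAMPLE_GNMAP is constructed, not real scan data, the banner grab sends nothing and only reads what a service volunteers within a short timeout, and serve_once() is a local stand-in for a target so the whole thing runs offline.

```python
"""Conservative follow-up to a plain SYN scan.

Added example, not code from the original thread. It takes the open ports
a harmless `nmap -sS -oG` run found, builds *targeted* -sV commands for
just those ports, and verifies services the way Netcat would: connect,
send nothing, and read whatever the service sends first. SAMPLE_GNMAP is
constructed nmap grepable output; serve_once() is a test stand-in for a
real target.
"""
import re
import socket
import threading
import time

# Constructed sample of `nmap -sS -oG -` output (not real scan data).
SAMPLE_GNMAP = """\
# Nmap 3.75 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 1521/open/tcp//oracle///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tPorts: 135/open/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# One entry of the -oG "Ports:" field: port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = line.partition("Ports:")[2].partition("Ignored")[0]
        open_ports = [(int(port), proto, svc)
                      for port, state, proto, svc in PORT_RE.findall(ports_field)
                      if state == "open"]
        if open_ports:
            result[host] = open_ports
    return result


def followup_commands(scan):
    """Targeted version detection plus manual checks, limited to what the SYN
    scan already found, so no host gets probes on ports it never answered on."""
    cmds = []
    for host, ports in sorted(scan.items()):
        plist = ",".join(str(p) for p, _, _ in ports)
        # low intensity: only the most likely version probes for each port
        cmds.append(f"nmap -sV --version-intensity 2 -p {plist} {host}")
        for p, _, _ in ports:
            cmds.append(f"nc -v -n -w 3 {host} {p}")
    return cmds


def passive_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect, send nothing, and return the first bytes the service sends.

    b''  -> connected, but the service stayed silent for `timeout` seconds
            (normal for HTTP and other client-speaks-first protocols)
    None -> connection failed (refused, filtered, host down)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(max_bytes)
            except socket.timeout:
                return b""
    except OSError:
        return None


def serve_once(banner, silent=False):
    """Offline stand-in for a target: a local listener that accepts one client
    and either greets it with `banner` or holds the connection open silently.
    Returns the port it is bound to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if silent:
                time.sleep(2)       # say nothing; the client must time out
            else:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for cmd in followup_commands(scan):
        print(cmd)
    port = serve_once(b"220 mail.example.test ESMTP\r\n")   # constructed banner
    print(passive_banner("127.0.0.1", port))
```

The generated nmap line still runs version probes, so on a fragile host the nc lines (or passive_banner) are the safer check: a silent b'' result means the service accepted the connection and is up, without anything unusual having been sent to it.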


