Penetration Testing mailing list archives

Re: ideal OS distro for network scanning?


From: Andrew Simmons <asimmons () messagelabs com>
Date: Sun, 15 Jan 2006 18:53:42 +0000

Hi,

offset wrote:
> Greetings,
>
> Looking for information on network mapping relative performance and accuracy between different
> opensource OS distributions (ie. linux based (fedora, redhat), bsd based (openbsd, freebsd)).

I've tried several of the dedicated security liveCD Linux distributions but haven't found a sweet spot yet. I tend to use a generic desktop Linux distro I'm comfortable with for general use, and add the tools I need as I go. (Obviously the basics get added during initial setup, eg tcpdump, ethereal, nmap etc.) Go with whatever you find best for general use, and work from that, adding or building whatever tools you need.


> I like OpenBSD's security paranoia (don't want the scanner being compromised), but I also
> understand that linux can be hardened as well,

In the ideal world, of course, your desktop Linux, BSD (or Windows) machine should be hardened well enough that you wouldn't need to take any special precautions... (you turn on the Windows firewall, check inetd.conf and netstat, turn off network services, remove stuff you don't need, blah blah... on your desktop machine anyway, right? :)

Anyway, why would a pentest client be attacking back? Unless they're comprehensively owned, of course, or perhaps have vigilantes for admins...


> so my second concern is the
> underlying OS skewing the results of a network scan and the ability for the OS to
> stay out of the way of the scan results.

I don't think there's a great deal of difference between what a FreeBSD vs Debian GNU/Linux vs Ubuntu vs OpenBSD will report seeing on the wire, if you're doing passive discovery. Different network stack implementations *will* behave differently when interacting with other machines, using different TTL values or payload padding and whatnot. However AFAIK tools such as Nmap will send the same packets at targets whatever host OS it's running on, and interpret the results using the same lookup tables and algorithms when fingerprinting an OS. Likewise, tcpdump or Ethereal or whatever will see and report received ethernet frames, and their options, payload etc, whatever the host OS.

I guess performance might differ between kernels under extreme performance demands, but if you're dropping so much traffic you're missing hosts when mapping, you need better hardware, not a different OS :)


cheers,

Andrew


--
Andrew Simmons
MessageLabs Security Team

MessageLabs - Be certain
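The reply above makes the point that what a passive capture tells you about a remote host is a property of the remote stack and the path (its initial TTL minus the hops travelled), not of the OS the capturing box runs, and that fingerprinting tools apply the same lookup tables wherever they run. The following is an added example, not code from the thread or from Nmap or tcpdump: a minimal TTL-only classifier that maps an observed TTL to the nearest well-known initial TTL (64, 128, 255) and derives a hop estimate. The observation records and the TTL-to-family table are constructed for the example; real OS detection uses many more probes than this, so treat the output as a coarse guess.

```python
"""Passive TTL-based stack guess and hop-count estimate (added example).

The only inputs are (source address, observed IP TTL) pairs, which any
capture tool reports identically regardless of the capturing host's OS.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Well-known default initial TTLs. Illustrative subset, not a real
# fingerprint database; a host can be configured to use any value.
INITIAL_TTLS = {
    64: "Linux/BSD-style stack (initial TTL 64)",
    128: "Windows-style stack (initial TTL 128)",
    255: "Network gear / Solaris-style stack (initial TTL 255)",
}


@dataclass(frozen=True)
class Observation:
    """One packet seen on the wire: who sent it and the TTL it arrived with."""
    src: str
    ttl: int


@dataclass(frozen=True)
class Guess:
    src: str
    observed_ttl: int
    initial_ttl: int
    hops: int
    family: str


def guess_initial_ttl(observed_ttl: int) -> int:
    """Pick the smallest well-known initial TTL that is >= the observed TTL.

    A TTL outside 1..255 cannot have been received on an IPv4 network
    (0 is discarded by the last router, 255 is the field's maximum), so it
    is rejected rather than silently classified.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"impossible received TTL: {observed_ttl}")
    for candidate in sorted(INITIAL_TTLS):
        if observed_ttl <= candidate:
            return candidate
    raise AssertionError("unreachable: 255 is always a candidate")


def classify(obs: Observation) -> Guess:
    """Estimate the sender's initial TTL, stack family and hop distance.

    Caveat: a Windows-style sender 70+ hops away would be misread as a
    64-TTL stack. That is far beyond real path lengths, so the nearest-
    initial-TTL rule is a reasonable heuristic, but only a heuristic.
    """
    initial = guess_initial_ttl(obs.ttl)
    return Guess(
        src=obs.src,
        observed_ttl=obs.ttl,
        initial_ttl=initial,
        hops=initial - obs.ttl,
        family=INITIAL_TTLS[initial],
    )


def summarize(observations: Iterable[Observation]) -> List[Guess]:
    """Classify every observation; the result is the same on any capture host."""
    return [classify(o) for o in observations]


# Constructed sample observations (not a real capture).
SAMPLE = [
    Observation("10.0.0.5", 64),     # local Linux/BSD host, 0 hops
    Observation("10.0.0.7", 116),    # Windows-style host, 12 hops away
    Observation("192.0.2.9", 250),   # router/Solaris-style, 5 hops away
]

if __name__ == "__main__":
    for g in summarize(SAMPLE):
        print(f"{g.src:12} ttl={g.observed_ttl:3} -> init {g.initial_ttl:3}, "
              f"{g.hops:2} hops, {g.family}")
```

Run it as a script to see the table; feed it TTLs from your own capture to compare what the same classifier says on different scanning hosts. The hop estimate and family guess depend only on the remote stack's default and the route, which is the reply's point about the host OS staying out of the way.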
