Crashing services with NMAP and/or SuperScan ?

• Previous message: Chris Griffin: "Re: CEH exam & hacking exposed"
• Next in thread: Anders Thulin: "Re: Crashing services with NMAP and/or SuperScan ?"
• Reply: Anders Thulin: "Re: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Peter Wood: "Re: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: William Allsopp: "Re: Crashing services with NMAP and/or SuperScan ?"
• Reply: Jerry Shenk: "RE: Crashing services with NMAP and/or SuperScan ?"
• Reply: Dave McCormick: "Re: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Brewis, Mark: "RE: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Evans, Arian: "RE: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Evans, Arian: "RE: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Donald Whitfield: "Re: Crashing services with NMAP and/or SuperScan ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: pen-test@securityfocus.com
Date: Tue, 23 Nov 2004 11:41:59 +0100

> (Side question: Has anyone ever crashed a server when the dangerous
scans
> are disabled?)

L.S.

I'm doing a series of quickscans in divisions of a large organization. I
intentionally don't go deep, I just scratch the surface. So we can find
only bad security errors, nothing subtle.

One step in the quickscan is a portscan of the internal network. I've tried
both nmap and Superscan. This usually brings out a lot of unexpected mail
services, ftp servers, low services, web management interfaces etc.

With Superscan I seem to have blown out a switch. It went "red" on the HP
Openview screen and didn't react to ping anymore. All the network traffic
continued - fortunately :-) As of today the admins haven't been able to
tell me what really happened. I haven't dared to try Superscan anymore -
although I like it's output very much - especially it's checks for headers
and anonymous FTP and SMTP.

Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and
Unix machines, but on WinNT SP5 (!) machines I seem to have blown out :
- one Oracle TNS Listener - however the admin said "everything continued to
function"
- 2 or 3 Storageworks EVA Secure Path services.

Fortunately the admins were not upset. They looked through the services on
the servers, looked which ones had gone "stopped" and set them back to
"started".

Question:
Do you think that running nmap without the -sV -O options could avoid this
and still give me enough information?

These are always difficult situations - replications is not easy (I canot
ask : "Can I run the scan again and see if the same thing hapens?"). I
can't test all OS versions on my test network. I'm not even sure if I'm
really to blame, it could even be coincidence ...

Of course I asked (and re-asked) before my scan: What subnetwork can I scan
and which IP's should I avoid? Answer: We don't expect any problems, just
take our whole subnet.

Your comments are very welcome.

Greetings, Petr Kazil

• Previous message: Chris Griffin: "Re: CEH exam & hacking exposed"
• Next in thread: Anders Thulin: "Re: Crashing services with NMAP and/or SuperScan ?"
• Reply: Anders Thulin: "Re: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Peter Wood: "Re: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: William Allsopp: "Re: Crashing services with NMAP and/or SuperScan ?"
• Reply: Jerry Shenk: "RE: Crashing services with NMAP and/or SuperScan ?"
• Reply: Dave McCormick: "Re: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Brewis, Mark: "RE: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Evans, Arian: "RE: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Evans, Arian: "RE: Crashing services with NMAP and/or SuperScan ?"
• Maybe reply: Donald Whitfield: "Re: Crashing services with NMAP and/or SuperScan ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]