Re: Crashing services with NMAP and/or SuperScan ?

From: Anders Thulin (Anders.Thulin_at_tietoenator.com)
Date: 11/24/04

Date: Wed, 24 Nov 2004 08:46:05 +0100
To: Petr.Kazil@eap.nl

    Petr.Kazil@eap.nl wrote:

    > Question:
    > Do you think that running nmap without the -sV -O options could avoid this
    > and still give me enough information?

       Depends on what 'enough' is. It's usually best to save -sV or -O
    until you really need them, rather than apply them to everything that's
    there. -sV (application fingerprinting) sends data to ports without any
    means of knowing that that service on that port is robust enough to
    withstand such probing. It's not quite the same as those robustness
    tests that essentially sent random data to various Unix utilities and
    watched them for signs of discomfort, but close.

       Send an SNMP request to any other UDP service -- can you say for
    certain that it will survive? It should ... but then this is the real
    world. There's no knowing just how fragile a network or system is,
    unless you test.

       There are POP servers on VMS that won't take a reset TCP session for
    reason enough to close the session, but instead hang on until they're
    shot down, and until then load the system more than they should
    (not a good thing to have on a billing system). There is Win95-based
    electro-cardiogram reader controlling software that dies at the mere
    mention of a scan.

       You have identified possible vulnerabilities with your scans, though
    perhaps not those you were looking for. An intruder on the network --
    or indeed any random person with a port scanner -- would do the same
    damage under less controlled circumstances. An interesting question
    remains: do those crashes indicate *serious* vulnerabilities? Buffer
    overflows? Could you inject hostile code, and take over the systems?
    Should these systems perhaps be protected more actively?

    -- 
    Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63
    TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
