RE: Crashing services with NMAP and/or SuperScan ?

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 11/24/04

    To: <Petr.Kazil@eap.nl>, <pen-test@securityfocus.com>
    Date: Wed, 24 Nov 2004 07:58:33 -0500
    
    

    Keying on your last paragraph, I have run into this and did exactly
    that. I said something like, "We really need to track down exactly what
    broke, can we schedule a time for a repeat test."

    -----Original Message-----
    From: Petr.Kazil@eap.nl [mailto:Petr.Kazil@eap.nl]
    Sent: Tuesday, November 23, 2004 5:42 AM
    To: pen-test@securityfocus.com
    Subject: Crashing services with NMAP and/or SuperScan ?

    > (Side question: Has anyone ever crashed a server when the dangerous scans
    > are disabled?)

    L.S.

    I'm doing a series of quickscans in divisions of a large organization. I
    intentionally don't go deep, I just scratch the surface. So we can find
    only bad security errors, nothing subtle.

    One step in the quickscan is a portscan of the internal network. I've tried
    both nmap and Superscan. This usually brings out a lot of unexpected mail
    services, ftp servers, low services, web management interfaces etc.

    With Superscan I seem to have blown out a switch. It went "red" on the HP
    Openview screen and didn't react to ping anymore. All the network traffic
    continued - fortunately :-) As of today the admins haven't been able to
    tell me what really happened. I haven't dared to try Superscan anymore -
    although I like its output very much - especially its checks for headers
    and anonymous FTP and SMTP.

    Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and
    Unix machines, but on WinNT SP5 (!) machines I seem to have blown out:
    - one Oracle TNS Listener - however the admin said "everything continued to
    function"
    - 2 or 3 Storageworks EVA Secure Path services.

    Fortunately the admins were not upset. They looked through the services on
    the servers, looked which ones had gone "stopped" and set them back to
    "started".

    Question:
    Do you think that running nmap without the -sV -O options could avoid this
    and still give me enough information?

    These are always difficult situations - replication is not easy (I cannot
    ask: "Can I run the scan again and see if the same thing happens?"). I
    can't test all OS versions on my test network. I'm not even sure if I'm
    really to blame, it could even be coincidence ...

    Of course I asked (and re-asked) before my scan: What subnetwork can I scan
    and which IPs should I avoid? Answer: We don't expect any problems, just
    take our whole subnet.

    Your comments are very welcome.

    Greetings, Petr Kazil

