Re: Port Scanning.

From: Faisal Khan (
Date: 12/13/04

  • Next message: Jaysen E. Sweeting: "RE: Laptop Considerations"
    Date: Mon, 13 Dec 2004 21:50:59 +0500


    Thanks for the detailed post. I was just reaffirming my own gut feeling.
    Only bummer is doing a good scan on a Class C - takes up a few hours.
    Besides the client has lots of security gear, the funny thing is sometimes
    the firewalls sense that someone is doing a port scan, other times - it
    does not. But the main reason to do it a few times is

    (a) To be sure about it - rather than basing an entire pen-test on a single
    report of port scan.
    (b) Client will most likely ask for multiple scan reports
    (c) The IPS devices in their network sometimes will block the port scanner
    and sometimes allow it to function based on the originating IP. This is why
    we have to resort to multiple IPs from various (read: different) Class C
    addresses - in the hope that the IPS devices do not temporarily blacklist
    our IPs from where the scan is taking place.


    At 09:24 PM 12/13/2004, wrote:
    >Hi Faisal,
    >I found that using nmap alone is usually enough, provided you use the
    >proper settings. An exception is when you're dealing with a firewall
    >trying to assess how exactly things interconnect, in such cases you can
    >try hping2/3 or firewalk.
    >A short time ago I posted an answer somewhere about the most useful nmap
    >settings to scan a "normal" network. IMHO:
    >* use a very comon source port, like 80 (-g 80)
    >* fragment, and be sure that nothing on YOUR side is trying to defragment
    >* use paranoid timing, to avoid overreaction from an eventual IDS (-T0)
    >* use SYN scan (-sS)
    >* use decoys if overreacting IDS are a concern, and if allowed by your
    >contract! (-D {decoy1},{decoy2},...)
    >Then go for any advanced techniques, as required (for example ACK or
    >Window scan).
    >You can combine OS detection to the above, scan UDP ports, etc., this will
    >depend exactly on the setup of the network you're checking, and what are
    >you looking for.
    >If you don't know what to expect, scan the entire port range, sometimes I
    >found interesting things in high ports (for example a proxy, or a Java
    >application server), that were not supposed to be open to the world.
    >Lastly, don't forget some of the most esoteric and advanced techniques,
    >that are used once every solsctice, like IPID scan from probably trusted
    >machines, etc.
    >Because some times you need to use advanced techniques, very often you
    >need to scan more than once, but I also recommend (if possible) to scan
    >from a completely different source IP address (example: scanning a certain
    >system in Spain from my country showed 2 open ports of a proxy installed
    >by the ISP, but these ports were not shown when scanned from the same
    >ISP's network).
    >IMHO nmap is simply the best port scanner out there. But of course other
    >people can have different preferences, so no flame wars on port scanners
    >please ;-)
    >I like it on Linux more than on Windows, *somehow* I found it more
    >reliable ;-)
    >IIRC, Fyodor is a member of this list, so perhaps he can enlighten us all
    >(or send us to RTFM ;-)
    >Miguel Dilaj (Nekromancer)
    >Vice-President of IT Security Research, OISSG
    >Faisal Khan <>
    >13/12/2004 14:46
    > To:
    > cc: (bcc: Miguel Dilaj/PH/Novartis)
    > Subject: Port Scanning.
    >What's a good industry practise whilst doing port-scanning during a
    >Do you rely on the results of a single vendor's software or do you use
    >multiple softwares?
    >Also, with each OEM/vendor - do you scan once or twice?
    >I need to do a scan on a Class C Address if that matters in any way.

    Faisal Khan, CEO
    Net Access Communication
    Systems (Private) Limited

    Network Security - Secure Web Hosting
    Managed Internet Services - Secure Email
    Dedicated Servers - Reseller Hosting

    Visit for more information.

  • Next message: Jaysen E. Sweeting: "RE: Laptop Considerations"

    Relevant Pages

    • RE: Printing from Win9x clients stops
      ... > and make sure this software does not interfere with SBS Server. ... > clients, please disable it and try again. ... Create a local printer and redirect the port to the network server. ...
    • RE: SBS 2003, ISA 2004
      ... ISA and IIS try listening on these two ports. ... by default the Web Proxy is listening on port 8080 ... of the local network adapter. ... Microsoft CSS Online Newsgroup Support ...
    • Re: ERS 8600, simple setup, IP, VLANs, etc.
      ... management port is just used to hang an IP address to. ... associated with an interface, such as a VLAN. ... fairly functionally homogenous network), but something that is ... or OS virtuallization - except that networks have been doing this kind of ...
    • network slowness/freez-up since update 10/11
      ... network problems: first the network is slow (even within a few ... network - but not the rest of the system - just locks up (can't ping ... OHCI version 1.0, legacy support ... <Parallel port bus> on ppc0 ...
    • network slowness/freez-up since update 10/11
      ... network problems: first the network is slow (even within a few ... network - but not the rest of the system - just locks up (can't ping ... OHCI version 1.0, legacy support ... <Parallel port bus> on ppc0 ...