RE: Port Scanning.

From: rzaluski (rzaluski_at_ivolution.ca)
Date: 12/14/04

    To: "'Piskovatskov, Alexey'" <Alexey.Piskovatskov@bindview.com>, "'Faisal Khan'" <faisal@netxs.com.pk>, <pen-test@securityfocus.com>
    Date: Mon, 13 Dec 2004 23:53:32 -0500

    Port scanning is only part of it. If you are using manual or automated
    tools you still need to VERIFY that the port number associated with the
    protocol is indeed what it advertises to be. Nmap for instance blindly
    accepts that port 22 is associated with SSH, but is this a fact? You should
    always verify the port protocol to ensure that this is the case.

    For instance, running nmap output through amap.
    - amap interrogates the protocol bound to the port number

    For instance you can do the following:
    Step 1. Scan the target host and produce a machine-readable output file. In
    this case it is "output.nmap"
    nmap -sS 10.21.1.5 -oM output.nmap

    ----------------------------------------------------

    Step 2. Use this output file as input for amap.
    amap -i output.nmap

    .........sample output............................

    amap -i output.nmap
    amap v4.7 (www.thc.org) started at 2004-12-14 00:50:02 - APPLICATION MAP mode

    Protocol on 10.21.1.5:22/tcp matches ssh
    Protocol on 10.21.1.5:22/tcp matches ssh-openssh
    Protocol on 10.21.1.5:443/tcp matches http
    Protocol on 10.21.1.5:443/tcp matches http-apache-2
    Protocol on 10.21.1.5:80/tcp matches http
    Protocol on 10.21.1.5:25/tcp matches smtp
    Protocol on 10.21.1.5:80/tcp matches http-apache-2

    .... you get the idea

    As you can see amap also found that we are running an apache server ;-)

    amap is a good tool that can be downloaded from
    http://www.thc.org/releases.php

    Richard Zaluski
    CISO, Security and Infrastructure Services
    iVolution Technologies Incorporated
    905.309.1911
    866.601.4678
    905.524.8450 (Pager)
    www.ivolution.ca
    rzaluski@ivolution.ca
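The check described above, as an added example that is not part of the original post or of nmap/amap: it parses nmap's machine-readable output, names the protocol from each port's banner with a few amap-style signatures, and flags ports whose advertised service name does not match what the port actually speaks. The scan output and the banners are constructed sample data, so it runs offline; a real run would collect the banners from the hosts listed in the scan file.

```python
import re

# Constructed sample of nmap's machine-readable (-oM / -oG) output, not a real scan.
NMAP_OUTPUT = """# Nmap 3.75 scan initiated as: nmap -sS 10.21.1.5 -oM output.nmap
Host: 10.21.1.5 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 2222/open/tcp//EtherNetIP-1///\tIgnored State: closed (996)
"""

# Constructed banners, as a probe would see them (first bytes each port returns).
BANNERS = {
    ("10.21.1.5", 22): b"SSH-2.0-OpenSSH_3.9p1\r\n",
    ("10.21.1.5", 25): b"220 mail.example.com ESMTP Postfix\r\n",
    ("10.21.1.5", 80): b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.52\r\n\r\n",
    ("10.21.1.5", 2222): b"SSH-2.0-OpenSSH_3.9p1\r\n",  # SSH hiding on a non-standard port
}

# Minimal protocol signatures in the spirit of amap's response matching.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^220 .*SMTP", re.IGNORECASE)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
]

def parse_nmap_machine(text):
    """Return [(host, port, advertised_service)] for open TCP ports in -oM/-oG output."""
    results = []
    for line in text.splitlines():
        m = re.search(r"^Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            # Field layout per port: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp":
                results.append((host, int(port), service))
    return results

def identify(banner):
    """Name the protocol from the banner, or 'unknown' if no signature matches."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"

def verify(nmap_text, banners):
    """Compare nmap's port-table guess with what each port actually speaks."""
    report = []
    for host, port, advertised in parse_nmap_machine(nmap_text):
        observed = identify(banners.get((host, port), b""))
        report.append((host, port, advertised, observed, advertised == observed))
    return report

if __name__ == "__main__":
    for host, port, adv, obs, ok in verify(NMAP_OUTPUT, BANNERS):
        print(f"{host}:{port} nmap says {adv:<13} banner says {obs:<8} {'OK' if ok else 'MISMATCH'}")
```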

    -----Original Message-----
    From: Piskovatskov, Alexey [mailto:Alexey.Piskovatskov@bindview.com]
    Sent: Monday, December 13, 2004 11:24 AM
    To: Faisal Khan; pen-test@securityfocus.com
    Subject: RE: Port Scanning.

    There's a good document by NIST on this subject:
    http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
    Because of the nature of scanners to report false positives/negatives,
    using multiple vendors and/or free tools is appropriate.

    Best,

    Alexey

    -----Original Message-----
    From: Faisal Khan [mailto:faisal@netxs.com.pk]
    Sent: Monday, December 13, 2004 8:47 AM
    To: pen-test@securityfocus.com
    Subject: Port Scanning.

    What's a good industry practise whilst doing port-scanning during a
    pen-test?

    Do you rely on the results of a single vendor's software or do you use
    multiple software packages?

    Also, with each OEM/vendor - do you scan once or twice?

    I need to do a scan on a Class C Address if that matters in any way.

    Faisal

    Faisal Khan, CEO
    Net Access Communication
    Systems (Private) Limited
    ________________________________

    Network Security - Secure Web Hosting
    Managed Internet Services - Secure Email
    Dedicated Servers - Reseller Hosting

    Visit www.netxs.com.pk for more information.
