Re: Crashing services with NMAP and/or SuperScan ?

From: William Allsopp (William_Allsopp@eur.3com.com)
Date: Wed Nov 24 2004 - 05:41:16 EST


>One step in the quickscan is a portscan of the internal network. I've tried
>both nmap and Superscan. This usually brings out a lot of unexpected mail
>services, ftp servers, low services, web management interfaces etc.

Superscan 3 seemed to have various issues accurately detecting common network
services, particularly SMTP, FTP and H.323 for some reason, even on short haul
networks. Superscan 4 is marginally better, but I'd suggest Mingsweeper from
hoobie.net as a good Windows port scanner.

>Yesterday I ran nmap -sS -sV -O ... There were no problems on Win2K and
>Unix machines, but on WinNT SP5 (!) machines I seem to have blown out :
>- one Oracle TNS Listener - however the admin said "everything continued to
>function"
>- 2 or 3 Storageworks EVA Secure Path services.

I would think that your problem is with the -O flag. A lot of people have
reported similar behaviour with the O/S detection.

>Fortunately the admins were not upset. They looked through the services on
>the servers, looked which ones had gone "stopped" and set them back to
>"started".

That's a rare admin!

>Question:
>Do you think that running nmap without the -sV -O options could avoid this
>and still give me enough information?

Most definitely. You shouldn't be relying on information from the O/S detection
and version modules anyway.

>Of course I asked (and re-asked) before my scan: What subnetwork can I scan
>and which IP's should I avoid? Answer: We don't expect any problems, just
>take our whole subnet.

These activities carry a certain inherent risk, but in the many pen tests I've
done, I've never seen a problem caused by a port scan that wasn't straightforward
to correct. It really depends on your network, how you're scanning and
how many simultaneous connections you feel comfortable putting across your LAN.

>Your comments are very welcome.

I hope this helps, you might also want to refer to Fyodor's general scanning
guide: http://www.insecure.org/nmap/nmap_doc.html

W.
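The admins in the thread found the damage by eyeballing the service list for anything that had gone "stopped". The following PowerShell script is an added example, not part of the original message, that automates that check: run it once before the scan to snapshot service states, and once afterwards to list (and optionally restart) services that were Running before and are not any more. The snapshot directory, file names and the `-Restart` switch are assumptions for this example; it assumes a host with PowerShell, which the NT4 boxes in the thread would not have had.

```powershell
# Added example: snapshot Windows service states before a port scan and compare
# afterwards to find services that were Running and are no longer.
# Snapshot location and parameter names are assumptions for this example.
param(
    [ValidateSet('Before', 'After')]
    [string]$Phase = 'Before',
    [string]$SnapshotDir = (Join-Path $env:TEMP 'svc-snapshots'),  # assumed path
    [switch]$Restart   # when set, attempt Start-Service on anything that stopped
)

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$beforeFile = Join-Path $SnapshotDir 'before.xml'
$afterFile  = Join-Path $SnapshotDir 'after.xml'

# Capture name, display name and status. Status is converted to a plain string so
# that the values compare cleanly after a round trip through Export/Import-Clixml.
$snapshot = Get-Service | Select-Object Name, DisplayName,
    @{ Name = 'Status'; Expression = { $_.Status.ToString() } }

if ($Phase -eq 'Before') {
    $snapshot | Export-Clixml -Path $beforeFile
    Write-Host "Saved $($snapshot.Count) service states to $beforeFile"
    return
}

if (-not (Test-Path $beforeFile)) {
    throw "No pre-scan snapshot found at $beforeFile; run with -Phase Before first."
}

$snapshot | Export-Clixml -Path $afterFile
$previous = Import-Clixml -Path $beforeFile

# Index the pre-scan states by service name for a quick lookup.
$prevStatus = @{}
foreach ($svc in $previous) { $prevStatus[$svc.Name] = $svc.Status }

# Report every service that was Running before the scan and is not Running now.
$stopped = foreach ($svc in $snapshot) {
    if ($prevStatus.ContainsKey($svc.Name) -and
        $prevStatus[$svc.Name] -eq 'Running' -and
        $svc.Status -ne 'Running') {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Before      = $prevStatus[$svc.Name]
            After       = $svc.Status
        }
    }
}

if (-not $stopped) {
    Write-Host 'No services changed from Running to another state.'
    return
}

$stopped | Format-Table -AutoSize

if ($Restart) {
    foreach ($svc in $stopped) {
        try {
            Start-Service -Name $svc.Name -ErrorAction Stop
            Write-Host "Restarted $($svc.Name)"
        } catch {
            Write-Warning "Could not restart $($svc.Name): $($_.Exception.Message)"
        }
    }
}
```

Usage: `.\Check-ServiceDrift.ps1 -Phase Before` on each host in scope ahead of the scan, then `.\Check-ServiceDrift.ps1 -Phase After` (add `-Restart` to start what stopped). Services that were already stopped before the scan are deliberately ignored, so the report only shows drift the scan could have caused; anything it lists is also what you should expect to see in the System event log around the time of the scan.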



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:08 EDT