Re: Crashing services with NMAP and/or SuperScan ?

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Wed Nov 24 2004 - 02:46:05 EST


Petr.Kazil@eap.nl wrote:

> Qugiestion:
> Do you think that running nmap without the -sV -O options could avoid this
> and still ve me enough information?

   Depends on what 'enough' is. It's usually best to save -sV or -O
until you really need them, rather than apply them to everything that's
there. -sV (application fingerprinting) sends data to ports without any
means of knowing that that service on that port is robust enough to
withstand such probing. It's not quite the same as those robustness
tests that essentially sent random data to various Unix utilities and
watched them for signs of discomfort, but close.

   Send an SNMP request to any other UDP service -- can you say for
certain that it will survive? It should ... but then this is the real
world. There's no knowing just how fragile a network or system is,
unless you test.

   There are POP servers on VMS that won't take a reset TCP session for
reason enough to close the session, but instead hang on until they're
shot down, and until then load the system more than they should
(not a good thing to have on a billing system). There is Win95-based
electro-cardiogram reader controlling software that dies at the mere
mention of a scan.

   You have identified possible vulnerabilities with your scans, though
perhaps not those you were looking for. An intruder on the network --
or indeed any random person with a port scanner -- would do the same
damage under less controlled circumstances. An interesting question
remains: do those crashes indicate *serious* vulnerabilities? Buffer
overflows? Could you inject hostile code, and take over the systems?
Should these systems perhaps be protected more actively?

-- 
Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63	
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT