I was thinking more of scans which do not disrupt the QoS for the target.
Granted, this wouldn't constitute a very robust scan but, if you haven't
been asked to do it and you disrupt/crash the server, that crosses the line.
Because I wouldn't ever attempt to test for things like buffer overflows
unless I was explicitly asked to do so, I didn't consider those in my
argument. I don't in any way advocate or condone posting scan results
publicly.

Would it make a difference if I scanned ports 1-1024 with a port scanner vs.
first using a browser to see if you had an HTTP daemon running on any port,
then an FTP client on every port to see about an FTP daemon, etc, etc.? I'm
not trying to be a smart@$$ or anything, I just like philosophical
discussion, especially when I can get a techie angle in there too :) To take
this further, let's say I was going to have an ISP host my corporate site.
Would it be unethical or illegal to perform a non-intrusive scan of the
server(s) in question to get an idea of whether they had their equipment
somewhat secure? Granted, I wouldn't be able to do stack smashes, password
interrogations, etc., but, on the other hand, it's in my interest to know
something more than, "we have redundant OC3 lines and 24 hour tech support."
For a more thorough test I would, of course, make a formal request. Your
thoughts?

As you say, "do some complete, non-subtle port scans on federal or state
government networks ...". I actually have done this and the response is
usually pretty quick. In my defense, I had proxy authority to do so, so once
I explained myself everything was fine. Unfortunately, my experience has
been that the response typically comes from the networking group, not server
admins, and only after you start analyzing the interfaces on their routers
:) There aren't many server admins, especially in the NT "world", who have a
clue about how to log queries into specific ports or accounts. This is not
so true in the *NIX world where I think most admins have a better
understanding of their systems and tools are more readily available. Only
recently have intrusion detection tools similar to Tripwire and the like
been made as readily available for Win32 systems.

Regards,

Steve

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 05, 2000 7:33 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Security holes revisited


> Not to mention the fact that you don't actually have to utilize a
> vulnerability to know that it is there. Vulnerabilities all
> have signatures or characteristics that make them visible without
> doing anything illegal at all, unless you want to argue that having
> your router route traffic to the machine in question constitutes
> improper use of your private property. Anyway, there are numerous
> tools out there that will not only scan a machine for vulnerabilities
> and report back what they are, but also how they work, and how they
> can be fixed. In my opinion, this is like driving by a house with
> all the doors wide open and then leaving a note saying, "Hey, <silly
> person>! You left your doors wide open." As long as they don't take
> your TV or tell their friend to do so nothing has changed. I feel
> that a lot of the anger and rant following this sort of thing stems
> from pure embarrassment. Get over it and learn to tighten up the ship.
> If it's that critical it shouldn't be scannable to begin with.

This is one of the rare times I have to disagree with you. Not all
vulnerabilities are simply a matter of scanning, and scanning itself,
carried to its extreme, is an intrusion. Following your analogy, a complete
system scan (say all ports from 1-65k, attempts to communicate with IPC
listeners, OS/service identification, etc) wouldn't be like someone driving
by my house, but more like someone walking through my house and looking in
the clothes hamper! Even if they didn't touch anything, they've gone where
they shouldn't. I'm not the only one who feels this way: do some complete,
non-subtle port scans on federal or state government networks, and see how
long it takes for the hostmaster for your IP address range to get an email
(The answer: less than 10 minutes).

In any case, there are lots of vulnerabilities which do require more than
scanning; buffer overflows, for instance, require that you send malformed
data, and if the overflow condition exists, the vulnerable service may crash
itself or the OS. Or, you might consider linked vulnerabilities, where the
outer one might be easily scanned, but the inner one requires that you
exploit the outer one. For example, my web server is vulnerable, and my
database is vulnerable from the web server. So, someone gets a list of
credit card numbers out and hands them to me. Finally, if you follow your
scanning example to its logical extreme, then denial of service attacks are
just fine; they don't take advantage of any target vulnerabilities.

I don't know; it sounds like crime to me.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
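Both messages above touch on the defender's side of this debate: Dave notes that a noisy scan of a government network draws a hostmaster email in under ten minutes, and Steve observes that many admins of the day did not know how to log connection attempts to specific ports. The script below is an added example, written by the editor and not part of either message, of the kind of detection that produces that ten-minute response: it reads packet-filter log lines and flags any source address that touches many distinct ports within a short window. The log format, the sample lines (which use RFC 5737 documentation addresses) and the threshold and window values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of packet-filter log lines (not from any real system).
# Assumed format: "<ISO timestamp> DROP <src> -> <dst>:<dport> <proto>"
# 203.0.113.7  : fast sweep of ten ports in four seconds (should be flagged)
# 203.0.113.50 : ordinary client retrying two ports (should not be flagged)
# 203.0.113.99 : one port every two minutes (below rate in a 60 s window)
SAMPLE_LOG = """\
2000-04-05T19:33:00 DROP 203.0.113.7 -> 198.51.100.10:21 TCP
2000-04-05T19:33:00 DROP 203.0.113.7 -> 198.51.100.10:22 TCP
2000-04-05T19:33:01 DROP 203.0.113.7 -> 198.51.100.10:23 TCP
2000-04-05T19:33:01 DROP 203.0.113.7 -> 198.51.100.10:25 TCP
2000-04-05T19:33:02 DROP 203.0.113.7 -> 198.51.100.10:53 TCP
2000-04-05T19:33:02 DROP 203.0.113.7 -> 198.51.100.10:80 TCP
2000-04-05T19:33:03 DROP 203.0.113.7 -> 198.51.100.10:110 TCP
2000-04-05T19:33:03 DROP 203.0.113.7 -> 198.51.100.10:135 TCP
2000-04-05T19:33:04 DROP 203.0.113.7 -> 198.51.100.10:139 TCP
2000-04-05T19:33:04 DROP 203.0.113.7 -> 198.51.100.10:443 TCP
2000-04-05T19:33:10 DROP 203.0.113.50 -> 198.51.100.10:8080 TCP
2000-04-05T19:33:11 DROP 203.0.113.50 -> 198.51.100.10:8080 TCP
2000-04-05T19:33:12 DROP 203.0.113.50 -> 198.51.100.10:8443 TCP
2000-04-05T19:35:00 DROP 203.0.113.99 -> 198.51.100.10:21 TCP
2000-04-05T19:37:00 DROP 203.0.113.99 -> 198.51.100.10:22 TCP
2000-04-05T19:39:00 DROP 203.0.113.99 -> 198.51.100.10:23 TCP
2000-04-05T19:41:00 DROP 203.0.113.99 -> 198.51.100.10:25 TCP
2000-04-05T19:43:00 DROP 203.0.113.99 -> 198.51.100.10:53 TCP
2000-04-05T19:45:00 DROP 203.0.113.99 -> 198.51.100.10:80 TCP
2000-04-05T19:47:00 DROP 203.0.113.99 -> 198.51.100.10:110 TCP
2000-04-05T19:49:00 DROP 203.0.113.99 -> 198.51.100.10:135 TCP
2000-04-05T19:51:00 DROP 203.0.113.99 -> 198.51.100.10:139 TCP
2000-04-05T19:53:00 DROP 203.0.113.99 -> 198.51.100.10:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("src"), int(m.group("dport")))


def detect_port_sweeps(lines, threshold=8, window_seconds=60):
    """Flag sources that touch at least `threshold` distinct destination ports
    within any `window_seconds`-long window.  Returns {src: sorted ports seen
    in that source's busiest window}.  Malformed lines are skipped."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dport = parsed
            by_src[src].append((ts, dport))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so each window starts at events[i]
        busiest = set()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) > len(busiest):
                busiest = ports
        if len(busiest) >= threshold:
            flagged[src] = sorted(busiest)
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible port sweep from {src}: {len(ports)} distinct ports {ports}")
```

With the defaults only 203.0.113.7 is reported; widening the window (for example to 30 minutes) also catches the slow 203.0.113.99 sweep, which is the usual trade-off between catching patient scanners and raising alerts on ordinary clients that retry a few ports.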

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk