> Would it make a difference if I scanned ports 1-1024 with a
> port scanner vs. first using a browser to see if you had an
> HTTP daemon running on any port, then an FTP client on every
> port to see about an FTP daemon, etc., etc.? I'm not trying to
> be a smart@$$ or anything, I just like philosophical
> discussion, especially when I can get a techie angle in there
> too :)

I'd argue that it depends on intent. Since I can't determine what's inside
your head, I'd judge your intent based on my observation of your behavior.
I'm more likely to see a port scan, and I'm more likely to suspect malice,
than if you used an HTTP client to connect to an HTTP service, etc.

Deep down in your black little heart, though, you could certainly be one of
the most malicious, yet supremely patient, criminal minds, and I just
wouldn't know it. That's a problem we can't solve. We have to judge intent
by observed behavior.

> To take this further, let's say I was going to have an ISP host my
> corporate site. Would it be unethical or illegal to perform a
> non-intrusive scan of the server(s) in question to get an idea
> of whether they had their equipment somewhat secure? Granted,
> I wouldn't be able to do stack smashes, password interrogations,
> etc. but, on the other hand it's in my interest to know something
> more than, "we have redundant OC3 lines and 24 hour tech support."
> For a more thorough test I would, of course, make a formal
> request. Your thoughts?

We've already discussed ethics. It may be legal or illegal, depending on
your arrangement with your host. If that arrangement doesn't cover port
scans, be prepared to explain yourself (and if you can, do it in advance).

> As you say, "do some complete, non-subtle port scans on
> federal or state government networks ...". I actually have
> done this and the response is usually pretty quick. In my
> defense, I had proxy authority to do so, so once I explained
> myself everything was fine. Unfortunately, my experience has
> been that the response typically comes from the networking
> group, not server admins, and only after you start analyzing
> the interfaces on their routers :) There aren't many server
> admins, especially in the NT "world", who have a clue about
> how to log queries into specific ports or accounts. This is not
> so true in the *NIX world where I think most admins have a better
> understanding of their systems and tools are more readily
> available. Only recently have intrusion detection tools similar
> to Tripwire and the like been made as readily available for
> Win32 systems.

The network admins are in the best position to do this; they're the ones
with the tools to notice scans across multiple addresses, and they can
monitor all the network traffic through one or two points through which it
will all cross.

As for NT server admins, guilty as charged. Many NT sysadmins don't know
very much, but that's the appeal of NT - you don't have to know very much,
and I think that's a good thing, generally.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
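
The point in the message above about the network group being best placed to notice scans across multiple addresses, as an added example that is not part of the original message: the same constructed connection log is read once from the network choke point and once from a single server. The function names, thresholds and log layout are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed connection log (source, destination, destination port), as a
# border router or firewall might record it. Addresses are documentation ranges.
SAMPLE_FLOWS = (
    [("198.51.100.7", f"192.0.2.{h}", 80) for h in range(1, 9)]   # one port, 8 hosts
    + [("203.0.113.20", "192.0.2.3", p) for p in range(20, 45)]   # 25 ports, one host
    + [("203.0.113.50", "192.0.2.1", 80),                         # ordinary client
       ("203.0.113.50", "192.0.2.1", 443),
       ("203.0.113.50", "192.0.2.2", 21)]
)

def classify_sources(flows, host_limit=5, port_limit=10):
    """Network-wide view: label each source by its fan-out.

    host_limit and port_limit are assumed thresholds, not recommended values.
    """
    hosts = defaultdict(set)                        # source -> destinations touched
    ports = defaultdict(lambda: defaultdict(set))   # source -> destination -> ports
    for src, dst, dport in flows:
        hosts[src].add(dst)
        ports[src][dst].add(dport)
    verdicts = {}
    for src in hosts:
        widest = max(len(p) for p in ports[src].values())
        if len(hosts[src]) >= host_limit:
            verdicts[src] = "horizontal sweep"      # same probe across many addresses
        elif widest >= port_limit:
            verdicts[src] = "vertical scan"         # many ports on one address
        else:
            verdicts[src] = "normal"
    return verdicts

def single_server_view(flows, server):
    """What one server's own log shows: distinct ports tried per source."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dst == server:
            seen[src].add(dport)
    return {src: len(p) for src, p in seen.items()}

if __name__ == "__main__":
    print(classify_sources(SAMPLE_FLOWS))
    print(single_server_view(SAMPLE_FLOWS, "192.0.2.1"))
```

From 192.0.2.1 alone, the sweeping source looks quieter than the ordinary client; only the aggregated view shows it touching eight addresses.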