Home page logo

basics logo Security Basics mailing list archives

Re: Yet another thread on the legality of port scanning
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 18 Mar 2004 13:29:30 -0500

David Gillett wrote:

 Portscans don't discover services, just ports.
Semantics - I was trying to stay within the scope of the previous messages, which were straying wildly away from port scanning.

Anyway, with the latest version of nmap, a port scan can do service discovery. It all depends on what the returning packets include. Again, this is semantical and not relevant to the topic at hand, really.

If CNN wants to provide an anonymous FTP service, they're likely to put it on ftp://ftp.cnn.com . www.cnn.com should almost certainly
be dedicated to web service, and any FTP service running on that box
is *probably* only intended for distribution of content updates to
the web site; if it accepts anonymous connections, that's more likely
by mistake than by design.  "Reasonable man" says that if they have
an intended anonymous FTP site, that's not where it is.

My point was that hostname doesn't dictate accessability. If I name my website http://www.yournotauthorized.com, your "reasonable man" hypothesis would dictate that people should never visit my website -- what if my business is Not Authorized Security, Inc. and I focused on detecting intrusions?

My point isn't whether anon FTP servers should be placed on web servers nor whether that's a good or normal idea. Suffice it to say that it happens frequently enough and that enough website anf FTP server FQDNs *DON'T* begin with www that your "reasonable man" assertions are left in a situation that is far too vague to be useful.

By that thinking, http://isc.sans.org/ or ftp://mirrors.kernel.org should be offlimits, but they aren't.

Also, the assumption you're making is that "reasonable man" understands the standards that we're talking about. A "reasonable man" (aka, most users) can still be both reasonable and ignorant. Expecting them to understand this concept when we ourselves don't follow it is unreasonable.

Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]