Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: NMAP brings down Exchange Cluster?
From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Fri, 6 May 2011 18:07:47 -0400

With your command line parameters Nmap is not establishing a full tcp connection, let alone sending any data to server 
software.

These half open tcp sessions are quickly cleaned up, so the instability couldn't be caused by a syn flood either.

On 2011-05-06, at 9:48 AM, "Siegle, Christopher J." <Christopher.Siegle () klgates com> wrote:

Here are the ports nmap found on one of the cluster machines.  RPC is suspect, but that assumes that nmap is creating 
an endpoint and testing.  I'm not sure it does that.
 
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
6001/tcp open  X11:1

From: Hani Benhabiles [mailto:kroosec () gmail com] 
Sent: Friday, May 06, 2011 9:18 AM
To: Siegle, Christopher J.
Cc: Michael Pattrick; nmap-dev () insecure org
Subject: Re: NMAP brings down Exchange Cluster?

It would be also interesting if you could provide some packet capture or check it yourself and tell more about at 
what parts of the scan the problems do occur.

--Hani

On Fri, May 6, 2011 at 2:10 PM, Siegle, Christopher J. <Christopher.Siegle () klgates com> wrote:
I asked if we could test this against our secondary data center.  I'll share results if the test actually occurs.  
Have you seen this happen before?  What did nmap do to create such a problem?

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Michael Pattrick
Sent: Friday, May 06, 2011 8:58 AM
To: Siegle, Christopher J.
Cc: nmap-dev () insecure org
Subject: Re: NMAP brings down Exchange Cluster?

Both an interesting and testable assertion! Do these crashes occur mid scan? If so, you could be partially to 
blame(along with whoever configured such a delicate exchange installation). If not, try to give up scanning for a few 
weeks, Nmap is off the hook if more infrastructure problems occur.

The command line parameter you gave are quite benign, and shouldn't be capable of taking down any server. So I doubt 
Nmap it to blame.

-M

On 2011-05-05, at 9:18 AM, "Siegle, Christopher J." <Christopher.Siegle () klgates com> wrote:

Hi nmappers.

Recently, my infrastructure peers have asserted that my use of nmap to scan our data center has caused various 
problems including bringing down FOLB clusters (Exchange servers).  Although I think this is highly unlikely, I 
wanted to get some feedback on this issue.

I am using the following command line switches:

-T3
-sS
-F
-O
-oX

sometimes d4

I appreciate your time.

==================================
Christopher J. Siegle "Chris"
Software Architect
K&L Gates, LLP
K&L Gates Center
210 Sixth Avenue
Pittsburgh, PA 15222-2613 (412) 355-8659
mailto:christopher.siegle () klgates com

This electronic message contains information from the law firm of K&L Gates LLP.  The contents may be privileged 
and confidential and are intended for the use of the intended addressee(s) only.  If you are not an intended 
addressee, note that any disclosure, copying, distribution, or use of the contents of this message is prohibited.  
If you have received this e-mail in error, please contact me at Christopher.Siegle () klgates com 


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]