Nmap Hackers: Re: Examples of legit nmap usage?

From: Lamont Granquist <lamontg_at_raven.genome.washington.edu>
Date: Mon, 20 Sep 1999 11:23:17 -0700

On Sat, 18 Sep 1999, Max Vision wrote:
> specify -F). You should limit your scan to the services that you can,
> yourself, explain why they are interesting or should be checked for.

Is this really the best idea? If you're looking for Windoze trojans, then
they could be listening on any port. The thing to do, it would seem, is to
-sS scan for port 135/139 (fragile-stack-friendly-os-detection) and then
scan the entire portrange on these machines looking for trojans. Then
ideally you save this info into a file and run a scan every N time units
and compare the results with previous information.
 
And I've got a question as to how you go about doing forensics to
determine if a WinNT/Win9X box has been trojaned when you find a really
suspicious looking open port on the box? For example, there's this Win
box we've got on our network (which I don't admin) and which is listening
on port 4692/udp. The person who uses this box downloads a lot of stuff
from the net. I suspect this is a possible trojan, but where the hell do
I go from here? This might be getting a little afield of nmap discussion,
but I think it's appropriate because it'd be good to be able to back up
nmap scans with actual solid evidence on the machine that it has been
compromised.

-- 
Lamont Granquist                       lamontg_at_genome.washington.edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg_at_raven.genome.washington.edu | pgp -fka
Received on Sep 20 1999
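
The save-and-compare step described in the message above, as an added example that is not part of the original post: it parses two Nmap grepable (`-oG`) outputs and reports ports that opened or closed between runs. The scan text, hosts and function names are constructed for illustration; only ports in the exact state `open` are counted.

```python
import re

# Constructed sample scans in Nmap grepable (-oG) format; hosts are made up.
BASELINE = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 (winbox1)\tStatus: Up
Host: 192.0.2.10 (winbox1)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (65533)
Host: 192.0.2.11 (winbox2)\tPorts: 21/open/tcp//ftp///, 139/open/tcp//netbios-ssn///
"""
LATEST = """\
Host: 192.0.2.10 (winbox1)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 4692/open/udp//unknown///
Host: 192.0.2.11 (winbox2)\tPorts: 139/open/tcp//netbios-ssn///
Host: 192.0.2.12 ()\tPorts: 135/open/tcp//msrpc///, 80/filtered/tcp//http///
"""

def parse_open_ports(grepable):
    """Return {host_ip: {(port, proto), ...}} for ports in state 'open'."""
    hosts = {}
    for line in grepable.splitlines():
        # Only "Ports:" records matter; comment and "Status:" lines are skipped.
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), set())
        for entry in m.group(2).split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                ports.add((int(fields[0]), fields[2]))
    return hosts

def diff_scans(old, new):
    """Return (opened, closed) as sorted lists of (host, port, proto)."""
    opened, closed = [], []
    for host in set(old) | set(new):
        before, after = old.get(host, set()), new.get(host, set())
        opened += [(host, p, proto) for p, proto in after - before]
        closed += [(host, p, proto) for p, proto in before - after]
    return sorted(opened), sorted(closed)

if __name__ == "__main__":
    opened, closed = diff_scans(parse_open_ports(BASELINE), parse_open_ports(LATEST))
    for host, port, proto in opened:
        print(f"NEW    {host} {port}/{proto}")
    for host, port, proto in closed:
        print(f"CLOSED {host} {port}/{proto}")
```

Nmap's own `ndiff` tool performs the same kind of comparison on XML (`-oX`) output.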