Penetration Testing mailing list archives

Re: Nmap/netwag problem.
From: Pete Herzog <lists () isecom org>
Date: Wed, 10 Aug 2005 21:10:06 +0200


> Anyway. a 'full connect' scan (one that performs the complete three-way
> handshake) will _always_ (?) be the most reliable.
> My suggestion is to perform either an nmap connect scan on the ports from
> both results or to manually telnet to the ports and see the response.

I have to disagree with you here.  A full connect scan is not the most
reliable.  There are many security defensive processes now which require
proper protocol queries to provide a response; I see this very often
with web ports.  If you send anything other than an HTTP request, you
will not see a service behind the web port.

The best method for scanning is always to verify responses of a service
behind the ports by using the proper protocol.  Barring that, verify the
types of packets which return, the consistency of their return, delays
in return, and the TTLs.  But using telnet to visit a non-telnet port is
no longer a reliable method.

Depending on the responses to various types and configurations of
packets within enumeration, you will be able to narrow down ports to
those which respond predictably, those which don't, and those which
respond oddly or under peculiar circumstances.  Then you re-focus your
test on that information.  You shouldn't care about the tool and which
one is right.  Care about the process and if how you are looking for it
is right.  If your process is sound and you know how to investigate
properly, you'll stop wondering which tool to believe.  *Sigh*  Me, I
blame the tools and techniques classes for all this misinformation about
testing. I wish they'd stop teaching crappy ethical hacking classes with
loads of tools (but you get to keep the CD set of a billion tools you
don't need too!!) and start focusing on teaching the process.  Too much
bad information out there on how to test.  Which reminds me: OSSTMM 3.0
RC8 was just released for review.  Final release is set at RC12 so grab
that when you can.  You can get some good professional testing insight
from there.


Pete Herzog - Managing Director
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
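The distinction Pete draws above, a port that completes the handshake versus a port that actually answers in the expected protocol, is easy to see in code. The following is an added example, not part of the original thread and not an ISECOM or OSSTMM artifact: it runs a bare TCP connect probe and a protocol-aware HTTP probe against two local listeners, one a real (minimal) HTTP server and one a constructed decoy that accepts connections and sends a non-HTTP banner. A connect scan reports both as open; only the HTTP probe tells them apart. The helper names (`probe_connect`, `probe_http`, `classify`, `start_http_server`, `start_decoy_server`) are this example's own. Timing and TTL checks, which Pete also mentions, need raw-socket access and are not shown here.

```python
import socket
import threading
import http.server
import socketserver


def probe_connect(host, port, timeout=2.0):
    """Bare TCP connect probe: True if the three-way handshake completes.
    This is all a 'full connect' scan learns about the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_http(host, port, timeout=2.0):
    """Protocol-aware probe: send a minimal HTTP request and return the
    status line if the reply parses as HTTP, otherwise None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = b""
            # Read until the first line is complete or the peer stops talking.
            while b"\r\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        # Connection refused, reset, or timed out waiting for a reply.
        return None
    line = data.split(b"\r\n", 1)[0]
    if line.startswith(b"HTTP/") and len(line.split()) >= 2:
        return line.decode(errors="replace")
    return None


def classify(host, port):
    """Combine both probes into the three buckets Pete describes:
    unreachable, open but not responding as HTTP, or confirmed HTTP."""
    if not probe_connect(host, port):
        return "closed-or-filtered"
    status = probe_http(host, port)
    return "http: " + status if status else "open-but-not-http"


# --- constructed local listeners so the example runs offline ---

class _OkHandler(http.server.BaseHTTPRequestHandler):
    """Minimal HTTP server: answers HEAD / with 200 and no body."""
    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_http_server():
    """Start a real HTTP listener on an ephemeral loopback port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def start_decoy_server(banner=b"hello\r\n"):
    """Constructed decoy: accepts the handshake, sends a non-HTTP banner,
    and closes. A connect scan sees it as open just like the HTTP port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]


if __name__ == "__main__":
    srv, http_port = start_http_server()
    decoy, decoy_port = start_decoy_server()
    for p in (http_port, decoy_port):
        print(p, "connect:", probe_connect("127.0.0.1", p), "->", classify("127.0.0.1", p))
    srv.shutdown()
    decoy.close()
```

Run it and both ports report `connect: True`, but only the first classifies as `http: HTTP/1.0 200 OK`; the decoy lands in `open-but-not-http`, which is the bucket that deserves a closer look rather than a guess from the port number.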
