Security Basics mailing list archives
Re: Yet another thread on the legality of port scanning
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 18 Mar 2004 13:29:30 -0500
David Gillett wrote:
Semantics - I was trying to stay within the scope of the previous messages, which were straying wildly away from port scanning. Portscans don't discover services, just ports.
Anyway, with the latest version of nmap, a port scan can do service discovery. It all depends on what the returning packets include. Again, this is semantical and not relevant to the topic at hand, really.
If CNN wants to provide an anonymous FTP service, they're likely to put it on ftp://ftp.cnn.com . www.cnn.com should almost certainly be dedicated to web service, and any FTP service running on that box is *probably* only intended for distribution of content updates to the web site; if it accepts anonymous connections, that's more likely by mistake than by design. "Reasonable man" says that if they have an intended anonymous FTP site, that's not where it is.
My point was that hostname doesn't dictate accessibility. If I name my website http://www.yournotauthorized.com, your "reasonable man" hypothesis would dictate that people should never visit my website -- what if my business is Not Authorized Security, Inc. and I focused on detecting intrusions?
My point isn't whether anon FTP servers should be placed on web servers nor whether that's a good or normal idea. Suffice it to say that it happens frequently enough and that enough website and FTP server FQDNs *DON'T* begin with www that your "reasonable man" assertions are left in a situation that is far too vague to be useful.
By that thinking, http://isc.sans.org/ or ftp://mirrors.kernel.org should be off-limits, but they aren't.
Also, the assumption you're making is that "reasonable man" understands the standards that we're talking about. A "reasonable man" (aka, most users) can still be both reasonable and ignorant. Expecting them to understand this concept when we ourselves don't follow it is unreasonable.
-Barry
