Security Basics mailing list archives

Re: Nmap Online


From: Sean Swayze <sean.swayze () gmail com>
Date: Fri, 8 Dec 2006 20:19:40 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Shain,

Thanks for your input and rebuttal. I'm not convinced with your comparison
however. Webmail and nmap are decidedly different and although the
potential for abuse of webmail is apparent it is not as potentially harmful as an open nmap scan facility. While it's true that both have the potential for DoS the real truth is that Webmail is an acceptable risk and those issues
with respect to spam can be mitigated with proper configuration.

I agree that this is a security-basics list, and it's a good thing that David had the foresight to publish the existence of his nmap service so that admins and security personnel would get a heads up so as to block spurious scans from his domain. I still maintain that even in the beginning stages of a security administrator's career path that they would have already completed the ground
work that would allow them to install and configure nmap for themselves.
It's true we don't all have the time to RTFM but that's what separates a true
security admin from a wannabe.

I do agree that like gasoline, there are many benign uses for network scanning tools, and the existence of these tools is in and of itself 'risky' but it's a risk that is necessary for exactly the benign uses. I would submit that making this scanner available to all and sundry would undo the fact that it takes some effort, knowledge, and persistence to get nmap compiled and installed. The average script kiddie might not have the wherewithal to complete such a task, but now has a fully functional vulnerability scanner at their disposal without the exposure and trouble that it would normally entail. Furthermore, given that it's a publicly available service, it could be quite difficult to trace back to the user that requested
the scan, yet it would be quite clear where the scan was coming from.

I stick by my original assessment.

Best.

Sean Swayze


On 8-Dec-06, at 5:33 PM, Shain Singh wrote:

Sean Swayze wrote:

I concur with Craig. Making nmap available through a publicly
available service
can only allow for two or three things:

1. Increase the exposure of innocent networks to
vulnerability scanning.

<snip>


Any security personnel or pen-testers that are out there that can't
configure nmap,
or won't aren't worth the effort of providing this free service for.

Valid points, but this list is not only for 'those in the know' but also for people who may be still in their infancy stage with tools such as nmap. Also, does this mean that anyone wishing to offer a free webmail service should abstain because of their well meaning intentions having potential for
being abused for generating spam?

I don't necessarily advocate a bunch of sites sprouting with online scanning tools, but having them around is not necessarily a bad thing. Stopping abuse of a tools is not mitigated by "making it easier" to use I believe - if you don't do it, someone else will anyways. If anything the fact that a site like that has been posted to this list it gives administrators the option of
taking extra measures for the said domain/netblock.


--
Shaineel Singh
MakePeace Media LTD

http://mpm.org.au/shsingh
pgp id:  0xA9D8D351
fp: 38 0D A8 C8 74 A2 33 5E CE 0E 5A FA D5 A0 04 7C

This message was written entirely with recycled electrons.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFeg8t5CKNk9e5yFQRAlH/AJ0YydiL8lta1pQwNritj/+9j3P1MgCfeFkS
2ZVxOWEDyTqhGL/jWwjj1iM=
=9/ST
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------


Current thread: