Text 22213, 71 rader
Skriven 2006-01-12 21:48:30 av Matt Bedynek (1:106/1)
  Kommentar till text 22088 av SHANNON TALLEY (1:275/311)
Ärende: Editor's censorship
===========================
Hello SHANNON.

12 Jan 06 06:28, you wrote to PAUL SANDERS:

 ST> If a person wanted, for instance, to hack into a webserver and look
 ST> for vulnerabilities,

 ST> .. one would do a deep port scan on port '80'.

There is no such thing as a 'deep port scan'.  A port scan is simply a port
scan for open ports.  The originating host attempts to connect to a range of
ports to see if it can establish a 3-way handshake and that data is logged. 
The connection is opened then immediately closed. In port scans, no data is
sent by the originating host.  It might log anything you send, for example,
smtp, ftp, or binkp banners; to get version numbers.

 ST> In doing so, one might actually cause either the webserver or the
 ST> operating system to error ..

If someone were to open 1000+ simotaneous portscans, it could consume a decent
amount of resources, but I never seen a system crash from it.   If something is
that fragile, it should not be on the internet because getting hacked in
inevitable.

 ST> Once individual issues were identified, additional scanning of
 ST> specific addresses within those regions can identify specific
 ST> vulnerabilities and then one could begin to exploit -- using what?
 ST> More scanning software AND other software tools!

Did Michiel conduct a port scan or a vulnerability scan?  There is a big
difference.  A vulnerability scan has a catalog of known vulnerabilities, will
try them against the host, and log the attack response.  Depending on the
response, the originating host can determine if the destination host is
vulnerable and later use this knowledge to gain privileged access.  For
example, a vulnerability against IIS that is sucessful might give a '200 OK'
versus a '400 Bad request' or '404 Not found'; or might not respond at all,
which might be the indication of a crash.

 ST> The question is, at what point is this "port scan" considered
 ST> 'hacking'?  According to the Industry, the momoent something was
 ST> started that sets off an alarm on the system OR endangers the
 ST> integrity of the system is when the hacking begins.

It is considered suspicious, but most do nothing about port scans, believe it
or not.

 ST> Systems get port scanned all the time, especially large corporations

That they do, but majority of the port scans are also some idiot playing with
scanning tools for the first time, and scan large portions of the internet.

 ST> "I" run a BBS and "I" can't afford those twenty thousand dollar
 ST> routers they have to protect my network.

There are tools for linux or freebsd do this for free.  I looked at them once
but considered the gains insignificant.  A skilled intruder will simply find
another way to gain entry.  So, i devote my energy on what I consider more
important avenues of security.

 ST> .. although the port scan was a precursor.

Not necessarily.

Matt

e-mail: matt [at] thunderdome.us | icq: 16568532 | yahoo: mbedynek

"to be loved is fortunate, but to be hated is to achieve distinction"

---
 * Origin: ..::[ high speed feeds - http://fido.thunderdome.us/ ]::.. (1:106/1)