Page 1 of 2
Results 1 to 10 of 15

Thread: testing port scanners on a large scale - legally

  1. #1
    Just burned his ISO
    Join Date
    Aug 2007
    Posts
    23

    testing port scanners on a large scale - legally

    Is anyone familiar with the specific laws (in the US) regarding port scanning?

    I'm very interested in testing the speed and accuracy of different port scanners on different operating systems. I have a lab with several physical boxes as well as VMware, but you just can't accurately simulate a large scale network with that (I'm talking 1000+ hosts).

    The only time I really get to test enumeration tools on this kind of scale is when I'm actually on a paid pen testing job, but it's hard to really research and fine tune the parameters when you're on the clock. I've had issues in the past with large networks (10000+ hosts) and scans not being as fast or accurate as I would like, but I obviously can't simulate this kind of network at home.

    Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

    Any ideas?

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by heyaz
    Is anyone familiar with the specific laws (in the US) regarding port scanning?

    I'm very interested in testing the speed and accuracy of different port scanners on different operating systems. I have a lab with several physical boxes as well as VMware, but you just can't accurately simulate a large scale network with that (I'm talking 1000+ hosts).

    The only time I really get to test enumeration tools on this kind of scale is when I'm actually on a paid pen testing job, but it's hard to really research and fine tune the parameters when you're on the clock. I've had issues in the past with large networks (10000+ hosts) and scans not being as fast or accurate as I would like, but I obviously can't simulate this kind of network at home.

    Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

    Any ideas?
    There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP, therefore it should be verboten to even do it, plus you need to keep in mind that there are bastards out there (like me) that look for such activity and then report it to the appropriate people just to have their accounts canceled.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543


    Quote Originally Posted by streaker69
    There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP, therefore it should be verboten to even do it, plus you need to keep in mind that there are bastards out there (like me) that look for such activity and then report it to the appropriate people just to have their accounts canceled.
    I spend an hour a day sometimes myself reporting nmap scan hits and other probes that I get on my IDS, writing to the appropriate abuse @'s

    (You'll rarely hear back from them unless you report a logged intrusion, but for the most part they take the appropriate action)
    dd if=/dev/swc666 of=/dev/wyze

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by swc666
    I spend an hour a day sometimes myself reporting nmap scan hits and other probes that I get on my IDS, writing to the appropriate abuse @'s

    (You'll rarely hear back from them unless you report a logged intrusion, but for the most part they take the appropriate action)
    I keep a list of IP's that I've reported and occasionally check to see if that IP offends again. It's very seldom I have to report someone a second time.

    What's even more fun than reporting the offender to their ISP is reporting them to the Netblock owner, which many times is not the ISP. Netblock owners don't like to find out that ISP's aren't doing their part in preventing attacks.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
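    The two steps streaker69 describes above, finding the netblock owner (rather than the ISP) behind a scanning address and keeping a list of what has already been reported so a second offence stands out, as an added example that is not code from this thread. The whois record is constructed in ARIN's key/value style with RFC 5737 documentation addresses; in practice you would feed in the real output of `whois <ip>` (no network call is made here). On a reassigned sub-block the most specific record is the ISP's customer entry and carries a `Parent:` line pointing at the allocation that the netblock owner holds, which is the record you would look up next.

```python
"""Work out who owns the netblock a scanner came from and which abuse
mailbox to write to, and keep a list of addresses already reported so a
repeat offender stands out.

Added example, not code from the thread. SAMPLE_WHOIS is a constructed
record in ARIN's key/value style using RFC 5737 documentation addresses;
in use you would pass in the real output of `whois <ip>` (not called here).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import date

SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1
NetType:        Direct Allocation
OrgName:        Example Netblock Holdings
OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseEmail:  abuse@netblock.example
OrgTechEmail:   noc@netblock.example
Comment:        Space reassigned to Example ISP for residential customers
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_whois(text):
    """Reduce a key: value whois record to a dict (last value wins on repeats)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def abuse_contact(ip, whois_text):
    """Return owner, covering network and abuse mailbox for `ip`.

    The CIDR check matters: a mistyped query or a cached record can hand you
    a block that does not contain the address, and a report sent to the
    wrong abuse desk is worse than none.
    """
    fields = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for c in fields.get("CIDR", "").split(",") if c.strip()]
    covering = [n for n in nets if addr in n]
    if not covering:
        raise ValueError(f"{ip} is not inside {[str(n) for n in nets]}")
    # OrgAbuseEmail is the netblock holder's abuse desk; fall back to the
    # technical contact only if the record has no abuse entry at all.
    mailbox = fields.get("OrgAbuseEmail") or fields.get("OrgTechEmail")
    return {"owner": fields.get("OrgName"), "network": str(covering[0]),
            "email": mailbox, "net_type": fields.get("NetType")}


class ReportLog:
    """Addresses already reported, so a second hit from the same IP stands out."""

    def __init__(self):
        self._reports = defaultdict(list)  # ip -> [date, ...]

    def record(self, ip, when):
        """Note a report sent on `when` (ISO date string, e.g. 2010-01-10);
        return how many times this address has now been reported."""
        self._reports[ip].append(date.fromisoformat(when))
        return len(self._reports[ip])

    def repeat_offenders(self, within_days=90):
        """Addresses reported again within `within_days` of an earlier report."""
        hits = []
        for ip, dates in self._reports.items():
            dates = sorted(dates)
            if any((later - earlier).days <= within_days
                   for earlier, later in zip(dates, dates[1:])):
                hits.append(ip)
        return sorted(hits)


if __name__ == "__main__":
    info = abuse_contact("203.0.113.77", SAMPLE_WHOIS)
    print(f"report to {info['email']} ({info['owner']}, {info['network']})")
    log = ReportLog()
    log.record("203.0.113.77", "2010-01-10")
    log.record("203.0.113.77", "2010-02-01")
    print("repeat offenders:", log.repeat_offenders())
```

    The 90-day window on `repeat_offenders` is an assumed value; pick whatever interval you would consider "offending again" before escalating to the parent allocation's owner.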

  5. #5
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543


    Quote Originally Posted by streaker69
    I keep a list of IP's that I've reported and occasionally check to see if that IP offends again. It's very seldom I have to report someone a second time.

    What's even more fun than reporting the offender to their ISP is reporting them to the Netblock owner, which many times is not the ISP. Netblock owners don't like to find out that ISP's aren't doing their part in preventing attacks.
    That's a very good idea and something that I'm going to start putting into practice.
    dd if=/dev/swc666 of=/dev/wyze

  6. #6
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031


    What do you guys use to capture stuff like that? I have a smoothwall box that blocks basically anything, but I never check it...
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  7. #7
    Member imported_anubis2k7's Avatar
    Join Date
    Jun 2006
    Posts
    115


    Quote Originally Posted by streaker69
    There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP, therefore it should be verboten to even do it, plus you need to keep in mind that there are bastards out there (like me) that look for such activity and then report it to the appropriate people just to have their accounts canceled.
    I don’t bother reporting scans originating from asia, since it is pointless. Do you report scans coming from Europe? When you report, what do you say in your email? I generally say that “we have detected one of your IPs scanning our network…here is the log file…please don’t let it happen again.” I’d like to say “if we catch you again, we’ll take more aggressive measures” but I don’t know 1) if I can legally say that 2) if it’s helpful to threaten them

    Also, kinda off topic, but has anyone gotten SO rules to work on snort?

    I would recommend to anyone who has the time and resources to set up an IDS system and use it to test the various tools on backtrack, since it will enable you to 1) see the various attacks/scans packet by packet and 2) how to defend against them
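    An added example, not code from this thread, of the two things the posts above touch on: spotting a port scan in the kind of firewall log a Smoothwall-style box already writes (spankdidly's question) and turning the hits into the "here is the log file" evidence that anubis2k7 puts in his abuse mail. The log lines are constructed, using RFC 5737 addresses and the field layout of the stock iptables LOG target; the year, the 5-port/60-second threshold and the reporter address are assumptions chosen for the example.

```python
"""Detect port scans in iptables-style firewall log lines and build the
evidence section of an abuse report.

Added example, not code from the thread. SAMPLE_LOG is constructed (RFC 5737
addresses) in the stock iptables LOG target format that most Linux firewall
distributions write; it is not a capture from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 10 09:15:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=21 SYN
Jan 10 09:15:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 09:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 10 09:15:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23 SYN
Jan 10 09:15:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25 SYN
Jan 10 09:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan 10 09:15:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN
Jan 10 09:15:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 10 09:15:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=3389 SYN
Jan 10 09:15:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Jan 10 09:15:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2010):
    """Pull timestamp, source, destination, protocol and destination port out
    of one iptables LOG line; None for lines that are not firewall hits.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{year} " + " ".join(m["ts"].split())
    return {"ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dport": int(m["dport"]), "raw": line.rstrip()}


def detect_scans(lines, min_ports=5, window_s=60):
    """Flag sources that hit at least `min_ports` distinct destination ports
    inside any `window_s`-second window. Repeated hits on one port (a client
    retrying a web server) never trip it. Once a source trips the threshold,
    every line it produced is kept as evidence, not just the trigger window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in window_s
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports = {(e["proto"], e["dport"]) for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = {"ports": sorted({e["dport"] for e in evs}),
                             "first": evs[0]["ts"], "last": evs[-1]["ts"],
                             "evidence": [e["raw"] for e in evs]}
                break
    return hits


def abuse_report(src, hit, reporter="security@victim.example"):
    """Plain-text abuse mail body: what happened, when, and the raw log lines.
    `reporter` is a placeholder address."""
    port_list = ", ".join(str(p) for p in hit["ports"])
    lines = [
        f"From: {reporter}",
        f"Subject: Port scan from {src} on {hit['first']:%Y-%m-%d}",
        "",
        f"Between {hit['first']:%H:%M:%S} and {hit['last']:%H:%M:%S} (firewall local "
        f"time), {src} probed {len(hit['ports'])} TCP ports on our network: {port_list}.",
        "Firewall log excerpt follows. Please investigate and prevent a recurrence.",
        "",
    ] + hit["evidence"]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, hit in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(abuse_report(src, hit))
```

    The threshold is deliberately on distinct ports per source rather than on packet count, which is why the four retries from 203.0.113.9 against port 80 stay quiet while the seven-port sweep from 198.51.100.7 is flagged; tune `min_ports` and `window_s` to your own traffic before wiring this to anything that sends mail automatically.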

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by anubis2k7
    I don’t bother reporting scans originating from asia, since it is pointless. Do you report scans coming from Europe? When you report, what do you say in your email? I generally say that “we have detected one of your IPs scanning our network…here is the log file…please don’t let it happen again.” I’d like to say “if we catch you again, we’ll take more aggressive measures” but I don’t know 1) if I can legally say that 2) if it’s helpful to threaten them

    Also, kinda off topic, but has anyone gotten SO rules to work on snort?

    I would recommend to anyone who has the time and resources to set up an IDS system and use it to test the various tools on backtrack, since it will enable you to 1) see the various attacks/scans packet by packet and 2) how to defend against them
    You're right, I don't report anything unless it's from the US or Canada, and sometimes the UK. Anywhere else, you'll never get any response from them.

    Although, if you do find that the Netblock owner is a US company reporting to them sometimes work.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Member PeppersGhost's Avatar
    Join Date
    Jan 2008
    Posts
    204


    Quote Originally Posted by heyaz

    Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

    Any ideas?
    Idea is to stop thinking about it now, before you get in trouble. The only thing that comes to mind is a honeynet. It will take some time to set it up. If you wanted to simulate a large scale network then I would think a honeynet would be your best option. Then there's the question of internal and external scanning. Also, are you scanning for a specific port or just being all around loud? There is a methodology to scanning. What tools are you looking at for scanning? I'm sure someone knows which one is the fastest. FTP scanner, SQL? Talk to me.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>

  10. #10
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315


    Why not just stick with nmap? That gives you probably the best freedom to choose any option you might like, and thus it gives quite good results. There are of course insanely fast scanners out there; they are also highly detectable, but they work. No names :P

    Keep in mind that I've somehow experienced that if you can't ping it, it looks like with some scanners it will actually take a little longer to scan. I don't know exactly why, and I don't need a longer correction to understand exactly why xD
    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe
