Page 1 of 2 (results 1 to 10 of 15)

Thread: testing port scanners on a large scale - legally

  1. #1
    heyaz (Just burned his ISO)
    Join Date
    Aug 2007
    Posts
    23

    testing port scanners on a large scale - legally

    Is anyone familiar with the specific laws (in the US) regarding port scanning?

    I'm very interested in testing the speed and accuracy of different port scanners on different operating systems. I have a lab with several physical boxes as well as VMware, but you just can't accurately simulate a large scale network with that (I'm talking 1000+ hosts).

    The only time I really get to test enumeration tools on this kind of scale is when I'm actually on a paid pen testing job, but it's hard to really research and fine tune the parameters when you're on the clock. I've had issues in the past with large networks (10000+ hosts) and scans not being as fast or accurate as I would like, but I obviously can't simulate this kind of network at home.

    Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

    Any ideas?

  2. #2
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by heyaz:
    Is anyone familiar with the specific laws (in the US) regarding port scanning?

    I'm very interested in testing the speed and accuracy of different port scanners on different operating systems. I have a lab with several physical boxes as well as VMware, but you just can't accurately simulate a large scale network with that (I'm talking 1000+ hosts).

    The only time I really get to test enumeration tools on this kind of scale is when I'm actually on a paid pen testing job, but it's hard to really research and fine tune the parameters when you're on the clock. I've had issues in the past with large networks (10000+ hosts) and scans not being as fast or accurate as I would like, but I obviously can't simulate this kind of network at home.

    Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

    Any ideas?
    There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP, therefore it should be verboten to even do it, plus you need to keep in mind that there are bastards out there (like me) that look for such activity and then report it to the appropriate people just to have their accounts canceled.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Jenkem Addict imported_wyze
    Join Date
    Jul 2007
    Posts
    1,543


    Quote Originally Posted by streaker69:
    There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP, therefore it should be verboten to even do it, plus you need to keep in mind that there are bastards out there (like me) that look for such activity and then report it to the appropriate people just to have their accounts canceled.
    I spend an hour a day sometimes myself reporting nmap scan hits and other probes that I get on my IDS, writing to the appropriate abuse @'s

    (You'll rarely hear back from them unless you report a logged intrusion, but for the most part they take the appropriate action)
    dd if=/dev/swc666 of=/dev/wyze

  4. #4
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by swc666:
    I spend an hour a day sometimes myself reporting nmap scan hits and other probes that I get on my IDS, writing to the appropriate abuse @'s

    (You'll rarely hear back from them unless you report a logged intrusion, but for the most part they take the appropriate action)
    I keep a list of IPs that I've reported and occasionally check to see if that IP offends again. It's very seldom I have to report someone a second time.

    What's even more fun than reporting the offender to their ISP is reporting them to the Netblock owner, which many times is not the ISP. Netblock owners don't like to find out that ISPs aren't doing their part in preventing attacks.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Jenkem Addict imported_wyze
    Join Date
    Jul 2007
    Posts
    1,543


    Quote Originally Posted by streaker69:
    I keep a list of IPs that I've reported and occasionally check to see if that IP offends again. It's very seldom I have to report someone a second time.

    What's even more fun than reporting the offender to their ISP is reporting them to the Netblock owner, which many times is not the ISP. Netblock owners don't like to find out that ISPs aren't doing their part in preventing attacks.
    That's a very good idea and something that I'm going to start putting into practice.
    dd if=/dev/swc666 of=/dev/wyze

  6. #6
    Senior Member imported_spankdidly
    Join Date
    Feb 2006
    Posts
    1,031


    What do you guys use to capture stuff like that? I have a smoothwall box that blocks basically anything, but I never check it...
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  7. #7
    Jenkem Addict imported_wyze
    Join Date
    Jul 2007
    Posts
    1,543


    Quote Originally Posted by spankdidly:
    What do you guys use to capture stuff like that? I have a smoothwall box that blocks basically anything, but I never check it...
    Snort and other (classified) network traffic logging tools
    dd if=/dev/swc666 of=/dev/wyze

  8. #8
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by spankdidly:
    What do you guys use to capture stuff like that? I have a smoothwall box that blocks basically anything, but I never check it...
    I use Snort as well with a Passive Tap between my router and my firewall.

    @swc, do you have OinkMaster configured?

    I did write my own interface into the SnortDB a while ago that had a report generator and a form letter. I basically had a "One Click Bitch" button that once I selected an offender, I'd click the button and it would generate everything I needed for a report.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
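As an added illustration of the two ideas above (streaker69's reported-IP list with its "offends again" check in post #4, and the Snort-backed report generator with a form letter in post #8), here is a small Python sketch that parses Snort alert_fast lines, groups probes by source IP, flags sources already on a reported list, and produces a form-letter abuse report. This is not streaker69's tool or any Snort code; the alert lines, the reported-IP set and all function names are constructed for the example.

```python
import re

# Constructed sample Snort alert_fast lines (not real alerts); IPs are documentation ranges.
SAMPLE_ALERTS = """\
03/14-22:11:05.123456  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54321 -> 192.0.2.10:22
03/14-22:11:05.223456  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54322 -> 192.0.2.10:80
03/14-22:11:05.323456  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54323 -> 192.0.2.10:443
03/14-22:13:40.000001  [**] [1:1000002:1] SCAN UDP probe [**] [Classification: Attempted Information Leak] [Priority: 3] {UDP} 198.51.100.9:40000 -> 192.0.2.10:161
this line is not an alert and must be skipped
"""

# Constructed list of sources already reported once (the "offends again" check).
PREVIOUSLY_REPORTED = {"198.51.100.9"}

# Fields of one alert_fast line: timestamp, [gid:sid:rev], message, {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def group_by_source(alerts):
    """Group alerts by offending source IP so one report covers one offender."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], []).append(a)
    return by_src

def build_report(src, alerts, reported=PREVIOUSLY_REPORTED):
    """Form-letter abuse report for one source; repeat offenders are flagged in the subject."""
    ports = sorted({int(a["dport"]) for a in alerts})
    prefix = "Repeat " if src in reported else ""
    body = [
        f"Subject: {prefix}port scan from {src}",
        f"Our IDS logged {len(alerts)} probe(s) from {src} against {alerts[0]['dst']} "
        f"on {alerts[0]['ts'].split('-')[0]}, targeting ports {ports}.",
        "Log excerpt:",
    ]
    body += [f"  {a['ts']} {{{a['proto']}}} {a['src']}:{a['sport']} -> "
             f"{a['dst']}:{a['dport']}  {a['msg']} [{a['sid']}]" for a in alerts]
    return "\n".join(body)

def reports_from_log(text, reported=PREVIOUSLY_REPORTED):
    """One report per offending source IP, keyed by that IP."""
    return {src: build_report(src, alerts, reported)
            for src, alerts in group_by_source(parse_alerts(text)).items()}
```

After sending a report, adding the source to the reported set is what turns the next hit from that IP into a "Repeat" subject line, which is the check streaker69 describes doing by hand.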

  9. #9
    Jenkem Addict imported_wyze
    Join Date
    Jul 2007
    Posts
    1,543


    Quote Originally Posted by streaker69:
    I use Snort as well with a Passive Tap between my router and my firewall.

    @swc, do you have OinkMaster configured?

    I did write my own interface into the SnortDB a while ago that had a report generator and a form letter. I basically had a "One Click Bitch" button that once I selected an offender, I'd click the button and it would generate everything I needed for a report.
    Yep... Oink + Barnyard are configured. My tap is also working very well now (many thanks go to Streaker69 for his help!), and I sometimes run Wireshark at various points on my LAN to see if there's traffic other than DHCP and ARP on my machines.

    The One Click Bitch button sounds very efficient!
    dd if=/dev/swc666 of=/dev/wyze

  10. #10
    Member imported_anubis2k7
    Join Date
    Jun 2006
    Posts
    115


    Quote Originally Posted by streaker69:
    There really is not a law against port scanning, but you would probably be in violation of the TOS/AUP of your ISP, therefore it should be verboten to even do it, plus you need to keep in mind that there are bastards out there (like me) that look for such activity and then report it to the appropriate people just to have their accounts canceled.
    I don’t bother reporting scans originating from Asia, since it is pointless. Do you report scans coming from Europe? When you report, what do you say in your email? I generally say that “we have detected one of your IPs scanning our network…here is the log file…please don’t let it happen again.” I’d like to say “if we catch you again, we’ll take more aggressive measures” but I don’t know 1) if I can legally say that, 2) if it’s helpful to threaten them.

    Also, kinda off topic, but has anyone gotten SO rules to work on snort?

    I would recommend to anyone who has the time and resources to set up an IDS system and use it to test the various tools on backtrack, since it will enable you to 1) see the various attacks/scans packet by packet and 2) learn how to defend against them.
