Page 2 of 2
Results 11 to 15 of 15

Thread: testing port scanners on a large scale - legally

  1. #11
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by anubis2k7
    I don't bother reporting scans originating from Asia, since it is pointless. Do you report scans coming from Europe? When you report, what do you say in your email? I generally say that "we have detected one of your IPs scanning our network... here is the log file... please don't let it happen again." I'd like to say "if we catch you again, we'll take more aggressive measures" but I don't know 1) if I can legally say that 2) if it's helpful to threaten them

    Also, kinda off topic, but has anyone gotten SO rules to work on snort?

    I would recommend to anyone who has the time and resources to set up an IDS system and use it to test the various tools on BackTrack, since it will enable you to 1) see the various attacks/scans packet by packet and 2) learn how to defend against them
    You're right, I don't report anything unless it's from the US or Canada, and sometimes the UK. Anywhere else, you'll never get any response from them.

    Although, if you do find that the netblock owner is a US company, reporting to them sometimes works.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
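    Two things come up in this post and the one it quotes: keeping a log excerpt to attach to an abuse report, and using an IDS to watch what a scan looks like packet by packet. The script below is an added example, not code from anyone in this thread; it reads iptables-style LOG lines (the sample lines are constructed, with RFC 5737 documentation addresses), flags sources that touch many ports on one host (vertical scan) or the same port on many hosts (horizontal sweep) inside a short window, and produces the summary lines you would paste into the report email. The window and thresholds are assumptions; tune them against your own baseline traffic.

```python
"""Flag port-scanning sources in firewall logs and draft abuse-report summary lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: iptables LOG-target lines as a syslog server might store them.
# 203.0.113.7 probes six ports on one host, 198.51.100.22 probes port 80 on five
# hosts, and 192.0.2.50 is ordinary traffic that must NOT be flagged.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 FLAGS=SYN
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 FLAGS=SYN
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 FLAGS=SYN
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 FLAGS=SYN
Mar  3 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 FLAGS=SYN
Mar  3 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 FLAGS=SYN
Mar  3 10:20:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.11 PROTO=TCP SPT=51000 DPT=80 FLAGS=SYN
Mar  3 10:20:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.12 PROTO=TCP SPT=51000 DPT=80 FLAGS=SYN
Mar  3 10:20:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.13 PROTO=TCP SPT=51000 DPT=80 FLAGS=SYN
Mar  3 10:20:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.14 PROTO=TCP SPT=51000 DPT=80 FLAGS=SYN
Mar  3 10:20:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.15 PROTO=TCP SPT=51000 DPT=80 FLAGS=SYN
Mar  3 10:30:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443 FLAGS=SYN
Mar  3 10:31:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=443 FLAGS=SYN
"""

# syslog timestamp, then the SRC/DST/DPT fields written by the iptables LOG target
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2010):
    """Return (timestamp, src, dst, dport) tuples, sorted by time.

    Classic syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # non-firewall lines (cron, sshd, ...) are skipped
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    events.sort()
    return events


def detect_scans(events, window=timedelta(seconds=10), min_ports=5, min_hosts=5):
    """Sliding-window detector, one window per source address.

    A source is 'vertical' when it hits >= min_ports distinct ports within the
    window, 'horizontal' when it hits >= min_hosts distinct destination hosts.
    Thresholds are assumptions chosen for the sample; tune them to your traffic."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the left edge
                start += 1
            win = evs[start:end + 1]
            ports = {e[3] for e in win}
            hosts = {e[2] for e in win}
            kind = "vertical" if len(ports) >= min_ports else (
                "horizontal" if len(hosts) >= min_hosts else None)
            if kind:
                findings[src] = {
                    "kind": kind,
                    "first": evs[0][0],
                    "last": evs[-1][0],
                    "ports": len({e[3] for e in evs}),
                    "hosts": len({e[2] for e in evs}),
                    "lines": len(evs),
                }
                break  # one finding per source is enough for a report
    return findings


def report_lines(findings):
    """Render findings as the one-line summaries you would put in an abuse email."""
    out = []
    for src, f in sorted(findings.items()):
        out.append(
            f"{src}: {f['kind']} scan, {f['ports']} port(s) on {f['hosts']} host(s), "
            f"{f['first']:%Y-%m-%d %H:%M:%S} to {f['last']:%H:%M:%S} ({f['lines']} log lines)"
        )
    return out


if __name__ == "__main__":
    for line in report_lines(detect_scans(parse_log(SAMPLE_LOG))):
        print(line)
```

    Run against a real log by replacing SAMPLE_LOG with the file contents; the summary lines, plus the raw matching log lines, are the evidence the netblock owner's abuse contact will ask for. Note that a single source hitting two ports on one host twice (the 192.0.2.50 lines) stays below both thresholds, which is the false-positive case you most want to avoid before sending any email.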

  2. #12
    Member PeppersGhost
    Join Date
    Jan 2008
    Posts
    204


    Quote Originally Posted by heyaz

    Although full port scans are most likely against the TOS of most ISPs, not to mention just plain rude - I am wondering if it is feasible (and/or legal) to do a small subset (maybe 5-10 ports) on blocks of IPs over the internet.

    Any ideas?
    Idea is to stop thinking about it now. Before you get in trouble. The only thing that comes to mind is a honeynet. It will take some time to set it up. If you wanted to simulate a large scale network then I would think a honeynet would be your best option. Then there's the question of internal and external scanning. Also, are you scanning for a specific port or just being all around loud. There is a methodology to scanning. What tools are you looking at for scanning? I'm sure someone knows which one is the fastest. FTP scanner, SQL? Talk to me.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>

  3. #13
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315


    Why not just stick with nmap. That gives you probably the best freedom to choose
    any option you might like, thus it gives quite good results. There are, of course, insanely
    fast scanners out there; they are also highly detectable, but they work. No names :P

    Keep in mind that I've somehow experienced that if you can't ping, it looks like that with
    some scanners it will actually take a little longer to scan. I don't know exactly why, and
    I don't need a longer correction to understand exactly why xD
    "I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe

  4. #14
    Jenkem Addict imported_wyze
    Join Date
    Jul 2007
    Posts
    1,543


    One word: scanrand

    As I wrote in a post a couple of months ago, it has been shown in the past to be capable of scanning entire class B nets (65K+ hosts) with 8000 hits in 4 secs. It uses 'inverse SYN cookies' to accomplish this speed with no effort to retain the state of the sessions.

    You'll have to play around with it, as I've never used it outside of my LAN. If you have permission to use this on a large scale network, please post your experiences!
    dd if=/dev/swc666 of=/dev/wyze

  5. #15
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315


    65,000+ hosts in 4 secs? Even with only checking e.g. port 80 or maybe some other port,
    it seems highly unlikely that one should be able to scan that fast. Except if your computer is
    a monster machine and you are using it inside a LAN, then I might believe it.
    "I realized, that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe
