sniffer/promisc detector

Thu Jan 22 10:47:24 UTC 2004

I started such scan 10 - 20 minutes ago; it did not completed yet, so I do
not have exact time  (it is DSL -> 100 Mbit link + firewall).

But you results shows just what I am saying - 99% of all attacks was caused
by automated tools, and non-standard ports effectively blocks all such
attacks. I agree to spend some time and set up non-standard ports (and even
explain them to customers), if I decrease rate of attacks 100 - 1000 times
(what really happen if ports are non-standard). If you are not a bank, do
not  host IRC server, and are not SCO, attack rate decreases to absolute 0.
If you run nmap -p1-65000 in automated tool (with 10 minutes / host, and
usually much more), you will scan Internet forever.

So, it pay off.

----- Original Message ----- 
From: "Fyodor" <fyodor at insecure.org>
To: "Alexei Roudnev" <alex at relcom.net>
Cc: "Ruben van der Leij" <ruben-nanog at nutz.nl>; <nanog at merit.edu>
Sent: Thursday, January 22, 2004 1:12 AM
Subject: Re: sniffer/promisc detector

>
> On Wed, Jan 21, 2004 at 09:04:40AM -0800, Alexei Roudnev wrote:
> >
> > Please, do it:
> >
> > time nmap -p 0-65535 $target
> >
> > You will be surprised (and nmap will not report applications; to test a
> > response, multiply time at 5 ). And you will have approx. 40% of packets
> > lost.
> >
> > Practically, nmap is useless for this purpose.
>
> Oh, really?  I'll do a quick test of your theory that Nmap will be
> slow with a 65K port scan, miss 40% of the open ports due to packet
> loss, and not be able to report the application/services running on
> the port.  I may be biased, but anyone who wants to can reproduce this
> test (at the risk of pissing off SCO, who admittedly are rather
> litigous).  To be even more fair, I'll run the scan from a
> 128kbps-upstream aDSL line:
>
> # nmap -sSV -T4 -O -p0-65535 apollo.sco.com
> WARNING:  Scanning "port 0" is supported, but unusual.
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-01-22 00:49
PST
> Interesting ports on apollo.sco.com (216.250.128.35):
> (The 65524 ports scanned but not shown below are in state: closed)
> PORT      STATE    SERVICE    VERSION
> 0/tcp     filtered unknown
> 21/tcp    open     ftp        WU-FTPD 2.1WU(1)+SCO-2.6.1+-sec
> 22/tcp    open     ssh        SSH 1.2.22 (protocol 1.5)
> 199/tcp   open     smux?
> 457/tcp   open     http       NCSA httpd 1.3
> 615/tcp   open     http       NCSA httpd 1.5
> 1035/tcp  filtered unknown
> 1521/tcp  open     oracle-tns Oracle DB Listener 2.3.4.0.0 (for SCO System
V/386)
> 13722/tcp open     inetd      inetd (failed to exec
/usr/openv/netbackup/bin/bpjava-msvc: No such file or directory)
> 13782/tcp open     inetd      inetd (failed to exec
/usr/openv/netbackup/bin/bpcd: No such file or directory)
> 13783/tcp open     inetd      inetd (failed to exec /usr/openv/bin/vopied:
No such file or directory)
> 64206/tcp open     unknown
> Device type: general purpose
> Running: SCO UnixWare
> OS details: SCO UnixWare 7.0.0 or OpenServer 5.0.4-5.0.6
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 501.897 seconds
> #
>
> So the full 65K port scan, plus OS and version detection took a little
> over 8 minutes over a relatively slow connection.  I ran it several
> times to ensure ports weren't being missed.  A quick test from my
> colocated machine took 3 minutes.  And it isn't like I had to watch
> the whole time -- I was surfing a porn site in another window while it
> ran.  The services would have still been detected on different ports
> as the same probes are done.  I don't think using nonstandard ports
> will help against any but the most marginal attackers and worms.  But
> if those are a serious problem, perhaps more time should be spent
> patching rather than moving vulnerable services to unusual ports.
>
> I am not saying you won't get _any_ benefit at all from this
> obfuscation, but I seriously doubt it will be worth the headaches.  If
> ports don't have to be reachable from the outside, filter them at
> your firewall/router.  If outsiders do need to reach the ports, moving
> them around will just be a pain in the @#$ for those legitimate
> users.  You'll find that your own users are the ones port scanning you
> in order to locate the services you've hidden.
>
> Cheers,
> Fyodor
> http://www.insecure.org
>
> PS:  Yes, the scan would have been much slower if that host had a
> "default deny" policy, but would not have been outrageous.  You are
> permitted to scan "scanme.insecure.org" to test that scenario.  The
> time taken is not unreasonable, when I run 65K scans against large
> heavily filtered networks, I usually just let it run overnight.