sniffer/promisc detector

Ruben van der Leij ruben-nanog at nutz.nl
Thu Jan 22 22:56:29 UTC 2004


+++ Alexei Roudnev [22/01/04 09:05 -0800]:

> My results vary from 15 minutes to 1 hour.

Mine too. So nmap sucks if you want to quickly identify daemons running on
strange ports. No big deal. This discussion wasn't about nmap to start with.
The point of the discussion was whether it made sense to run services on
non-standard ports to deter cr4x0rs. And I feel it doesn't.

However: nmap can be tweaked, if you want to operate with an axe.

The default timeout per port is 5 seconds. You could shorten that. You could
pre-scan networks, to find only interesting ports, and version-scan those.
You could scan large subnets in parallel. You could re-write parts of it, or
start from scratch. 

As long as a sshd yells "SSH-1.99" at you the moment you connect to its
port there's no hiding sshd.

A well-tuned iptables or equivalent, on the other hand, might hide the
presence of daemons completely for anyone except the designated users. How
is that for obscurity? Unless you're coming from one of a very few
permissible hosts, and connect to a specific IP on the machine you will get
a normal RST, and think the port is unused. Even H4x0rsc4n Pr0 won't tell
you that port is actually a way in, unless you happen to scan it from the
right machine.


-- 

Ruben van der Leij



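The firewall setup the post describes, as an added example that is not part of the original message: a small POSIX shell function that emits iptables rules allowing new connections to one port on one address only from a short list of designated hosts, and answering everyone else with a TCP RST so the port looks closed rather than filtered. The addresses and port are constructed sample values, and the rules assume an iptables with the `state` match and the filter table's INPUT chain.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (prints, does not
# apply) iptables rules that hide a daemon on TCP $port at $dst from everyone
# except a few permitted source hosts. Non-permitted sources get a TCP RST,
# the same answer a genuinely closed port gives, so a port scan from the
# wrong machine reports the port as unused.
# Assumptions: iptables with the "state" match; INPUT chain of the filter
# table; all IPs and the port used below are constructed sample values.

# Usage: hide_service_rules <dst-ip> <tcp-port> <permitted-src>...
# Pipe the output into sh as root to apply it.
hide_service_rules() {
    dst="$1"; port="$2"; shift 2
    # Packets of already-established flows are accepted regardless of source.
    echo "iptables -A INPUT -p tcp -d $dst --dport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections are accepted only from the designated hosts.
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src -d $dst --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everyone else: reply with RST, indistinguishable from a closed port.
    # A plain DROP would instead show the port as "filtered", which reveals
    # that a firewall is protecting something there.
    echo "iptables -A INPUT -p tcp -d $dst --dport $port -j REJECT --reject-with tcp-reset"
}

# Number of rules emitted, so a caller can sanity-check the generated set.
rule_count() {
    hide_service_rules "$@" | wc -l | tr -d ' '
}

# Constructed sample: hide sshd on 192.0.2.10:22 except from two admin hosts.
hide_service_rules 192.0.2.10 22 198.51.100.5 198.51.100.6
```

The REJECT with `tcp-reset` is the detail that makes the post's point work: a scanner sees the same RST a closed port would send, whereas a DROP leaves the probe unanswered and is reported as filtered. Since the SYN never reaches sshd from a non-permitted host, the "SSH-1.99" banner mentioned earlier is never sent to that host either, which is what moving sshd to an odd port cannot achieve.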