OSEC

 
From: smarkacz (smarkaczANATHEMA.EU.ORG)
Date: Sat Jan 13 2001 - 16:00:53 CST


    Simple Nomad <thegnomeNMRC.ORG> wrote:
    > I think that if I were some smart scanning dude or dudette out there, and
    > a scanning pattern was "identified" as a "misconfigured device", I'd
    > probably make sure my port scan duplicated this type of traffic.

    That's pretty obvious. But in the case of 18245>21536 packets, there's
    almost no gain. Of course, you can send such packets to every IP in
    my network and get me alarmed when you hit a machine which doesn't run
    an HTTP server. Or you can just use them to OS-fingerprint HTTP
    servers my firewall protects. But then - why don't you use port 80 for
    your scans? It *is* open and probably you can also know if my firewall
    filters are stateful or not. What more can you get from port 21536
    scans?

    > If I wanted to be REALLY evil, I could do the following:
    > 1. Scan large sections of the Internet with a forged source address and
    > several decoys with nmap.
    > 2. Wait for someone on this list to say something about it, or optionally
    > say something about it myself.
    > 3. I post a message from my day job stating "oh I spoke to blahblahblah
    > about this and it is a misconfigured device/reported to the ISP/whatever".

    Nice idea. :)

    > As a security-conscious kind of guy, I am surprised by the tone of this
    > list which seems to trust every message posted to it. Certainly I am not
    > the first person to think of this type of thing. There has always been the
    > argument on Bugtraq that the bad guys read Bugtraq, I think one should
    > assume the same here.

    OK, nobody has to trust me. Or anyone. But it doesn't mean you can
    assume anyone posting here to be a bad guy. Some people would lie
    here, some'd just be wrong. But you know all this stuff, I won't
    repeat. Just verify what you read here before trusting it.

    -- 
    *** smarkacz (smarkaczanathema.eu.org)  --  Jacek P. Szymański
    Well, obviously, if a person lisps they'll settle even for Linux. It's
    exactly that kind of half-baked system that absolutely everyone notices except the Linux people.
                                                -- Piotr Trzcionkowski
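An added example, not part of the original post, of the alarm the reply describes: flag 18245>21536 packets that reach a host not known to run an HTTP server, and decode the two port numbers as ASCII to show why the pattern is tied to mangled HTTP requests. The log line format, the addresses and the HTTP_SERVERS set are constructed for this example.

```python
import re
import struct
from typing import List, NamedTuple, Optional, Set, Tuple

# Constructed sample firewall log lines (not taken from the original thread).
SAMPLE_LOG = """\
2001-01-13 15:58:01 ACCEPT TCP 192.0.2.10:18245 -> 198.51.100.5:21536
2001-01-13 15:58:02 DROP TCP 192.0.2.10:18245 -> 198.51.100.6:21536
2001-01-13 15:58:03 ACCEPT TCP 192.0.2.77:4321 -> 198.51.100.5:80
2001-01-13 15:58:04 DROP TCP 192.0.2.10:18245 -> 198.51.100.9:21536
"""

# Assumption for the example: hosts we know serve HTTP behind the firewall.
HTTP_SERVERS: Set[str] = {"198.51.100.5"}

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)$"
)


class Record(NamedTuple):
    action: str
    src: str
    sport: int
    dst: str
    dport: int


def port_pair_as_ascii(sport: int, dport: int) -> str:
    # Read the two 16-bit port fields as four bytes: 18245 = 0x4745 = "GE",
    # 21536 = 0x5420 = "T ", i.e. the start of an HTTP "GET " request that
    # landed in the TCP port fields of a malformed packet.
    return struct.pack(">HH", sport, dport).decode("ascii", "replace")


def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # skip lines that do not match the constructed format
    return Record(m["action"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def flag_18245_21536(log: str, http_servers: Set[str]) -> List[Tuple[str, str]]:
    # Return (src, dst) pairs where the 18245>21536 pattern hit a host that
    # does not serve HTTP; those are the ones worth an alarm, per the reply.
    hits = []
    for rec in filter(None, map(parse_line, log.splitlines())):
        if rec.sport == 18245 and rec.dport == 21536 and rec.dst not in http_servers:
            hits.append((rec.src, rec.dst))
    return hits
```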