Subject: Re: DOS on inetd w/ nmap
From: John Bock (john.bockMARCHFIRST.COM)
Date: Tue Apr 25 2000 - 10:04:28 CDT



>Perhaps there is a way to make nmap
>"low-and-slow"?

Have you tried using any of the timing options?
From the man page:

       TIMING OPTIONS
              Generally Nmap does a good job at adjusting for
              network characteristics at runtime and scanning as
              fast as possible while minimizing the chances of
              hosts/ports going undetected. However, there are
              some cases where Nmap's default timing policy may
              not meet your objectives. The following options
              provide a fine level of control over the scan timing:

       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
              These are canned timing policies for conveniently
              expressing your priorities to Nmap. Paranoid mode
              scans very slowly in the hopes of avoiding detection
              by IDS systems. It serializes all scans (no
              parallel scanning) and generally waits at least 5
              minutes between sending packets. Sneaky is similar,
              except it only waits 15 seconds between sending
              packets. Polite is meant to ease load on the
              network and reduce the chances of crashing
              machines. It serializes the probes and waits at
              least 0.4 seconds between them. Normal is the
              default Nmap behaviour, which tries to run as
              quickly as possible without overloading the network
              or missing hosts/ports. Aggressive mode adds a 5
              minute timeout per host and it never waits more
              than 1.25 seconds for probe responses. Insane is
              only suitable for very fast networks or where you
              don't mind losing some information. It times out
              hosts in 75 seconds and only waits 0.3 seconds for
              individual probes. It does allow for very quick
              network sweeps though :). You can also reference
              these by number (0-5). For example, '-T 0' gives
              you Paranoid mode and '-T 5' is Insane mode.

Please respond to "Clifford, Shawn A" <shawn.a.cliffordLMCO.COM>

To: VULN-DEVSECURITYFOCUS.COM
cc: (bcc: John Bock/Whittman-Hart LP)

Subject: DOS on inetd w/ nmap

Hi All,

The problem is that inetd will abort when too many connections are made.
This is an old problem that appears to still be a problem even on some newer
OSes, specifically IRIX (*all* 6.2-6.5, others?), some HP-UX (B.10.20, but
only on some machines... dunno why), and of course old SunOS 4.1.3/4.1.4
machines (only some!). You must then log on at the console (unless you had
a remote window open to the machine prior to inetd exiting) and either
restart inetd or reboot the machine.

I was fiddling with the 'httpd_scan.pl' script that I posted a while back,
which is predicated on NetCat for the port scanning and for sending http
GETs to possible servers, when I thought I would substitute 'nmap' for 'nc'
in my script.

Nmap is about 4 times faster, as it turns out, for doing port scans, but it
has this nasty side-effect. It also seems to be sending data, as it not
only crashes inetd on IRIX, but it also crashes some service called
'sgi_fam' with an enormous amount of data.

/var/adm/SYSLOG entry:
Apr 5 18:30:43 3D:node famd: fd 10 message length 1212498244 bytes exceeds
max of 1064.

What's doubly annoying about this is that nmap is such a good tool,
otherwise, and is being promoted by SANS as a tool of choice. Clearly
crashing inetd isn't very subtle. Perhaps there is a way to make nmap
"low-and-slow"?

Although netcat is much slower, and doesn't have the fingerprinting
capability of nmap, I will have to keep using 'nc' for my Web server scans.

Regards,
-- Shawn

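As an added example, not part of the original thread: a small Python model of the serialized timing policies quoted from the man page, measured against a per-minute connection limit of the kind a fragile inetd enforces before giving up. The 40-per-minute limit and the 1024-port scan size are constructed values, not figures from either post; the model shows that Polite still delivers 150 connections a minute to a serialized target, so only Sneaky and Paranoid are "low-and-slow" by that measure.

```python
"""Added example, not from the thread: model the serialized nmap timing
policies quoted in the man page against a per-minute connection limit.
The 40/min limit and the 1024-port scan are constructed values."""
from collections import deque

# Inter-probe delays in milliseconds for the serialized policies from the
# man page quote.  Normal, Aggressive and Insane probe in parallel; they
# are modelled here as a back-to-back burst (BURST_GAP_MS between probes).
SERIAL_DELAYS_MS = {"Paranoid": 300_000, "Sneaky": 15_000, "Polite": 400}
BURST_GAP_MS = 1
WINDOW_MS = 60_000  # one minute


def probe_times_ms(policy, n_probes):
    """Return the send times (ms) of n_probes under the named policy."""
    gap = SERIAL_DELAYS_MS.get(policy, BURST_GAP_MS)
    return [i * gap for i in range(n_probes)]


def peak_per_window(times_ms, window_ms=WINDOW_MS):
    """Largest number of events inside any window (t - window_ms, t]."""
    recent = deque()
    peak = 0
    for t in sorted(times_ms):
        recent.append(t)
        while t - recent[0] >= window_ms:  # drop events a full window old
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def exceeds_limit(policy, n_probes, limit_per_minute):
    """True if the scan would ever push more than limit_per_minute
    connections at the target within a single minute."""
    return peak_per_window(probe_times_ms(policy, n_probes)) > limit_per_minute


def policy_report(n_probes=1024):
    """Peak connections per minute for each modelled policy, keyed by name."""
    policies = list(SERIAL_DELAYS_MS) + ["Normal"]
    return {p: peak_per_window(probe_times_ms(p, n_probes)) for p in policies}


if __name__ == "__main__":
    limit = 40  # constructed per-minute limit for the target's inetd
    for policy, peak in policy_report().items():
        verdict = "exceeds" if peak > limit else "stays under"
        print(f"{policy:9s} peak {peak:5d}/min  {verdict} a {limit}/min limit")
```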