Scanning

(Under construction)

Security Scanning

There is a growing movement for "hacker's eye view" scanning. Many open source and commercial tools exist for this, including the very popular nmap and Nessus.

Interestingly, people are learning to block IP addresses of scanners. For example, some universities scan their networks for student web servers - as these often contain pirated software. I have heard cases of students firewalling the scanning addresses to continue sharing.

Vulnerability Scanning

  • Port scan - TCP, UDP (including service-specific positive probes) and ICMP
  • Service identification
  • Version identification, through banners and fingerprinting, and checking of version against vulnerability database.
  • Service-specific checks, e.g. mail relay check, or RPC/DCOM direct test.
  • Password brute forcing
  • Local checks - using Windows registry or Unix SSH access.
  • Web tests - CGI scanning, light touch application testing.
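The first item in that list, the port scan, is also the part of a scan that is easiest to spot from the target side, which is how the universities mentioned above find scanners to block. The following is an added example, not code from the original page: a small detector that reads firewall drop logs and flags any source that probes many distinct ports in a short window. The log format and all addresses are constructed for the example (the format is assumed and is not that of any particular firewall product).

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed firewall log lines in an assumed, simplified format:
#   "<ISO timestamp> <action> <src_ip> -> <dst_ip>:<dst_port>/<proto>"
# 203.0.113.5 sweeps twelve ports in six seconds; the other two sources are
# ordinary noise (a repeated hit on one port, and two ports half an hour later).
SAMPLE_LOG = """\
2008-02-22T10:00:01 DROP 203.0.113.5 -> 192.0.2.10:21/tcp
2008-02-22T10:00:01 DROP 203.0.113.5 -> 192.0.2.10:22/tcp
2008-02-22T10:00:02 DROP 203.0.113.5 -> 192.0.2.10:23/tcp
2008-02-22T10:00:02 DROP 203.0.113.5 -> 192.0.2.10:25/tcp
2008-02-22T10:00:03 DROP 203.0.113.5 -> 192.0.2.10:80/tcp
2008-02-22T10:00:03 DROP 203.0.113.5 -> 192.0.2.10:110/tcp
2008-02-22T10:00:04 DROP 203.0.113.5 -> 192.0.2.10:135/tcp
2008-02-22T10:00:04 DROP 203.0.113.5 -> 192.0.2.10:139/tcp
2008-02-22T10:00:05 DROP 203.0.113.5 -> 192.0.2.10:443/tcp
2008-02-22T10:00:05 DROP 203.0.113.5 -> 192.0.2.10:445/tcp
2008-02-22T10:00:06 DROP 203.0.113.5 -> 192.0.2.10:3306/tcp
2008-02-22T10:00:06 DROP 203.0.113.5 -> 192.0.2.10:8080/tcp
2008-02-22T10:00:07 DROP 198.51.100.7 -> 192.0.2.10:80/tcp
2008-02-22T10:05:00 DROP 198.51.100.7 -> 192.0.2.10:80/tcp
2008-02-22T10:30:00 DROP 203.0.113.9 -> 192.0.2.10:22/tcp
2008-02-22T10:30:00 DROP 203.0.113.9 -> 192.0.2.10:53/udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; lines that
    do not match the format are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "proto": m["proto"],
        })
    return events


def detect_port_scans(events, window_seconds=60, min_ports=10):
    """Return {src_ip: max_distinct_targets} for every source that touched at
    least min_ports distinct (dst, port, proto) triples inside any sliding
    window of window_seconds. Repeated hits on one port do not count."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()          # (timestamp, key) pairs currently in the window
        counts = Counter()        # how many events in the window hit each key
        for ev in evs:
            key = (ev["dst"], ev["port"], ev["proto"])
            window.append((ev["ts"], key))
            counts[key] += 1
            # Expire events older than the window relative to the newest event.
            while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
                _, old_key = window.popleft()
                counts[old_key] -= 1
                if counts[old_key] == 0:
                    del counts[old_key]
            if len(counts) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(counts))
    return alerts


if __name__ == "__main__":
    for src, n in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports within the window")
```

The threshold of ten distinct ports in a minute is a starting point, not a rule: a slow scan spread over hours slips under it, and a busy server legitimately sees a single client on a handful of ports, so in practice the window and threshold are tuned per network and the alert is reviewed before an address is blocked.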

Reverse DNS Probe

Sometimes DNS servers are misconfigured so that anyone can determine what domains they have cached. This is actually quite common.

An interesting exploit for this is to determine what IP addresses have visited a website. If the server does reverse DNS on visitors (which is fairly common), you can tell if a given IP address has visited the site, by checking the DNS server for having the reverse domain cached. And if you do your queries cleverly, you can brute force through the IP address space hierarchically, to enumerate everyone who has visited.
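From the resolver operator's side, the probe described above has a recognisable footprint: the cache is asked about names without asking the server to resolve them, so the queries arrive with the recursion-desired bit clear, in a burst, for reverse (in-addr.arpa) names, from one client. The following is an added example, not code from the original page: it profiles a resolver query log and flags clients whose traffic is predominantly non-recursive. The log format and all addresses are constructed for the example (the format is assumed and is not that of any particular DNS server).

```python
import re
from collections import defaultdict

# Constructed resolver query-log lines in an assumed, simplified format:
#   "<ISO timestamp> <client_ip> <qname> <qtype> rd=<0|1>"
# rd=1 is a normal lookup; rd=0 asks only for what is already cached.
# 203.0.113.77 walks a block of reverse names without recursion; the other
# clients are ordinary, including one stray non-recursive query.
SAMPLE_QUERY_LOG = """\
2008-02-22T11:00:00 192.0.2.50 www.example.com. A rd=1
2008-02-22T11:00:01 192.0.2.51 mail.example.com. MX rd=1
2008-02-22T11:00:02 203.0.113.77 5.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:02 203.0.113.77 6.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:02 203.0.113.77 7.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:03 203.0.113.77 8.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:03 203.0.113.77 9.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:03 203.0.113.77 10.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:04 203.0.113.77 11.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:04 203.0.113.77 12.113.0.203.in-addr.arpa. PTR rd=0
2008-02-22T11:00:05 192.0.2.52 www.example.org. A rd=0
2008-02-22T11:00:06 192.0.2.50 ftp.example.com. A rd=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>[\d.]+) (?P<qname>\S+) (?P<qtype>[A-Z]+) rd=(?P<rd>[01])$"
)


def parse_query_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        queries.append({
            "client": m["client"],
            "qname": m["qname"],
            "qtype": m["qtype"],
            "rd": int(m["rd"]),
        })
    return queries


def profile_clients(queries):
    """Per client: total queries, non-recursive queries, and non-recursive
    PTR queries for reverse (in-addr.arpa) names."""
    stats = defaultdict(lambda: {"total": 0, "nonrecursive": 0, "nonrecursive_ptr": 0})
    for q in queries:
        s = stats[q["client"]]
        s["total"] += 1
        if q["rd"] == 0:
            s["nonrecursive"] += 1
            if q["qtype"] == "PTR" and q["qname"].lower().endswith(".in-addr.arpa."):
                s["nonrecursive_ptr"] += 1
    return dict(stats)


def suspected_cache_probes(queries, min_nonrecursive=5, min_fraction=0.8):
    """Return {client: stats} for clients that sent at least min_nonrecursive
    non-recursive queries making up at least min_fraction of their traffic.
    A single stray rd=0 query from a normal client does not trigger this."""
    flagged = {}
    for client, s in profile_clients(queries).items():
        if s["nonrecursive"] >= min_nonrecursive and s["nonrecursive"] / s["total"] >= min_fraction:
            flagged[client] = s
    return flagged


if __name__ == "__main__":
    for client, s in suspected_cache_probes(parse_query_log(SAMPLE_QUERY_LOG)).items():
        print(f"{client}: {s['nonrecursive']}/{s['total']} non-recursive queries, "
              f"{s['nonrecursive_ptr']} of them reverse PTR lookups")
```

Detection is the fallback; the fix for the misconfiguration itself is to answer cache contents only to the clients the resolver is meant to serve. In BIND that is the `allow-recursion` and `allow-query-cache` options restricted to the local networks; other resolvers have equivalents.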

© 1998 - 2008 Paul Johnston, distributed under the BSD License   Updated:22 Feb 2008