[unisog] Determining local servers and banners

Brian Smith-Sweeney bsmithsweeney at nyu.edu
Thu Apr 14 20:21:35 GMT 2005

>>I asked about number of hosts because I'm working on getting  active
>>scans to run A) more accurately, and B) within a reasonable (1 week)
>>amount of time.  Would you mind sharing your nmap timing options, and
>>what your associated % of host response is?  And I too would be
>>interested in seeing your database setup, if it's available.
>We ping each host before scanning it, this way we get 100% host response
>and nmap timeout values isn't that important. We want cross reference this
>data with the router ARP tables to avoid local firewalls but not there
But the nmap timeout values I'm talking about are when a host pings and 
is up, but takes too long to respond during the scan portion and thus 
the scan data is lost.   I'm not sure a pre-scan ping sweep will help us 
with that.

>>Even though right now we're only getting data back from2 about 5k of our
>>30k active hosts, the follow-up amap gives us real good data on FTP
>>"quiet" backdoors, so I would still recommend it to anyone looking for
>>this type of compromise.  Those machines with FTP banners generally
>>point us at hosts that could turn into DDoS clients, brute-force
>>password attackers, etc. .  I've also noticed a tendency for
>>script-kiddie FTP backdoors to have some rudimentary portscan detection,
>>so more and more I'm having to nmap from one host and amap from another.
>I wouldn't advise you to use only portscans to find compromised hosts, we
>find more compromised machines with our honeypot and grep in netflow data.
>We use Scanorama more to check compliance (Windows machine in domain, not
>running W95 or NT4 etc.).
We're definitely not using *only* portscans. =)  However, it is a very 
effective method.  It allows us to find compromised systems that aren't 
being abused yet, and that therefor may or may not show up via passive 
detection.   Furthermore, with some simple rules one can reduce false 
positives to extremely low percentages.  And the work/return ratio on 
such scans is very good.  The scans themselves and post-processing can 
all be automated, as can the subsequent emailing to local admins (though 
we're still working on this).  All in all, I've been very happy with our 
results thus far. 

That being said, there are plenty of hosts detected via passive methods 
that we don't get via portscan + banner-grab.   So far we've found that 
the union of compromised hosts detected via passive and active detection 
is sufficiently larger than either of the individual sets to make using 
both methods worth the effort. 

>>We're also keeping track of "common" ports used by ftp backdoors on our
>>network and attempting to identify patterns of non-bannered ports on
>>those obviously compromised hosts that will help to identify others
>>compromised in more subtle ways.  Unfortunately, with the number of
>>hosts we've got, real OS/applications fingerprinting seems too slow to
>>be useful.
>We tried to keep track of the different backdoors, but most local exploits
>we find have "customized" the backdoor and is hiding in "legal" port
>ranges. Much in the same way they "customize" filenames for known Troyans,
>or utilities like netcat.
Agreed; not sure if this will end up being a worthwhile endeavor or not. 

>One side note is, the world is getting worse. A couple of weeks ago we
>found our first binary rootkit (hackers defenders) which hides itself from
>the OS. They got in through a unpatched apache server running PHP on
>someones desktop.
We've seen a large increase in the percentage of compromised machines on 
our networks that carry rootkits recently.  This is often frustrating 
for our local admins, who have gotten used to using fport et al. to see 
what's running on their systems.  Hacker Defender is definitely the most 


More information about the unisog mailing list