[unisog] Determining local servers and banners
bsmithsweeney at nyu.edu
Thu Apr 14 20:21:35 GMT 2005
>>I asked about number of hosts because I'm working on getting active
>>scans to run A) more accurately, and B) within a reasonable (1 week)
>>amount of time. Would you mind sharing your nmap timing options, and
>>what your associated % of host response is? And I too would be
>>interested in seeing your database setup, if it's available.
>We ping each host before scanning it; this way we get 100% host response
>and nmap timeout values aren't that important. We want to cross-reference this
>data with the router ARP tables to avoid local firewalls but not there
But the nmap timeout values I'm talking about are when a host pings and
is up, but takes too long to respond during the scan portion and thus
the scan data is lost. I'm not sure a pre-scan ping sweep will help us
>>Even though right now we're only getting data back from about 5k of our
>>30k active hosts, the follow-up amap gives us real good data on FTP
>>"quiet" backdoors, so I would still recommend it to anyone looking for
>>this type of compromise. Those machines with FTP banners generally
>>point us at hosts that could turn into DDoS clients, brute-force
>>password attackers, etc. I've also noticed a tendency for
>>script-kiddie FTP backdoors to have some rudimentary portscan detection,
>>so more and more I'm having to nmap from one host and amap from another.
>I wouldn't advise you to use only portscans to find compromised hosts, we
>find more compromised machines with our honeypot and grep in netflow data.
>We use Scanorama more to check compliance (Windows machine in domain, not
>running W95 or NT4 etc.).
We're definitely not using *only* portscans. =) However, it is a very
effective method. It allows us to find compromised systems that aren't
being abused yet, and that therefore may or may not show up via passive
detection. Furthermore, with some simple rules one can reduce false
positives to extremely low percentages. And the work/return ratio on
such scans is very good. The scans themselves and post-processing can
all be automated, as can the subsequent emailing to local admins (though
we're still working on this). All in all, I've been very happy with our
results thus far.
That being said, there are plenty of hosts detected via passive methods
that we don't get via portscan + banner-grab. So far we've found that
the union of compromised hosts detected via passive and active detection
is sufficiently larger than either of the individual sets to make using
both methods worth the effort.
>>We're also keeping track of "common" ports used by ftp backdoors on our
>>network and attempting to identify patterns of non-bannered ports on
>>those obviously compromised hosts that will help to identify others
>>compromised in more subtle ways. Unfortunately, with the number of
>>hosts we've got, real OS/applications fingerprinting seems too slow to
>We tried to keep track of the different backdoors, but most local exploits
>we find have "customized" the backdoor and are hiding in "legal" port
>ranges. Much in the same way they "customize" filenames for known Trojans,
>or utilities like netcat.
Agreed; not sure if this will end up being a worthwhile endeavor or not.
>One side note is, the world is getting worse. A couple of weeks ago we
>found our first binary rootkit (hackers defenders) which hides itself from
>the OS. They got in through a unpatched apache server running PHP on
We've seen a large increase in the percentage of compromised machines on
our networks that carry rootkits recently. This is often frustrating
for our local admins, who have gotten used to using fport et al. to see
what's running on their systems. Hacker Defender is definitely the most