networking/port scanning question

Printable View

September 11th, 2004, 04:46 AM
Phonedog911

networking/port scanning question

i was reading this paper and part of it confused me about port scanning and stuff. it said:

Quote:

On 27 April, at 00:13 hours, our network was scanned by the system 1Cust174.tnt2.long-branch.nj.da.uu.net for several vulnerabilities, including imap. Our intruder came in noisy, as every system in the network was probed.

Apr 27 00:12:25 mozart imapd[939]: connect from 208.252.226.174
Apr 27 00:12:27 bach imapd[1190]: connect from 208.252.226.174
Apr 27 00:12:30 vivaldi imapd[1225]: connect from 208.252.226.174

how could he scan every system on the network from outside the network? if the computers on the internet are connected to the internet, wouldnt they have to be behind some kind of router or hub that would make it impossible for him to scan them from outside?

heres the page: http://project.honeynet.org/papers/enemy3/
September 11th, 2004, 05:22 AM
nebulus200

Re: networking/port scanning question

Quote:

Originally posted here by Phonedog911
i was reading this paper and part of it confused me about port scanning and stuff. it said:

how could he scan every system on the network from outside the network? if the computers on the internet are connected to the internet, wouldnt they have to be behind some kind of router or hub that would make it impossible for him to scan them from outside?

heres the page: http://project.honeynet.org/papers/enemy3/

Unfortunately not, there are many places that run without the benefit of firewalls or router's doing NAT or using access lists. I would beg to differ about their use of terminology, a port scan is hardly iindicative of 'several vulnerabilities.' It looks to me based on it that it is just run of the mill port scanning for imap...barely even noteworthy.

Also note, your source is the honeynet project, which is specifically dedicated to 'luring' hackers into specially constructed traps that are desinged to analyze their techniques and tools and to get an idea of what people are looking for. I would not be suprised to see a honeynet system wide open to the world. Was that quote from honeynet too? I am a little surpised they would use that kind of terminology...
September 11th, 2004, 03:53 PM
Phonedog911

what i meant was, wouldnt he just end up scanning whatever gateway the systems were connected to and not be able to scan the individual computers on the network? unless he could get on that network somehow
September 11th, 2004, 07:00 PM
JP

Greetings:

Quote:

Originally posted here by Phonedog911
what i meant was, wouldnt he just end up scanning whatever gateway the systems were connected to and not be able to scan the individual computers on the network?

He'll be able to scan everything that has a publicly routable IP address, assuming no firewall etc. is in place.
September 11th, 2004, 09:01 PM
Tiger Shark

Technically speaking, on a network with a non-stateful firewall it is possible to scan the machines on the inside though I'm quite sure that non-stateful firewalls nowadays are less common than unfirewalled networks.
September 12th, 2004, 03:03 AM
Highlander

Personally I would use a NAT Firewall router as my first line of defense
No ifs ands or buts!!!!