Certified Noob - Question (Scanning own company network legally with NMAP)

edited August 2020 in Off-topic

Hi,
I recently got certified and have been given permission to do vulnerability scanning on our company network. (I dont want to actually try exploit, just looking).

Can running the NMAP script scans cause problems for web servers? (--script vuln).
If I recall correctly it actually tries to exploit those ports for vulnerabilities but I may be mistaken.

I just want to run a full scan against our public facing network and research potential vulnerabilities and report.

Thanks in advance

Tagged:

Comments

  • Answered my own question but if anyone has any advice or issues they've experienced then plz share

    "Version scanning (-sV) and some of our NSE scripts (-sC or --script) risk crashing poorly written applications. Similarly, some buggy operating systems have been reported to crash when OS fingerprinted (-O). Omit these options for particularly sensitive environments or where you do not need the results."

  • Every org is different and you should only scan with explicit permission - generally, this means going through change control, making sure the people responsible for the environment know what scans you are going to do, what potential impact it has etc.

    Depending where you live and on your corporate culture, getting this wrong can have serious side effects.

    That said, if a system crashes when it is scanned, that's a finding. If the system admins are too worried that a system might crash to allow scanning, that's also a finding.

    On a related topic, it is important that you understand what is happening with the scans you run. You can't rely on blanket statements like "-sC might cause a crash" or "NSE scripts cause crashes" - because that doesn't really help you, it just leads to "never use -sC/Scripts" or "always use -sV/Scripts".

    Take some time to understand how each scan type works and what each script does. For example, do they actually try to exploit a vulnerability or do they just send specific packets to see if a vulnerability exists? Few if any vuln scanners try to exploit in the way most people would describe exploit, but you cant make that assumption until you look at what the script does.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • No. It is illegal to scan network without their permission. They may have chance to file Cyber criminal case. Since nmap is not just a scanning tool, you can even launch exploitation with scripts from NSE. So it is potentially wrong way to do on other's networks.
    With their legal permission, you can do it. :)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Thanks guys, yes I got permission first.

  • @FUBAR said:

    Thanks guys, yes I got permission first.

    One additional thing about permission - if you are scanning externally facing IP addresses then other people might need to approve.

    Remember your attack will go from your computer, over the internet, hit the upstream provider and then hit the public-facing IP address. If the IP is on a CDN (Akamai, Amazon etc), then they might have their own rules about what is allowed.

    The last thing you want is an ISP to report you to the police because they think you are attacking someone or, worse, because you've broken their kit.

    It is a bit of a minefield and I dont want to put you off. In general approval from the owner of the IP range/services exposed is enough but consider others.

    (Kind of goes back to understand what your attack is!)

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • @sparkla said:

    Yeah I guess, those sort of "fears of crashes" is more of an excuse or a proof for a really old and bad app that needs an update anyway.

    100%

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • Sysadmin here. Been through a good number of VAPTs in our environment.

    As others have said, always get permission first.

    It's also good practice to inform the IT/NOC/SOC teams ahead of time so they don't get any surprises.

    I've personally never experienced any system/app crashes while VAPT was ongoing though...

  • What is your opinion on using dirbuster/gobuster for a vulnerability scan? it is technically a brute forcer but it would be interesting to see what hidden directories can be found.

    Can that fall under a vulnerability assessment? (I did already get permission to use it as well, I'm just unsure if I should because I want to err on the safe safe)

  • @FUBAR said:

    What is your opinion on using dirbuster/gobuster for a vulnerability scan? it is technically a brute forcer but it would be interesting to see what hidden directories can be found.

    Can that fall under a vulnerability assessment? (I did already get permission to use it as well, I'm just unsure if I should because I want to err on the safe safe)

    IMHO the answer is "it depends" and I get that isn't very helpful.

    So it is a brute forcer but if you get approval from the system owner to do this, then you should be ok to run it. Generally speaking, they just generate a huge number of GET requests so any concerns are likely to hinge on resource utilisation/exhaustion.

    For example, if you have approval to run a VA scan without DOS checks, you might not want to run directory scans.

    **But it depends. **

    If you can modify the scan to make it less aggressive it might be OK. If you run rockyou against multiple extensions with hundreds of concurrent threads, you may well cause a problem.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • I do not want to repeat the advice of "get permission first"... But make sure that it's not a verbal agreement, get permission on writing.

    I once had a boss asking me to do some digging on another machine from the company and I said "I am sorry, unless I give me the request, and therefore permission, to do that in writing, I won't be able to do it".
    They dropped it. And, yeah... it was a quite toxic environment, so I had to be very careful. ;-)

Sign In to comment.