Certified Noob - Question (Scanning own company network legally with NMAP)

edited August 7 in Off-topic

Hi,
I recently got certified and have been given permission to do vulnerability scanning on our company network. (I don't want to actually try to exploit anything, just looking.)

Can running the NMAP script scans cause problems for web servers? (--script vuln).
If I recall correctly it actually tries to exploit those ports for vulnerabilities but I may be mistaken.

I just want to run a full scan against our public facing network and research potential vulnerabilities and report.

Thanks in advance


Comments

  • Answered my own question but if anyone has any advice or issues they've experienced then plz share

    "Version scanning (-sV) and some of our NSE scripts (-sC or --script) risk crashing poorly written applications. Similarly, some buggy operating systems have been reported to crash when OS fingerprinted (-O). Omit these options for particularly sensitive environments or where you do not need the results."

  • Every org is different and you should only scan with explicit permission - generally, this means going through change control, making sure the people responsible for the environment know what scans you are going to do, what potential impact it has etc.

    Depending where you live and on your corporate culture, getting this wrong can have serious side effects.

    That said, if a system crashes when it is scanned, that's a finding. If the system admins are too worried that a system might crash to allow scanning, that's also a finding.

    On a related topic, it is important that you understand what is happening with the scans you run. You can't rely on blanket statements like "-sC might cause a crash" or "NSE scripts cause crashes" - because that doesn't really help you, it just leads to "never use -sC/Scripts" or "always use -sV/Scripts".

    Take some time to understand how each scan type works and what each script does. For example, do they actually try to exploit a vulnerability or do they just send specific packets to see if a vulnerability exists? Few if any vuln scanners try to exploit in the way most people would describe exploit, but you can't make that assumption until you look at what the script does.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
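The advice above (look at what each script actually does before running `--script vuln`) can be turned into a pre-scan check. Nmap ships an index file, `script.db`, whose entries list each script's categories, and several of those categories (`safe`, `intrusive`, `exploit`, `dos`) are exactly the labels Nmap uses to say whether a script is aggressive. The parser below is an added example written for this thread, not code from Nmap or from any poster: the `Entry { ... }` lines follow the real `script.db` shape, but the script names in the sample are constructed placeholders, and the path in the usage note is only the usual install location.

```python
"""Review which NSE scripts an Nmap --script category expression would run.

Added example for this thread (not Nmap's own code).  Nmap's script.db
index contains lines of the form
    Entry { filename = "name.nse", categories = { "vuln", "intrusive", } }
The sample below uses that shape with CONSTRUCTED placeholder script names;
the category names (safe, intrusive, vuln, exploit, dos) are real Nmap
categories.
"""
import re
from typing import Dict, List, Set

# Constructed sample in script.db format (hypothetical script names).
SAMPLE_SCRIPT_DB = '''
Entry { filename = "example-banner.nse", categories = { "discovery", "safe", } }
Entry { filename = "example-vuln-check.nse", categories = { "vuln", "safe", } }
Entry { filename = "example-vuln-probe.nse", categories = { "vuln", "intrusive", } }
Entry { filename = "example-vuln-exploit.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "example-flood.nse", categories = { "dos", "intrusive", } }
'''

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)
TOKEN_RE = re.compile(r'\s*(\(|\)|[a-z0-9]+)\s*')
KEYWORDS = {"and", "or", "not", "(", ")"}

# Categories Nmap itself uses to mark scripts that may disrupt a target.
RISKY = {"intrusive", "exploit", "dos"}


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map script filename -> set of category names."""
    scripts: Dict[str, Set[str]] = {}
    for m in ENTRY_RE.finditer(text):
        scripts[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return scripts


def matches(expr: str, categories: Set[str]) -> bool:
    """Evaluate an Nmap-style boolean category expression, e.g.
    'vuln and not intrusive', against one script's category set.

    Only category words, and/or/not and parentheses are accepted, so the
    expression is rewritten to True/False literals before evaluation."""
    tokens: List[str] = []
    pos = 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text in expression: {expr[pos:]!r}")
        tok = m.group(1)
        pos = m.end()
        if tok in KEYWORDS:
            tokens.append(tok)
        else:
            tokens.append("True" if tok in categories else "False")
    return bool(eval(" ".join(tokens), {"__builtins__": {}}, {}))


def select(scripts: Dict[str, Set[str]], expr: str) -> List[str]:
    """Scripts (sorted by name) that the expression would select."""
    return sorted(name for name, cats in scripts.items() if matches(expr, cats))


def review(scripts: Dict[str, Set[str]], expr: str) -> dict:
    """Split a selection into scripts with no risky category and scripts
    that Nmap labels intrusive/exploit/dos, with the labels that apply."""
    chosen = select(scripts, expr)
    flagged = {n: sorted(scripts[n] & RISKY) for n in chosen if scripts[n] & RISKY}
    return {
        "expr": expr,
        "safe": [n for n in chosen if n not in flagged],
        "flagged": flagged,
    }


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    for e in ("vuln", "vuln and safe", "vuln and not (intrusive or exploit)"):
        print(review(db, e))
```

To run it against a real install, replace `SAMPLE_SCRIPT_DB` with the contents of your Nmap's `script.db` (commonly under `/usr/share/nmap/scripts/`, an assumption that varies by platform); the same `and`/`or`/`not` expression you pass to `--script` can then be previewed here, so the output of `review(db, "vuln")` is the list of scripts to read before the scan is approved.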

  • No. It is illegal to scan a network without their permission. They may have a chance to file a cyber criminal case. Since nmap is not just a scanning tool, you can even launch exploitation with scripts from NSE. So it is potentially the wrong way to do it on others' networks.
    With their legal permission, you can do it. :)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Thanks guys, yes I got permission first.

  • @FUBAR said:

    Thanks guys, yes I got permission first.

    One additional thing about permission - if you are scanning externally facing IP addresses then other people might need to approve.

    Remember your attack will go from your computer, over the internet, hit the upstream provider and then hit the public-facing IP address. If the IP is on a CDN (Akamai, Amazon etc), then they might have their own rules about what is allowed.

    The last thing you want is an ISP to report you to the police because they think you are attacking someone or, worse, because you've broken their kit.

    It is a bit of a minefield and I don't want to put you off. In general approval from the owner of the IP range/services exposed is enough but consider others.

    (Kind of goes back to understand what your attack is!)

    TazWake

  • AWS and most other hosting companies indeed have very strict rules regarding pentesting; you may trigger all sorts of alerts on your way to your company website or other server / cloud app. If you google it you can find the details: AWS wants to be informed beforehand, wants you to be an official pentesting company / service, and you'll have to wait for approval back from AWS, which will be limited to a certain time frame.

    Although I'm not yet actively working as pentester I already figured that it's much easier to have a local network ready to run a copy of a website or even clone an active directory configuration by version and work with the local clone.

    If the system admins are too worried that a system might crash to allow scanning, that's also a finding.

    :D love that one

    Yeah I guess, that sort of "fear of crashes" is more of an excuse or proof of a really old and bad app that needs an update anyway.

    Hack The Box

  • @sparkla said:

    Yeah I guess, that sort of "fear of crashes" is more of an excuse or proof of a really old and bad app that needs an update anyway.

    100%

    TazWake

  • Sysadmin here. Been through a good number of VAPTs in our environment.

    As others have said, always get permission first.

    It's also good practice to inform the IT/NOC/SOC teams ahead of time so they don't get any surprises.

    I've personally never experienced any system/app crashes while VAPT was ongoing though...

  • What is your opinion on using dirbuster/gobuster for a vulnerability scan? it is technically a brute forcer but it would be interesting to see what hidden directories can be found.

    Can that fall under a vulnerability assessment? (I did already get permission to use it as well, I'm just unsure if I should because I want to err on the safe side)

  • @FUBAR said:

    What is your opinion on using dirbuster/gobuster for a vulnerability scan? it is technically a brute forcer but it would be interesting to see what hidden directories can be found.

    Can that fall under a vulnerability assessment? (I did already get permission to use it as well, I'm just unsure if I should because I want to err on the safe side)

    IMHO the answer is "it depends" and I get that isn't very helpful.

    So it is a brute forcer but if you get approval from the system owner to do this, then you should be ok to run it. Generally speaking, they just generate a huge number of GET requests so any concerns are likely to hinge on resource utilisation/exhaustion.

    For example, if you have approval to run a VA scan without DOS checks, you might not want to run directory scans.

    **But it depends.**

    If you can modify the scan to make it less aggressive it might be OK. If you run rockyou against multiple extensions with hundreds of concurrent threads, you may well cause a problem.

    TazWake

  • I do not want to repeat the advice of "get permission first"... But make sure that it's not a verbal agreement, get permission in writing.

    I once had a boss asking me to do some digging on another machine from the company and I said "I am sorry, unless you give me the request, and therefore permission, to do that in writing, I won't be able to do it".
    They dropped it. And, yeah... it was a quite toxic environment, so I had to be very careful. ;-)

  • @FUBAR said:
    What is your opinion on using dirbuster/gobuster for a vulnerability scan? it is technically a brute forcer but it would be interesting to see what hidden directories can be found.

    Depends a bit on the country, most will see it as hacking / computer sabotage. Even manually modifying a url, e.g. changing http://example.com/id=1 to http://example.com/id=2 is seen as hacking in terms of law.

    Another reality however is: On my servers, that I run for smaller companies, there's steady dirbusting going on, as well as parameter bruteforce and smtp bruteforce. It's like that for years now.

    Basically Russia gave permission to any citizen to hack anything that's not Russian, if I remember correctly. Strategically not a bad move. However they get the same hard sentences as any other country if you do in fact hack Russian things. Don't get me wrong, I'm not saying "it's the Russians" who attack our servers, this was just an example on geopolitics and hacking.

    After all I know it's botnets and we'll probably never find out who they belong to, cause there's no damage, no police task force is ever gonna investigate. The dirbusting hardly wakes modern servers from sleep mode, not literally speaking. But it's annoying in the logs. If I were to find out however that it's from my neighbour's IP I wouldn't hesitate to call the cops, tbh. Again, I doubt they would even pick it up, speaking from experience where I was a victim of fraud on eBay, by a guy who was proven to have done the same thing to multiple victims. Case too small for the prosecuting attorney, we could have financed our own lawsuit with limited chance of success..

    But all that said: Don't do anything illegal. Just don't. Not worth living in fear of kicked-down doors, lost hardware and the trouble that goes along. I'm kinda a little sad that I didn't start hacking 20 years ago when it wasn't really prosecuted, but well. There's still movies and books to make up for hero fantasies.

    @damnc said:
    And, yeah... it was a quite toxic environment, so I had to be very careful. ;-)

    I wish there were still working environments that are NOT toxic...

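Two points above meet in the web server logs: the reply that directory brute-forcers are "just a huge number of GET requests" whose risk is resource exhaustion, and the later remark that steady dirbusting from the internet is "annoying in the logs". From the defender's side, that traffic has a recognisable shape (many requests from one client in a short burst, almost all answered 404, almost all to distinct paths), which is what a sysadmin or SOC would key on when told a scan is scheduled. The detector below is an added example written for this thread, not code from any poster or from gobuster/dirbuster; the Apache combined-format log lines are constructed (TEST-NET addresses), and the thresholds are assumptions to tune per site.

```python
"""Flag directory brute-forcing in web access logs.

Added example for this thread.  Log lines below are CONSTRUCTED in Apache
combined format using documentation (TEST-NET) addresses; WINDOW,
MIN_REQUESTS and MIN_404_RATIO are assumed starting points, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering guessed paths within 4 seconds,
# one ordinary visitor browsing over a few minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:00 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:00 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [10/Oct/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [10/Oct/2023:12:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 8800 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /uploads/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "-"
198.51.100.20 - - [10/Oct/2023:12:01:30 +0000] "GET /about HTTP/1.1" 200 4100 "-" "-"
198.51.100.20 - - [10/Oct/2023:12:03:00 +0000] "GET /missing HTTP/1.1" 404 196 "-" "-"
"""

WINDOW = timedelta(seconds=10)   # burst window (assumed)
MIN_REQUESTS = 8                 # requests in one window to count as a burst (assumed)
MIN_404_RATIO = 0.8              # share of 404s that marks guessing rather than browsing (assumed)


def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines; silently skip lines that do not match."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "path": m["path"],
                "status": int(m["status"]),
            })
    return events


def max_burst(times: List[datetime], window: timedelta) -> int:
    """Largest number of events inside any span of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_dir_bruteforce(events: List[dict], window: timedelta = WINDOW,
                        min_requests: int = MIN_REQUESTS,
                        min_404_ratio: float = MIN_404_RATIO) -> List[dict]:
    """Per source IP: flag a burst of >= min_requests inside `window` whose
    overall 404 share is >= min_404_ratio.  Returns one finding per IP."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        burst = max_burst([e["ts"] for e in evs], window)
        ratio = sum(1 for e in evs if e["status"] == 404) / len(evs)
        if burst >= min_requests and ratio >= min_404_ratio:
            findings.append({
                "ip": ip,
                "requests": len(evs),
                "burst": burst,
                "not_found_ratio": round(ratio, 2),
                "distinct_paths": len({e["path"] for e in evs}),
            })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in find_dir_bruteforce(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real access log by passing its text to `parse_log`. The 404 ratio is what separates a scanner from a busy legitimate client, and the burst count is what the "resource exhaustion" concern in the thread is about; an authorised scan run with a low thread count will still trip the ratio check but may stay under the burst threshold, which is a reasonable way to confirm the scan was as gentle as agreed.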
