[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: other mysterious port things

On Tue, 29 May 2001, Ken Seefried wrote:

> Tim Haynes writes:
> > 
> > <sigh> Why do people persist in using nmap at test phase? Sure, if you've
> > been cracked, scan yourself if you want, but if you're looking to see `what
> > do I have open?' then nmap is the *last* tool I'd use.  
> > 
> > Go back to 
> >         sudo netstat -plan | grep LIST
> Well...that would be incorrect.  If you have been cracked, or suspect you 
> might have, then you cannot completely rely on the output of netstat, ps, 
> lsof, etc.  Many of the rootkits I've seen quite effectively hide themselves 
> behind trojan utilities and shared libs, making detection by such casual 
> methods as you indicate difficult. 

Which is why nmap would be useful if you've been cracked: because you can
scan yourself from *another* *box* (which is how you're supposed to use

Tim is just saying that if you *haven't* been cracked, use netstat instead
of nmap.

Hubert Chan
Research Associate
Prediction in Interacting Systems (MITACS-PINTS)
University of Alberta
Office: CAB 522
Ph: 492-4394
e-mail: hubert@math.ualberta.ca

Reply to: