SANS Penetration Testing

Announcement: The Network Scanning Watch List

[Editor's Note: A recurring concern among penetration testers is that a scan may have an unexpected and seriously undesirable impact on some target devices. We've all heard stories about a simple TCP SYN scan killing this or that network device or SCADA system. Wouldn't it be cool if someone built and maintained a list of such devices, so we know what to watch out for? I'm happy to announce that Owen Connolly and Robin Wood (digininja) have done some great work pulling together the Network Scanning Watch List of devices that have encountered problems when scanned. In this post, Owen describes the project, links to the current list, and invites you to contribute. Here at Counter Hack, we'll be helping out in keeping the list updated with input from the community. Awesome stuff, Owen and Robin! Thanks for contributing to the community and helping penetration testers. -Ed.]

By Owen Connolly

So, one day, an interesting discussion started on the SANS pen test discussion list (called the "GPWN" list). Robin Wood (a.k.a., DigiNinja) asked if there was a list of devices maintained anywhere that tended to hang, fall over, or otherwise behave weirdly when scanned in a penetration test or vulnerability assessment. This excellent request prompted me and several other people to leap in with a definitive "No! But I'd watch out for XXX device...". Those warnings of course led to a lot of similar answers and a few new and interesting ones. As penetration testers, one of the last things we want to do is inadvertently break things in a target environment by running a simple port or vulnerability scan. A list of stuff to watch out for would be very helpful to people.

After letting the ideas, warnings, and tales of woe run for a while and having a couple of chats with Robin, we agreed to compile our findings so far and also ask in a few other fora for other examples of things. We then took all the submissions and put them in a spreadsheet on Google docs and have agreed to maintain this list going forward.

Without further ado, we'd like to announce...

The Network Scanning Watch List

This list contains reports of unusual negative behavior (such as crashing, freezing, or massive performance hits) suffered by various devices while under common port and vulnerability scans. The list includes the vendor, product, scanning tool (if such information is available), the impact, and some comments.

The list can be found here - https://docs.google.com/spreadsheet/ccc?key=0Agg23JycSkYddDZHRnltVlZUMkVKSnUtN2g0WDl5clE&usp=sharing

We would very much like to keep this alive and for that reason, we have set up a Google group/mailing list at https://groups.google.com/forum/?fromgroups&hl=en#!forum/netscanwatch. We hope people will use this group to help keep us informed of any new devices they come across and also to share additional advice.

We hope it helps a few of you out there and that maybe some of the vendors/manufacturers involved would be interested in figuring out why their stuff doesn't like being scanned! We welcome input from all directions...

Thanks also to Ed for offering to publish this through the SANS Pen-test blog. As we started from the GPWN mailing list, announcing it here only seems right! Oh, and Ed also offered us the use of his assistant... After clarification, we realised he meant to help us keep the list updated! :-)

Thanks to all who contributed and those who hopefully will!

Ojc


Owen Connolly
http://linkedin.com/in/ojconnolly

3 Comments

Posted June 14, 2013 at 5:02 PM

Jim

What's the best way to use this list? Make it part of a pre-assessment questionnaire?

Posted February 11, 2014 at 4:19 PM

lausan

Has this project been moved or died? Link not working.

Posted February 23, 2014 at 1:35 PM

Ed Skoudis

The project is still live, and we would love to hear your input. Not sure what you mean, Lausan, about the links not working. I just checked them out, and they work fine. Please let me know any details and I'll be happy to look into it. -Ed.
