Date: Fri, 1 Dec 2006 09:09:25 -0500
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: "Jason Miller" <jammer128@...il.com>
Subject: Re: Nmap Online

On 12/1/06, Jason Miller <jammer128@...il.com> wrote:
> I agree with Dave on this one. Dude Van, I thought it was illegal in the
> states..? Or am I mistaken?

http://www.securityfocus.com/news/126

> Also, think of this from the ISP's view, do they
> really want a service port scanning their users? And look at it this way,
> said target has a proxy server on it, attacker proxies into the proxy and
> scans the target server with that service, since he is now on the targets IP
> address, I think you understand what I'm getting at by now. nmap is made to
> find exploits, that is what this service is going to wind up being abused
> for (in most cases that i know).


nmap is used to find open ports and fingerprint OS's. What you do with
that info is up to you.

Here is an example of what is legal vs what isnt: If you scan a
machine with nmap from one machine, that is not illegal. If you run
100,00 nmap scans from a distributed botnet and take down their
server, thats illegal.

If your nmap scan tells you that port 80 is open and you run a nessus
scan and find that they are vulnerable to a bug in their webserver is
that illegal? I do know If you exploit that weakness and backdoor
their machine, you just broke the law, but am unsure about nessus's
legality on systems you dont have a get out of jail free card for or
own.

I have no doubt about nmap though. as long as you dont take down their
servers with the scans, you are legit.

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux