lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e024ccca0612010609m707d368aid768c13c8fb638b4@mail.gmail.com>
Date: Fri, 1 Dec 2006 09:09:25 -0500
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: "Jason Miller" <jammer128@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Nmap Online

On 12/1/06, Jason Miller <jammer128@...il.com> wrote:
> I agree with Dave on this one. Dude Van, I thought it was illegal in the
> states..? Or am I mistaken?

http://www.securityfocus.com/news/126

> Also, think of this from the ISP's view, do they
> really want a service port scanning their users? And look at it this way,
> said target has a proxy server on it, attacker proxies into the proxy and
> scans the target server with that service, since he is now on the targets IP
> address, I think you understand what I'm getting at by now. nmap is made to
> find exploits, that is what this service is going to wind up being abused
> for (in most cases that i know).


nmap is used to find open ports and fingerprint OS's. What you do with
that info is up to you.

Here is an example of what is legal vs what isnt: If you scan a
machine with nmap from one machine, that is not illegal. If you run
100,00 nmap scans from a distributed botnet and take down their
server, thats illegal.

If your nmap scan tells you that port 80 is open and you run a nessus
scan and find that they are vulnerable to a bug in their webserver is
that illegal? I do know If you exploit that weakness and backdoor
their machine, you just broke the law, but am unsure about nessus's
legality on systems you dont have a get out of jail free card for or
own.

I have no doubt about nmap though. as long as you dont take down their
servers with the scans, you are legit.

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists