On Tue, 29 May 2001, Ken Seefried wrote:
> Tim Haynes writes:
> >
> > <sigh> Why do people persist in using nmap at test phase? Sure, if you've
> > been cracked, scan yourself if you want, but if you're looking to see `what
> > do I have open?' then nmap is the *last* tool I'd use.
> >
> > Go back to
> > sudo netstat -plan | grep LIST
>
> Well...that would be incorrect. If you have been cracked, or suspect you
> might have, then you cannot completely rely on the output of netstat, ps,
> lsof, etc. Many of the rootkits I've seen quite effectively hide themselves
> behind trojan utilities and shared libs, making detection by such casual
> methods as you indicate difficult.

Which is why nmap would be useful if you've been cracked: because you can
scan yourself from *another* *box* (which is how you're supposed to use
nmap). Tim is just saying that if you *haven't* been cracked, use netstat
instead of nmap.

-- 
Hubert Chan
Research Associate
Prediction in Interacting Systems (MITACS-PINTS)
University of Alberta
Office: CAB 522 Ph: 492-4394
e-mail: [EMAIL PROTECTED]
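
The cross-check discussed in this thread, as an added example that is not part of the original messages: it compares `netstat -plan | grep LIST` output taken on the host with grepable output (`nmap -oG -`) from a scan run on another box. The sample outputs, the address 192.0.2.10, the port numbers and the function names are constructed for illustration.

```python
import re

# Constructed sample: `netstat -plan | grep LIST` as run on the suspect host.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      801/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      733/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      950/apache2
unix  2      [ ACC ]     STREAM     LISTENING     14230    1/init     /run/systemd/private
"""
# Constructed sample: `nmap -oG -` output from a scan run on *another* box.
NMAP_SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "8099/open/tcp/////, 443/closed/tcp//https///\tIgnored State: filtered (996)\n"
)
LOOPBACK = ("127.", "::1")

def local_listeners(netstat_text):
    """Map each TCP LISTEN port to the set of addresses it is bound to."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # skips unix-domain "LISTENING" rows and header lines
        addr, _, port = f[3].rpartition(":")  # handles ":::80" as well
        found.setdefault(int(port), set()).add(addr)
    return found

def remote_open(nmap_grepable):
    """Return the set of TCP ports the external scan reported as open."""
    ports = set()
    for line in nmap_grepable.splitlines():
        m = re.search(r"Ports: ([^\t]*)", line)
        for entry in (m.group(1).split(",") if m else []):
            f = entry.strip().split("/")  # port/state/proto/...
            if len(f) >= 3 and f[1] == "open" and f[2] == "tcp":
                ports.add(int(f[0]))
    return ports

def compare(netstat_text, nmap_grepable):
    local, remote = local_listeners(netstat_text), remote_open(nmap_grepable)
    # Loopback-only listeners are not expected to answer an external scan.
    exposed = {p for p, a in local.items() if not all(x.startswith(LOOPBACK) for x in a)}
    return {
        # Open from outside but missing locally: netstat's output may not be trustworthy.
        "open_remotely_absent_from_netstat": sorted(remote - set(local)),
        # Listed locally but not reachable: usually filtered between scanner and host.
        "listed_locally_not_seen_remotely": sorted(exposed - remote),
    }

if __name__ == "__main__":
    print(compare(NETSTAT_SAMPLE, NMAP_SAMPLE))
```
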