Why Would Ethical Professionals (White-hats) Ever Do This?
Some of you white-hat readers may be tempted to skip this
chapter. For authorized use against your own networks, why would you
ever want to evade your own security systems? Because it helps in
understanding the danger of real attackers. If you can sneak around a
blocked portmapper port using Nmap direct RPC scanning, then so can
the bad guys. It is easy to make a mistake in configuring complex
firewalls and other devices. Many of them even come with glaring
security holes which conscientious users must find and close. Regular
network scanning can help find dangerous implicit rules (for example, in your
Checkpoint Firewall-1 or Windows IPsec filters) before attackers
do.
There are good reasons for evading IDSs as well. Product
evaluation is one of the most common. If attackers can slide under
the radar by simply adding an Nmap flag or two, the system is not
offering much protection. It may still catch the script kiddies and
worms, but they are usually blazingly obvious anyway.
Occasionally people suggest that Nmap should not offer features
for evading firewall rules or sneaking past IDSs. They argue
that these features are just as likely to be misused by attackers as
used by administrators to enhance security. The problem with this
logic is that these methods would still be used by attackers, who
would just find other tools or patch the functionality into Nmap.
Meanwhile, administrators would find it that much harder to do their
jobs. Deploying only modern, patched FTP servers is a far more
powerful defense than trying to prevent the distribution of tools
implementing the FTP bounce attack.