
In addition to `nmap -h` you might also use `man nmap` for a more extensive list of arguments.

Take note, doing unwarranted nmap scans is considered network abuse. Doing it from your VPS might (depending on the hoster's TOS) get your contract terminated.



Interesting note. I wonder where's the cutoff - when exactly does "opening connections" become "abusing the network" - two connections? Two dozen? A thousand?

I always assumed network data is network data. I don't see the difference between sending millions of packets of data to stream a video and to scan a network. The only difference is the intention - does that mean the act of learning someone's open ports is what's considered abuse? Or is it consent - the fact that you're learning about open ports that the server owner doesn't want you to know about?


The AWS Acceptable Use Policy is at https://aws.amazon.com/aup/ and other providers will have similar.

> You may not use, or facilitate or allow others to use, the Services or the AWS Site ... to violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device;

There's no cutoff because it's not about the number of connections; you could conceivably violate this policy with a single connection, and you could be in compliance with a million connections. Note the term "unwarranted" in OP's post.


What exactly defines an "unwarranted" connection?

Assume we're not talking about nmap (since it's widely known as a hacker tool, which may muddy the waters), but instead about a user-written program that e.g. checks for open ports. If a port is open to the public internet, what exactly makes a connection to it "unwarranted"?

As for the AWS rule, scanning open ports does not violate, by itself, any of those things.


I have no idea how AWS defines it, but to my mind it's about two things: intent and impact.

Intent: What is the connection's purpose? To use a service, to map a topology, to identify potentially vulnerable targets, to consume resources?

Impact: How does the act of connecting (once or many times) affect the remote end of the connection? Is a critical resource being exhausted (network connections, cpu, memory, etc)? Is the remote end's service still available for its intended purpose?

There's no magic spot on the scales but the further you get away from "to use the service" on the Intent scale and "no detectable impact" on the Impact scale, the more trouble you're likely to run into.


Where did you buy this scale? Seriously, this sounds like the evil bit.


What activity constitutes abuse is at the discretion of the provider. If it looks like abuse to them, then it is.

You're looking for a line in the sand (for whatever reason) but no provider will give one, nor should they. Because that would mean telling attackers how to get close to the line without going over it.


I do a lot of nmap scanning for fun and out of curiosity. I pick a site and check out what ports they have open on the server behind their domain. Never did any attacks nor do I intend to.

I'm asking questions to widen my understanding of how and why I might get in trouble for it.


I understand you're trying to get a concrete definition of "network abuse", but you won't find one. It's not really possible to create a concrete definition that won't somehow include legitimate user traffic.

And I know, now you want to define "legitimate user traffic".

The problem is that the expectation for such strictly defined terms is what leads to legalese that's impossible for anyone that isn't a lawyer to understand.


> As for the AWS rule, scanning open ports does not violate, by itself, any of those things.

Several years ago (so things may be different now), I snagged a free-tier (IIRC, it was free for six months or something like that) AWS instance specifically to battle-test my new firewall and config.

Within an hour of beginning tests, I received a notification from AWS asking me why I was doing port scans/etc. and that they wanted me to stop or I'd be kicked off.

I replied and documented that I was testing my own systems/networks and they backed off. I completed my testing and never heard anything from them after that.

Like I said, this was a few years ago (2019, I think), so things may be different now, but back then AWS was definitely proactive about this stuff.


A connection is unwarranted if AWS gets an abuse letter about it.


Back in the day, we got in trouble for nmapping our own machines in our VPS...

But we signed a thing with our rep to agree to only scan our own machines and then they let us do it.

Don't know if they will do that any more.


> violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device

A normal port scan does none of these things. Unless you have some really crappy equipment (I've seen routers choke on a SYN scan), but in my opinion then that's on you.


> unwarranted

Gosh they're going to have a heck of a time figuring out what is and isn't warranted.


In my experience, the detection software is looking for patterns of behavior, not just how many connections get opened.

> the act of learning someone's open ports is what's considered abuse?

Yes, port-scanning a system without the permission of the owner of the system is widely considered abuse. It's conceptually similar to going to an apartment building and knocking on every door to see who's home and who's not.

The act itself isn't very harmful (my home firewall is basically always getting portscanned by somebody or another), but in practice, the reason it's done is as preparation for a more serious attack.


> It's conceptually similar to going to an apartment building and knocking on every door to see who's home and who's not.

Yet it's fine for solicitors?


Solicitors aren't generally welcome, either, but at least they aren't (usually) casing the place. And lots of people consider the practice of door-to-door solicitation to be abusive, too.


The cutoff is "they are getting abuse reports about the IP the machine you rent uses". Most providers (at least looking at my fail2ban lists...) don't give a shit about anything less


> The cutoff is "they are getting abuse reports about the IP the machine you rent uses". Most providers (at least looking at my fail2ban lists...) don't give a shit about anything less

That was my guess as well. For example, I send about half a dozen emails every day but they are all coming to me and nobody else so I just assumed that it should be ok because the only person I am spamming is myself :)


Depending on the provider, it may be as minimal as "when they get abuse complaints" or they may have proactive detection. Larger providers are more likely to have proactive measures. These can range from sort of incidental things like alerting on significant increases in size of the connection tracking table at a router or firewall, often caused by opening a very large number of connections on different ports as in port scanning... but could go up to a network intrusion detection system.


They purposefully underspecify the definition so that they can use their discretion.


For incoming traffic I don't really care. The vast majority of such traffic is automated systems like bots and scripts looking for low hanging fruit to compromise. It is fine to run a low-level watchdog that throws a temporary source block on the firewall when it detects this traffic, but this is mainly to keep people happy (omg we're under attack!!!!) and keep the logs less cluttered. It doesn't do much to contribute to actual network security. Most real threats are going to be smarter than that. You should already be running your own scans, anyway, so you'll know if there's a problem.

If a scan is spotted in outgoing traffic, I would be concerned that there was a dumb bot of some kind running inside the network.

In the case of a service provider network, they want to make sure they are not facilitating criminals, either directly as their customer, or by hosting compromised systems.

A serious, targeted attack won't use an aggressive nmap type scan, but plenty of low effort malware scripts and bots will.


> doing unwarranted nmap scans is considered network abuse

After almost being physically ejected from a secure data centre because a member of my group used nmap to see if a port was open, I recommend starting with telnet. :)

A wide nmap is probably going to trigger an IDS, and then you get to meet interesting people and answer interesting questions.


There’s something wrong with your org if nmap scans trigger alerts/bring down machines. There are so many rogue devices scanning networks nowadays that I’d be surprised if anyone had port scanning enabled in the filters, to minimize false positives.


> Take note, doing unwarranted nmap scans is considered network abuse. Doing it from your VPS might (depending on the hosters TOS) get your contract terminated.

Makes you more excited to read the man page doesn't it?


> Take note, doing unwarranted nmap scans is considered network abuse.

By whom? I disagree; using nmap is more akin to, say, standing outside a building (on public property) and taking (or painting) a picture of the building. Yes, some people have gotten in trouble for that. Should they, though?


You could also say it's like going to a large apartment building and ringing all the doorbells to see who's there. And (depending on the nmap flags we're talking about) then profiling their voice on the intercom to figure out what kind of people live in each apartment.


Perhaps. Ought that be illegal?


> Perhaps. Ought that be illegal?

I can't really explain why but I think there is a difference between doing something manually and automating it. For example, it is perfectly ok for a police officer to sit behind the bushes in front of someone's front porch with a pair of binoculars but not ok to put a hidden camera 24/7 in front of everyone's front porch.


We were (by way of analogy) discussing running nmap manually, I believe.


Years ago, I wrote a primitive portscanner that was deliberately slow to avoid upsetting anyone. It would store hosts and results for scanned ports in a database (it was my toy project for learning SQL) and make sure to only connect to any given host once in a predefined period. Fun times.


> `nmap -h` you might also use `man nmap`

I wish Linux man pages had more example sections. TBH I reach for `tldr nmap` or `tldr ...` first in most cases.


I hadn't heard of tldr. Looks neat! Here's a link for other people who didn't know: https://github.com/tldr-pages/tldr


Was unaware of this tool, awesome.


Yeah it's such an old meme to say "Just read the man page" but there are a non-zero amount of completely useless man pages and tldr is a great alternative.


> doing unwarranted nmap scans is considered network abuse

Why?


For the same reason that walking around pulling on car door handles might be considered “suspicious behavior”


Suspicious, OK. Straight up abuse, though?


Yes. People have alerts set up on portscanning, both inbound (to detect recon attempts) and outbound (to detect compromised/abusive internal hosts). There are lots of legitimate reasons to do large-scale network surveys, but you have to be careful about them, because they are also strong abuse signals --- meaning: when providers go after people who are port scanning, more often than not it turns out that the port scanning source was in fact clearly abusive.
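A toy version of the behaviour-based alerting this comment and the earlier one about connection-tracking alerts describe, added here as an example rather than taken from any commenter: it reads constructed firewall-style connection logs, alerts on a source that touches many distinct targets inside a sliding time window (not on raw connection count), and labels each alert inbound or outbound against an assumed local prefix. The log format, the local range, and the thresholds are all assumptions chosen for the demo.

```python
"""Behaviour-based port-scan detector over constructed connection logs.

Assumed log line format (constructed for this example):
    "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
"""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed local range
WINDOW_SECONDS = 60                               # sliding window length
DISTINCT_THRESHOLD = 10                           # distinct (host, port) targets


def build_sample_log():
    """Constructed log: one legitimate client, one inbound vertical scan,
    one outbound sweep from an internal host. Lines are in time order."""
    lines = []
    for i in range(20):  # legit client: 20 hits on a single target
        lines.append(f"2024-01-01T00:00:{i:02d} 198.51.100.20 10.0.0.5 443 tcp")
    for i, port in enumerate(range(21, 33)):  # inbound: 12 ports on one host
        lines.append(f"2024-01-01T00:01:{i:02d} 203.0.113.7 10.0.0.5 {port} tcp")
    for i in range(1, 13):  # outbound: internal host sweeping port 22
        lines.append(f"2024-01-01T00:02:{i:02d} 10.0.0.9 192.0.2.{i} 22 tcp")
    return lines


def detect_scans(lines, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Return one alert per source whose distinct (dst, port) targets within
    the window reach the threshold. Repeated hits on one target never count."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, (dst, port))
    alerted, alerts = set(), []
    for line in lines:
        ts_s, src, dst, dport, _proto = line.split()
        ts = datetime.fromisoformat(ts_s)
        q = recent[src]
        q.append((ts, (dst, int(dport))))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()  # evict entries that fell out of the window
        targets = {t for _, t in q}
        if len(targets) >= threshold and src not in alerted:
            alerted.add(src)
            hosts = {h for h, _ in targets}
            ports = {p for _, p in targets}
            kind = ("vertical" if len(hosts) == 1 else
                    "horizontal" if len(ports) == 1 else "mixed")
            direction = ("outbound" if ipaddress.ip_address(src) in LOCAL_NET
                         else "inbound")
            alerts.append({"src": src, "direction": direction, "kind": kind,
                           "targets": len(targets),
                           "first_seen": q[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

The legitimate client opens twice as many connections as either scanner yet never alerts, which is the "pattern, not count" point made above; shrinking the window below the scan rate shows why slow scans are the harder case.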


> Suspicious, OK. Straight up abuse, though?

Depending on the situation, it could be.

While not an issue any longer (well, at least for those without data caps -- man do I hate those!), ~30 years ago I worked for a network equipment manufacturer as an integrator/tester/3rd level support guy (yes, it was a small company) and was testing our IP stack.

I got the (not so) bright idea of running continuous pings to random IP addresses (changing them every couple days) to verify stability and identify possible memory leaks.

One of the addresses was someone in Australia who was charged by the byte (or packet...it was a long time ago) and after a day or two, we received some very angry telephone calls from them. Oops.

This person (and rightly so) felt I was abusing their internet link, even though I didn't know or care about them or the contents of their network.

Like I said, this isn't (or at least not for the most part) an issue any more, nor is it something more intrusive than port scanning, but it points up the idea that "abuse" is not a black and white thing.

Run port scans against my IP addresses and the absolute worst that might happen is me scanning you right back (yes, I know, that sort of thing is generally frowned upon. So sue me -- nobody has yet).

Run those same scans against government/military sites and you may well soon have a knock (or a battering ram) on your door.

Context matters.


You'll often trip security/abuse systems since the traffic looks (and in many cases - is) the same as abusive traffic. If you go and trip those unannounced then there is usually even less sympathy to exclude you than if you ask if they can be bothered to exclude you before you go and start scanning.


It's just network connections. Why would they make a computer accessible to me if they don't want me connecting to it?


Because your incompetent enterprise hired incompetent contractors (on an eye-watering day rate) to migrate firewall rules from an old firewall to a new one, and they did so by running an incompetently-implemented automated tool in an incompetent manner such that 4000 'allow' rules were moved over but the source and destination address were set to 0.0.0.0/0...


There are two "they"s involved in the conversation but generally when using someone else's stuff the more apt question is "why should I have an expectation I can use their stuff however I want without limit".

For the "they" of your provider, who is held accountable for allowing abusive traffic, the goal is to provide you outbound connectivity but to do that they also need to ensure they don't get de-peered or their network ranges blocked for hosting abusive traffic. Even for things which don't transit a 4th party there is negative incentive to let your customers abuse each other just because the addresses are reachable. This almost always results in automated systems with limited incentive for good uses of port scanning to be allowed.

For the "they" of the end system, it's (most likely) that they didn't make the entire system available to you, just some select services for use in a certain way (e.g. loading their website). Doing that does not put them under an obligation to continuously allow all traffic received at the address to be processed, and it's very likely they'll just block you entirely as another layer of defense.


This is not how authorization to use other people's services work. In practice you're vanishingly unlikely (in the US at least) to get into legal trouble for port scanning, but if you take this logic to its conclusion --- a service exposes some capability without authentication, ergo you're authorized to use it --- you very definitely can get prosecuted.


> a service exposes some capability without authentication, ergo you're authorized to use it

How is this different from scraping publicly available websites? i.e. why would you get in trouble for one, but not the other?


It's not different in any way. "Corporation doesn't like it when you do it" is apparently the number one cause of "trouble". Especially in the US where they can bankrupt you with legal fees even if they have no actual leg to stand on. Less so in other countries.


Who's getting bankrupted by legal fees over scraping these days, which has time and time again been declared not illegal?


Anyone can be bankrupted by corporations over literally any bullshit claim. They can afford to lose in court and still win because their objective never was to win in the first place, it was to burn your money through legal fees. It's essentially abuse of the legal system by the rich to keep the poors in line.

Big companies with deep pockets will even bankrupt other companies this way. For an example, look at how Sony sued PlayStation emulator companies over the most bullshit claims possible, got an injunction, killed their profits, and then it didn't matter that they lost in court afterwards. In my country, the judge would have estimated the profits the smaller player lost as a result of Sony's frivolous lawsuit and forced them to pay it all back on top of the legal fees.


Yes, your examples make sense in their own context, but are not relevant to the case of scraping publicly available data.

In short, who's getting put out of business for redisplay or derived data uses of publicly available data?


Because the offense turns on intent, not on a simple factual case you can rattle off on a message board.


“It’s just jiggling a door handle. Why would they make a door accessible to me if they don’t want me jiggling the handle?”


More like a knock on the door to see if anyone answers.


Welcome to the age-old conversation which can well be analog'd as why would someone leave the front door of their house open if they didn't want you walking in? Or checking door knobs?


Except I didn't walk into anyone else's servers. I tried to talk to them. They can simply not answer. There's a clear boundary: the network.


Because they're making it available to someone else, who (unlike you) is authorized to connect from anywhere in the world.


Then just reject the connection unless I can prove I'm that person.


> It's just network connections.

Stealing someone's bitcoin? It's just network connections. Logging in to some admin portal with default passwords? It's just network connections.

> Why would they make a computer accessible to me if they don't want me connecting to it?

Why would they write bugs in software if they don't want to write bugs?


None of your examples have anything to do with nmap though which in its most basic form is just connecting to ports to see if it works.


You didn't understand my comment. It's not about the specific thing (be it nmap or some other tool), it's about the intention behind using the tool.

The administrator of the network didn't intend to allow port scanning, but there were no technical measures (firewalls) to prevent it, and you did port scanning => you're wrong.

The writer of the access control software intended to have no bugs, but a bug slipped in to allow you to exploit it => you're wrong.


> it's about the intention behind using the tool

I just want to know what's out there.

> exploit

How is this exploitation in any way?


DDoS attacks are “just network connections” too.


The alerts tend to be geared more toward attempts to reach a secured system that isn't accessible to you.


Have you tried seriously answering your own question?


I scanned a school network once and printed about 40 pages of HTTP requests on every printer. I think it turned out you just send anything on 9100 and it prints. I think it was nmap trying to detect the host with a query.


> Take note, doing unwarranted nmap scans is considered network abuse. Doing it from your VPS might (depending on the hosters TOS) get your contract terminated.

For live practice, you should scan IP addresses in countries that are unlikely to be able to prosecute you, like Russia (if you are a westerner)*

* joking (maybe)


I would suggest instead, if one really is interested in the topic of networking and port scanning, to set up a lab environment, either virtually, or physically.

This is not very costly, unless you need to scan specific enterprise systems that can not be emulated and are beyond one's price range to buy just to learn.

There are also platforms like tryhackme, hackthebox etc., that offer both free and paid networks, on which one can legally scan.


> This is not very costly, unless you need to scan specific enterprise systems that can not be emulated, and are beyond ones price range - to buy to learn.

This is where my advice comes in handy :)

