[Owasp-Mumbai] Fwd: Legality of Port Scans

MuNNa sant.jadhav at gmail.com
Mon Oct 20 01:22:54 EDT 2008


Hi Yash

I guess if you are scanning a single IP for ports 25 and 80, which you can
try even by simple telnet instead of a port scanner, then that would not be
considered a suspicious act. But if you are scanning a pool of IPs for ports
80 and 25 then that would surely be considered a suspicious act. Why would
any person scan a range of IPs even for port 80? Normal human beings connect
to port 80 using a domain name instead of an IP address (unless you have not
registered any domain name. Even then you would be providing a single IP to
end users to connect to and would never expect the user to scan the IP pool
for connecting to port 80). Similarly for POP3 and SMTP relays, you would
either be given certain IPs or simple sub-domain names like, say,
pop.gmail.com and smtp.gmail.com. Even here scanning a pool of IPs for port
110 or 25 looks suspicious.

Some may argue that SQL injection is not illegal, but why would a normal user
enter SQL queries in fields which require a simple username and password or
a simple page number?

At some places the law might not consider these things illegal, but it surely
is. It is similar to some strange guy always checking the locks of your
house door without actually trying to break in. You would surely feel it is
suspicious and think it's illegal.


Regards,
Santosh J.

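Santosh's distinction above (one source touching one host on 25/80 is ordinary traffic; one source sweeping a pool of IPs on the same port is not) is exactly the pattern a defender looks for in connection logs. The following is an added example, not code from this thread or from any poster, that applies that heuristic to constructed log lines; the log format, sample addresses and thresholds are all assumptions.

```python
# Added example: flag sources whose connection pattern looks like a scan.
# "horizontal" = one source, one port, many destination hosts (Santosh's
# "pool of IPs for port 80"); "vertical" = one source, one host, many ports.
from collections import defaultdict

# Constructed sample lines (not real traffic): "<src> <dst> <dport>"
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 80
10.0.0.5 203.0.113.10 25
10.0.0.5 203.0.113.10 80
198.51.100.7 203.0.113.1 80
198.51.100.7 203.0.113.2 80
198.51.100.7 203.0.113.3 80
198.51.100.7 203.0.113.4 80
198.51.100.7 203.0.113.5 80
198.51.100.9 203.0.113.20 21
198.51.100.9 203.0.113.20 22
198.51.100.9 203.0.113.20 23
198.51.100.9 203.0.113.20 25
198.51.100.9 203.0.113.20 80
"""

def parse_lines(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def detect_scans(text, host_threshold=4, port_threshold=4):
    """Return {src: {"horizontal": [ports], "vertical": [hosts]}} for
    sources that hit >= host_threshold hosts on one port (horizontal) or
    >= port_threshold ports on one host (vertical). Thresholds are assumed."""
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_by_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dport in parse_lines(text):
        hosts_by_port[src][dport].add(dst)
        ports_by_host[src][dst].add(dport)
    findings = {}
    for src in set(hosts_by_port) | set(ports_by_host):
        horizontal = sorted(p for p, d in hosts_by_port[src].items() if len(d) >= host_threshold)
        vertical = sorted(h for h, p in ports_by_host[src].items() if len(p) >= port_threshold)
        if horizontal or vertical:
            findings[src] = {"horizontal": horizontal, "vertical": vertical}
    return findings
```

On the sample above, 10.0.0.5 (a normal client of one host) is not flagged, while 198.51.100.7 is reported as a horizontal sweep of port 80 and 198.51.100.9 as a vertical sweep of 203.0.113.20.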

On Sun, Oct 19, 2008 at 10:49 PM, TecCoder <teccoder at gmail.com> wrote:

> Dear Dipak,
>
> Thank you for your response.
>
> I just want to clarify a few things since you seem to have a strong legal
> understanding.
>
> How does the law define a port-scan to be illegal? If I am carrying out a
> very simplistic port-scan, I would simply connect to the port, retrieve the
> banner and close the connection. The banner will then be analyzed on my
> system to determine what is running.
>
> I personally don't see much of a difference between this and what my
> browser is doing as I open gmail.com.
>
> My browser connects to gmail.com on port 80, sends information, receives
> information and ends communication. In fact, in this case I am going a step
> further as I am actually sending data to the server.
>
> In no way does Google or Gmail state anywhere that I have the right to
> connect to their system, so based on this am I breaking the law by checking
> my e-mail on a 3rd party server?
>
> If not, what differentiates a port-scan from regular surfing, sending an
> e-mail via smtp, retrieving e-mail via pop3, downloading files via ftp etc?
>
> What if I only port scan port 25 and port 80? Since obviously communicating
> with POP3 or a website is not illegal?
>
> I am really just trying to understand how a Port-Scan is considered illegal
> and differentiated from regular net activity.
>
> People have used an argument similar to this to say that "SQL Injections"
> are not illegal; however, in that case you are sending out malicious data
> with malicious intent to make a system behave in a way it is not supposed
> to. However, in this case you are sending a simple RFC compliant SYN and/or
> SYN/ACK packet to the server.
>
> Once again, thanks for your time. Would love to sit down and really discuss
> these issues at the next OWASP meet.
> --
> Yash Kadakia
>
>
>
>
> 2008/10/19 Dipak Parmar <dipak at lawyer.com>
>
>> Dear Yogesh/Yash
>>
>> As to usage of Port scanning…
>>
>> Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network…"
>>
>> So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract) then it is legal, not otherwise…
>>
>> What you are scanning is a question of fact… is your client the owner of that network or just another user?
>>
>> I trust I have answered your query…
>>
>> With regards
>>
>> Dipak Parmar
>>
>> 022 -22093564
>>
>> 09820196971
>>
>> ---------- Forwarded message ----------
>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>> Date: Sun, Oct 19, 2008 at 11:11 AM
>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>> To: Yogesh Badwe <yogeshmb at gmail.com>
>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>> owasp-mumbai at lists.owasp.org>
>>
>>
>> Yash - simply put, this is a sticky area. Any scan must be done ONLY after
>> obtaining a clearly defined scope from the client. Having said that, the
>> investigator must also ensure that he / she is not being asked to scan any
>> networks which do not belong to the client.
>>
>> It will be good for the health :) to keep under strict control any such
>> urges which entice you to "go where no man has been before" !!
>>
>> This is regular common sense advice, and I shall try to get some legal
>> stuff out to the group in time.
>>
>> regards
>> Dinesh.
>>
>>
>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>>
>>> Yash,
>>>
>>> IT Act 2000
>>>
>>> Definitions:
>>>
>>> Access: "access" with its grammatical variations and cognate
>>> expressions means gaining entry into, instructing or communicating
>>> with the logical, arithmetical, or memory function resources of a
>>> computer, computer system or computer network;
>>>
>>> Sections:
>>>
>>> Chapter IX - Penalties and Adjudication
>>>
>>> 43: penalty for damage to computer: Sets the penalty for damage to a
>>> computer or network at INR 10 million for any damage or unauthorized
>>> access to a computer system.
>>>
>>> Correlating the Definition and the Section --> implies "illegal"
>>>
>>> I am not a lawyer ...but hope it helps !!
>>>
>>> -Yogesh Badwe
>>>
>>>
>>> On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>>
>>>> Hey,
>>>>
>>>> I was having a discussion with someone the other day and we started
>>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>>> really come to any definite answer and even after going through the relevant
>>>> http://cybercellmumbai.com/cyber-laws/ <- Cyber Laws several times
>>>> there is no clear answer for the same.
>>>>
>>>> In my opinion, I do not think it is illegal since
>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>> about post-data theft, network compromise, virus infection etc.
>>>>
>>>> I just wanted to throw this out there and see if any of you have any
>>>> ideas about the same.
>>>>
>>>> Yash Kadakia
>>>>
>>>> Co-Founder/ Chief Technology Officer
>>>> Security Brigade
>>>> Information Security Solutions
>>>>
>>>> Mobile: +91-09833375290
>>>> Fax: +91-651-2444545
>>>> E-mail: yash at securitybrigade.com
>>>> Web: http://www.securitybrigade.com/
>>>> Blog: http://www.yashkadakia.com/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Mumbai mailing list
>>>> OWASP-Mumbai at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>
>>>>
>>>
>>>
>>> --
>>> Yogesh . M . Badwe
>>>
>>
>>
>>
>> With kind regards,
>>
>> DIPAK G. PARMAR
>> 13/A, Nalawala Building,
>> Ground Floor,
>> Bhaijivanji Lane,
>> Thakurdwar Road,
>> Mumbai - 400 002
>> India
>> (9122) 22093564
>>
>>
>>
>