[Owasp-Mumbai] Fwd: Legality of Port Scans

TecCoder teccoder at gmail.com
Mon Oct 20 01:28:35 EDT 2008


Hi MuNNA,

I will reply in full in a bit; Monday morning madness.

I just wanted to say, in regard to SQL Injections, I do not think they are
legal. However, I do not think that inserting a quote somewhere should be
considered illegal. Let's just consider Dinesh's last name while filling out
a form, O'Bareja. I bet he has seen a lot of unintentional SQL errors.
However, a real attack retrieving data is definitely illegal, no arguments
there. Unless of course your last name is: ' UNION SELECT * user,pass FROM
admin WHERE user='admin'--

Reminds me of an xkcd comic.

--
Yash Kadakia
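
The apostrophe point above, shown as an added example that is not part of the original e-mail: a surname such as O'Bareja breaks a query built by string concatenation, while a bound parameter treats any surname, including the string quoted above, as plain data. The `members` table, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3

# The string quoted in the e-mail above, used here only as a form value.
ODD_SURNAME = "' UNION SELECT * user,pass FROM admin WHERE user='admin'--"

def make_db():
    """In-memory table with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (first TEXT, last TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("Dinesh", "O'Bareja"), ("Yash", "Kadakia")])
    return db

def lookup_concatenated(db, last):
    """Before: the form value is pasted into the SQL text itself."""
    sql = "SELECT first FROM members WHERE last = '" + last + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # This is the "unintentional SQL error" an honest user triggers.
        return "SQL error: %s" % exc

def lookup_parameterized(db, last):
    """After: the form value is bound as data and never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT first FROM members WHERE last = ?", (last,))]

def register(db, first, last):
    """Store a surname verbatim, whatever characters it contains."""
    db.execute("INSERT INTO members VALUES (?, ?)", (first, last))

if __name__ == "__main__":
    db = make_db()
    for name in ("Kadakia", "O'Bareja", ODD_SURNAME):
        print(repr(name))
        print("  concatenated: ", lookup_concatenated(db, name))
        print("  parameterized:", lookup_parameterized(db, name))
```

With the parameterized form, an application has no reason to log or alert on a lone apostrophe, which leaves SQL errors as a cleaner signal for review.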


2008/10/20 MuNNa <sant.jadhav at gmail.com>

> Hi Yash
>
> I guess if you are scanning a single IP for ports 25 and 80, which you can
> try even by simple telnet instead of a port scanner, then that would not be
> considered a suspicious act. But if you are scanning a pool of IPs for ports
> 80 and 25, then that would surely be considered a suspicious act. Why would
> any person scan a range of IPs even for port 80? Normal human beings connect
> to port 80 using a domain name instead of an IP address (until and unless you
> have not registered any domain name. Then too you would be providing a
> single IP to end users to connect and would never expect the user to scan
> the IP pool for connecting to port 80). Similarly for POP3 and SMTP relays,
> you would either be given certain IPs or simple sub-domain names like, say,
> pop.gmail.com and smtp.gmail.com. Even here, scanning a pool of IPs for
> port 110 or 25 looks suspicious.
>
> Some may argue that SQL injection is not illegal, but why would a normal user
> enter SQL queries in fields which require a simple username and password or
> a simple page number?
>
> At some places the law might not consider these things illegal, but it surely
> is. It is similar to some strange guy always checking the locks of your
> house door without actually trying to break in. You would surely find it
> suspicious and think it's illegal.
>
>
> Regards;
> Santosh J.
>
>
> On Sun, Oct 19, 2008 at 10:49 PM, TecCoder <teccoder at gmail.com> wrote:
>
>> Dear Dipak,
>>
>> Thank you for your response.
>>
>> I just want to clarify a few things since you seem to have a strong legal
>> understanding.
>>
>> How does the law define a port-scan to be illegal? If I am carrying out a
>> very simplistic port-scan, I would simply connect to the port, retrieve the
>> banner and close the connection. The banner will then be analyzed on my
>> system to determine what is running.
>>
>> I personally don't see much of a difference between this and what my
>> browser is doing as I open gmail.com.
>>
>> My browser connects to gmail.com on port 80, sends information, receives
>> information and ends communication. In fact, in this case I am going a step
>> further as I am actually sending data to the server.
>>
>> In no way does Google or Gmail state anywhere that I have the rights to
>> connect to their system, so based on this am I breaking the law by checking
>> my e-mail on a 3rd party server?
>>
>> If not, what differentiates a port-scan from regular surfing, sending an
>> e-mail via smtp, retrieving e-mail via pop3, downloading files via ftp etc?
>>
>> What if I only port scan port 25 and port 80? Since obviously
>> communicating to POP3 or a Web-site is not illegal?
>>
>> I am really just trying to understand how a Port-Scan is considered
>> illegal and differentiated from regular net activity.
>>
>> People have used an argument similar to this to say that "SQL Injections"
>> are not illegal; however, in that case you are sending out malicious data
>> with malicious intent to make a system behave in a way it is not supposed
>> to. However, in this case you are sending a simple RFC-compliant SYN and/or
>> SYN/ACK packet to the server.
>>
>> Once again, thanks for your time. Would love to sit down and really
>> discuss these issues at the next OWASP meet.
>> --
>> Yash Kadakia
>>
>>
>>
>>
>> 2008/10/19 Dipak Parmar <dipak at lawyer.com>
>>
>>> Dear Yogesh/Yash
>>>
>>> As to usage of Port scanning…
>>>
>>> Section 43 of the IT Act, 2000 starts with "If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network…
>>>
>>> So, if you are using it as security personnel (certainly with appropriate authority - either as part of your employment or service contract) then it is legal, not otherwise…
>>>
>>> What you are scanning is a question of fact… your client is the owner of that network or just another user?
>>>
>>> I trust I have answered your query…
>>>
>>> With regards
>>>
>>> Dipak Parmar
>>>
>>> 022 -22093564
>>>
>>> 09820196971
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Dinesh O'Bareja <dineshbareja at gmail.com>
>>> Date: Sun, Oct 19, 2008 at 11:11 AM
>>> Subject: Re: [Owasp-Mumbai] Legality of Port Scans
>>> To: Yogesh Badwe <yogeshmb at gmail.com>
>>> Cc: Yash Kadakia <teccoder at gmail.com>, "owasp-mumbai at lists.owasp.org" <
>>> owasp-mumbai at lists.owasp.org>
>>>
>>>
>>> Yash - simply put, this is a sticky area. Any scan must be done ONLY
>>> after obtaining a clearly defined scope from the client. Having said that,
>>> the investigator must also ensure that he / she is not being asked to scan
>>> any networks which do not belong to the client.
>>>
>>> It will be good for the health :) to keep any such urges under strict
>>> control which entice you to "go where no man has been before" !!
>>>
>>> This is regular common sense advice, and I shall try to get some legal
>>> stuff out to the group in time.
>>>
>>> regards
>>> Dinesh.
>>>
>>>
>>> On Fri, Oct 17, 2008 at 9:45 AM, Yogesh Badwe <yogeshmb at gmail.com> wrote:
>>>
>>>> Yash,
>>>>
>>>> *IT Act 2000*
>>>>
>>>> *Definitions:*
>>>>
>>>> *Access:* "access" with its grammatical variations and cognate
>>>> expressions means gaining entry into, instructing *or communicating* with
>>>> the logical, arithmetical, or memory function resources of a computer,
>>>> computer system or computer network;
>>>>
>>>> *Sections:*
>>>>
>>>> *Chapter IX - Penalties and Adjudication*
>>>>
>>>> *43: penalty for damage to computer*: Sets the penalty for damage to a
>>>> computer or network at INR 10 million for any damage or *unauthorized
>>>> access* to a computer system.
>>>>
>>>> Correlating the Definition and the Section --> implies "illegal"
>>>>
>>>> I am not a lawyer ...but hope it helps !!
>>>>
>>>> -Yogesh Badwe
>>>>
>>>>
>>>> On Thu, Oct 16, 2008 at 8:48 AM, Yash Kadakia <teccoder at gmail.com> wrote:
>>>>
>>>>>   Hey,
>>>>>
>>>>> I was having a discussion with someone the other day and we started
>>>>> talking about whether Port Scanning is illegal in India or not. We couldn't
>>>>> really come to any definite answer and even after going through the relevant
>>>>> Cyber Laws (http://cybercellmumbai.com/cyber-laws/) several times
>>>>> there is no clear answer for the same.
>>>>>
>>>>> In my opinion, I do not think it is illegal since
>>>>> http://www.cybercellmumbai.com/cyber-laws/chapter-9 really only talks
>>>>> about post-data theft, network compromise, virus infection etc.
>>>>>
>>>>> I just wanted to throw this out there and see if any of you have any
>>>>> ideas about the same.
>>>>>
>>>>> Yash Kadakia
>>>>>
>>>>> Co-Founder/ Chief Technology Officer
>>>>> Security Brigade
>>>>> Information Security Solutions
>>>>>
>>>>> Mobile: +91-09833375290
>>>>> Fax: +91-651-2444545
>>>>> E-mail: yash at securitybrigade.com
>>>>> Web: http://www.securitybrigade.com/
>>>>> Blog: http://www.yashkadakia.com/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Mumbai mailing list
>>>>> OWASP-Mumbai at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>>
>>>>>
>>>>
>>>>
>>>> Yogesh . M . Badwe
>>>>
>>>
>>>
>>>
>>> With kind regards,
>>>
>>> DIPAK G. PARMAR
>>> 13/A, Nalawala Building,
>>> Ground Floor,
>>> Bhaijivanji Lane,
>>> Thakurdwar Road,
>>> Mumbai - 400 002
>>> India
>>> (9122) 22093564
>>>
>>>
>>>
>>
>>
>>
>>
>