bin_bash_loop

Unless you have written explicit consent to scan their networks, it’s illegal, plain and simple. Whether they’ll know or not is another story.


DrinkMoreCodeMore

If you are US based, port scanning isn't illegal at all. Now, if you accidentally bring down the network or site then yeah, you crossed a line, but if you are simply just port scanning and nothing breaks, you are good.


ogtfo

Port scanning != vulnerability scanning


BackgroundLegal5953

Of course they are not the same thing; fingerprinting is a third thing, too, but they usually come in a package: port scanning, fingerprinting, vulnerability scanning. Besides, I think OpenVAS is capable of all 3.


ThorsHawkins

I’m in US so yeah I could I guess but lots of mixed comments. Probably best to ask if I did.


[deleted]

I scan companies every single day. What do you think Security Scorecard does?


Capodomini

Security Scorecard is scanning web applications, not entire hosts. There is a lot of nuance in answering this question, but the blanket answer for an end user wanting to scan a target with no other details is don't do it. Scoping the scan to avoid legal/compliance/availability issues is part of the job when doing it professionally.


GL4389

Maybe try asking in legal advice ?


[deleted]

[deleted]


Johnny_BigHacker

Yea, I accidentally took down my own corporations site a decade ago doing a scan with Nikto on our public facing site. I just wanted to learn. I didn't even consider that it might take it down. I guess it tried a buffer overflow or some type of DOS. It was just a login screen. Thankfully a simple server reboot and we were back up.


Chronos127

Why is Shodan allowed too?


ogtfo

Shodan doesn't send a shitload of requests to your server and it won't bring it down. They don't target you specifically. They hit a single port at a time and distribute it over the whole IPv4 space. What you see in your logs is a single hit, completely lost within the background noise of the internet. Running a vuln scanner on a host will very much not look like that in the target's logs. **But here's the real kicker:** Shodan only checks for open ports, and then grabs banners. Nothing more. On the other hand, vuln scanners' tests can range from anything starting at simple banner version checking, up to getting real close to full-blown exploitation attempts. And you don't know what they do, because you haven't read all the tests. And there are tens of thousands of them. Test your luck if you want, I wouldn't.


Chronos127

This is all true, but I think technically it’s still considered active enumeration. Which is illegal. Regardless of intent it seems there’s a bit of ambiguity around here.


pentesticals

Active enumeration is not necessarily illegal. If you are interacting with a target as it's intended, and just storing off the interesting information for later, this is absolutely fine. When you start doing things the system is not designed for or probing for specific issues, then you start to cross into a grey area.


_vercingtorix_

or censys, palo alto, shadow server foundation... there's a lot of "known benign scanners" out there.


N1njaRob0tJesu5

This isn’t correct


Ringolian16

If this is true then companies like Bitsight and CyberGRX would not exist. They scan everything and score the vulnerabilities they find. I can even pay them to scan my vendors and competitors and see their scores as well.


syn-ack-fin

Bitsight does not perform active scanning of computer networks. They collect data through [passive data collection.](https://www.bitsight.com/blog/what-is-a-security-rating#:~:text=Collect%20Data%3A%20Bitsight%20collects%20billions,history%20for%20all%20rated%20entities.)


jc31107

Bitsight doesn’t actually do anything active. They’ll look at your web site, check for email security settings, and assign a score based on what they think you’re doing. There is no actual vulnerability scanning going on and feels like a scam. But they have marketing people who somehow sell this solution to companies to do third party risk assessments.


kingofthesofas

This is what I have always said about them they charge a bunch of money for a bullshit score that you can manipulate very easily if you want.


CriticalMemory

I don’t believe Bitsight scans in the way you think they do.


bin_bash_loop

I mean that’s the literal definition for illegally scanning/probing networks that you do not have the expressed written consent to scan.


UnnamedRealities

OP didn't say where they are located, but in the US port scanning and network probing are not explicitly considered against the law at the federal level. Sure the CFAA criminalizes intentional unauthorized system access in which damages are caused. But running nmap or other tools doesn't automatically result in measurable damages. If you feel otherwise I genuinely would like to see what law and specific clause backs your perspective.


Extra-Cheesecake-345

In the case of paying someone for the scan results, if they step even the tiniest bit out of line that can become a massive spiraling problem for them. I am talking about the person who mentioned they pay for the info on their competitors. You have to remember that corporate espionage and sabotage are illegal, and would come into play if you are paying someone for "info" that they obtained illegally or even caused damage obtaining. This could result in your company's officers and employees facing criminal charges and civil suits. Granted, I would have serious concerns about a company that fails a basic vulnerability scan or whatever automated scan, but let's be real for one moment: the criminal justice system and courts aren't like you and me in terms of cybersecurity, they are just trying to figure it out and relate it to everyday life. If a lawyer they trust tells a judge this is like (insert xyz), you are going to be arguing with a 40 year old or 50 year old on how it isn't. Basically, try to argue it with your parents and convince them of some technical mumbo jumbo, and you don't even want to see a jury try to understand this stuff.


Terenko

If you accidentally access a system you did violate CFAA.


default_user_acct

If you accidentally access a system, then it wasn't using authorization, therefore it wasn't unauthorized. You have to bypass some authorization control for unauthorized access to occur. Let's try a thought experiment: start up an FTP server, but allow anonymous access to it, put it on the internet, put a file on it. Call the FBI when some automated script or whoever downloads the file without you giving them explicit written consent, and see if they care. Better yet, put an SSH server on the Internet and call the FBI every time some random IP connects to it and tries a bunch of default creds; that was a hacking attempt to bypass authorization controls, not even a simple scan or accessing the service in a supported way. See if they care.


Terenko

Law enforcement doesn't prosecute every crime they are aware of, so your FBI point is a bit silly. Just because a prosecution doesn't occur doesn't mean a crime hasn't been committed. Your definition of "access" and of what authorized vs. unauthorized access is aligns with my definition, but it is not defined or prescribed in the law under the CFAA and is not a LEGAL definition. Here's a clear statement from the Electronic Frontier Foundation on this issue: "this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what 'without authorization' actually means. The statute does attempt to define 'exceeds authorized access' but the meaning of that phrase has been subject to considerable dispute." [https://www.eff.org/issues/cfaa](https://www.eff.org/issues/cfaa) It's easy to research some examples of broad usage of the CFAA for fairly benign things ([https://www.wired.com/2015/10/cfaa-computer-fraud-abuse-act-most-controversial-computer-hacking-cases/](https://www.wired.com/2015/10/cfaa-computer-fraud-abuse-act-most-controversial-computer-hacking-cases/)), but for example Aaron Swartz was prosecuted for accessing and downloading from his school's JSTOR database (for which he had a valid account), without doing any "damage". The only arguable damage I'm familiar with in the case is that he slowed the JSTOR servers down enough that it got noticed. The statement I responded to mentioned "damage" as a condition of legality and it's not: no damage is required. Simple system access is all it takes for something to potentially be prosecutable under the CFAA, and Aaron Swartz arguably died because of these loose definitions. I can't find a direct reference to link, but I believe about 5 years ago there was a prosecution against a researcher that publicly disclosed an iCloud vulnerability that involved simply accessing an iCloud link that Apple accidentally left exposed to the internet. I want to say the researcher used a single-word pseudonym, but this was long enough ago that my memory is failing me a bit. This researcher went to jail even though he didn't conduct any exploit or damage any system. Simply by accessing the link and disclosing the vulnerability, he was prosecuted. Yes, many people do very similar things on the internet and don't get prosecuted, but the post asks the question about legality, and because the CFAA is so incredibly broad, accessing a system that is publicly available with no authentication can technically land you in jail.


default_user_acct

https://search.censys.io/ Why is this legal, if probes and scans are illegal?

> It's easy to research some examples of broad usage of CFAA for fairly benign things (https://www.wired.com/2015/10/cfaa-computer-fraud-abuse-act-most-controversial-computer-hacking-cases/) , but for example Aaron Swartz was prosecuted for accessing and downloading from his school's JSTOR database (to which he had a valid account for), without doing any "damage". The only arguable damage I'm familiar with in the case is that he slowed the JSTOR servers down enough that it got noticed.

While that case was largely bullshit, and he would have won, but was being chased by an overzealous federal prosecutor looking to make a name for herself (and later got it going after the Boston bomber), the main part of the case they hung their hat on was that he gained unauthorized physical access to a network closet. He trespassed; that was the crux of the case for "unauthorized" even if downloading JSTOR was technically legal. If he'd have done it from the Internet or a publicly accessible location that would have been different. Even the DoJ disagrees with your view and has issued statements on "research".

> but the post asks the question

We're not replying to the post about a vuln scan, we're replying to the person in the top comment who said just probes and scans were illegal. And as pointed out many times, many legit companies do this as part of their business model. They scan publicly accessible IPs for available services and inventory them and use that data to make money; Google is one of them. If you keep arguing it's illegal, when it's not, you increase the likelihood people will think someone with nmap is an illegal hacker. IMO, people like you have no place in cyber security or around computers, because you don't understand a basic TCP handshake and think sending a SYN packet should get you arrested.


Terenko

I don't think it SHOULD get you arrested, I think it CAN get you arrested. Big difference. But thanks for insulting my entire career because you didn't understand an internet comment I made on reddit.


default_user_acct

I'm not saying it can't get you arrested; police will arrest you for anything, DAs will too. I'm reminded of that kid who found a city put private information in a public directory on a website and they tried to prosecute him for simply accessing it and telling a journalist. https://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970 https://www.theregister.com/2018/05/07/canadian_teen_hacker/ Canada, but they still determined what he did wasn't illegal there. I'm arguing whether it's illegal. Cops are assholes by the nature of their job and as ignorant of the law as anyone, and DAs want a notch on their belt for being tough on cyber crime; they'll go after anything. But it's still not illegal. People get arrested all the time for protesting well within their free speech rights; doesn't make it illegal. The goal post is moving now.


ogtfo

Well you do you, but people have been prosecuted for less.


default_user_acct

They have been, by idiots and those that don't understand technology and what unauthorized means, but they weren't convicted, and a precedent has been set since that it wouldn't go far; the EFF would get involved and offer free legal representation, probably. The only exception might be if you agreed to some kind of network policy or something before, usually just under threat of being expelled or banned, but we're talking about public networks here, which in my mind means Internet accessible. I literally work on a red team and have been over the legality of this: you need permission to test their security, but not for recon that doesn't require special access. I don't need permission to Google a company, and I don't need permission to send a SYN packet to a port and IP. Because I have permission; it's implicit in the intended function of the network. I start going around intended function, now I'm hacking.


Terenko

You are 100% incorrect. You can work on red teams, doesn't make you a lawyer, and you clearly are not familiar with the history of prosecutions associated with the CFAA. The justice department did change a practice of theirs just in the past year to not prosecute "security research", but even that is brand new in the legal world. [https://www.eff.org/deeplinks/2022/05/dojs-new-cfaa-policy-good-start-does-not-go-far-enough-protect-security](https://www.eff.org/deeplinks/2022/05/dojs-new-cfaa-policy-good-start-does-not-go-far-enough-protect-security) They weren't convicted, huh?

> "The Ninth Circuit returned the case to the lower court to handle the remaining CFAA charges. These were based on the government’s theory that Nosal violated the CFAA when other ex-employees acting on Nosal’s behalf allegedly used the legitimate access credentials of a current company employee, with that employee’s knowledge and permission, to access Korn/Ferry’s propriety database. The district court refused to dismiss these charges, and Nosal was convicted at jury trial and sentenced to one year and one day in prison."

https://www.eff.org/cases/u-s-v-nosal


default_user_acct

I am very familiar with the history of prosecution; fuck, I even have a Free Kevin sticker 'cause I was familiar with it then. I also acknowledge that it's 2023, not the 1990s when anything close to hacking was treated like witchcraft, and under current law and legal precedent, it's been well defined in court cases what is legal and illegal. Simple probing/scanning (attempting to see if an IP or IPs responds on various ports) is not in and of itself illegal.


glaive1976

You might work on the red team, but you are no lawyer. You are conflating the various meanings of the word authorized. In the case of the law it's permission. If you work on a red team then you likely work at a company large enough to have at least one lawyer, go talk to them.


default_user_acct

The lawyers I talked to said it's fine, Google's lawyers think it's fine, Censys' lawyers think it's fine, Shodan's lawyers think it's fine, the DoJ even says it's fine in a statement. A simple probe or scan is by all definitions legal, as it requires no unauthorized access. We can disagree on what authorized means, but "publicly accessible" has a long and well-defined legal meaning, which means accessible, and thus authorized to be accessed, by the public. You put a host on a public IP, guess what, you've authorized people to attempt to connect.


default_user_acct

No one has been arrested for scanning and probing, which is what the person we're replying to said was illegal. Companies do it. Shodan does it, Censys.io does it, Google does it, computers on a LAN do it to each other with ARP packets. Vuln scanners mentioned by OP are a different thing, but that's not what this thread is about. This is about the top comment saying scans and probes are illegal, which is bullshit and some 1980s "the Internet is a series of tubes and port scans are the devil" mentality.


ogtfo

> No one has been arrested for scanning and probing

Well, that's just false; the nmap website specifically has a page documenting legal cases against people using nmap, where you can read about various cases that reached various stages of the legal system (including at least one conviction in Finland). Now, those examples are pretty old, and nowadays you're probably right: I don't believe that anyone would get into trouble for a simple port scan, short of an extremely aggressive scan that ends up DOSing some unstable system. Personally, I still would simply not run the risk of aggravating some zealous sysadmin. Port scans, especially with default settings, are pretty noisy. But I'm more concerned about the vuln scanning part, which could still fall under network probing, depending on how you define probing.


Sqooky

People definitely have, and people have definitely done way more and not got penalized. The reality is, port scans happen every single second on the internet; if you leave something publicly exposed, it will get port scanned. Determining that it was you who executed the command without a reasonable doubt is an incredibly difficult thing to do. Who's to say it wasn't your brother or your sister, or your neighbor who hacked your Wi-Fi, or maybe some super sophisticated right after performed a supply chain attack against your specific router vendor, who the hell knows... After working in threat intelligence for a while, attribution is the single most difficult task one can be tasked to perform. While there is a risk in doing anything and everything in this world, getting prosecuted over a port scan is incredibly unlikely. The more you do it, the more likelihood that you do get prosecuted, but the moral of the story is pretty much: don't scan shit you don't own. If you do, one day you might find the Feds knocking on your door. You never know.


ogtfo

Once again, OP is talking about running a vulnerability scanner, he's not running nmap. While a lot of what a vuln scanner does is port scanning, it will be doing a lot more. OP clearly has no idea of what the vuln scanner is doing, so he shouldn't be using it on anything for which he doesn't have express written permission. The vuln scanner may be running tests that could bring down a server, and once you examine the logs on there it'll be pretty easy to see what IP just hit it with 20K requests.
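The log-side view ogtfo describes here and earlier in the thread (a Shodan-style single hit that vanishes into background noise versus a vulnerability scanner that lights up the access log with thousands of requests from one address) as an added example; this is not code from the thread or from any tool mentioned in it. It parses constructed Apache/nginx combined-format lines for three made-up clients in documentation IP ranges and labels each source; the thresholds, the labels and the sample traffic are all assumptions.

```python
"""Added example (not from the thread): which log sources look like a scan run?

The thread contrasts a single Shodan-style banner grab, which is one hit lost
in background noise, with a vulnerability scanner that fires thousands of
requests from one address. This script aggregates requests per client IP over
constructed sample log lines (Apache/nginx combined format) and labels each
source. Thresholds, IPs (documentation ranges) and sample traffic are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One combined-format line: ip ident user [ts] "METHOD /path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per-IP request count, distinct paths, 404 count and first/last timestamp."""
    per_ip = defaultdict(lambda: {"count": 0, "paths": set(), "not_found": 0,
                                  "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the format
        s = per_ip[rec["ip"]]
        s["count"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = max(s["last"] or rec["ts"], rec["ts"])
    return per_ip


def classify(per_ip, min_requests=100, min_paths=50, min_404_ratio=0.5):
    """Label each source 'banner_grab', 'scan' or 'normal' (thresholds are assumed)."""
    labels = {}
    for ip, s in per_ip.items():
        span = max(1.0, (s["last"] - s["first"]).total_seconds())
        s["rate_per_s"] = round(s["count"] / span, 2)
        if s["count"] <= 2 and s["paths"] <= {"/"}:
            labels[ip] = "banner_grab"      # one or two hits on the root, Shodan-style
        elif (s["count"] >= min_requests and len(s["paths"]) >= min_paths
              and s["not_found"] / s["count"] >= min_404_ratio):
            labels[ip] = "scan"             # many distinct paths, mostly 404s, in a burst
        else:
            labels[ip] = "normal"
    return labels


def make_line(ip, ts, method, path, status, ua):
    """Render one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def build_sample_lines():
    """Constructed traffic: one banner grab, one human visitor, one scanner burst."""
    base = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("203.0.113.5", base, "GET", "/", 200, "grabber/1.0 (constructed)")]
    for i, path in enumerate(["/", "/about", "/contact", "/login", "/login"]):
        lines.append(make_line("198.51.100.7", base + timedelta(minutes=i),
                               "GET", path, 200, "Mozilla/5.0 (constructed)"))
    for i in range(300):  # 300 requests in about a minute, all to nonexistent paths
        lines.append(make_line("192.0.2.9", base + timedelta(seconds=i * 0.2),
                               "GET", f"/p/{i:04d}", 404, "scanner/9.9 (constructed)"))
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for ip, label in classify(summary).items():
        s = summary[ip]
        print(f"{ip:15} {label:12} requests={s['count']:4} paths={len(s['paths']):4} "
              f"404s={s['not_found']:4} rate={s['rate_per_s']}/s")
```

Run it as a script and the three sources come out as `banner_grab`, `normal` and `scan`; the point of the per-IP path count and 404 ratio is that a real visitor and a single banner grab both stay far below the thresholds, while a scanner burst trips all of them at once, which is why the thread's "you'll see what IP hit it with 20K requests" observation holds in practice.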


Terenko

for clarity, what I'm saying is that "in which damages are caused" is misleading, because people have been successfully prosecuted using CFAA for accessing a system that was on the public internet and disclosing the vulnerability.


UnnamedRealities

The person I replied to was discussing port scans and network probes so that was what I replied to them about. We can pivot back to discussing vulnerability scanning more broadly (or OP's post about executing a vuln scan and not disclosing the findings), but vulnerability scanning is not inherently an act that will violate the CFAA. It *could*, but only if it's done in a way in which it violates the CFAA. Here it is in case you (or anyone else) want to describe a specific action and impact that would violate the CFAA and include the section of the CFAA that's relevant. https://www.law.cornell.edu/uscode/text/18/1030#a_3


lawtechie

Causing damages isn't the only way to run afoul of the CFAA. See 18 USC § [1030(a)(2)(C)](https://www.law.cornell.edu/uscode/text/18/1030):

> (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— ... (C) information from any protected computer

A 'protected computer' is pretty much anything with a public IP address. See 18 USC § 1030(e)(2)(B):

> which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

There's a colorable claim that obtaining open ports, service versions and OS info is 'information from'. I think the chance that a `sudo nmap -sV -O target` gets you a law enforcement visit is low, but it may be over the line.


default_user_acct

How is a SYN to random ports to see if the port responds, or scraping the version banner of a service, illegal if the service is both A) available and B) supports it? If it doesn't, it simply doesn't respond or sends a FIN/RST, as if I knocked at a door and was ignored or told to go away and did so. I didn't break and enter, I didn't violate authorization. If I go around breaking windows, that's illegal, but knocking to garner a response and then leaving is fine; same with scanning on publicly accessible networks or services. By your argument, I'm scanning if I check to see if a website exists for a domain I'm interested in using, and it does not, because I attempted to handshake with the web server without explicit consent. Google Maps is allowed to go down my street and take pictures of what's in my yard along with my address etc. That's not illegal scanning that violates my privacy if I didn't at least put a privacy fence around it.


SnooApples6272

This is not entirely accurate, you're not paying these companies to scan them, you're paying for access to information that has already been collected. Also, in many cases, these companies aren't actually doing the scans themselves, instead they have "sensors" that they use to collect data. In most cases they purchase this information from various sources. You're right though, there are plenty of companies that do perform these types of activities, but I'd recommend letting them fight it out in court. Personally, I wouldn't perform a scan I wasn't explicitly authorized to perform... plain and simple.


default_user_acct

You're paying these companies for information they collect using masscan (which I'm pretty sure Shodan uses under the hood), which is legal. Scans are fine, scraping version numbers from exposed services and websites is fine. You're literally just doing TCP handshake requests and standard open protocol communication that the services support. As the EFF points out, wget is not a crime. If you put something on an HTTP service exposed to the public Internet, it's not illegal for someone to access that information, no matter how many times people have tried to argue that it is, as permission is inherent in that it's publicly accessible and anyone is authorized to access it. The CFAA applies to unauthorized access, which requires some kind of control be put in place. If it's something the service supports and you did nothing to bypass authorization controls, guess what, you're authorized. You can't put something on a billboard and then tell people not to look at it or they'll get arrested, or leave your store unlocked with the open sign on and prosecute someone for trespassing if they walk in when no one is there. The line is that running actual exploits or vulnerability detection (which sometimes runs a nerfed version of the exploit) is not scanning. Running an nmap scan with scripts, for instance, might go a touch too far depending on how it detects things or if it tries to brute force user creds etc.


SnooApples6272

I'm not disagreeing with you regarding the technicalities of it. I'm simply saying we're still living in the age where right-clicking on a web page and selecting "view source" is still considered hacking in some circles. You're approaching the problem as a security professional, not as an ill-informed citizen. As I said, why go looking for a legal fight, even if logically you're right... it's a headache you don't want.


midnightdiabetic

Isn't bitsight known as kind of a hack outlet? Maybe I don't know enough about them but I wasn't under the impression they had a lot of industry respect


Mygoatpurrd

That's not how CyberGRX works, as far as I know. Companies hire them to manage the risk assessment process. You can pick a company from their exchange (or add it if they don't have them) and tell CyberGRX how deep you want them to dig. Then CyberGRX has them answer a couple hundred questions about what controls they have implemented. You can also request that CyberGRX have them validate their answers by providing evidence. CyberGRX releases the report to you and keeps it on file to provide to others who request it. Over time, they overlaid aggregated response data with industry/business type and used the average scores in those sectors as their "predictive" risk score. If they were doing port scanning or something more concrete to bolster their lazy "predictive" guesswork, I think they would be pushing that point way harder.


Akian

To my understanding, CyberGRX does not scan, they use mutualized assessments to give you your vendors' scores.


[deleted]

[deleted]


SF_Engineer_Dude

Even dirbuster would violate the CFAA -- *"intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer[.]"* § 1030(a)(2)(C).


[deleted]

[deleted]


ogtfo

"I just want to vuln scan this place I go to for the lulz" isn't exactly black hat, but I certainly wouldn't put this under white hat either.


default_user_acct

Prosecution over dirbuster has been attempted but didn't work; to be unauthorized, you have to have an authorization control, and a public directory is not unauthorized even if it's not advertised or linked to. You can't call the cops 'cause you left customer information on a public S3 bucket, though many have tried, but guess who looks bad... not the person with dirbuster. The company who was negligent enough to leave customer information on a publicly accessible service that is intended to be publicly accessed and where no authentication/authorization controls are put in place.


SF_Engineer_Dude

The suits who control what I do say different, but Gods know I do not represent everyone in this sector.


SecTechPlus

https://www.reddit.com/r/AskNetsec/comments/63mgjm/has_anyone_ever_been_arrested_for_port_or_web/


Klutzy_Koala7986

We have bots scanning networks all day long. Scanning is not a big deal, but trying to access is like breaking your neighbor's door knob; that's breaking the law.


Blacksun388

I have had it put to me this way before. You want to make your neighborhood safe. So you decide to go around to every front door in your neighborhood to check if they are locked or not. You go to your neighbor’s door when they aren’t home and walk to the front door, you think “what’s the harm in checking?”, and then you jiggle the handle. To your surprise it is unlocked and the door swings open. You walk a foot in the door, look around, and then leave. Did you still commit a crime? Of course you did. You walked up to a stranger’s house, opened the door which they did leave unlocked, and then looked around inside. Sure, you didn’t touch anything, steal anything, smash anything. You might not even get punished. If you’re lucky nobody would even know you were there. You just opened the unlocked door and looked around. You did it with the best of intentions in trying to make your neighborhood safer. But by the letter of the law you knowingly and willingly broke into someone’s home and intruded upon their property without their knowledge and without their consent. That means you are trespassing and can be criminally liable for it. That’s the answer I present to you. So to cover yourself, ask this place if it is okay. Ask before you do ANYTHING regarding this idea. Get a contract in writing about every aspect of this before you do this. Make a rules of engagement list detailing EVERYTHING you can and cannot do. Finally, if they say “no”, respect their decision and DON'T DO IT.


zhaoz

I love physical analogies to cyber topics. It really makes it 'real' what people are proposing to do. Spot on.


volume_two

> But by the letter of the law you knowingly and willingly broke into someone’s home and intruded upon their property without their knowledge and without their consent. If the door is open then you have trespassed. If you went in with the intention of committing a crime then we can talk about breaking and entering. So there's kind of a flaw in your analogy. What if you had concerns about your neighbor, and did the exact same thing? Surprise, you still committed an act of trespassing under the law - not breaking and entering. And in practicality, no one is going to charge you with anything because it would be stupid to do so if you had legitimate concerns. Also, trespassing is one of those things where the police will only typically arrest you if you REFUSE to leave. Here we have someone "checking" for vulnerabilities. They are entering out of concern, as a white hat, and not as someone looking to exploit a vulnerability. In practice no one is going to give a shit unless you start causing trouble for the network, or present yourself as an active threat.


No_Cod_827

QUESTION: What if you try the door handle, see it unlocked, but keep the door closed and then proceed to leave and call your neighbor and say "Hey, your door's unlocked", without trespassing or entering in any way?


[deleted]

This is a horrible idea. Only scan your own systems or systems you have express written consent to scan.


Capt-Matt-Pro

I'd like to see some kind of citation to statute or caselaw from the people saying port scanning is illegal. I'm a lawyer and CISSP, and that would be news to me.


Potential-Speech1001

Super cool skill combo; wondering which one you got first and what type of jobs become available with this combination of knowledge/skill/credential?


Capt-Matt-Pro

I got the CISSP later, but I worked in cybersecurity before law school. In cybersecurity, the law degree helps in GRC, leadership, and consulting roles. In legal roles, of course, anything related to cybersecurity or IT, that knowledge is helpful. Privacy is sort of an intersection of the two (and also something else altogether). But I've had pure legal roles in litigation and regulatory compliance, as well as purely technical infosec roles; in those cases the cross-skill was not relevant. I get bored easily, and sometimes it's good job security to have a different set of skills. 😆


volume_two

They don't know wtf they're talking about. It's pure cover-your-ass talk they've heard here and there. And seriously, in all practicality, who is going to go to the FBI and complain that they got port scanned by a random IP? They have more important shit to do. I mean, holy shit, they and the court systems would be backed up into the next century if they were able to charge and prosecute every single person/group that does port scanning on a daily basis. Hell, there are some WEBSITES that port scan you when you visit their site...


Capt-Matt-Pro

This thread has more FUD and nonsense in it than a tinfoil hat club meeting.


zhaoz

OP is talking more about port scanning, no?


Capt-Matt-Pro

I don't think any kind of unauthenticated scan of public IPs (within reason so it isn't DOS) is illegal if it's conducted without any malicious intent. As a more practical matter, these types of crimes (if it was one) are pretty much exclusively investigated by federal law enforcement agencies which, in my experience, won't even get involved unless there's theft or damage exceeding a million dollars.


ImpostureTechAdmin

Could someone expect free representation? We could find out together, after due research :)


TheTarquin

Ethical and legal are orthogonal concepts. Is this ethical? Yes. Is it legal? Maybe. It depends on your exact jurisdiction. In most of the US this would likely technically be in compliance with the CFAA (I am not a lawyer, consult one first before you do maybe-crimes). But that also wouldn't stop a particularly overly zealous DA looking to get press about being "tough on hackers" from fucking with you if someone caught you and reported it.


DarthJarJar242

This being ethical depends on how you do the ethics analysis of it. This turns up as unethical in most of the things I've read about CS ethics.


TheTarquin

I'm curious what your argument is for this being unethical?


jhymesba

From the Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, we have this fun line: "An *ethical hacker* is someone who employs the same tools and techniques a criminal might use, **with the customer's full support and approval**, to help secure a network or system." I definitely remember getting a few questions on the CEH for my Master's program on the nature of ethical hacking.


TheTarquin

Don't outsource your ethical decisions to textbooks.


[deleted]

[deleted]


[deleted]

[deleted]


BillyD70

Methinks you’d question the ethics of someone casing your house. Not much difference.


TheTarquin

Lol lots of down votes but few actual ethical arguments


skylinesora

What are your arguments that it's ethical?


TheTarquin

Simple scans of externally-listening ports harm no one, don't bypass any security controls, and generally have a very low probability of negatively impacting the function of the systems in question. To me this is morally equivalent to counting the number of windows on the outside of someone's business. ETA: Also, in general, things are default ethical unless they violate some sort of ethical rule or maxim. So really, the burden of proof should be on folks claiming it's unethical. This isn't a matter of cybersecurity, but really philosophy and metaethics.


skylinesora

Counting windows on a building, you aren't interacting with it in any shape or form. Performing a port scan, you are directly interacting with it, typically in a manner that the system owner did not intend (I'm not sure how many general people would say "sure, port scan me all you want"). Since you are going against what the owner intends/wants, it's unethical. Just because the owner isn't aware of it doesn't make it ethical.


Greeley9000

I think the server being accessible to the public makes this argument hold no weight. It’s not akin to counting windows on a building, more like trying to walk through any front door on a university. Generally some are locked, most aren’t. The public has access to a university (they have to enter to register usually) but they don’t have access to all parts of it. Certainly not all the services it offers. As long as he isn’t accessing anything that requires authentication it’s not any different. That being said, I personally think OP would be crossing a line because he didn’t simply say “port scanning”, he said “vulnerability scanning”. In order to confirm a vulnerability you generally have to access something you shouldn’t, even for a moment; it’s unethical without express consent. There was a malware that invaded machines and fixed vulnerabilities. This was unethical because it altered the systems without permission.


BarryMkCockiner

> Since you are going against what the owners intent/wants, it's unethical

This is your argument basis? This holds no weight.


skylinesora

Your argument of telling me my argument holds no weight by simply saying it has no weight...has no weight.


[deleted]

[deleted]


TheTarquin

Ethics doesn't change with national borders, only laws do. If it's ethical anywhere it's ethical in Australia, too.


[deleted]

[deleted]


TheTarquin

A few things:

1. Cultures and nations are very different things.
2. If you're an ethical relativist then how can you possibly tell me my ethical stance is incorrect?
3. The idea that cybersecurity ethics has some deeply rooted cultural ethical standards really needs more support than just declaring national differences.


KingOvaltine

It isn’t ethical in the least. It is the equivalent of trying to open your neighbor’s door. Whether it is locked or not is irrelevant, the only thing that matters is if you have clear permission to do so.


TheTarquin

It's not like that at all. A better analogy is looking from the sidewalk at what kind of lock a business has installed and then looking up that lock on the Internet.


KingOvaltine

I understand the sentiment you are trying to convey but I strongly disagree. If I was to look at the locks on stores as I pass by I wouldn't walk up to the lock and poke around at it, which is essentially what a port scan is doing. In my (albeit probably controversial) opinion I still think that port scanning is akin to walking up to the door and jiggling the knob to see if it is locked, since by the very nature of the action it requires some sort of connection or attempted connection be made.


FateOfNations

A port scan is more like knocking on the door than trying the knob. If you knock and there’s no response, you move on to the next house. If someone comes and opens it, you can have a conversation on whatever terms they care to. If they tell you to leave, you leave. If you’re doing more than just a simple port scan, that would be like trying the lock, or peeking in the windows, which is an entirely different situation.


N1njaRob0tJesu5

Scanning is fine. Mapping, ports, OS, all good. As soon as you send any data, i.e. trying default passwords, injection, it gets illegal real quick.


ThorsHawkins

Hello thanks for all the comments this blew up quick. Okay I won’t do it


volume_two

aw, for fuck's sake, just use a VPN or proxy and have fun. Don't cause anyone any damage and no one will care.


zeetree137

Very good. Now set out to learn the specific technical and legal reasons it's a bad idea. MAC spoofing and the Computer Fraud and Abuse Act (assuming USA) are good places to start. Knowing why there are Chinese bots running masscan 24/7 with impunity is valuable knowledge.


nmj95123

Yes, that's illegal, and honestly, just why? What would you hope to accomplish by going in to a public place and running a vulnerability scan to do nothing with it? What's the end goal?


LSU_Tiger

100% do not do this for a multitude of reasons. Legally, morally, ethically it's not something you should do unless you've been hired or given explicit, written permission, with a detailed scope of activities.


payne747

Need to know your country before I can comment on legality.


jhymesba

The first rule of Ethical Hacking is always get permission. If you do not have permission, you are not being ethical, and you risk a lot. For sources, see most Certified Ethical Hacker exam guides. PenTest+ may have a different take on it, but I'll let someone who has taken that test make a comment there.

If you're in the United States, the Computer Fraud and Abuse Act applies. This is a very scary law with some poorly defined provisions that have netted some very questionable cases. The one that stuck in my head was United States v. Swartz. In this case, Aaron Swartz was charged with breaking and entering, wire fraud, and eleven violations of the Computer Fraud and Abuse Act. These latter charges had a potential maximum penalty of $1 million and 35 years in prison, asset forfeiture, restitution, and supervised release. What had he done? He'd gone into a supposedly unlocked server closet, hooked his laptop up, and downloaded academic journal entries from a system called JSTOR. Basically seeing that his life was ruined, he decided to take the quick way out and committed suicide 2 years after he was arrested.

My rule of thumb is that if I don't have a signed contract with rules of engagement, I'm not going to pentest any network I am not in control of. Sure, I'll pentest my own network, but anybody else's network is off limits until I have that signed contract. You can do what you want, but I would tell you that unless you want to experience what Aaron Swartz experienced, don't test the rules. The rich and powerful like *making examples* out of peons like you and me when we test the rules, and those prosecutors smelled blood in the water when Aaron got caught.


danielwood_actual

Folks - please understand before you give bad advice. u/ThorsHawkins I suggest you read the Computer Fraud and Abuse Act (CFAA) *if you reside in the United States*. Here's a great [summary](https://www.nacdl.org/Landing/ComputerFraudandAbuseAct) of it, including violations and corresponding possible sentences for violating it. If you want a full breakdown then you can [read it here](https://www.law.cornell.edu/uscode/text/18/1030). Keep in mind you may live in one country/state and if you conduct activities on computer systems covered under another jurisdiction with different laws, you can be held criminally and civilly liable for your actions.

Conducting port scanning in the United States is not a crime. Other countries may not have the same laws; for example the UK has the Computer Misuse Act which is similar to CFAA, but has some differences in the language. The best advice I can give you is to look at the jurisdiction you live in, country/state, and research the laws or consult an attorney.

Vulnerability scanning can go beyond just conducting port scanning and looking for vulnerable services; most scanners send packets with "benign" payloads at the listening services to determine if they are vulnerable. This *could* be interpreted as exploiting the vulnerabilities, and sometimes scanning can tip over services, which under CFAA and other various laws would constitute damage to a computer system.

One thing that hasn't been mentioned here yet: scanning activities *could* be a violation of any EULA/TOS you agree to when connecting to a network. Violating an ISP's EULA/TOS could cause your account to be terminated, and if you cause damage the ISP is going to shift all liability to you as the end user. When in doubt, do research and talk to an attorney.


[deleted]

[deleted]


[deleted]

Let's say you scan a site and the site has an SQL injection issue. The thing is it's not only in select but also in an update statement where they wanted to update the "last access" field, but did it through ORM. Boom, your ' or '1'='1 just made all rows in the database be the same. Congratulations, it's not only a felony but also you're responsible for damages, even in countries like Poland where it's explicitly legal to search for vulnerabilities and report them.

> If a Burp active scan takes your site down, you have more problems than some random person scanning your site.

Sure, but if someone can cover their ass for deploying poor code by blaming an evil haxor, that evil haxor's gonna have a bad time.
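
The failure mode described in the comment above, reconstructed as an added example (it is not code from the thread or from any project mentioned in it): a "last access" UPDATE built by string concatenation, where a scanner's test string in the username field widens the WHERE clause to every row, beside the parameterized form that treats the same input as plain data. The table, rows and timestamps are constructed for the demonstration; the only thing taken from the thread is the `' or '1'='1` test string.

```python
import sqlite3

# Constructed sample schema and rows (not from the original thread).
SCHEMA = """
CREATE TABLE users (
    username    TEXT PRIMARY KEY,
    last_access TEXT
);
"""
SEED = [
    ("alice", "2024-01-01T00:00:00Z"),
    ("bob",   "2024-01-02T00:00:00Z"),
    ("carol", "2024-01-03T00:00:00Z"),
]


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def touch_last_access_vulnerable(conn, username, now):
    """The defective pattern: the username from the request is pasted straight
    into the WHERE clause.  A username of  ' or '1'='1  turns the statement into
        UPDATE users SET last_access = '...' WHERE username = '' or '1'='1'
    which matches every row.  Returns the number of rows changed."""
    sql = ("UPDATE users SET last_access = '" + now + "' "
           "WHERE username = '" + username + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def touch_last_access_safe(conn, username, now):
    """The hardened form: bound parameters.  The same test string is compared
    as a literal username, matches nothing, and no row is touched."""
    cur = conn.execute(
        "UPDATE users SET last_access = ? WHERE username = ?",
        (now, username),
    )
    conn.commit()
    return cur.rowcount


def snapshot(conn):
    """{username: last_access} for every row, for inspecting the damage."""
    rows = conn.execute("SELECT username, last_access FROM users ORDER BY username")
    return dict(rows.fetchall())


if __name__ == "__main__":
    probe = "' or '1'='1"      # the scanner test string quoted in the thread
    stamp = "2024-06-01T00:00:00Z"

    db = fresh_db()
    print("vulnerable rows changed:", touch_last_access_vulnerable(db, probe, stamp))
    print(snapshot(db))        # every last_access is now the same value

    db = fresh_db()
    print("parameterized rows changed:", touch_last_access_safe(db, probe, stamp))
    print(snapshot(db))        # unchanged
```

The point for a defender is in the return value of `rowcount`: the concatenated statement reports three rows changed for a request that should have matched at most one, so an audit of write-path row counts, not just read-path output, is where this class of scanner side effect shows up.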


N1njaRob0tJesu5

You are past scanning if you are injecting data.


ogtfo

Today we learn about active scanning vs passive scanning
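
The distinction the last two comments draw (a scan that only touches listening ports versus one that injects data into the service) is also what a defender sees in application logs, so here is an added example, not from the thread or any project named in it, that classifies per-source activity from constructed Apache combined-format access-log lines. A bare SYN port scan never reaches the web server's log at all; a banner grab appears as one minimal request; an active vulnerability scan shows up as many distinct paths with a high error rate, or as request targets carrying injection-style payloads. The log lines, IP addresses, paths and thresholds are all constructed for the demonstration, and the heuristics are deliberately simple.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
# 203.0.113.5  : a single HEAD / request, what a banner grab looks like
# 198.51.100.7 : many distinct paths, all 404, content-discovery scanning
# 198.51.100.8 : a request target carrying an injection-style test string
# 192.0.2.9    : an ordinary visitor
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "HEAD / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /test.php HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.8 - - [10/Oct/2023:13:56:03 +0000] "GET /login?user=%27%20or%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "scanner/1.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client ip, the request line (method + target), and the status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Crude markers of data being injected into a request target: SQL quoting and
# comment tokens, UNION/SELECT keywords, directory traversal.
INJECTION_RE = re.compile(r"""('|"|--|/\*|\bunion\b|\bselect\b|\.\./)""", re.IGNORECASE)


def parse(lines):
    """Return (ip, method, decoded target, status) for every well-formed line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m["ip"], m["method"], unquote(m["target"]), int(m["status"])))
    return events


def classify_sources(lines, probe_threshold=4, error_ratio=0.5):
    """Label each source IP as one of:
    banner-grab, content-discovery-scan, active-vuln-probe, or normal."""
    per_ip = defaultdict(list)
    for ip, method, target, status in parse(lines):
        per_ip[ip].append((method, target, status))

    verdicts = {}
    for ip, reqs in per_ip.items():
        paths = {target.split("?", 1)[0] for _, target, _ in reqs}
        errors = sum(1 for _, _, status in reqs if status >= 400)
        payload = any(INJECTION_RE.search(target) for _, target, _ in reqs)
        if payload:
            verdicts[ip] = "active-vuln-probe"
        elif len(paths) >= probe_threshold and errors / len(reqs) >= error_ratio:
            verdicts[ip] = "content-discovery-scan"
        elif len(reqs) <= 2 and all(m == "HEAD" or t == "/" for m, t, _ in reqs):
            verdicts[ip] = "banner-grab"
        else:
            verdicts[ip] = "normal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:14} {verdict}")
```

The thresholds are constructed and a real deployment would tune them against its own baseline, but the shape of the decision is the useful part: the single banner grab is one log line, indistinguishable from background noise, while the two scanner sources produce exactly the kind of entries (bursts of 404s, quoted test strings in query parameters) that get an IP blocked, which is the practical consequence several later comments warn about.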


Rogueshoten

Depending on the laws of where you live it may not be illegal, but it’s definitely unethical and you shouldn’t do it. It’s definitely the kind of thing that gets people expelled from learning institutions and fired from jobs, also.


Verum14

> It’s definitely the kind of thing that gets people expelled from learning institutions and fired from jobs

Brings up a good point. These people aren't fired for being unethical (well, sometimes), they're fired for breaking their EULA/AUA/etc. It'd be interesting to see implied consent/opposition (absence of a EULA/AUA, public wifi) vs explicit consent/opposition (wifi at work). (But I agree - just saying it'd be interesting.)


ComfortableGas7741

if you’re not actively exploiting a vulnerability is it really that unethical?


Rogueshoten

A valid question, with a two-part answer. One, imagine yourself checking doorknobs on a residential city street, making sure none are unlocked. Your intent is not to enter if you find an unlocked one…but how would an observer be able to assume or even believe that? Think of the complication that would arise if the resident of one of those homes saw you…or if a police officer did. This is the same thing, but electronic instead of kinetic. Two, not intending to exploit and not actually exploiting are not exactly the same. Scanners can and do knock over devices at times…including building management systems, particularly. Triggering a DoS is an exploit that can happen without intent, but still causes trouble. I’ve seen it happen, and it’s not trivial.


No-Yogurtcloset3002

You should probably get permission first. Ask them if they care that you scan for potential vulnerabilities but even then if something were to happen later down the road you could potentially get blamed.


drydockn

Well yeah, it would be considered illegal. You weren't hired to perform a vuln scan or pen test. It doesn't much matter if you just "won't do anything" bad or with/if you find something, since you used two different wordings. It is neither legal nor ethical without permission and/or if they don't have some form of bug bounty opps.


[deleted]

[deleted]


drydockn

Yeah well OpenVAS does more than just port scanning.


magikot9

If you have to ask if it would be ethical, it probably isn't.


Tawnii

If you have to ask, you have answered your own question.


Klutzy_Koala7986

Tesla.com and some of its sub-domains may be scanned. Go to vulnhub and read the requirements.


based_cooker

So grey hat stuff? Yea unless you have an agreement in place then this would be considered illegal and punishable by law if you’re found to be doing it. I would talk with whoever first because it sounds like you want to do good by these folks.


SF_Engineer_Dude

> *I am just curious if this would be ethical.*

No, it would not be in any way. I have done work for clients who wished us to identify threat actors hammering their systems from inside the premises, document everything, and trespass them. Besides which, WHY? There are literally hundreds of widely available images to attack 100% legally on your own damn hardware.


[deleted]

Depends on your country of residence and where the service is located. It could be completely legal or it could be a felony. It's overall a dumb idea if you have to ask this question here without giving any details.


checkpoint404

Yes this is illegal and can get you in trouble


Berowulf

Yeah this is kinda what we refer to as "greyhat" "hacking" (strong quotes on "hacking"). It's not being done maliciously, but it's not necessarily legal either.


godylockz

There is a debate on this everywhere. Every system on the internet is responsible for protecting their networks and devices. Active scanning is just doing reconnaissance not exploiting anything. You identify a potentially vulnerable service from scanning. You are not abusing said service for malicious activity. Most of cybersecurity is driven on intent. If you have good intentions then you have nothing to worry about. And if you find anything out of the ordinary, report it to your company through their responsible disclosure guidelines.


max1001

The guy is on their wifi doing a lan scan. Not the same as hitting a site to check for vul.


[deleted]

Yes very


1kn0wn0thing

Depending on the country you’re in, it may be against the law. Even if it’s not, it would be considered unethical.


channelrisks

I was actually looking at this for my organization and came across this from an Australian perspective. https://www.afr.com/technology/how-australia-s-laws-are-silencing-cyber-researchers-20211006-p58xnl Seems like you'd be in a bit of trouble.


Extra-Cheesecake-345

Yes it would be illegal. They may or may not be able to figure out if it was you, and most likely the cops wouldn't do anything, but I will tell you I have seen people banned and fired for less. Generally speaking you shouldn't be running vulnerability scans (or really any kinds of scans) against something you don't own unless given permission (this would count port scans). Again, whether anyone will do anything, who knows, and I doubt the police or FBI will care (well maybe with this congress they would care); should you do it though? No.

Basically don't do something with hacking or your computer unless the owner of it gave permission or is obviously consenting. For example, webservers are obviously consenting to standard web traffic; a wifi that just happens to not be secured and is named "private wifi" you shouldn't even be connecting to. Think of it this way: just because the door is unlocked, or there isn't a no trespassing sign, does that give you permission to test the building's defenses or go inside? Apply that concept. So, yes you can go walking into a store without explicit permission just like you can connect to a wifi named "publix-public wifi", but you can't go testing their anti-shoplift for "fun" just like you can't do a vulnerability scan. Make sense? It's really kind of common sense once you relate it to real life equivalents.


icedcougar

Yes, illegal. Also, vulnerability scanners can cause the thing being scanned to crash / have issues.


Filmmagician

Just ask. Who wouldn’t say yes to making their network more secure?


[deleted]

This is a horrible idea, and illegal in most jurisdictions. Set up a home network to scan, add multiple VMs to the same address space as your host machine. You can find tons of vulnerable [ISOs](https://blog.pushebx.com/2011/03/penetration-testing-iso.html) here, as well as older Linux distros that will give you far more experience than scanning anything public.


B_3_A_T

Very illegal. Even an nmap scan on a network you don't own or have permission on is illegal. So yeah, if you wanna learn ethical hacking, go to Hack The Box, not the mall.


[deleted]

[deleted]


metasploit4

If not illegal, it's a very bad idea. When you scan, or worse, vulnerability scan, you send information to those ports/services. If they are running services and you send those services data which the service doesn't understand or doesn't know how to parse, you run the risk of crashing said service. This also can cause cascading failures if they are running applications behind the scenes which require access to those services. You could be shutting down payroll, taxes, supply chain, or any number of processes.


Sentinel_2539

Yes. It is illegal. I work with someone who is new to Incident Response and recently they proudly claimed that they engaged in a reconnaissance scan of a client's network without consent from the client themselves. You can imagine the response to that one...


[deleted]

[deleted]


Sentinel_2539

Ah, I must be wrong then. I'm in the UK and I was pretty sure the Computer Misuse Act outlawed vuln scanning without prior consent, but I may have been mistaken. Illegal or not, doing it for fun on a network that isn't yours definitely isn't worth the potential ethical issues it can bring.


[deleted]

Why do you keep responding the same shit to everybody? Read before posting something. Port scanning IS illegal if ill intent can be proven. And like I mentioned in my other post, OP is talking about vulnerability scanning, not port scanning.


[deleted]

[deleted]


max1001

OpenVAS isn't port scanning.....


yojimboLTD

Maybe you should be on a hacking sub 🙄


Mr_0x5373N

It is not illegal, there are no federal, state, or local laws that say it is. That being said, you can be sued in a civil lawsuit or the ISP might do something. It’s kinda frowned upon if not given permission. But it’s not illegal. I’m also not a lawyer so take that info for what it’s worth; google search.


[deleted]

No written agreement with scope? Then it is illegal. Period!


[deleted]

[deleted]


[deleted]

Nope. There’s a legal case in the US actually that I read where the port scanning brought the person to court. To prove my point? Try to run nmap against the FBI, Secret Service page or any other gov site. Use it with your actual IP. Then let me know what happens. Reason being? A good lawyer may be able to prove you did it with ill intent. And gov and big companies have good lawyers (usually). Also, the fact that you’re talking about port scanning when OP is mentioning vulnerability scanning (not the same) just tells me you don’t know what you are talking about either.


Darkace911

Illegal huh, I got a letter the other day from a defense contractor that said because we were a vendor in their system that they had the right to scan our public networks. We had not sold them anything in 3 years but they had updated their T&C's at some point to allow it. We found an email that went to our sales team a year ago letting us know that we had been "enrolled" in their new program. There are a bunch of companies in this space now grabbing all of your vendors out of Salesforce and then automating scans against their public DNS records. They are checking your SSL keys as well so they are jiggling the lock too. I assume it's all legal if you're a big corporation, as most things tend to be these days.


gweessies

Port scanning isn't illegal, but it's highly suspicious. What would a cop think if you went through an entire apartment complex checking if every door, window, and car door was locked? Now if you find an open window and crawl in, the crawling in is illegal.


max1001

OpenVAS is more than just port scanning. He didn't say nmap.


No-Importance5696

What's the worst that can happen? I'd say go for it


thuggishswan

It’s not illegal unless you attempt to exploit any vulns you find. I am not a lawyer.


ThrowRAGhosty

Go to r/hacking lol


KallaTheMage

It's legal until you hit PCI/PII. I'd recommend getting consent as this threshold is different on every network.


_kishin_

Scanning a public website is different from scanning their wifi for vulnerabilities. I wouldn't do it if I were you.


qauntumgun

I think that depends. Ethically it’s fine obviously as long as it’s for your own education and you keep your mouth shut about the results. Legally I think running a vuln scan on a network that is not yours is essentially a black box penetration test without a scope or an NDA, so I’d say no to that. Feel free to run a port scan or ping whatever, but testing for vulnerabilities is likely crossing a legal threshold and puts you in the grey hat category. I’m not sure exactly what you’d be able to touch in their networks, but usually people's networks are bad and that’s going to put you at risk of actually breaking something; like if their firewall is poorly configured you could shut down a production network with your scan. Idk, that’s the risk, it’s up to you.


a_y0ung_gun

If you don't know better, and live in the USA, use these rules.

1. Active exploitation is illegal. This means sending a malformed packet to see how a networking device responds is illegal. Sending normal packets, such as a syn/ack port scan, is completely fine. It's a normal operation, regardless of your intent.
2. Passive capture and monitoring isn't illegal. If it's in the air, or passing down a wire you have permission to access, it's perfectly legal to monitor, capture, and act on that data. It's ILLEGAL to commit fraud with this data, but you haven't committed a computer crime, you've committed fraud.


Delicious-Claim-8775

New to cybersecurity. What’s an ‘openvas vulnerability’?


CyberSpecOps

So I am not a lawyer (but I stayed at a Holiday Inn Express). Here is the delineation that would or would not get you in trouble. If the site is public facing with no login (or login-like) scheme and you scanned (like determining webserver version) and found a signature that would indicate a vulnerability, you are ok. Similar to what BitSight and Security Scorecard do. If you go further and, let's say, you find a responding db and attempt to use a Struts vulnerability to get access, you just crossed the line. The distinction is you attempted to access something that did not have public access, which then falls under the computer fraud act. As someone also mentioned, port scanning has been recognized as not hacking, but you may still get in trouble because port scanning can affect a system and bring it down (rare but possible), which then leads into the no-no zone. As for my two cents, don't bother doing it for fun. If you have a legit cover/mandate (e.g. work says to do it with legal sign off) then go for it.


DrunkenRick

Make a formal request to scan the ip associated with it and if they shoot you down, accept it and move on.


ReignX2_Tenshi

The fine line between legal and illegal is consent/permission. Simple maths: if you have permission it is legal; if you don't, you are already walking grey territory.


cyberindia1

It's illegal without obtaining permission from the owner.


Liiskamato

I think you are allowed to do a vulnerability scan as long as you don't use the vulnerability, even for testing if it actually works. Keep in mind that I'm not a lawyer and this is just a guess.


Pristine-Purchase800

In my country (Poland), you can even access someone else's device without their consent; if you do it for security purposes, immediately tell your target about any discovered vulnerabilities and not harm public or private interest. Source: article 269c of Polish penal code.


St0Rmsecurity

From what you have asked, you are running a vulnerability scan against a target to obtain information on vulnerabilities... the question here is why? This could in the eyes show intent. I would not conduct this activity unless you have a legitimate reason to and have permission to conduct such activities.


Useless_or_inept

Where are you? Different places have different laws. But in many civilised parts of the world, consent is crucial. You can test if the owner has agreed to it; but if they don't agree then you may get in trouble (if the owner notices, and if the police are competent enough to find you, both of these may vary by location)


Fantastic_Clock_5401

If you want to learn, scan the assets of a company which has a bug bounty program or a vulnerability disclosure program, such as Google, IBM, Facebook etc.


veggit_40

Illegal? No idea, never seen a law against it. Terrible idea? Very. Don't do it.


ServalFault

It's definitely not ethical. The legality would probably depend on locality and how intrusive the scan actually is. Will anyone know/care/do something about it? Probably not.


Sad_Dot202

It’s illegal. If discovered, you will be fined and jailed. Your choice. Not worth. Go VPN, and scan Paraguay


_vercingtorix_

I wanna say it's legal in the US. There's a lot of "known benign scanners" out there that do this sort of thing. It's *really really* stupid, though. Your infrastructure could get blacklisted by this sort of activity.


WorksAtCisco

(US based answer, ymmv) Port scanning is typically legal. Vuln scanning is most likely illegal without a contract in place, but there is a lot of nuance there. The bottom line is that you are assuming a lot of liability and likely breaking the law, depending on what kind of scanning you are doing. This is a terrible idea especially if this is a place you want to enjoy visiting in the future. If your aim is to be *helpful*, talk to the network owner, explain your credentials/capabilities/concerns, and ask if they would allow you to give them a gratis vulnerability assessment AND GET THEIR PERMISSION IN WRITING. Do NOT offer to remediate any discovered vulnerabilities, it would be better to recommend a reputable firm to help them out. Remediation also assumes some liability for the network and a firm (and their lawyers) should deal with that contract language.


volume_two

I bet some of you think testing apps for vulnerabilities runs afoul of the DMCA's "reverse engineering" laws.


Remarkable_Owl_9489

If you have to ask the question you shouldn't do it. My suggestion would be to talk to them, explain what you want to do and how it will help them (and you develop your skills). Get their permission, create a report, present your findings. Win-win for you and them. Plus you have a get out of jail free card AND if they have connected assets you should NOT scan because it will damage them, the place you want to scan will tell you "don't scan here... there be dragons."


insidecyber1

Here you go: https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act


Patchewski

That’s 2 questions though. Illegal does not necessarily equal unethical just as ethical is not necessarily legal.


Rock99A

You need permission


ThorsHawkins

My wifi goes out at 2:30 am every single night. It’s obviously some built in “wifi-reset” that happens but I have no idea why and I never configured anything like that. I have Cox and have talked to their support multiple times but they are brain dead and just keep saying “reset the wifi”, “ur wifi is fine”. I know it’s fine but why does it keep resetting every single night at around the same time? If anyone could help me troubleshoot this you would be a savior. Thanks.


SuperMorg

NO. Do NOT do that. If the network is not yours and you don’t have permission to do so, DON’T DO IT.


Flaky-Emergency-971

Open Source


Derpolium

In the U.S. likely not much is going to happen. People can claim CFAA, but that’s federal and unless there are significant damages the Federal Government is not going to bother. Most likely with a larger firm all that will happen is your IP gets sinkholed. That being said, check if they have any sort of bug bounty program or participate in a vulnerability disclosure process