2

Is it usually authorized to run systematic information gathering tools? I'm talking about tools like nmap, knock, dirb and so on. I'm obviously talking about running them on public websites without consent.

WhiteWinterWolf
Hedam
  • 4
    Legal questions might be more appropriate on [law.SE]. – Arminius Aug 01 '17 at 20:26
  • As long as you are not utilizing a website the authorized way, then it is unauthorized. The details regarding "legal" aspects, i.e. what the law actually dictates, vary on a lot of factors (your location, location of your target, location through which your data is routed, status of you, your ISP, your target, your target hosting company, etc.) and require consultation of a lawyer. – WhiteWinterWolf Aug 01 '17 at 20:41
  • @Arminius: This question would be off-topic on [law.se]: ["Please don't ask questions seeking legal advice on a specific matter."](https://law.stackexchange.com/help/on-topic). Either the OP is satisfied with the answer that, unless explicitly stated otherwise, such action is unauthorized, or he must hire a lawyer to study his case in detail. Law.SE does not provide free lawyer services, the same way we do not provide free security audit service here. – WhiteWinterWolf Aug 01 '17 at 20:45
  • I'm satisfied with a generic "unauthorized" answer. – Hedam Aug 01 '17 at 20:46
  • I've edited your question to explicitly remove the "legal" aspect of it and try to avoid its closure. I think this is a good question as it is a frequent issue raised by newcomers in the IT security realms and did not find any duplicates (most probably all closed due to their "legal" aspect being off-topic here). – WhiteWinterWolf Aug 01 '17 at 20:52
  • What's the difference after changing "legal" to "authorized"? Is it now about whether the terms of use *usually* permit that? I don't think that makes it a meaningful question. – Arminius Aug 01 '17 at 21:00
  • @Arminius: When discussing the "legal" aspect, you are discussing what the law states. When discussing the "authorized" aspect, you are discussing what the target website states. The "legal" aspect usually serves as a wrong justification for script kiddies to attack random websites (aka. "I wasn't doing anything illegal!"). I think it is important to highlight here on sec.se that such broad claims have usually no reality and that, when you're not a specialized lawyer, you must limit yourself to explicitly authorized actions, no matter what your own interpretation of the law may be. – WhiteWinterWolf Aug 01 '17 at 21:25
  • @Arminius: Nevertheless I rewrote the question very quickly, there may be a clearer title like "Am I free to use automated scan tools against random websites?" or something else. All professionals here *know* the answer to this question, new people in the field or simply people curious about the tools (you know, *Mr. Robot* and all) may sincerely not know it. – WhiteWinterWolf Aug 01 '17 at 21:34
  • 1
    Related: [At what point does “hacking” become illegal? (US)](https://security.stackexchange.com/questions/6355/at-what-point-does-hacking-become-illegal-us) – Arminius Aug 01 '17 at 21:46
  • Any questions over legality regardless of how you word it are off topic. It does not fit into the scope defined by this site and it also borderlines being flagged as the answers would mostly be opinionated. – Bacon Brad Aug 01 '17 at 22:04
  • @BaconBrad Can you clarify? The help center says little more than "we're security professionals so deal with legal issues, but this site is not a law site". Saying *Any* questions over legality are off-topic is a little misleading considering these questions: https://security.stackexchange.com/questions/6355/at-what-point-does-hacking-become-illegal-us https://security.stackexchange.com/questions/13374/what-are-legal-ethical-concerns-to-bear-in-mind-when-hacking-websites-with-open?rq=1 https://security.stackexchange.com/questions/24700/is-hacking-back-a-valid-security-technique-for-companies?rq=1 – Cody P Aug 01 '17 at 22:23
  • 1
    @CodyP I was just referring that this question (and questions like it) were off topic due to the type of legal question it is. I use [this meta answer](https://security.meta.stackexchange.com/questions/2325/what-is-wrong-with-this-legal-question-are-legal-questions-on-topic-at-all/2326#2326) from a moderator as a basis of what is an on/off topic legal question in SE. – Bacon Brad Aug 01 '17 at 22:39
  • @CodyP As discussed a few times on meta, questions from 2011-2012 are usually no good indicators of what's considered on-topic now. Some of the linked ones would most likely not stay open if asked today. – Arminius Aug 01 '17 at 23:49
  • @Arminius Thanks but Bacon Brad already gave me what I was looking for: a simple explanation of why this question was closed that doesn't require beginning users to have read through most of the meta or study the grey areas and confusing policies on this site. – Cody P Aug 01 '17 at 23:55

1 Answer

1

On a general basis, as long as you are not using a website the authorized way, then you can assume it is unauthorized by default.

Some websites may explicitly authorize the use of automated scanning tools. A classical example of this is Nmap's ScanMe page. In this case the page clearly states the authorization and the associated limitations.

Some general websites also offer bug bounties allowing, to some extent, the search for vulnerabilities on their systems. Such websites may or may not authorize the use of automated tools; this is usually clearly stated in their bug bounty details.

The "authorized" and "unauthorized" statements however have to be distinguished from the "legal" and "illegal" statements. In some cases, the first ones may have nothing to do with the latter ones. In particular, before engaging in any activity which may, even remotely, be considered offensive, ensure that the explicit authorization has been issued by someone in a position to issue it and in full knowledge of any potential consequences (in particular, before allowing such use, the target must check if his hosting company allows it).

Laws controlling such activity are far more complex than one may think, even more so when the scanning source and destination (either its HQ or its servers) are located in different jurisdictions. Things may quickly go wrong and get out of hand. What if the server you were scanning crashed during your scan and the local sysadmin made no backup? Even if your scan may be technically unrelated to the crash, expect to be designated as the main party responsible for all the damages and the associated losses.

When in doubt, either contact a lawyer before doing anything or abstain.

As a side note, you remain free to scan your own devices on your own network. Simply using virtual machines in your own LAN is usually enough for most personal tests.

WhiteWinterWolf