Security Basics mailing list archives

Re: Query: NMAP and Multiple Tier Network Discovery


From: "Jason Ross" <algorythm () gmail com>
Date: Wed, 6 Aug 2008 13:28:47 -0400

On Wed, Aug 6, 2008 at 8:46 AM, william fitzgerald <wfitzgerald () tssg org> wrote:
Dear Experts,

Can NMAP map and traverse multiple networks within a single enterprise?

I am looking for a nice open source network discovery tool that can discover
hosts and their services within an enterprise/corporate environment.

Example enterprise network topology:
GatewayFirewall --> DMZ Servers
               --> Tier2-Firewall --> Application Servers
                                  --> Tier3-Firewall --> Databases
                                                     --> Corp-LAN

It would be handy to use a tool to traverse the network (including firewalls
and routers) to map out the entire network for host types and the services they
run. Presumably all firewalls in the enterprise network would have rules to
permit the dedicated host running nmap.

Is NMAP capable of this if it's only hosted/running in a single tier, or
should I be looking at multiple instances of nmap, another tool
(www.netdisco.org/ ), or a combination of tools?


Maybe I'm missing some subtlety in the problem, but if you can
summarize the different networks, you can scan them all from a single
nmap instance:

   TARGET SPECIFICATION:
      Can pass hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
         -iL <inputfilename>: Input from list of hosts/networks
         -iR <num hosts>: Choose random targets
         --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
         --excludefile <exclude_file>: Exclude list from file


That said, if all you're attempting to do is enumerate hosts, there
may be better tools to accomplish this ... scanrand comes to mind.
It'd allow for summarizing similarly to nmap, but may provide better
results dealing with large numbers of hosts.

--
Jason
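
As an added illustration of the single-instance approach in the reply above (this script is not part of the original thread and is not nmap's own code), the following POSIX shell script builds one -iL target file covering every tier, writes an --excludefile so the scanning host is skipped, and composes a single nmap invocation. The tier names, the RFC 5737/1918 subnets and the scanner address are constructed placeholders, not a real enterprise; the firewall rules permitting the scanner host through each tier, as the original poster presumes, are assumed to exist.

```shell
#!/bin/sh
# Added example: one nmap run over every tier of a multi-tier network.
# Not from the original thread. All addresses below are constructed placeholders.

# Constructed tier map, one "<tier> <network>" pair per line. Hostnames or
# single addresses work here too; nmap -iL accepts anything its target
# specification accepts.
TIERS='dmz 192.0.2.0/24
app 198.51.100.0/24
db 203.0.113.0/24
corp 10.10.0.0/23'

# Address of the host running nmap (assumed); excluded so we never scan ourselves.
SCANNER_IP="${SCANNER_IP:-10.10.0.5}"

# Write the -iL target list from the tier map. Argument 1: output path.
write_targets() {
    printf '%s\n' "$TIERS" | awk '{ print $2 }' > "$1"
}

# Write the --excludefile: the scanner itself plus any extra hosts given as
# arguments (e.g. fragile appliances). Argument 1: output path.
write_excludes() {
    out="$1"; shift
    {
        printf '%s\n' "$SCANNER_IP"
        for h in "$@"; do printf '%s\n' "$h"; done
    } > "$out"
}

# Compose the nmap command line as a string so it can be reviewed before
# anything is sent on the wire. Arguments: targets file, excludes file, -oA base.
#   -sS -sV : SYN scan plus service/version detection for "services they run"
#   -Pn     : tiered firewalls commonly drop ICMP, so do not gate the port scan
#             on a ping reply (otherwise filtered tiers look empty)
#   -oA     : keep normal, grepable and XML output for later parsing
nmap_cmdline() {
    printf 'nmap -sS -sV -Pn -iL %s --excludefile %s -oA %s' "$1" "$2" "$3"
}

main() {
    tmp=$(mktemp -d)
    write_targets "$tmp/targets.txt"
    write_excludes "$tmp/exclude.txt"
    cmd=$(nmap_cmdline "$tmp/targets.txt" "$tmp/exclude.txt" "$tmp/enterprise")
    echo "Targets:"; cat "$tmp/targets.txt"
    echo "Excluded:"; cat "$tmp/exclude.txt"
    echo "Command: $cmd"
    # Only execute when explicitly requested and nmap is actually installed;
    # a SYN scan needs root (or CAP_NET_RAW), so run it as a privileged user.
    if [ "${RUN_SCAN:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
        $cmd
    fi
}

main "$@"
```

Run it as is to see the generated target list and command line; set RUN_SCAN=1 to actually execute the scan. Keeping all tiers in one -iL file is exactly the "summarize the different networks" point of the reply: nmap handles the aggregation, and the only per-tier work left is making sure each firewall permits the scanner host, and noting that a tier which shows no hosts may simply be one whose firewall is dropping the probes rather than one that is empty.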

