Nmap Development mailing list archives

Re: Need help for nmap scan


From: magnus () linuxtag org (Nils Magnus)
Date: Thu, 20 Apr 2006 22:36:09 +0200

Re,

On Thu, Apr 20, 2006 at 11:13:23AM -0400, kx wrote:
> Andreas is right, especially if you are scanning from outside the target's LAN.

Well with some heuristics regarding the actual active IP addresses you
_might_ _guess_ if an address is assigned by DHCP, but that has not much
to do with nmap.

> If you are inside the target's LAN, sniff for DHCP traffic, and perform
> traffic analysis. As far as using nmap, both the ARP ping (vendor
> code), and OS detection can help identify what routers are on the LAN,
> which is likely to be the default gateway.

> If you are outside the target LAN, at best, you may be able to tell if
> the target is behind a NAT with nmap, but it depends.

At least you can (under some, or even most circumstances) figure out the
gateway the segment uses to route traffic to _your_ location (which is
in many situations just the single default gateway): Send probes to all
IPs in the target network and watch the TTL field of the response
packets. One might have a smaller count, this is a candidate for the
gateway (because it's topologically closer to you).

These techniques rely on a certain amount of heuristics and experience
and are not accurate in all cases.

However, they emphasize my wish for the inclusion of more traceroute
features in upcoming releases, as I already stated in the nmap-survey :)

Regards,

Nils Magnus
Program-Chair LinuxTag 2006 Free Conference Program

LinuxTag 2006: Where .com meets .org - magnus () linuxtag org


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
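As an added illustration of the TTL heuristic described in the post above (example code, not from the thread or from nmap): given the TTL observed in each host's probe response, normalize it to a hop count by assuming the nearest common initial TTL (64, 128 or 255), then flag the hosts that are strictly closer than the rest of the segment. The hosts and TTL values in SAMPLE are constructed.

```python
# Added example: rank probed hosts by inferred hop distance from response TTLs.
# Sample data below is constructed, not captured from a real network.
import re
from collections import defaultdict

# Common initial TTL values (e.g. Linux 64, Windows 128, many routers 255).
INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(ttl: int) -> int:
    """Estimate hop distance: the sender's initial TTL is assumed to be the
    smallest common default that is >= the observed value. Comparing raw TTLs
    across hosts with different defaults would give misleading results."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    initial = next(i for i in INITIAL_TTLS if i >= ttl)
    return initial - ttl


# Constructed sample: one response line per probed host, 'HOST ttl=N'.
SAMPLE = """\
192.0.2.1 ttl=253
192.0.2.10 ttl=60
192.0.2.11 ttl=124
192.0.2.12 ttl=60
"""
LINE_RE = re.compile(r"^(\S+)\s+ttl=(\d+)\s*$")


def parse_responses(text: str) -> dict:
    """Return {host: ttl}; lines that do not match the format are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = int(m.group(2))
    return hosts


def gateway_candidates(hosts: dict) -> list:
    """Hosts with strictly fewer hops than every other host on the segment.
    Returns [] when all hosts sit at the same distance (no usable signal)."""
    by_hops = defaultdict(list)
    for host, ttl in hosts.items():
        by_hops[hops_from_ttl(ttl)].append(host)
    if len(by_hops) < 2:
        return []
    return sorted(by_hops[min(by_hops)])
```

Note that the host answering with ttl=253 has the largest raw TTL but the smallest hop count once normalized, which is why the normalization step matters.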

