Re: Fwd: Re: tcpwrapper hassle

["securityfocus () truesec de" <securityfocus () truesec de>]

Hi Richard,

I realize the ambivalence. I've learned that "--min-hostgroup/max-hostgroup"
might make different sense dependent on what you scan, TCP or UDP and which
results do you expect. 

In my case not knowing the network, expect misconfiguration, big results etc.
and scanning UDP it might be of advance to use --min-hostgroup ~50-100, like
Fyodor and other guys recommend; you don't expect that many open ports, scan in
parallel as much as you can, etc. When scanning TCP it might make sense to use
--max-hostgroup ~20 so if a tcpwrapped-monster comes up you won't wait too long
for the first results and you will be able to save them to the harddisk.

You know sitting there and starring at the screen while nmap was counting up the
open TCP ports from ~6000 up to 65535 made me wishing more interactivity with
nmap. Like "Press n to skip to the next host and save the current host to the
list named noisy_hosts.txt to scan them later or from a different machine...".
Is that a legitimate one?

Regards,
Edin


> -------- Original-Nachricht --------
> Datum: Mon, 30 Nov 2009 13:55:13 +0100
> Von: Richard Sammet <richard.sammet () googlemail com>
> An: Edin Dizdarevic <edind () gmx de>
> CC: nmap-dev () insecure org
> Betreff: Re: tcpwrapper hassle
>
> Hi Edin,
>
> you should have  look at the "--min-hostgroup/max-hostgroup <size>:
> Parallel host scan group sizes" option.
>
> By setting the hostgroup to a maximum of e.g. 16, nmap will only scan
> 16 hosts in parallel and after done so it will save the results for
> those 16 hosts to the log before going on to scan the next 16 hosts.
>
> This way you are not going to lose that much result data in case of 
> failure...
>
> You should also keep in mind that speeding up a scan will cause you
> miss some open ports/services. especially if you decide to reduce the
> timeout values... So its really decision between speed an accuracy...
>
>
> Greetings,
> Richard
>
>
> On Mon, Nov 30, 2009 at 8:00 AM, Edin Dizdarevic <edind () gmx de> wrote:
> > Hello list,
> >
> > what I experienced recently was a huge flat ground /16 network with many
> >  nodes using tcpwrapper. Some of them were simply showing almost all ports
> > open which just took a lot, I mean _really_ lots of time to scan.
> >
> > First of all I did not expect so many nodes the customer neither - and then
> > (before writing down the scan(!)) nmap crashed a few times consuming 2GB
> > ram.
> >
> > Is there any other, smarter approach than it was mine - I assume there is -
> > to cope with such stuff?
> >
> > The facts/prerequisites for the job were:
> >
> > * Sensitive environment, no aggressive scans allowed but T4 was fine
> > * /16 Network, unknown number of nodes (it came out 1500)
> > * Full TCP and UDP scan with service and OS recognition required
> > * Many systems showing almost all TCP ports open (tcpwrapped)
> >
> > The hints I found in the nmap book about speeding up TCP and UDP scans were
> > extremely helpful but in this case it did not help me that much at the end
> > of the day. (But nice book... ;-))
> >
> > Regards,
> > Edin
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
>
> -- 
> Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 -
> sicherer, schneller und einfacher! http://portal.gmx.net/de/go/atbrowser

[data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAYAAADgdz34AAADsElEQVR4n
K2VTW9VVRSGn33OPgWpYLARbKWhQlCHTogoSkjEkQwclEQcNJEwlfgD/AM6NBo1xjhx5LyJ0cYEDHGkJ
qhtBGKUpm3SFii3vb2956wPB/t+9raEgSs52fuus89613rftdcNH8/c9q9++oe/Vzb5P+3McyNcfm2Cc
Pj9af9w6gwjTwzvethx3Bx3x8xwd1wNM8dMcTNUHTfFLPnX6nVmZpeIYwf3cWD/PhbrvlPkblAzVFurK
S6GmmGqqComaS+qmBoTI0Ncu3mXuGvWnrJ+ZSxweDgnkHf8ndVTdbiT3M7cQp2Z31dRTecHAfqydp4ej
hwazh6Zezfnu98E1WIQwB3crEuJ2Y45PBTAQUVR9X4At66AppoEVO1Q8sgAOKJJjw6Am6OquDmvHskZ3
R87gW+vlHz98zpmiqphkkRVbQtsfPTOC30lJKFbFTgp83bWh7Zx/uX1B6w3hI3NkkZTqEpBRDBRzG2AQ
HcwcYwEkOGkTERREbLQ/8HxJwuW7zdYrzfZ2iopy4qqEspKaDYravVm33k1R91Q69FA1VBRzFIVvXbx5
AgXT44A8MWP81yfu0utIR2aVK3vfCnGrcUNxp8a7gKYKiLCvY2SUvo/aNtnM3e49ucK9S3p0aDdaT0UA
VsKi2tVi6IWwNL9JvdqTdihaz79/l+u/rHMxmaJVMLkS2OoKKLWacdeE3IsSxctc2D5Qcl6vUlVVgNt+
fkPPcFFmTw1xruvT7SCd7nuVhDQvECzJH90h0azRKoKFRkAmP5lKTWAGRdefoZL554FQNUxB92WvYeA5
UN4PtSqwB2phKqsqMpBgAunRhFR3j49zuU3jnX8k6fHEQKXzh1jbmGDuYU6s4t1rt6socUeLLZHhYO2A
HSHmzt19ihTZ48O8Hzl/AmunD/BjTvrvPfNX3hWsNpwJCvwYm+ngug4UilSCSq6k8YPtxDwfA+WRawIW
FbgscDiULcCEaWqBFOlrLazurupOSHLqGnEKJAY8TwBEHumqUirAjNm52vEPPRV4p01XXMPAQhUBjcWm
9QZwijwokgAeYHlHYA06KR1cT6ZvoV56pDUJQEjw0KeaMgj1hPEY4vz2A4eW0/e1qA7KtQdsxTYAG0H3
iG4xyK1Y+xm7XmEPOJZDiENzLi2WZHngeOjj2Pe+sMg4GRYyLAsx7ME4FnsyTD9pr0PEc8zPGRAwKXBk
YOPEd96cZRvf11g9MDe7e3R4Z4Q+vyEnn3P4t0XzK/W+ODN5/kPfRLewAJVEQ0AAAAASUVORK5CYII%3
D]
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/