Penetration Testing mailing list archives
RE: Questions: nmap, nessus unreliability, setting up a packet capture box, using Impacket
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 23 Apr 2004 19:40:35 -0400
If you use SHADOW, you can easily modify it to grab the full snaplen of the packets. To do this, modify the tcpdump command in the std.ph (or whatever the site is named) file in the sensor directory. Here's a modification I made for a special-purpose sensor I installed a few months ago to deal with a specific problem user.

    $LOGPROG = "/usr/sbin/tcpdump -s 4000";

BTW, some tcpdumps will use -s 0 to specify grabbing the entire payload of the packet, but that doesn't work for all of them - just wanted to head off any flames in advance....but this isn't a terribly flamey group;)

-----Original Message-----
From: Dan Goldberg [mailto:dan () madjic net]
Sent: Friday, April 23, 2004 2:12 PM
To: Paul Johnston; pen-test () securityfocus com
Subject: Re: Questions: nmap, nessus unreliability, setting up a packet capture box, using Impacket
1) How reliable have people here found nmap and nessus to be? Anything that can be done about this?
Paul, I have had very good luck with Nmap. It helps to know something about the path to the host(s) you are interested in. You will get different results and responses depending on whether there are firewalls or packet filters between the scanner and target. (Sorry, I know this is obvious.) In addition, I always capture a packet trace of any scan I perform to create an audit trail of the scan and to see anything that Nmap fails to report on as I would expect. I also tend to break large scans into smaller chunks. Rather than scanning -p 1-65535 on a host, I will script out a few chunks at a time, usually getting well-known or expected ports first. This is mostly to keep from bogging down the scanner (especially if the scanner is a Windows box).
2) I'm looking at setting up a box to capture all traffic on our scanning network. Does anyone have thoughts on doing this, based on their operational experiences?
I would think that a system like Shadow http://www.nswc.navy.mil/ISSEC/CID/ would help here, or else Snort in logging mode. I have used Shadow to capture large amounts of traffic on a 24-hour basis, and the front end is excellent for reviewing headers. It does, IIRC, collect only the first 68 bytes though, not entire packets.
3) Using Core Impact's Impacket library,
I have never used this. Hope this helps.

-- dan () madjic net --

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
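The snaplen issue in the exchange above (SHADOW's default capturing only the first 68 bytes of each packet, versus Jerry's `-s 4000` change) shows up in the capture file itself: every pcap record stores both the bytes actually captured and the packet's original on-wire length, so a truncated capture can be detected after the fact. The script below is an added example, not code from the original post or from SHADOW; it parses the classic libpcap format and reports how many packets were cut short. The two sample capture files are constructed inline (a 60-byte frame and a 1514-byte frame, written once as a 68-byte-snaplen sensor would store them and once with a 4000-byte snaplen), so nothing is read from a live interface. `build_pcap`, `parse_pcap` and `truncation_report` are names chosen for this example.

```python
"""Detect snaplen truncation in a classic libpcap (.pcap) file.

Added example: not from the original mailing-list post or from SHADOW.
The sample captures below are constructed inline so the script runs
offline; no live traffic or real capture file is used.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as read from a big-endian file
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def parse_pcap(data: bytes):
    """Parse a classic pcap byte string.

    Returns (snaplen, records); each record is a dict holding the captured
    length, the original on-wire length and whether the sniffer cut it short.
    """
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic 0x%08x)" % magic)

    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _vmaj, _vmin, _tz, _sig, snaplen, _linktype = struct.unpack_from(
        endian + "IHHiIII", data, 0)

    off = GLOBAL_HDR_LEN
    records = []
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += RECORD_HDR_LEN
        if off + caplen > len(data):
            raise ValueError("record at offset %d runs past end of file" % (off - RECORD_HDR_LEN))
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "caplen": caplen,             # bytes the sniffer actually stored
            "origlen": origlen,           # bytes that were on the wire
            "truncated": caplen < origlen,
            "data": data[off:off + caplen],
        })
        off += caplen
    return snaplen, records


def truncation_report(data: bytes):
    """Summarise how much of a capture was lost to the snaplen setting."""
    snaplen, recs = parse_pcap(data)
    return {
        "snaplen": snaplen,
        "packets": len(recs),
        "truncated": sum(1 for r in recs if r["truncated"]),
        "lost_bytes": sum(r["origlen"] - r["caplen"] for r in recs),
    }


def build_pcap(snaplen: int, wire_frames):
    """Write a pcap the way a sniffer with the given snaplen would: each
    record keeps only the first `snaplen` bytes of the frame but records
    the frame's full on-wire length in origlen."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(wire_frames):
        cap = frame[:snaplen]
        out.append(struct.pack("<IIII", 1082765000 + i, 0, len(cap), len(frame)))
        out.append(cap)
    return b"".join(out)


# Constructed sample frames (Ethernet 14 + IPv4 20 + TCP 20 headers, then payload):
# a 60-byte SYN-sized frame and a full-size 1514-byte data segment.
SAMPLE_FRAMES = [
    b"\x00" * 60,
    b"\x00" * 54 + b"GET / HTTP/1.0\r\n" + b"A" * 1444,
]

SHADOW_DEFAULT_CAPTURE = build_pcap(68, SAMPLE_FRAMES)     # headers only, payload lost
FULL_CAPTURE = build_pcap(4000, SAMPLE_FRAMES)             # the "-s 4000" sensor


if __name__ == "__main__":
    for name, pcap in (("snaplen 68", SHADOW_DEFAULT_CAPTURE), ("snaplen 4000", FULL_CAPTURE)):
        print(name, truncation_report(pcap))
```

Running the script against a real sensor's output (replace the constructed byte strings with `open(path, "rb").read()`) tells you before an investigation starts whether the payloads you need are actually there; a capture whose `lost_bytes` is non-zero was taken with too small a snaplen, and no amount of post-processing will bring the missing bytes back.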