Penetration Testing mailing list archives
Re: Scanning Class A network
From: Volker Tanger <vtlists () wyae de>
Date: Mon, 24 Oct 2005 22:40:11 +0200
Greetings! On 24 Oct 2005 12:33:05 -0000 tarunthenut () gmail com wrote:
Recently I was given a task to carry out a port scan of an entire valid Class A range (Dont ask me what the huge pool of valid IP's was for :) ). The scan needed to be carried out externally, and not from within the network to identify hosts and ports exposed to the Internet. The problem compounded cause of the following limitations : 1. ICMP was not allowed in the network 2. The IP range was to be scanned every month for the entire port range from 1-65535 for TCP & UDP
Okay, so you can't see wether a host is up and you have to scan all ports for all IPs. 2^16 ports for each UDP and TCP = 2* 2^16 = 2^17 tests for each host Class A = 2^24 hosts Thus total IP+ports to test = packets to send: 2^17 ports * 2^24 hosts = 2^41 tests For simplicity's sake let's assume 60 bytes/packet = 480 bit/packet To scan this within a month you'll need 2^41 tests / month = 2^41 tests * 480 bits/test / month = 1 Pbit/month = 35 Tbit/day = 1,5 Tbit/hour = 24 Gbit/minute = 407 Mbit/s in small packages, full duplex = 848.389 tests/s = packets/s So in best case (no collisions etc.) you'll saturate half an external GIGAbit/s line interface just for pen testing (give or take a small factor). And this only is for the outgoing port-knocking part... ...if you can test that at all. Depending on your gear and optimization you might not be able to sustain spewing out that many connections and track the responses. IPtables usually maxes out at roughly 300.000 packet/s, which is only a third of what you need. For TCP connections RfC793 defines a limit of 268 new TCP sessions/second (54512 non-reusable source ports available, TCP timeout 4 minutes). So as long as you stay RfC-conform you're a bit more than factor 1500 too slow (unless you utilize 1500 parallelized PCs, of course). But you'll need to tweak Linux kernel settings e.g. for state tables anyway, so you might squeeze off a little bit from this, too. So I'd say without being able to reliably check wether a host (IP) is up you won't have a realistic chance to meet your schedule. Even if the impact of that repeated scan onto network infrastructure is ... hm... quite a bit. The network fabric (switches) and firewall (or whatever being used as external gateway) must be able to carry that load, too. We're talking about large-enterprise/carrier class firewalls here... Are you sure your customer fully understood the impact and wants a scan that's saturating roughly half the a Gbit/s interface 24 hours a day, 7 days a week, 365+ days a year? Do you have the equipment capable of this? Does the customer have? Good luck! Volker -- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- vtlists () wyae de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Scanning Class A network, (continued)
- Re: Scanning Class A network David Eduardo Acosta RodrÃguez (Oct 24)
- Re: Scanning Class A network robert (Oct 24)
- Re: Scanning Class A network Mike Jones (Oct 24)
- Re: Scanning Class A network Justin (Oct 24)
- Re: Scanning Class A network Chris Byrd (Oct 24)
- Re: Scanning Class A network Matt Bellizzi (Oct 24)
- RE: Scanning Class A network Kyle Starkey (Oct 24)
- Re: Scanning Class A network Satanic.Brain (Oct 24)
- Re: Scanning Class A network R. DuFresne (Oct 24)
- Re: Scanning Class A network Steve Micallef (Oct 24)
- Re: Scanning Class A network Volker Tanger (Oct 24)
- RE: Scanning Class A network Talisker (Oct 25)
- Re: Scanning Class A network Adam Jones (Oct 26)
- RE: Scanning Class A network Brian Loe (Oct 26)
- Re: Scanning Class A network barcajax (Oct 24)
- RE: Scanning Class A network Jarmon, Don R (Oct 24)
- RE: Scanning Class A network Mike Thompson (Oct 24)
- RE: Scanning Class A network Josh Perrymon (Oct 24)
- RE: Scanning Class A network Derick Anderson (Oct 24)
- Re: Scanning Class A network Cesar Osorio (Oct 24)
- RE: Scanning Class A network Michael Gargiullo (Oct 25)
(Thread continues...)