Penetration Testing mailing list archives
Re: Nmap
From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 3 Oct 2011 15:49:46 +0200 (Western European Summer Time)
Hi,

On Sat, 1 Oct 2011, Mel Chandler wrote:

> The best way I can think of off the top of my head is to do two similar scans, one with a ping scan and the other looking for open ports but without pinging (-Pn), dumping them to two different files and doing a diff between them. Granted, if you have a host out there without any ports open (or you just didn't scan for the port it had open) you'll miss it. Maybe someone else has a better idea?
If your target network is large, Nmap may take a long time to perform a full TCP scan. Instead, you might wanna try an asynchronous stateless TCP scanner such as scanrand or singsing [1]. Remember to watch for closed ports as well, which return TCP RST responses.

Also, targeted UDP scans performed with payload-based scanners such as Unicornscan or Metasploit Framework's udp_sweep can help identify active hosts with no exposed TCP services. Don't forget to try specific tools in order to identify UDP services, e.g. ike-scan and onesixtyone.

Finally, less intrusive methods such as DNS scanning (via Nmap -sL, bruteforce tools such as fierce.pl, or DNS AXFR if available) and Google searches can sometimes do wonders ;)
PS. Of course, if you are on the same network segment as your targets, ARP scan is the way to go, either with Nmap or something like arp-scan.
[1] http://lab.mediaservice.net/code/singsing/

--
Marco Ivaldi OPSA, OPST, OWSE
Senior Security Advisor @ Mediaservice.net Srl
Tel: +39-011-32.72.100
Fax: +39-011-32.46.497
Via San Bernardino, 17
10141 Torino - ITALY
http://www.mediaservice.net/
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
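The two ideas in this thread, Mel's "diff a ping scan against a -Pn port scan" and Marco's reminder that a closed port answering with a RST still proves a host is alive, can be combined in a small script that reconciles the two result files. The following is an added example, not code from either poster: it parses Nmap's grepable (-oG) output, treats any host that returned an open, closed or unfiltered state as responsive, and reports which responsive hosts the ping scan missed, as well as which hosts stayed entirely filtered and therefore cannot be classified either way. The two scan files embedded below are constructed samples, not real results, and the handling of the "Ignored State" summary field is based on the usual -oG layout rather than on anything in the thread.

```python
import re

# Constructed sample in Nmap grepable (-oG) format: a ping scan (-sn).
PING_SCAN = """\
# Nmap 5.51 scan initiated (constructed sample) as: nmap -sn -oG ping.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Up
# Nmap done (constructed sample)
"""

# Constructed sample: the same range scanned with -Pn (no host discovery).
# 10.0.0.3 only has closed ports (RST replies) and 10.0.0.5 is summarised
# by an "Ignored State" field; both still prove the host answered.
PN_SCAN = """\
# Nmap 5.51 scan initiated (constructed sample) as: nmap -Pn -p 22,80,443 -oG pn.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.4 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tIgnored State: closed (3)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")          # port/state/proto/...
IGNORED_RE = re.compile(r"Ignored State:\s+(\w+)\s+\((\d+)\)")

# States that can only be reported if the target actually sent a reply
# (SYN/ACK, RST, or an ACK-scan response).
RESPONSIVE_STATES = {"open", "closed", "unfiltered"}


def parse_grepable(text):
    """Parse -oG output into {ip: {hostname, status, ports, ignored}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        entry = hosts.setdefault(
            m.group(1),
            {"hostname": m.group(2), "status": None, "ports": {}, "ignored": None},
        )
        for field in line.split("\t")[1:]:   # -oG separates fields with tabs
            if field.startswith("Status:"):
                entry["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    entry["ports"][(int(port), proto)] = state
            elif field.startswith("Ignored State:"):
                im = IGNORED_RE.match(field)
                if im:
                    entry["ignored"] = (im.group(1), int(im.group(2)))
    return hosts


def responded(entry):
    """True if any probe got an answer; a RST on a closed port counts."""
    if any(s in RESPONSIVE_STATES for s in entry["ports"].values()):
        return True
    ignored = entry["ignored"]
    return ignored is not None and ignored[0] in RESPONSIVE_STATES and ignored[1] > 0


def hosts_missed_by_ping(ping_text, pn_text):
    """Return (hosts alive in the -Pn scan but not Up in the ping scan,
    hosts whose every port stayed filtered and so remain undetermined)."""
    ping_up = {ip for ip, e in parse_grepable(ping_text).items() if e["status"] == "Up"}
    pn = parse_grepable(pn_text)
    alive = {ip for ip, e in pn.items() if responded(e)}
    undetermined = {ip for ip, e in pn.items() if not responded(e)}
    return sorted(alive - ping_up), sorted(undetermined)


if __name__ == "__main__":
    missed, unknown = hosts_missed_by_ping(PING_SCAN, PN_SCAN)
    print("alive but missed by ping scan:", missed)
    print("all ports filtered, cannot tell:", unknown)
```

To use it on real output, run both scans with `-oG` and feed the file contents to `hosts_missed_by_ping`. The "undetermined" list is the gap Mel points out: a host that drops every probe looks identical to an unused address, which is why the thread goes on to suggest UDP, DNS and ARP methods for those.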