Security Basics mailing list archives

Re: AW: ICMP (Ping)


From: Tim Greer <chatmaster () charter net>
Date: 08 Sep 2003 10:28:01 -0700

On Mon, 2003-09-08 at 11:17, Meidinger Chris wrote:
Nmap ping scans first unless you tell it not to.

From the nmap manpage at
http://www.insecure.org/nmap/data/nmap_manpage.html:

       -P0    Do  not  try  and ping hosts at all before scanning
              them.  This allows the scanning  of  networks  that
              don't  allow  ICMP  echo  requests  (or  responses)
              through their firewall.  microsoft.com is an example
              of such a network, and thus you should always
              use -P0 or -PT80 when portscanning microsoft.com.

Wouldn't this be a reliable measure of whether people are likely to ping
scan first or just vuln scan right away?


That's right, or you can just use such an option on a number of tools
and specify the port to check... bypassing any checks on the ping
response.  And, of course, it would only take a few minutes to create a
script to check IP ranges for port 80 or 25 responses and compile a list
from that--you can just use Perl and LWP to check if you wanted to get
very simple and accurate, and check for the response code and/or the web
server type and version (assuming the banner hasn't been modified, which
most people don't do) and only add it to a list if you can match the
m/^\s*Server:\s*(.+)$/ field of a known vulnerable version--or whatever
you want to do.  This would perhaps be a total of 8 lines of code.
-- 
Tim Greer <chatmaster () charter net>
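The point of the exchange above is that a scanner reaches port 80 or 25 across a range without ever sending an echo request, so blocking ICMP is not a defence. As an added example (not from any post in this thread), here is a small Python detection that flags sources which hit service ports on several distinct hosts while no ICMP echo request was seen from them. The log format mimics netfilter LOG output and all addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (netfilter LOG style); not real traffic.
SAMPLE_LOG = """\
Sep  8 10:20:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Sep  8 10:20:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Sep  8 10:21:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=80 SYN
Sep  8 10:21:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.2 PROTO=TCP DPT=80 SYN
Sep  8 10:21:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.3 PROTO=TCP DPT=25 SYN
Sep  8 10:21:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.4 PROTO=TCP DPT=80 SYN
Sep  8 10:21:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP DPT=80 SYN
"""

# Pull out source, destination, protocol, ICMP type (if any) and TCP dest port (if any).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

# Ports the thread mentions as typical ping-less sweep targets (HTTP, SMTP).
SERVICE_PORTS = {"80", "25"}


def summarize(log_text):
    """Per source: distinct hosts probed on service ports, and whether it sent ICMP echo."""
    probes = defaultdict(set)     # src -> set of destination hosts hit on 80/25
    echoed = defaultdict(bool)    # src -> True if an ICMP echo request (type 8) was seen
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if m.group("proto") == "ICMP" and m.group("type") == "8":
            echoed[src] = True
        elif m.group("proto") == "TCP" and m.group("dpt") in SERVICE_PORTS:
            probes[src].add(m.group("dst"))
    return probes, echoed


def pingless_sweeps(log_text, min_hosts=3):
    """Sources that touched service ports on >= min_hosts hosts without any echo request."""
    probes, echoed = summarize(log_text)
    return sorted(src for src, hosts in probes.items()
                  if len(hosts) >= min_hosts and not echoed[src])


if __name__ == "__main__":
    print(pingless_sweeps(SAMPLE_LOG))  # ['198.51.100.7']
```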

