Nmap Development mailing list archives

Re: 2 ideas for NMAP, 1 open question


From: Lamont Granquist <lamont () scriptkiddie org>
Date: Fri, 24 May 2002 01:14:17 -0700 (PDT)



On Fri, 24 May 2002, Fyodor wrote:
> > ARP scan.
> >
> > I've noticed that this is what happens anyways when you do a TCP or ICMP
> > scan on your local network (just think about it for a second).  You could
> > just cut to the chase and do this directly.  Ideally do it massively

> Hi Lamont!  I agree.  This is certainly on my (very long) list, but
> perhaps someone will beat me to the chase :).  I have traditionally
> avoided ethernet-specific stuff, but am slowly changing my mind as it
> becomes more and more prevalent among home end users.

Like I said, I think ethernet specific features make sense as long as you
don't break anything in the process.  Ideally you'd write it so that while
it was ethernet specific it wouldn't be that difficult to extend it to
other link-layers as well.  I'd view it just as extending the features of
NMAP for its largest "market segment" first -- rather than viewing it as
hard-coding in dependencies on ethernet.

> > broken).  Libnet might make ARP scanning a lot easier to implement, and I
> > think the link-layer output could be useful in other circumstances to play
> > with.

> Libnet is nice, although I have lately been playing with Dug Song's
> Libdnet ( http://libdnet.sourceforge.net/ ) and have been quite
> impressed.

Yeah, I might have gotten a bit too specific by mentioning libnet.  And if
both libnet and libdnet didn't work out, rolling an NMAP-specific (but
generally reusable) packet output layer would work too.

> > IPv6
> >
> > Anyone got any ideas for how to ping sweep an entire 64-bit address space,
> > corresponding to one network?  IPv6 seems to pose some interesting
> > challenges.

> Yes it does.  The good news is that this is being worked on :).  Not
> by me though.  A Belgian graduate student named Sébastien Peterson
> (seb.peterson () easynet be) is working on this for his thesis.
> Apparently he has some scans working already.  I certainly would be
> interested in integrating that into core Nmap.

Could you use the list of allocated EUI-48's (aka MAC addys) to scan for
machines?  Program a scanner to go through all eepro100 MACs in a subnet?
You've got to get that 64-bit address space cut down somehow (and the
whole 128-bit address space is a really nasty problem, just getting a
counter to increment completely through 128-bits takes an enormous amount
of computing power...)
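The search-space argument above, worked through as an added example (not code from this thread, from Nmap, or from the thesis mentioned): a SLAAC host derives its 64-bit interface identifier from its MAC (modified EUI-64, RFC 4291), so fixing a vendor OUI leaves only the 24 NIC-specific bits to enumerate instead of 64. The same structure gives a defender a cheap check for addresses that expose the MAC, which privacy extensions (RFC 4941) avoid. The prefix and MAC used are constructed sample values.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: insert 0xFFFE between the OUI and the NIC-specific
    half, then flip the universal/local bit (bit 1 of the first octet).
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """IPv6 address a SLAAC host would autoconfigure in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 based SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def candidates_for_oui() -> int:
    """Addresses one vendor OUI can produce inside a single /64 (2**24)."""
    return 1 << 24


def search_space_reduction() -> int:
    """How many times smaller the per-OUI space is than the full 64-bit IID space."""
    return (1 << 64) // candidates_for_oui()


def is_mac_derived(addr: str) -> bool:
    """Defender-side check: does this address carry the 0xFFFE marker that
    a modified EUI-64 identifier always has in the middle of its IID?"""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    # constructed sample: documentation prefix and an arbitrary MAC
    a = slaac_address("2001:db8:1:2::/64", "00:02:b3:12:34:56")
    print(a, is_mac_derived(str(a)), search_space_reduction())
```

A host whose address fails `is_mac_derived` is either using privacy/temporary addresses or a statically assigned identifier, which is what an operator wanting unpredictable addresses should expect to see.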

