Nmap Development mailing list archives
Re: RFC on Nping: Raw packet probing nirvana
From: Ron <ron () skullsecurity net>
Date: Fri, 08 May 2009 10:08:59 -0500
> Hi Brandon. You should think about this more when you're more rested, as I think you're on to something! In particular, a number of people over the years have asked for this sort of client/server testing to determine what packets are being dropped and how they're being manipulated across the network. If you can think up a concrete proposal, please do send it for discussion. Having Nping act as the sniff server itself is an interesting idea. Or we could have another tool for that (nsniff?), which would sniff for a unique token/signature which Nping, Nmap and the like could be requested to send. This signature could be a unique IP option string, IP ID, TCP option, data value, or the like. That would make it very easy to isolate and only show the packets coming from Nmap/Nping. But it may not work well for some of the things you have in mind. I'm just doing late night incoherent brainstorming too :). But everyone has probably noticed that I've lately had a propensity for dreaming up new tools :).
This is very much related to what Brandon suggested, but for a somewhat different purpose (maybe :) ).
When doing pentesting work, you are sometimes starting from a residential ISP, and there's no telling what filters are in place (one ISP here filters 445, for example, which makes detecting Conficker difficult). Or maybe you broke into the target's wireless network, or are staying at a hotel. It'd be good to have a way of testing an ISP's filters, whether it's port-based, session-based, actual attack signatures, etc.
I once whipped up a tool in Perl where the client would tell the server that it was going to start sending stuff. The server would basically run tcpdump and log everything. When the client announced it was done, the server would send the full capture log to the client. It was up to the client to see what's missing and report what type of filters are in place.
I didn't actually get past writing the server portion, unfortunately. But knowing what kind of filters are in place could be extremely useful to a pen tester (when I was taking a SANS course with Ed Skoudis, he mentioned a desire for such a tool).
Ron

_______________________________________________
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
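The client-side half of the filter test described in Ron's post, combined with the unique-token idea from the quoted message, as an added example (not Ron's Perl tool or any Nmap/Nping code): the client keeps a record of the probes it announced, receives the server's capture log when it says it is done, keeps only packets carrying the agreed token so unrelated traffic is ignored, and reports which probes never arrived. The capture format, token, addresses and probe list are constructed for the example.

```python
import re

# Constructed unique signature placed in every probe payload (cf. the nsniff idea)
PROBE_TOKEN = "FILTERTEST-7f3a"

# Client's record of what it announced it would send: (proto, dst_port, seq)
SENT_PROBES = [("tcp", 80, 1), ("tcp", 445, 2), ("tcp", 443, 3),
               ("udp", 53, 4), ("tcp", 135, 5), ("udp", 161, 6)]

# Constructed, simplified tcpdump-style capture log returned by the server.
# 445, 135 and 161 never arrived; one line is unrelated background traffic.
SERVER_CAPTURE = """\
10:08:01.000 IP 203.0.113.5.40001 > 198.51.100.9.80: tcp payload "FILTERTEST-7f3a seq=1"
10:08:01.010 IP 203.0.113.5.40003 > 198.51.100.9.443: tcp payload "FILTERTEST-7f3a seq=3"
10:08:01.020 IP 203.0.113.5.40004 > 198.51.100.9.53: udp payload "FILTERTEST-7f3a seq=4"
10:08:01.030 IP 192.0.2.77.5555 > 198.51.100.9.80: tcp payload "unrelated traffic"
"""

# Matches "> dst_ip.dst_port: proto payload "..."" in the constructed log format
LINE_RE = re.compile(r'> \S+\.(\d+): (tcp|udp) payload "(.*?)"')


def parse_capture(log, token):
    """Return the set of (proto, port, seq) probes the server actually saw.

    Only packets whose payload carries the token count; everything else on
    the wire (other users, scanners, noise) is ignored, which is the point
    of sending a unique signature.
    """
    seen = set()
    seq_re = re.compile(re.escape(token) + r" seq=(\d+)")
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        port, proto, payload = int(m.group(1)), m.group(2), m.group(3)
        s = seq_re.search(payload)
        if s:
            seen.add((proto, port, int(s.group(1))))
    return seen


def filtered_probes(sent, capture, token=PROBE_TOKEN):
    """Probes the client sent that never showed up in the server's capture."""
    seen = parse_capture(capture, token)
    return [p for p in sent if p not in seen]


def report(sent=SENT_PROBES, capture=SERVER_CAPTURE):
    """Group dropped probes by protocol and port for a readable filter summary."""
    dropped = filtered_probes(sent, capture)
    return sorted({(proto, port) for proto, port, _ in dropped})


if __name__ == "__main__":
    for proto, port in report():
        print(f"{proto}/{port} appears to be filtered on the path")
```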