Nmap Development mailing list archives

Re: Increasing UDP Scanning with virtual hosts


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 2 Feb 2010 00:54:53 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 1 Feb 2010 12:52:44 -0700
David Fifield <david () bamsoftware com> wrote:
[...]
I tried scanning Linux from two other points on a LAN, and the Linux
did indeed do its rate-limiting per-host. So with two addresses a
scan could go twice as fast. I don't know if it would work if both
scanning hosts had the same MAC address.

This wouldn't be too easy to add to Nmap, but I guess it's possible. I
can imagine running a command like
      nmap -sU -e eth0:0 -e eth0:1 -e eth0:2 -e eth0:3
to make Nmap round-robin between the different addresses.

For just port scanning via a SYN flood, we shouldn't actually need to
use "real interfaces".  We could potentially allow Nmap to ARP for and
"steal" a bunch of IPs similar to Honeyd.  From their page:

There are three different methods to direct traffic to Honeyd:

    * Add a route on your router that directs parts of your network to Honeyd.
    * Use proxy-arp so that your hosts answers arp requests for IP addresses that Honeyd should control.
    * Use arpd to get Honeyd to respond to all unused IP addresses on your network. This often causes DHCP to stop working.

Nmap is already reading responses via PCAP.  That part of the code
wouldn't really need to be updated much.

I'm not really endorsing this idea, I don't know if it's the right
thing for Nmap or not.  I just think that we could implement it
with a little bit of ARP+IP theft and raw frames+PCAP pretty easily.


Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAktnd+QACgkQqaGPzAsl94KewwCglXZLFDrEJYsku84yCUwOxG8I
VjIAoJIE2h1b+g38i8FITKNDfl1YvWT5
=fRd3
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
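The thread above rests on one observation: Linux limits ICMP port-unreachable replies per peer, so the ceiling a UDP scan hits is a per-source-address ceiling, not a per-target one. The following toy simulation is an added example, not code from the thread, from Nmap, or from the Linux kernel. It models the target's limiter as a token bucket keyed either per peer or globally and counts how many replies each probing address receives. The rate, burst, probe rate and the addresses are constructed values chosen for illustration, not Linux's actual defaults (which are set by `net.ipv4.icmp_ratelimit` and `net.ipv4.icmp_ratemask`).

```python
"""Toy model of per-peer versus global ICMP reply rate limiting.

Added example, not part of the mailing-list thread. All times are
integer milliseconds so the arithmetic is exact and reproducible.
"""
from collections import defaultdict


class TokenBucket:
    """Token bucket with `rate` tokens per second and capacity `burst`.

    Credit is kept in thousandths of a token so that (ms elapsed * rate)
    stays an integer: 1000 credit == one token.
    """

    def __init__(self, rate, burst):
        self.rate = rate
        self.cap = burst * 1000
        self.credit = self.cap      # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        """Refill for the elapsed time, then try to spend one token."""
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.credit >= 1000:
            self.credit -= 1000
            return True
        return False


def simulate(sources, probes_per_sec, seconds, rate, burst, per_peer=True):
    """Return {source: number of ICMP unreachables the target sent back}.

    Probes are sent round-robin across `sources` (the scheme David sketched
    with several eth0:N aliases). With per_peer=True the target keeps one
    bucket per source address, as the thread reports Linux doing; with
    per_peer=False a single bucket is shared by every peer.
    """
    assert 1000 % probes_per_sec == 0, "keep the probe interval an integer ms"
    interval_ms = 1000 // probes_per_sec
    per_peer_buckets = defaultdict(lambda: TokenBucket(rate, burst))
    shared_bucket = TokenBucket(rate, burst)
    replies = {src: 0 for src in sources}

    for i in range(probes_per_sec * seconds):
        now_ms = i * interval_ms
        src = sources[i % len(sources)]
        bucket = per_peer_buckets[src] if per_peer else shared_bucket
        if bucket.allow(now_ms):
            replies[src] += 1
    return replies


def total_replies(*args, **kwargs):
    """Convenience wrapper: aggregate reply count across all sources."""
    return sum(simulate(*args, **kwargs).values())


if __name__ == "__main__":
    # Constructed scenario: 100 probes/s for 10 s, limiter allows 1 reply/s
    # per bucket with a burst of 1. Addresses are placeholders.
    one = ["192.0.2.10"]
    four = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print("one source, per-peer limit :", total_replies(one, 100, 10, 1, 1))
    print("four sources, per-peer limit:", total_replies(four, 100, 10, 1, 1))
    print("four sources, global limit  :", total_replies(four, 100, 10, 1, 1, per_peer=False))
```

Under these constructed parameters one address collects 10 replies in 10 seconds, four addresses collect 40 under a per-peer limiter, and the same four collect only 10 under a global limiter. That is the "twice as fast with two addresses" arithmetic from the thread made explicit, and it is also the point a defender should take from it: a per-peer ICMP limit caps how much any single address learns per second, but it does not cap aggregate disclosure, so the number of distinct source addresses sending UDP probes to a host is the quantity worth alerting on.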