Penetration Testing mailing list archives

Re: [PEN-TEST] Any way to speed up mapping for penetration testing?


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Thu, 15 Mar 2001 17:17:11 -0600


The method I developed works extremely well:

1. Determine the average RTT to that host via hping or similar tool. Try
sending syn packets to a port you know is open, or try pinging another host
on the same segment, and finally if that doesn't work, ping their gateway and
take that RTT.

2. Take the RTT from above and double it, then pass it to nmap's
--max_rtt_timeout option along with a reasonable maximum host timeout (based
on number of ports * 2 * RTT).

The nmap scan should take a maximum of 3-5 minutes on a normal ethernet
segment. By forcing the max rtt to be double the known value, you keep nmap
from taking forever while waiting on responses back from filtered ports.
Hard network spikes in the middle of your scan can cause nmap to timeout
prematurely, so make sure the network isn't being clobbered before you try
this.

You also might want to check out SpiderMap, a parallelized nmap scanning
script, created for this purpose a couple of years ago.  You can find a copy on
my digital offense web site in the projects section.

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)
http://www.dursec.com (conf)



On Thursday 15 March 2001 01:58 pm, Randy Molen wrote:
Am currently working with a customer to map their network prior to
penetration/vulnerability testing using NMap.  Customer doesn't allow Ping
and wants 65000 ports tested.  Since we can't Ping, NMap takes a long time
to test a single host resulting in a very long testing period.  We've tried
setting a time-out value of 30 seconds but end up missing hosts with this
value.  Has anyone had an experience like this and if so, any
recommendations to efficiently map a network without Ping?

thanks

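The two-step timing method from HD's reply, as an added example script that is not part of the original post or of nmap: it reads the average RTT from a ping or hping summary, doubles it for --max_rtt_timeout, sizes --host_timeout as ports * 2 * RTT, and prints the resulting scan command. The sample ping line and the 192.0.2.10 target are constructed; option spellings are the 2001-era ones (current nmap uses --max-rtt-timeout, --host-timeout and -Pn).

```shell
#!/bin/sh
# Added example, not from the original post: derive the nmap timeouts of
# steps 1 and 2 from a measured RTT. Assumes the "min/avg/max" summary line
# printed by ping or hping, and the 2001-era nmap option spelling
# (--max_rtt_timeout, --host_timeout, -P0), with all values in milliseconds;
# current nmap takes the same values as --max-rtt-timeout/--host-timeout/-Pn.

# Step 1: pull the average RTT (ms) out of a ping/hping summary on stdin, e.g.
#   "rtt min/avg/max/mdev = 11.902/12.500/13.410/0.412 ms"   (Linux ping)
#   "round-trip min/avg/max = 0.4/0.5/0.8 ms"                (hping, BSD ping)
avg_rtt_ms() {
    awk '/min\/avg\/max/ { sub(/.*= */, ""); split($0, f, "/"); print f[2]; exit }'
}

# Step 2: max RTT timeout = 2 * RTT, host timeout = ports * 2 * RTT, both
# rounded up to whole ms. Prints "<max_rtt_timeout> <host_timeout>".
nmap_timeouts() {
    awk -v rtt="$1" -v ports="$2" '
        function ceil(x) { return (x == int(x)) ? x : int(x) + 1 }
        BEGIN { m = 2 * rtt; printf "%d %d\n", ceil(m), ceil(ports * m) }'
}

# Print (do not run) the scan command for one host: no ping sweep, the
# requested port range, and the two timeouts computed above.
nmap_cmd() {    # usage: nmap_cmd <target> <avg_rtt_ms> <port_count>
    target=$1; rtt=$2; ports=$3
    timeouts=$(nmap_timeouts "$rtt" "$ports")
    max_rtt=${timeouts%% *}
    host_to=${timeouts##* }
    printf 'nmap -sS -P0 -p 1-%s --max_rtt_timeout %s --host_timeout %s %s\n' \
        "$ports" "$max_rtt" "$host_to" "$target"
}

# Constructed sample: the summary line of "ping -c 10" against a host on the
# target segment (12.5 ms average), and a documentation-range target address.
SAMPLE_PING='rtt min/avg/max/mdev = 11.902/12.500/13.410/0.412 ms'
RTT=$(printf '%s\n' "$SAMPLE_PING" | avg_rtt_ms)
nmap_cmd 192.0.2.10 "$RTT" 65000
# prints: nmap -sS -P0 -p 1-65000 --max_rtt_timeout 25 --host_timeout 1625000 192.0.2.10
```

Re-measure the RTT on a quiet network before scanning, since a doubled RTT taken during a spike will make nmap give up on hosts early.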

