Penetration Testing mailing list archives
Re: [PEN-TEST] Any way to speed up mapping for penetration testing?
From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Thu, 15 Mar 2001 23:01:53 -0600
Well, there are a couple of ways to tackle this. First you've got to find out why they're disallowing Ping.

Is it because ICMP is being blocked by a router?
------------------------------------------------

If ICMP is being blocked by a router, then performing a sweep for ports that aren't being blocked should quickly tell you what hosts are up. You could use nmap to SYN scan a few common ports (20,21,23,53,80,110,143), a few specific ports (i.e. 256 and 258 to look for FireWall-1 control connections), and a few not so common ones (just grab a few random ports), dump out the results in machine parsable format (-oM) and grep -v "Ignored State: closed (0)" to find all the machines that have ports in your list that aren't "filtered". So use something like:

    nmap -sS -P0 -p 20,21,23,53,80,110,143,6000,8080,11111,18232,28237,31337 -oM output.log <targets>

If incoming connections are also being blocked, you could try defeating the router ACLs by acting like you're responding to a request from the client by using an ACK scan from port 80. So also use something like:

    nmap -sA -P0 -g 80 -p 20,21,23,53,80,110,143,6000,8080,11111,18232,28237,31337 -oM output.log <targets>

You can do even more exhaustive scanning with other tools like hping, but these will get most of the information you'll need to narrow down which hosts will need scanning.

Is it because they have a firewall?
-----------------------------------

This is actually more difficult since there could be any single port open anywhere up and down their stack on each IP address. You could try the first method to find some of the machines, but the ACK scanning will most likely not work if the firewall is stateful. The best way I've found to do this is to have multiple instances of nmap running (if possible, on their own isolated network link) and also tcpdump/snoop all of the packets going back and forth and look for any responses to your packets (tcpdump dst <scanning machine> would break it down to only responses).

Strobe would work in this case -- all you need to do is just send the packets out and look through the log file for any responses. Because you're looking through the logs and not having the program do the entire analysis, you can bump up nmap to a faster timing policy (like Aggressive or Insane). (Just make sure you're not exhausting your resources or theirs.)

You can also look for machines that may be dropping packets but are behind a firewall by doing an IP Protocol scan (-sO) and seeing which ones respond back with ICMP protocol unreachable messages. For example, tcpdump would show it like this:

    23:00:54.337932 my.test.example.com > my.scanning.machine.com: icmp: my.test.example.com protocol 216 unreachable (DF)

Note that if you're doing this legitimately, you may want to use the -r option in nmap so that you can look through the logs and see each port/protocol scan in order instead of randomized.

------------------------------------

A less resource intensive way to look for systems initially is to look at the reverse DNS and their forward DNS if they allow zone transfers and uniq the IP addresses inside for a good list to start from. In my experience, this finds about 80% of the systems if they're firewalled off.

Beware:
-------

We've incidentally DoS'd a few clients by running portscans (not even heavy ones) on them against systems that are behind proxy-based firewalls. (I.e. Gauntlet Firewall's httpd proxy dying under the load of having numerous quickly successive connection attempts.) If you're logging and scanning on the same machine, beware that you may lose packets under high load of logging and generating packets -- for best results, separate the logging and scanning onto two different machines and toss them on the same hub. On the other hand, some clients would like to know if their firewall croaks under load like that.

// Chris
tobkin () intersec com

P.S. are you sure they don't want ports 1-65535 scanned?
Am currently working with a customer to map their network prior to penetration/vulnerability testing using NMap. Customer doesn't allow Ping and wants 65000 ports tested. Since we can't Ping, NMap takes a long time to test a single host resulting in a very long testing period. We've tried setting a time-out value of 30 seconds but end up missing hosts with this value. Has anyone had an experience like this and if so, any recommendations to efficiently map a network without Ping?
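Added example, not part of Chris's post or the list archive: the reply's method boils down to "send probes with -P0, then read the logs for anything that answered". This Python script does that reading for the two log kinds the reply mentions. For nmap's machine-parsable (-oM) lines, a host is proven up if any listed port is in a state other than filtered (open means a SYN/ACK came back, closed means a RST) or if its "Ignored State" is a non-zero count of closed ports. For tcpdump, it pulls out the ICMP protocol-unreachable replies an -sO scan provokes, and, more generally, every source that sent anything back to the scanning machine. The sample lines are constructed and only modeled on those formats (real nmap field layout varies by version), and the scanner address 10.0.0.99 is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed sample modeled on nmap machine-parsable (-oM) output; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
# nmap scan initiated (constructed sample)
Host: 10.0.0.1 (gw.example.com)\tPorts: 23/open/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: filtered (11)
Host: 10.0.0.2 ()\tPorts: 21/filtered/tcp//ftp///\tIgnored State: filtered (12)
Host: 10.0.0.3 ()\tPorts: 25/filtered/tcp//smtp///\tIgnored State: closed (12)
Host: 10.0.0.4 ()\tPorts: 80/filtered/tcp//http///\tIgnored State: filtered (12)
# Nmap run completed (constructed sample)
"""

# Constructed sample modeled on the tcpdump line quoted in the reply; 10.0.0.99 is the
# assumed scanning machine.
SAMPLE_TCPDUMP_OUTPUT = """\
23:00:54.337932 my.test.example.com > my.scanning.machine.com: icmp: my.test.example.com protocol 216 unreachable (DF)
23:00:55.101220 10.0.0.5 > 10.0.0.99: icmp: 10.0.0.5 protocol 17 unreachable (DF)
23:00:55.402911 10.0.0.99.45123 > 10.0.0.6.80: S 12345:12345(0) win 1024
23:00:56.004400 10.0.0.6.80 > 10.0.0.99.45123: R 0:0(0) ack 12346 win 0
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]+)")
IGNORED_RE = re.compile(r"Ignored State:\s+(\w+)\s+\((\d+)\)")
PROTO_UNREACH_RE = re.compile(r"icmp:\s+(\S+)\s+protocol\s+\d+\s+unreachable")
SRC_DST_RE = re.compile(r"^\S+\s+(\S+)\s+>\s+(\S+):")


def hosts_from_nmap(text: str) -> Dict[str, List[str]]:
    """Return {host: evidence} for hosts that answered at least one TCP probe.

    With -P0 every address is scanned, so the only proof of life is a port that
    is NOT 'filtered': open = SYN/ACK received, closed = RST received. A non-zero
    'Ignored State: closed (N)' is the same RST evidence summarised in bulk.
    """
    alive: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        evidence: List[str] = []
        pm = PORTS_RE.search(line)
        if pm:
            for entry in pm.group(1).split(","):
                fields = entry.strip().split("/")  # port/state/proto//service///
                if len(fields) >= 2 and fields[1] != "filtered":
                    evidence.append(f"{fields[0]}/{fields[1]}")
        im = IGNORED_RE.search(line)
        if im and im.group(1) != "filtered" and int(im.group(2)) > 0:
            evidence.append(f"{im.group(2)} ports {im.group(1)}")
        if evidence:
            alive[host] = evidence
    return alive


def hosts_from_tcpdump(text: str) -> Set[str]:
    """Hosts that sent ICMP 'protocol unreachable' replies (responses to -sO)."""
    return {m.group(1) for line in text.splitlines()
            if (m := PROTO_UNREACH_RE.search(line))}


def _strip_port(addr: str) -> str:
    """Drop tcpdump's trailing '.port' from 'a.b.c.d.port' or 'name.port'."""
    parts = addr.split(".")
    if all(p.isdigit() for p in parts):
        return ".".join(parts[:4]) if len(parts) == 5 else addr
    return ".".join(parts[:-1]) if parts[-1].isdigit() else addr


def responders_to(text: str, scanner: str) -> Set[str]:
    """Every source that sent any packet back to the scanning machine
    (the same filter as 'tcpdump dst <scanning machine>', applied to the log)."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = SRC_DST_RE.match(line)
        if m and _strip_port(m.group(2)) == scanner:
            found.add(_strip_port(m.group(1)))
    return found


if __name__ == "__main__":
    for host, why in hosts_from_nmap(SAMPLE_NMAP_OUTPUT).items():
        print(f"nmap: {host} up ({', '.join(why)})")
    print("icmp proto-unreachable:", sorted(hosts_from_tcpdump(SAMPLE_TCPDUMP_OUTPUT)))
    print("answered the scanner:", sorted(responders_to(SAMPLE_TCPDUMP_OUTPUT, "10.0.0.99")))
```

On the sample, 10.0.0.2 and 10.0.0.4 never appear in the output: their ports are all filtered, which is exactly the "unknown" bucket the reply says needs the slower firewall-oriented methods. Feed real output in with `hosts_from_nmap(open("output.log").read())` and the tcpdump capture the same way.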
Current thread:
- Re: [PEN-TEST] Any way to speed up mapping for penetration testing? Chris Tobkin (Mar 16)