Penetration Testing mailing list archives

Re: [PEN-TEST] Any way to speed up mapping for penetration testing?


From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Thu, 15 Mar 2001 23:01:53 -0600

Well, there are a couple of ways to tackle this.  First you've got to find out
why they're disallowing Ping.

Is it because ICMP is being blocked by a router?
------------------------------------------------
  If ICMP is being blocked by a router, then performing a sweep for ports
that aren't being blocked should quickly tell you what hosts are up.  You
could use nmap to SYN scan a few common ports (20,21,23,53,80,110,143), a
few specific ports (i.e. 256 and 258 to look for FireWall-1 control
connections), and a few not so common ones (just grab a few random ports),
dump out the results in machine parsable format (-oM) and grep -v "Ignored
State: closed (0)" to find all the machines that have ports in your list
that aren't "filtered".

        So use something like:
        nmap -sS -P0 -p 20,21,23,53,80,110,143,6000,8080,11111,18232,28237,31337 -oM output.log

  If incoming connections are also being blocked, you could try defeating
the router ACLs by acting like you're responding to a request from the
client by using an ACK scan from port 80.

        So also use something like:
        nmap -sA -P0 -g 80 -p 20,21,23,53,80,110,143,6000,8080,11111,18232,28237,31337 -oM output.log

  You can do even more exhaustive scanning with other tools like hping, but
these will get most of the information you'll need to narrow down which
hosts will need scanning.


Is it because they have a firewall?
-----------------------------------
  This is actually more difficult since there could be any single port open
anywhere up and down their stack on each IP address.  You could try the
first method to find some of the machines, but the ACK scanning will most
likely not work if the firewall is stateful.  The best way I've found to do
this is to have multiple instances of nmap running (if possible, on their
own isolated network link) and also tcpdump/snoop all of the packets going
back and forth and look for any responses to your packets (tcpdump dst
<scanning machine> would break it down to only responses).  Strobe would
work in this case -- all you need to do is just send the packets out and
look through the log file for any responses.  Because you're looking through
the logs and not having the program do the entire analysis, you can bump up
nmap to a faster timing policy (like Aggressive or Insane).  (Just make sure
you're not exhausting your resources or theirs.)

  You can also look for machines that may be dropping packets but are behind
a firewall by doing an IP Protocol scan (-sO) and seeing which ones respond back
with ICMP protocol unreachable messages.

        For example, tcpdump would show it like this:
        23:00:54.337932 my.test.example.com > my.scanning.machine.com: icmp:
my.test.example.com protocol 216 unreachable (DF)

  Note that if you're doing this legitimately, you may want to use the -r
option in nmap so that you can look through the logs and see each
port/protocol scan in order instead of randomized.


------------------------------------

A less resource intensive way to look for systems initially is to look at
the reverse DNS and their forward DNS if they allow zone transfers and uniq
the IP addresses inside for a good list to start from.  In my experience,
this finds about 80% of the systems if they're firewalled off.


Beware:
-------
  We've incidentally DoS'd a few clients by running portscans (not even
heavy ones) on them against systems that are behind proxy-based firewalls.
(I.e. Gauntlet Firewall's httpd proxy dying under the load of having
numerous quickly successive connection attempts.)  If you're logging and
scanning on the same machine, beware that you may lose packets under high
load of logging and generating packets -- For best results, separate the
logging and scanning onto two different machines and toss them on the same
hub.  On the other hand, some clients would like to know if their firewall
croaks under load like that.

// Chris
tobkin () intersec com
P.S. are you sure they don't want ports 1-65535 scanned?
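An added example to go with the reply above (not code from the original post or its author): a small Python script that does the log-reading the reply describes by hand. It marks a host as live when nmap's machine-parsable output shows any port in a state other than filtered (SYN/ACK or RST came back), or when a tcpdump capture of traffic addressed to the scanning machine shows a SYN/ACK, a RST, or the ICMP "protocol N unreachable" reply that a -sO scan draws out. The nmap and tcpdump lines, the 10.0.0.x addresses, the scanner address and the function names are all constructed for this example. The tcpdump parser expects the old one-packet-per-line format quoted in the reply, not the "IP ... Flags [S.]" style of current tcpdump; -oM is the 2001-era name of what later nmap releases call -oG, and the field layout parsed here is the same.

```python
"""Host discovery without ping: mine nmap and tcpdump logs for any reply.

Added example, not code from the original post; every log line is constructed
and every address made up.  SYN/ACK (open), RST (closed, or UNfiltered on an
ACK scan) or ICMP "protocol N unreachable" (from -sO) means the host is there.
"""
import re
from collections import defaultdict

SCANNER = "10.0.0.1"   # constructed: the machine running nmap

# nmap machine-parsable output (-oM in 2001-era nmap, -oG today).
NMAP_OUTPUT = """\
# nmap (V. 2.54BETA22) scan initiated as: nmap -sS -P0 -p 21,23,80,31337 -oM output.log 10.0.0.0/29
Host: 10.0.0.2 ()\tIgnored State: filtered (4)
Host: 10.0.0.3 ()\tPorts: 80/open/tcp//http/, 31337/closed/tcp///\tIgnored State: filtered (2)
Host: 10.0.0.4 (mail.example.test)\tIgnored State: closed (4)
""".splitlines()

# tcpdump on the scanning machine, classic "src.port > dst.port: ..." style.
TCPDUMP_OUTPUT = """\
23:00:54.337932 10.0.0.6 > 10.0.0.1: icmp: 10.0.0.6 protocol 216 unreachable (DF)
23:00:55.120001 10.0.0.3.80 > 10.0.0.1.40012: S 8765:8765(0) ack 40001 win 5840 (DF)
23:00:55.220001 10.0.0.7.23 > 10.0.0.1.40013: R 0:0(0) ack 40002 win 0
23:00:55.300002 10.0.0.1.40014 > 10.0.0.8.80: S 40003:40003(0) win 1024
23:00:55.400003 10.0.0.9.80 > 10.0.0.250.5555: S 1:1(0) ack 2 win 512
""".splitlines()

_PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)")          # port/state/proto/...
_IGNORED_RE = re.compile(r"Ignored State:\s*(\w+)\s*\((\d+)\)")
_PKT_RE = re.compile(r"^\S+\s+(?P<src>\S+?)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$")
_PORT_SUFFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.\d+$")   # "a.b.c.d.port"
_PROTO_UNREACH_RE = re.compile(r"protocol \d+ unreachable")

def parse_nmap_grepable(lines):
    """Yield (host, [(port, state, proto), ...], (ignored_state, count) or None)."""
    for line in lines:
        fields = line.strip().split("\t")
        if not fields[0].startswith("Host:"):
            continue                                  # '#' comment lines
        host, ports, ignored = fields[0].split()[1], [], None
        for f in fields[1:]:
            if f.startswith("Ports:"):
                for entry in f[len("Ports:"):].split(","):
                    m = _PORT_RE.match(entry.strip())
                    if m:
                        ports.append((int(m.group(1)), m.group(2), m.group(3)))
            elif _IGNORED_RE.search(f):
                state, count = _IGNORED_RE.search(f).groups()
                ignored = (state, int(count))
        yield host, ports, ignored

def nmap_responders(lines):
    """host -> sorted evidence tags, for hosts with any non-filtered port."""
    alive = {}
    for host, ports, ignored in parse_nmap_grepable(lines):
        tags = {state for _, state, _ in ports if state != "filtered"}
        if ignored and ignored[0] != "filtered" and ignored[1] > 0:
            tags.add("ignored:" + ignored[0])         # e.g. "all 4 ports closed"
        if tags:
            alive[host] = sorted(tags)
    return alive

def classify_reply(line):
    """(src_host, dst_host, kind) with kind in synack/rst/proto-unreach/other,
    or None for a line not in the old one-packet-per-line tcpdump format."""
    m = _PKT_RE.match(line.strip())
    if not m:
        return None
    src, dst = (_PORT_SUFFIX_RE.sub(r"\1", m.group(g)) for g in ("src", "dst"))
    rest = m.group("rest")
    if rest.startswith("icmp:"):
        kind = "proto-unreach" if _PROTO_UNREACH_RE.search(rest) else "other"
    else:
        flags = rest.split(" ", 1)[0]                 # "S", "R", "." ...
        kind = ("synack" if "S" in flags and " ack " in rest
                else "rst" if "R" in flags else "other")
    return src, dst, kind

def tcpdump_responders(lines, scanner):
    """host -> sorted kinds of reply it sent to the scanning machine."""
    alive = defaultdict(set)
    for line in lines:
        parsed = classify_reply(line)
        if parsed and parsed[1] == scanner and parsed[2] != "other":
            alive[parsed[0]].add(parsed[2])
    return {h: sorted(k) for h, k in alive.items()}

def live_hosts(nmap_lines, tcpdump_lines, scanner):
    """Union of both sources: host -> sorted 'nmap:...' / 'pcap:...' tags."""
    merged = defaultdict(set)
    for host, tags in nmap_responders(nmap_lines).items():
        merged[host].update("nmap:" + t for t in tags)
    for host, tags in tcpdump_responders(tcpdump_lines, scanner).items():
        merged[host].update("pcap:" + t for t in tags)
    return {h: sorted(t) for h, t in merged.items()}

if __name__ == "__main__":
    print(live_hosts(NMAP_OUTPUT, TCPDUMP_OUTPUT, SCANNER))
```

On a real engagement, replace the two constructed lists with the lines of the -oM/-oG file and of the saved tcpdump output (captured with a "dst <scanner>" filter, as the reply suggests, so that your own outbound probes are not mistaken for answers). The script only treats a packet as evidence when it is addressed to the scanner and is a SYN/ACK, RST or protocol-unreachable; 10.0.0.2 above never answers anything and correctly stays off the list.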


Am currently working with a customer to map their network prior to
penetration/vulnerability testing using NMap.  Customer doesn't allow Ping
and wants 65000 ports tested.  Since we can't Ping, NMap takes a long time
to test a single host resulting in a very long testing period.  We've tried
setting a time-out value of 30 seconds but end up missing hosts with this
value.  Has anyone had an experience like this and if so, any
recommendations to efficiently map a network without Ping?

