Penetration Testing mailing list archives

Re: [PEN-TEST] subnet discovery


From: Yonatan Bokovza <Yonatan () XPERT COM>
Date: Mon, 19 Mar 2001 18:31:21 +0200

Hacking hping is one option. Using an existing tool
is far easier. My fav is SING, from sourceforge,
or ports/net/sing for the FreeBSD'ers.
Excerpt:
MyMachine# sing -c 1 -mask SolarisMachine
SINGing to SolarisMachine (10.0.0.1): 12 data bytes
12 bytes from 10.0.0.1: seq=0 DF! ttl=255 TOS=0 mask=255.255.255.0
--- 10.0.0.1 sing statistics ---
1 packets transmitted, 1 packets received, 0% packet loss


According to Arkin's paper (sys-security.com), the only ones
that answer ICMP_TIMESTAMP are Solaris, win95/8/ME,
winNT-pre SP3, and some routing equipment.
Note that Cisco Catalyst 5505 with OSS v4.5 answers
both direct requests and broadcast requests.

Regards,
Yonatan Bokovza.

-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes () DELOITTE CO ZA]
Sent: Monday, March 19, 2001 1:27 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] subnet discovery


There exists an ICMP netmask message, which might also work. Have a look at
hping2.
http://www.kyuzz.org/antirez/hping.html

Actually, looking at the source, it doesn't support ICMP_ADDRESS requests.
Maybe you can hack it. Also have a look at hping3, linked from the same
site, although there doesn't seem to be much code yet.

Linux also doesn't support ICMP_ADDRESS, it seems, from "man icmp", so Linux
2.2+ machines probably won't answer this type of ICMP message.

Rogan



-----Original Message-----
From: Jason Ellison [mailto:infotek () DATASYNC COM]
Sent: 18 March 2001 10:15
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] subnet discovery


Has anyone seen a tool that does ping sweeps and detects DUP packets,
outputting results into a nice parsable format?
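The ICMP address mask exchange that sing drives in the excerpt above (RFC 950, type 17 request / type 18 reply, 12 bytes each), as an added example that is not part of this thread or of SING/hping: a small Python parser that builds the messages, verifies the RFC 1071 checksum, and audits constructed sample traffic so a defender can spot hosts that answer with their netmask. The addresses, the sample records and the audit function are my own assumptions.

```python
import struct
import ipaddress

# ICMP address mask request/reply types (RFC 950); the messages sing -mask sends and receives.
ICMP_MASK_REQUEST = 17
ICMP_MASK_REPLY = 18

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a complete valid message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_mask_message(kind: int, mask: str = "0.0.0.0", ident: int = 1, seq: int = 0) -> bytes:
    """Build the 12-byte message: type, code, checksum, id, seq, 4-byte mask (zero in a request)."""
    body = struct.pack("!BBHHH4s", kind, 0, 0, ident, seq, ipaddress.IPv4Address(mask).packed)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_mask_message(payload: bytes):
    """Return (type, seq, mask) for an RFC 950 message; None for other or corrupted ICMP."""
    if len(payload) < 12:
        return None
    kind, code, _, _, seq, mask = struct.unpack("!BBHHH4s", payload[:12])
    if kind not in (ICMP_MASK_REQUEST, ICMP_MASK_REPLY) or code != 0 or icmp_checksum(payload[:12]):
        return None
    return kind, seq, str(ipaddress.IPv4Address(mask))

def audit(records):
    """records: (src, dst, icmp_bytes). Flags mask requests and replies that disclose a netmask."""
    findings = []
    for src, dst, payload in records:
        parsed = parse_mask_message(payload)
        if parsed is None:
            continue
        kind, seq, mask = parsed
        if kind == ICMP_MASK_REQUEST:
            findings.append(f"mask-request {src} -> {dst} seq={seq}")
        else:
            findings.append(f"mask-reply {src} -> {dst} seq={seq} mask={mask}")
    return findings

# Constructed sample traffic (assumed addresses) mirroring the sing exchange in the thread,
# plus an echo request (type 8) that the audit must ignore.
SAMPLE = [
    ("10.0.0.5", "10.0.0.1", build_mask_message(ICMP_MASK_REQUEST)),
    ("10.0.0.1", "10.0.0.5", build_mask_message(ICMP_MASK_REPLY, "255.255.255.0")),
    ("10.0.0.1", "10.0.0.5", build_mask_message(8)),
]
```

Run audit(SAMPLE) over real captures by feeding it the ICMP portion of each packet; a reply finding identifies a host that still answers address mask requests.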

