Penetration Testing mailing list archives
RE: faster scans? (nmap)
From: JLETOUX () bouyguestelecom fr
Date: Tue, 4 Jun 2002 15:45:12 +0200
Another solution I used before is quite similar to this one... But I was forging packets for the targeted host and putting my computer in sniffing mode (tcpdump + tcpslice). Then a tiny script was getting the hosts from which I got a response. Like this, sending packets is very fast and your network stack is not suffering from the number of connections, because there aren't any ;)

Have a nice day =)

Regards,
Jean-Marc LE TOUX

Jar Jar Binks: Monsters out there, leaking in here. Weesa all sinking and no power. Whena yousa thinking we are in trouble? (Episode 1, Star Wars)

PS: for forging, take a look at iwu.c, located in http://www.hsc.fr/ressources/outils/idswakeup/download/IDSwakeup-1.0.tgz
-----Original Message-----
From: Andreas Junestam [SMTP:andreas () atstake com]
Date: Tuesday, 4 June 2002 09:57
To: wirepair
Cc: pen-test () securityfocus com
Subject: Re: faster scans? (nmap)

Hi,

there is one more way to do this, but it assumes the machine listens on at least one well-known port. Do a SYN sweep (fscan is easy to use for this if you're stuck under Windows) of the entire class B, but only scan for 10-20 well-known ports and without pinging, such as ftp, ssh, telnet, dns, http, finger, fw-1 ports, netbios, rpcportmap, https, ldap, cisco ports and so on. This will not take more than 10-20 sec per host. When you have pinned down most machines with this (and maybe combined with an ordinary ping sweep), just hit all found machines with a full-blown nmap scan.

/andreas

wirepair wrote:

Thanks for the responses:

- The -PT option is great if you know the host is listening on that specific port; otherwise it's kind of useless. Remember a firewall is most likely sitting in front intercepting these packets; if the IP does not exist, the firewall's going to drop the packet (and not send a RST). This gives us no information to work from, heh.

- The -T Insane (5) and -T Aggressive (4) options don't exactly help either. Insane gives up after 75 seconds if no response is seen (keep in mind a machine that may have a service listening on port 23592; this would never get picked up, nmap would quit after 75 seconds of scanning [unless it hit this by random]). So that rules this option out. Aggressive timed out in 300 seconds, same deal as before with Insane.

- strobe didn't seem to work any faster in this case; I tried that as well.

*sigh* people need to not disable icmp echo reply :)

Any other suggestions?
(Thanks to all of you who did respond)

-wire

--------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
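As an added example (not from anyone in this thread): the SYN sweep Andreas describes and the sniff-for-responses approach above both leave a recognisable pattern in a packet capture. This Python script, run over constructed tcpdump-style lines (not real traffic), flags a source whose bare SYNs reach many hosts on a small set of well-known ports and lists which hosts answered it with a SYN-ACK, i.e. which listeners were disclosed; the source/host counts and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n` output (not a real capture).
SAMPLE_CAPTURE = """\
15:45:12.000001 IP 10.0.0.5.40001 > 172.16.3.7.22: Flags [S], seq 1, win 1024, length 0
15:45:12.000002 IP 10.0.0.5.40001 > 172.16.3.7.80: Flags [S], seq 1, win 1024, length 0
15:45:12.000003 IP 10.0.0.5.40001 > 172.16.3.8.22: Flags [S], seq 1, win 1024, length 0
15:45:12.000004 IP 10.0.0.5.40001 > 172.16.3.8.80: Flags [S], seq 1, win 1024, length 0
15:45:12.000005 IP 10.0.0.5.40001 > 172.16.3.9.22: Flags [S], seq 1, win 1024, length 0
15:45:12.000006 IP 10.0.0.5.40001 > 172.16.3.9.80: Flags [S], seq 1, win 1024, length 0
15:45:12.000007 IP 10.0.0.5.40001 > 172.16.3.10.22: Flags [S], seq 1, win 1024, length 0
15:45:12.000008 IP 10.0.0.5.40001 > 172.16.3.10.80: Flags [S], seq 1, win 1024, length 0
15:45:12.000010 IP 172.16.3.7.22 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 5840, length 0
15:45:12.000011 IP 172.16.3.9.80 > 10.0.0.5.40001: Flags [S.], seq 9, ack 2, win 5840, length 0
15:45:13.000001 IP 10.0.0.6.51000 > 172.16.3.7.80: Flags [S], seq 1, win 64240, length 0
15:45:13.000002 IP 172.16.3.7.80 > 10.0.0.6.51000: Flags [S.], seq 5, ack 2, win 5840, length 0
15:45:13.000003 IP 10.0.0.6.51000 > 172.16.3.7.80: Flags [.], ack 6, win 64240, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" in tcpdump's TCP output.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def analyze_capture(text, min_hosts=4):
    """Return {source: {"hosts": n, "ports": [...], "answered": [(host, port), ...]}}
    for every source whose bare SYNs reached at least min_hosts distinct hosts.
    min_hosts is an assumed threshold; a real class B sweep touches thousands."""
    syn_hosts = defaultdict(set)   # source -> distinct destination hosts probed
    syn_ports = defaultdict(set)   # source -> distinct destination ports probed
    answered = defaultdict(list)   # source -> (host, port) that replied SYN-ACK
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S":        # bare SYN: a probe, or a normal connection start
            syn_hosts[m["src"]].add(m["dst"])
            syn_ports[m["src"]].add(int(m["dport"]))
        elif m["flags"] == "S.":     # SYN-ACK: the "response" a sniffing scanner collects
            answered[m["dst"]].append((m["src"], int(m["sport"])))
    return {
        src: {"hosts": len(hosts), "ports": sorted(syn_ports[src]), "answered": sorted(answered[src])}
        for src, hosts in syn_hosts.items()
        if len(hosts) >= min_hosts
    }
```

Only 10.0.0.5 is reported: it probed four hosts on ports 22 and 80 and two of them answered, while 10.0.0.6 completed an ordinary handshake with one host and is left alone.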