Penetration Testing mailing list archives
How to portscan a Class B effectively
From: RT <roelof () sensepost com>
Date: Mon, 3 Jun 2002 20:35:32 +0000 (GMT)
Yeah... It's no fun nmapping a class B network. Here is how I do it:

1) Let's assume you find your class B network from a whois query, and let's assume the net is located on the Internet. It might be that only a few class C networks within the large block are actually routed. I include a simple but effective PERL script that is fed an IP number and responds if it's routed, and what block is routed - see at the end. Obviously you are only interested in the routed blocks - makes no sense hitting your head against an unrouted network. Please don't use this script for every IP in the block - do it once only.. (or once per class C)..:)

2a) If ICMP is allowed in you're in luck. Use nmap with -sP (ping only) and -PI (only ICMP - else it will probe on port 80 as well and it takes time). If not:

2b) Superscan (windoze) does a very good job of quickly looking for open ports. Limit your port list to common ports - e.g. 21,22,23,25,53,80,443,1080. Superscan is nice and fast, but it does not give additional information such as if the port is closed, open, or filtered. Nmap is the better scanner for more detailed information, or when you want to use more advanced scanning techniques - for now we just want open common ports.

4) Sometimes you will see that the admin screwed up and, for instance, port 53 is open to all machines (an old FW1 config error). If so, limit the ports only to 53 (why scan the rest at this stage?) and see which respond as closed (you'll need Nmap for this). Another config error regularly found in stateless firewalls is source port 20 allowed to high ports. Use nmap with the -g and -sS (SYN scan) options here; set the source port to 20 and hit a high (>1024) port. You can easily test with hping for such errors (or use nc -n -p 20 -v target 2000).

5) Once you know which machines are alive you want to use a proper nmap scan on these. Use the -iL option to import the list of IPs found alive in the previous steps, and let rip.

'later,
Roelof.
Here's the PERL script:

------cut here------
#!/usr/bin/perl
# Usage : blah.pl <IP number>
# Typically:
#
# > routedornot 196.30.67.100
# Network is routed. Block is [196.30.0.0/16]
#
# > routedornot 10.0.0.1
# Network appears to be non-routed
#
# Roelof Temmingh (roelof () sensepost com)
# SensePost (http://www.sensepost.com)
# 2001.09
#
# Asks a public BGP looking glass (hard-coded to nitrous.digex.net, which
# may no longer exist) for the route covering the given IP, and prints the
# announced block if one is found.

use strict;
use warnings;
use Socket;

my $range = $ARGV[0] or die "Usage: $0 <IP number>\n";
my $host = "nitrous.digex.net";
my $port = 80;
my $target = inet_aton($host) or die "Cannot resolve $host\n";
my $urlthingy = "/cgi-bin/looking_glass.pl";
my $poststring = "GLASS_ID=1&query=bgp&addr=$range";
my $plength = length($poststring);

# HTTP/1.0 POST to the looking glass CGI. "Connection: close" makes the
# server end the reply, so the read loop in sendraw() sees EOF instead of
# hanging on a kept-alive socket.
my $tosend = <<"EOT";
POST $urlthingy HTTP/1.0
Content-Length: $plength
Connection: close
User-Agent: SensePostData
Referer: http://nitrous.digex.net/mae/mae-lg.html
Content-Type: application/x-www-form-urlencoded

$poststring
EOT
$tosend =~ s/\n/\r\n/g;

# The looking glass answers with "VTY" when its router session is busy;
# in that case send the query again.
my $flag = 0;
RETRY: while (1) {
    my @results = sendraw($tosend);
    foreach my $line (@results) {
        if ($line =~ /BGP routing table entry for/) {
            my (undef, $yeah) = split(/BGP routing table entry for/, $line);
            my ($real) = split(/,/, $yeah);
            $real =~ s/ //g;
            print "Network is routed. Block is [$real]\n";
            $flag = 1;
        }
        if ($line =~ /VTY/) { print "Busy\n"; next RETRY; }
    }
    last;
}
if ($flag == 0) { print "Network appears to be non-routed\n"; }

# Connect to $target:$port over TCP, send $pstr, return every reply line.
sub sendraw {
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    if (connect(S, sockaddr_in($port, $target))) {
        my @in;
        print S $pstr;
        while (<S>) { push @in, $_; }
        close(S);
        return @in;
    } else {
        die("connect problems\n");
    }
}
------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com
http://www.hackrack.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
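The sweep-then-scan procedure from the post above, glued together as a shell script. This is an added example, not code from Roelof's post or from SensePost: it assumes a current nmap (where -sn and -PE replaced the older -sP and -PI flags the post uses) and hping3, and the target block 196.30.67.0/24, the hostname, and the nmap grepable (-oG) output embedded below are constructed samples, not real scan results. The parsing helpers are what turn a ping sweep into the -iL file for step 5, and what separate "closed" from "filtered" on port 53 for the FW1-style check in step 4.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes nmap >= 7 and hping3.
# Target block, hostname and the sample nmap output below are constructed.

# Step 2a: ICMP-echo-only ping sweep, grepable output on stdout.
ping_sweep() { nmap -n -sn -PE -oG - "$1"; }

# Step 2b/4: SYN scan of the short common-port list, grepable output.
common_ports() { nmap -n -sS -p 21,22,23,25,53,80,443,1080 -oG - "$1"; }

# Step 4: does a stateless filter pass source port 20 to a high port?
# Any reply from hping3 (flags=SA or flags=RA) means the SYN got through;
# silence means it was filtered.
sport20_probe() { hping3 -S -s 20 -p 2000 -c 1 "$1"; }

# Parse grepable output: print every host nmap reported as Up.
extract_alive() { awk '/^Host:/ && /Status: Up/ { print $2 }'; }

# Parse grepable output: print hosts whose port $1 is in state $2
# (open|closed|filtered). "closed" on 53 means the firewall let the probe
# reach the host (the config error the post describes); "filtered" means
# the firewall dropped it.
hosts_with_port_state() {
    awk -v want="^$1/$2/" '/^Host:/ && /Ports:/ {
        ip = $2; ports = $0
        sub(/.*Ports: /, "", ports)
        sub(/\t.*/, "", ports)
        sub(/[ \t]+Ignored State.*/, "", ports)
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) if (p[i] ~ want) { print ip; break }
    }'
}

# Step 5: full scan of only the hosts found alive.
full_scan() { nmap -sS -sV -O -iL "$1" -oA full; }

# Constructed sample of ping_sweep output (fields are tab-separated in nmap).
SWEEP_SAMPLE='# Nmap scan initiated (constructed sample)
Host: 196.30.67.1 ()	Status: Up
Host: 196.30.67.2 ()	Status: Down
Host: 196.30.67.100 (www.example.net)	Status: Up
# Nmap done'

# Constructed sample of common_ports output for two hosts.
PORTS_SAMPLE='Host: 196.30.67.1 ()	Status: Up
Host: 196.30.67.1 ()	Ports: 22/open/tcp//ssh///, 53/closed/tcp//domain///, 80/open/tcp//http///	Ignored State: filtered (5)
Host: 196.30.67.100 ()	Status: Up
Host: 196.30.67.100 ()	Ports: 53/filtered/tcp//domain///, 443/open/tcp//https///	Ignored State: filtered (6)'

alive_from_sample()    { printf '%s\n' "$SWEEP_SAMPLE" | extract_alive; }
closed53_from_sample() { printf '%s\n' "$PORTS_SAMPLE" | hosts_with_port_state 53 closed; }

# Live use against a real block (commented out so the script runs offline):
#   ping_sweep 196.30.67.0/24 | extract_alive > alive.txt
#   common_ports 196.30.67.0/24 | hosts_with_port_state 53 closed
#   full_scan alive.txt
```

The grepable format is used rather than normal output because one host per line makes the awk filters trivial and the same parser serves both the ping sweep and the port scan; the "Ignored State" field is what tells you whether the ports nmap did not list were filtered or closed.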
Current thread:
- faster scans? (nmap) wirepair (Jun 03)
- Re: faster scans? (nmap) Matt Selsky (Jun 03)
- RE: faster scans? (nmap) Ozan Gonenc (Jun 03)
- Re: faster scans? (nmap) wirepair (Jun 03)
- Re: faster scans? (nmap) Andreas Junestam (Jun 04)
- Re: faster scans? (nmap) Gregory Duchemin (Jun 04)
- Re: faster scans? (nmap) wirepair (Jun 03)
- Re: faster scans? (nmap) Michael Starr (Jun 03)
- How to portscan a Class B effectively RT (Jun 03)
- Re: How to portscan a Class B effectively batz (Jun 03)
- Re: faster scans? (nmap) Yann Berthier (Jun 03)
- How to portscan a Class B effectively RT (Jun 03)
- Re: faster scans? (nmap) Anders Thulin (Jun 04)
- <Possible follow-ups>
- Re: faster scans? (nmap) miguel . dilaj (Jun 03)
- RE: faster scans? (nmap) Steve Maks (Jun 03)
- Re: faster scans? (nmap) Yann Berthier (Jun 03)
- RE: faster scans? (nmap) JLETOUX (Jun 04)
- Re: faster scans? (nmap) Gregory Duchemin (Jun 04)