Penetration Testing mailing list archives
RE: Graphical NMAP
From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Thu, 30 Oct 2003 12:04:10 -0800
One more thing to throw into this conversation: Dan Kaminsky (http://www.doxpara.com) of Paketto Keiretsu fame is working on some very cool updates to the scanrand tool. Currently it has the ability to output to SQL servers, which allows for some very sophisticated data correlation queries. You can also dump this information into other various tools for graphical summaries of the information.

Just for kicks you might want to check out the following dump output: http://www.dyadsecurity.com/sample_dump

This is just a taste of the graphical representations that are possible with your scan output. As an additional ISECOM (http://www.isecom.org) related project I am working with Dan on a front-end to his tools with an emphasis on how to graphically represent this data. For now, if you're interested in playing with it, I'd suggest you find a copy of one of Dan's more recent talks (check the Black Hat conference repositories). These talks contain enough information to start playing with the new scanrand stuff.

Just a quick usage primer:

To dump to a mysql DB, create a new database and user account with full permissions to the new db.
Create a new table in your new database:

create table demotable (abs_tv_sec integer unsigned, abs_tv_usec integer unsigned, rel_tv_sec integer unsigned, rel_tv_usec integer unsigned, stat char(5), src varchar(64), dst varchar(64), port integer unsigned, hopcount integer unsigned, trace_hop integer unsigned, qos integer unsigned, trace_src varchar(64), trace_dst varchar(64), trace_mid varchar(64));

Kick off a listening scanrand thread that dumps directly to your database:

scanrand2 -e -L -s key -t0 -T demotable -M1 | mysql -u <mysql username> -p "demodb"

Now you can do any set of scans/traceroutes that you want and have it all dump directly to your scanrand listener and populate your mysql database:

scanrand2 -i <ip to send from> -S -s key -b200k <ip_range_to_scan>:<ports_to_scan>

Now for a good sample query:

select hopcount,dst,port,stat,trace_mid from demotable where src="<ip you sent from>" and stat!="DOWN" order by dst,port;

That query shows you ICMP error messages and active TCP ports. It orders them by the destination, and then by the port on the destination. It also shows you your hopcount (distance), and the server IP that sent the ICMP message back to you.

The possible ways to represent this data are numerous, and will be very "pretty"/graphical soon. If you have any other questions about this particular project, I'll try to keep up to date with my email account :). Also, if you're interested in helping with the coding of the front-end stuff, I could definitely use additional volunteers.

Thanks,
Robert

Robert E. Lee
CTO, http://www.dyadsecurity.com
3400 Irvine Ave, Building 118
Newport Beach, Ca 92660
T (949) 486-6600
F (949) 486-6001
robert () dyadsecurity com
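The post's usage primer boils down to a schema and one correlation query over it. Below is an added example, not part of the original message and not code from scanrand or its author, that recreates the demotable schema in an in-memory SQLite database, loads a handful of constructed rows, and runs the same query (source filter, exclude DOWN, order by destination then port) so the result shape can be seen without a live listener. The source/destination addresses, hop counts and the "UN03" status string are constructed sample values; only "DOWN" and the column names come from the post. MySQL's double-quoted string literals are written with single quotes here because SQLite treats double quotes as identifiers.

```python
import sqlite3

# Same column list as the post's "create table demotable" statement.
# SQLite accepts the MySQL-style type names and maps them to its affinities.
SCHEMA = """
create table demotable (
    abs_tv_sec integer unsigned, abs_tv_usec integer unsigned,
    rel_tv_sec integer unsigned, rel_tv_usec integer unsigned,
    stat char(5), src varchar(64), dst varchar(64),
    port integer unsigned, hopcount integer unsigned,
    trace_hop integer unsigned, qos integer unsigned,
    trace_src varchar(64), trace_dst varchar(64), trace_mid varchar(64)
)
"""

# Constructed sample rows (stat, src, dst, port, hopcount, trace_mid).
# Addresses are from the documentation ranges; "UN03" is a placeholder
# status for an ICMP unreachable reply and is NOT scanrand's real label.
SAMPLE_ROWS = [
    ("UP",    "192.0.2.10", "198.51.100.5", 22,  12, None),
    ("DOWN",  "192.0.2.10", "198.51.100.5", 80,  12, None),
    ("UP",    "192.0.2.10", "198.51.100.5", 443, 12, None),
    ("UN03",  "192.0.2.10", "198.51.100.7", 22,  9,  "203.0.113.1"),
    ("UP",    "192.0.2.11", "198.51.100.9", 25,  7,  None),  # other source
]

# The post's sample query, with a bound parameter for the sending IP.
ACTIVE_QUERY = """
select hopcount, dst, port, stat, trace_mid
from demotable
where src = ? and stat != 'DOWN'
order by dst, port
"""


def build_demo_db():
    """Create the demotable schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "insert into demotable (stat, src, dst, port, hopcount, trace_mid) "
        "values (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def query_active(conn, src):
    """Return (hopcount, dst, port, stat, trace_mid) for replies seen from src,
    excluding DOWN results, ordered by destination then port."""
    return conn.execute(ACTIVE_QUERY, (src,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for row in query_active(db, "192.0.2.10"):
        print(row)
```

Note that the post's table stores dst as varchar, so "order by dst" sorts addresses as strings; for a large scan that puts 198.51.100.10 before 198.51.100.5, which matters once the output feeds a graph. Swapping the query's column list or the filter on stat is all that is needed to pull, say, only the ICMP error rows with their trace_mid hops.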