Penetration Testing mailing list archives
RE: Mapping Class A network ( any easy trick?)
From: "Moonen, Ralph" <Moonen.Ralph () kpmg nl>
Date: Wed, 9 Feb 2005 19:05:23 +0100
Hi, Apart from the timing issues (I agree totally) I still think that you cannot call nmap+nbtstat or nmap+nessus or whatever combinatioin 'penetration testing'. To me that is Vulnerability Analysis. VA on a class A is tricky enough. Pentesting (ie attempted exploitation of all discovered vulenrabilities) on a full class A is extremely difficult. Impossible for 1 man and his laptop, given average population of networks. I assume that stealth is not an issue here, and if indeed not, then my choice for the mapping and scanning would be to have a few lappies (like your setup) crunch away unattendend (but with humans on call 24/7) for as long as it takes. For the actual testing (exploiting) I usually concentrate on the business critical environments and the devices that those environments most heavily depend on. No use pentesting each and every workstation. But usually, it never gets that far. You find so much sh*t during the first scans and so when you've totally 0wn3d the SAP environment within half a day it's pretty clear what needs to happen first. --Ralph -----Original Message----- From: Tim [mailto:tim-pentest () sentinelchicken org] Sent: woensdag 9 februari 2005 18:10 To: Moonen, Ralph Cc: John Thomas; pen-test () securityfocus com Subject: Re: Mapping Class A network ( any easy trick?) --- Virus checked / op virussen gecontroleerd ---
You might also want to manage expectations. Pentesting a full class A,
even given low population of the network will take you months. I think
It can be done faster. Once upon a time I built a system with primarily shell/python/perl which used nmap and nbtscan to scan all RFC1918 addresses in a large company. With a LOT of timing optimization options, and a very focused set of ports we were scanning for, we were able to scan this many IPs in 2-3 days. However, we had to distribute the scan across 8 linux machines, each of which ran 4 scanning threads in parallel. We didn't utilize any broadcasts, of course. It is a pain, and I don't recommend doing it unless you have a good reason, but it can be done with enough effort. The more recent versions of nmap supposedly has a more efficient scanning engine. Definately use the newest stuff. tim ps- Our scanning network could scan 300+ IPs/sec on average (majority of IPs didn't have hosts, of course) and during the scan, a few older firewalls tipped over. Be careful. -------------------------------------------------------------------------------------------------------------------------------------------- De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming hebben dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en de bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht. KPMG is niet aansprakelijk voor schade ten gevolge van het gebruik van elektronische middelen van communicatie, daaronder begrepen -maar niet beperkt tot- schade ten gevolge van niet aflevering of vertraging bij de aflevering van elektronische berichten, onderschepping of manipulatie van elektronische berichten door derden of door programmatuur/apparatuur gebruikt voor elektronische communicatie en overbrenging van virussen en andere kwaadaardige programmatuur. Any information transmitted by means of this e-mail (and any of its attachments) is intended exclusively for the addressee or addressees and for those authorized by the addressee or addressees to read this message. Any use by a party other than the addressee or addressees is prohibited. The information contained in this e-mail (or any of its attachments) may be confidential in nature and fall under a duty of non-disclosure. KPMG shall not be liable for damages resulting from the use of electronic means of communication, including -but not limited to- damages resulting from failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or by computer programs used for electronic communications and transmission of viruses and other malicious code. --------------------------------------------------------------------------------------------------------------------------------------------
Current thread:
- Re: Mapping Class A network ( any easy trick?), (continued)
- Re: Mapping Class A network ( any easy trick?) alank (Feb 08)
- Message not available
- Re: Mapping Class A network ( any easy trick?) alank (Feb 09)
- Message not available
- Re: Mapping Class A network ( any easy trick?) alank (Feb 08)
- Re: Mapping Class A network ( any easy trick?) Jordan Wiens (Feb 08)
- Re: Mapping Class A network ( any easy trick?) Ismael Gonzalez (Feb 11)
- RE: Mapping Class A network ( any easy trick?) Moonen, Ralph (Feb 08)
- Re: Mapping Class A network ( any easy trick?) Tim (Feb 09)
- RE: FW: Mapping Class A network ( any easy trick?) Navin Johnson (Feb 08)
- Fw: Re: Mapping Class A network ( any easy trick?) Volker Tanger (Feb 09)
- RE: Mapping Class A network ( any easy trick?) Henderson, Dennis K. (Feb 09)
- RE: Mapping Class A network ( any easy trick?) Brass, Phil (ISS Atlanta) (Feb 09)
- RE: Mapping Class A network ( any easy trick?) Moonen, Ralph (Feb 09)
- Re: Mapping Class A network ( any easy trick?) Tim (Feb 11)
- RE: Mapping Class A network ( any easy trick?) robert (Feb 09)
- RE: Mapping Class A network ( any easy trick?) Jeff Gercken (Feb 09)
- Re: Mapping Class A network ( any easy trick?) John Thomas (Feb 11)