Penetration Testing mailing list archives

Re: Discovering Live Hosts


From: "Lee Lawson" <leejlawson () gmail com>
Date: Wed, 8 Aug 2007 08:34:11 +0100

Right, first thing, definitions.

Vulnerability Assessment - Identifying any vulnerabilities that exist
on a computer system; this will involve port scanning, enumeration,
service probing and scanning with something like Nessus/Nikto etc.

Penetration Testing - All of the above, but continuing to actually
exploit a computer system to gain control and therefore irrefutably
prove the existence of the vulnerability.

Neither of them is limited to a LAN or a WAN/Internet.

Second...

Is your target range on the same LAN segment as you?  Can you get your
testing computer on the same LAN segment for testing?  If yes, use
arping which comes with a lot of Linux distros.  Unfortunately,
unless it's been updated, it cannot natively take a list of IPs from
a file, but that can be scripted.  You may even be able to ping the
broadcast address and view your own ARP cache for entries (but
unlikely).

If your target IP address range is on a different LAN segment,
separated by a router for example, which essentially is the same
situation for port scanning as testing another LAN over the Internet,
then you are limited to port scanning.  I would forget UDP scanning as
the responses would not be reliable.  You could try nmap with the ping
options as already mentioned, or nmap with straight TCP scanning.
There's nothing wrong with doing this:
nmap -sT -vv -P0 -p 80 -iL target_file -oN output_file
Then searching through the output_file for all active responses such
as open or closed ports.  Once you have that list, you can concentrate
on the non-responders and try further scans to determine if they are
active.

Remember that an open port, closed port, ARP response (get the MAC
address) or possibly a DNS resolution (although you may find
tombstoned entries!) all tell you that a computer is active.

done.
/mail

On 8/8/07, John M. Martinelli <john () martinelli com> wrote:
Since when?

If I'm auditing an intrusion detection system on my LAN, I would
consider that I'm penetration testing, not performing a vulnerability
assessment.

Regards,
John Martinelli
RedLevel.org Security

On Aug 8, 2007, at 2:04 AM, Nikhil Wagholikar wrote:

Hello Jure,

Performing scans from within target LAN is called Vulnerability
Assessment, and doing the same thing from other LAN or outside IP
Address/Addresses is called Penetration Testing.

I have clearly mentioned that the scenario is applicable for
Pen-Testing. Kindly suggest the same answer from Pen-Testing point of
view.

Thanks for your suggestion. This suggestion will be useful for
Vulnerability Assessors.

---
Nikhil Wagholikar
Information Security Analyst


On 8/8/07, Jure Krasovic <jure.krasovic () lusp com> wrote:
Nikhil Wagholikar wrote:
Hello List,

I need some suggestions and inputs from all Pen-testers around the
world on this issue.

Hello Nikhil,

if you are on the same LAN as machines you do pentest, you should try
arping.

Regards

      Jure


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



-- 
Lee J Lawson
leejlawson () gmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."
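The triage Lee describes (scan with -P0, then pick out every host that answered with an open or closed port and keep the rest for a follow-up scan) as an added Python example; it is not part of the thread and is not nmap's own code. It parses nmap's normal (-oN) output and accepts both the "Interesting ports on" host header of 2007-era nmap and the newer "Nmap scan report for" header. The function names, the IP addresses and the scan text below are my own constructed sample, not output from a real scan.

```python
import re
import sys

# Regular expressions for nmap's normal (-oN) output.  2007-era nmap prints
# "Interesting ports on <host>:" per host, current versions print
# "Nmap scan report for <host>"; both forms are accepted here.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HOST_HEADER = re.compile(r"^(?:Nmap scan report for|Interesting ports on) .*?" + IPV4)
# One-line summary nmap prints when every scanned port shares one state.
ALL_PORTS = re.compile(r"^All \d+ scanned ports on .*?" + IPV4 + r".* are (open|closed|filtered)")
# Per-port lines such as "80/tcp open  http"; longer alternatives come first
# so that "open|filtered" is not cut short at "open".
PORT_LINE = re.compile(
    r"^\d+/(?:tcp|udp)\s+(open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\b"
)
# A SYN/ACK (open) or an RST (closed, unfiltered) proves that a host answered.
RESPONSIVE_STATES = {"open", "closed", "unfiltered"}

# Constructed sample of an "nmap -sT -P0 -p 80 -iL targets -oN out" run (not a
# real scan); it deliberately mixes both header styles to exercise the parser.
SAMPLE_OUTPUT = """\
# nmap normal output (constructed sample, not a real scan)
Interesting ports on 10.0.0.5:
PORT   STATE SERVICE
80/tcp open  http

Interesting ports on webhost.example.test (10.0.0.6):
PORT   STATE  SERVICE
80/tcp closed http

All 1 scanned ports on 10.0.0.7 are filtered

Nmap scan report for 10.0.0.10
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 4 IP addresses (4 hosts up) scanned in 1.23 seconds
"""


def parse_nmap_normal(text):
    """Map each scanned IP to the set of port states nmap reported for it."""
    states = {}
    current = None
    for line in text.splitlines():
        m = HOST_HEADER.match(line)
        if m:
            current = m.group(1)
            states.setdefault(current, set())
            continue
        m = ALL_PORTS.match(line)
        if m:
            current = m.group(1)
            states.setdefault(current, set()).add(m.group(2))
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            states[current].add(m.group(1))
    return states


def _ip_key(ip):
    # Sort numerically by octet so 10.0.0.10 lands after 10.0.0.5.
    return tuple(int(octet) for octet in ip.split("."))


def triage(text):
    """Split hosts into those proven active (an open or closed port) and
    those that only showed filtered ports and still need further probing."""
    parsed = parse_nmap_normal(text)
    active = sorted((ip for ip, s in parsed.items() if s & RESPONSIVE_STATES), key=_ip_key)
    unknown = sorted((ip for ip, s in parsed.items() if not s & RESPONSIVE_STATES), key=_ip_key)
    return active, unknown


if __name__ == "__main__":
    # Pass the -oN output_file as the first argument; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    active, unknown = triage(text)
    print("active (open/closed port):", ", ".join(active))
    print("no response yet, rescan:  ", ", ".join(unknown))
```

Point the script at the output_file from the nmap command in the mail. Note that with -P0 nmap skips its own host discovery and treats every target as up, so the per-host "Host is up" line and the "(N hosts up)" count in the footer say nothing about responsiveness; only the open/closed port states do, which is why the script ignores those lines and classifies on port state alone.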
