Penetration Testing mailing list archives

Re: Discovering Live Hosts


From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 8 Aug 2007 08:49:21 -0700 (PDT)

The devil is always in the details, as it is said. 
There have been some good suggestions here, but some
additional important points to keep in mind:

1) You hint that your targets may be behind a firewall.
I wonder if this is known.  If so, a tool called
firewalk may assist you.  See also
http://www.packetfactory.net/Projects/firewalk/

2) A syn scan (nmap switch -sS) will have false
positives in some cases.  I often find that some
firewalls respond as if every port is open for every
single IP address.  A full TCP connect is the only way
to identify if the host is truly live (nmap switch
-sT).  It takes longer, but you can't be sure the host
is up or down if the firewall is masking all responses
until you actually connect to each and every port.

3) Yes, I said "each and every port."  Some hosts
don't respond to ICMP.  Some may be behind a firewall
that masks the responses.  Some services may have been
remapped to unusual ports.  Some hosts support no
typical services, but do have something listening on
an unusual port.

All this makes identifying live hosts through a scan
alone take a very long time in some cases if your
initial target pool is large.  Sorry, failure to get
typical responses from a scan does not prove that a host
is unreachable.  It is logically impossible to prove
the absence of a phenomenon.  Following the above
exhaustive measures will help assure that you have
turned over every stone to try.

I'll offer one other thing to try, though, which might
help.  Capture network traffic to see who is talking
on the network.  Filter on the target network IDs. 
Will they let you have a monitor port on the local
switch?  Can you ARP spoof to gain the ability to
capture packets?  If you get a packet capture, you may
often see communications with systems that you may not
be otherwise able to reach at all.

Best of luck
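The passive approach from the last paragraph of the reply, worked out as an added example that is not code from either poster: a small parser for the classic libpcap file format that lists every IPv4 address seen inside the target network IDs and how many frames it appeared in. The capture bytes are constructed inline (the build_* helpers are a test fixture, not recorded traffic) so the script runs offline; on an engagement you would feed it a file written by tcpdump from a monitor port or an ARP-spoofed position. Single 802.1Q VLAN tags are handled because a trunked monitor port usually delivers tagged frames.

```python
"""Passive host discovery from a libpcap capture.

Added example, not code from the original thread. Reads the classic pcap
format (magic 0xA1B2C3D4, either byte order, Ethernet link type), pulls the
IPv4 source and destination out of every frame, and keeps the addresses
that fall inside the target networks.
"""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
LINKTYPE_ETHERNET = 1


def iter_frames(pcap_bytes):
    """Yield each link-layer frame in a pcap file body."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst) for an IPv4 frame, or None for ARP, IPv6, runts, etc.
    Handles one 802.1Q VLAN tag, which shifts the IP header by four bytes."""
    offset = 12
    if len(frame) < offset + 2:
        return None
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    offset += 2
    if ethertype == ETH_P_8021Q:
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        offset += 4
    if ethertype != ETH_P_IP or len(frame) < offset + 20:
        return None
    if frame[offset] >> 4 != 4:          # version nibble must be 4
        return None
    src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    dst = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    return src, dst


def discover_hosts(pcap_bytes, target_networks):
    """Map each address inside target_networks to the number of frames it appeared in."""
    nets = [ipaddress.ip_network(n) for n in target_networks]
    seen = {}
    for frame in iter_frames(pcap_bytes):
        endpoints = ipv4_endpoints(frame)
        if endpoints is None:
            continue
        for addr in endpoints:
            if any(addr in net for net in nets):
                seen[str(addr)] = seen.get(str(addr), 0) + 1
    return seen


def build_ipv4_frame(src, dst, vlan=None):
    """Constructed test data: Ethernet + bare IPv4 header, no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip


def build_pcap(frames):
    """Constructed test data: little-endian pcap header plus one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: two target hosts talking, one of them also to the
# Internet, a VLAN-tagged frame from outside the scope, and an ARP frame.
SAMPLE_CAPTURE = build_pcap([
    build_ipv4_frame("10.1.2.3", "10.1.2.4"),
    build_ipv4_frame("10.1.2.3", "8.8.8.8"),
    build_ipv4_frame("192.168.5.9", "10.1.2.4", vlan=42),
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),   # ARP, skipped
])

if __name__ == "__main__":
    for host, count in sorted(discover_hosts(SAMPLE_CAPTURE, ["10.1.0.0/16"]).items()):
        print(f"{host}\t{count} frames")
```

Only the target-side addresses come out: 8.8.8.8 and the 192.168.5.9 talker are dropped, but the 10.1.2.4 they spoke to is kept even though nothing in the capture came from it, which is exactly the "systems you may not be able to reach at all" case the reply describes.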

--- Nikhil Wagholikar <visitnikhil () gmail com> wrote:

Hello List,

I need some suggestions and inputs from all
Pen-testers around the
world on this issue.

I have been allotted a set of IP Address Pool for
pen-testing. So my
first task is to find out live IP Addresses out of
the given Pool of
IP Addresses (Class A & Class B). I know, that
normal ping (ICMP)
won't help me, because nowadays firewalls can be
configured to drop
ICMP requests. So if I ping (ICMP) the hosts to find
live IP Address,
it won't help me.

Performing a full port scan for the whole IP Address
Pool range is
also not recommended solution, since my whole and
sole target is just
to find Live IP Addresses out of given Pool of IP
Addresses i.e.
either UP or DOWN, that's it!

Now second thought that comes to my mind is TCP
Ping. Nmap has a very
beautiful option built into it i.e. -sP or -PT or
-PS. But by default
it tries to connect to port 80 if no port is
specified along with it.
If the remote IP Address doesn't have HTTP/HTTPS
service running on
it, but has some other service (like FTP, SMTP etc)
running on it,
then even this option would fail. Besides this, if
suppose SMTP is
configured on port 26 instead of traditional port
25, then it would
add a twist to this situation. Hence specifying well
known ports along
with the -PT or -PS option is also not an effective
method of discovering
live hosts from given IP Address Pool. Added to
this, specifying large
number of well known ports along with this options
(-PT, -PS), leads
Nmap to exit abruptly by throwing Buffer Overflow
related error.

Can anyone kindly guide me, as to how to find live
IP Addresses from a
given Pool of IP Addresses (Range of IP Addresses)
with as few false
positives as possible and as quickly as
possible? Is there any
tool out (no matter shareware or freeware), which
focuses on finding
live IP Addresses from Pool of IP Addresses?

--
Nikhil Wagholikar
Information Security Analyst


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE
today!

http://www.cenzic.com/downloads

------------------------------------------------------------------------
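The full-connect sweep recommended in points 2 and 3 of the reply, applied to the question above, written out as an added example; it is not code from either poster. A host counts as live when any probed port completes the three-way handshake (what nmap -sT does), and a host where every probed port accepts is reported separately, since that is the firewall-answers-for-everything pattern from point 2. The loopback listeners, unused_loopback_port() and demo() are a constructed fixture so the script runs offline; against a real pool you would call sweep() with the allotted addresses and a port list.

```python
"""TCP connect host sweep (the nmap -sT approach from the reply above).

Added example, not code from either poster. A host counts as live when any
probed port completes the handshake; a host where *every* probed port
accepts is flagged as suspect, because that is what a firewall or proxy
answering on behalf of the whole range looks like.
"""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect(host, port, timeout=1.0):
    """Full connect() like nmap -sT; True only if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, ...
        return False


def probe_host(host, ports, timeout=1.0):
    """Try every port on one host and return {port: accepted}."""
    return {port: tcp_connect(host, port, timeout) for port in ports}


def sweep(hosts, ports, timeout=1.0, workers=64):
    """Probe all hosts in parallel. Filtered ports cost a full timeout each,
    so the thread pool is what keeps a large pool from taking days."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {host: pool.submit(probe_host, host, ports, timeout) for host in hosts}
        return {host: fut.result() for host, fut in futures.items()}


def classify(results):
    """Split sweep results into (live, suspect).
    suspect: every probed port accepted. With several ports that is more
    likely a middlebox than a real host, so verify those by hand."""
    live, suspect = [], []
    for host, ports in results.items():
        accepted = sum(1 for ok in ports.values() if ok)
        if accepted == 0:
            continue
        if accepted == len(ports) and len(ports) > 1:
            suspect.append(host)
        else:
            live.append(host)
    return live, suspect


def start_loopback_listeners(count):
    """Constructed fixture: `count` TCP listeners on 127.0.0.1, ephemeral ports."""
    servers = []
    for _ in range(count):
        srv = socketserver.TCPServer(("127.0.0.1", 0), socketserver.BaseRequestHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


def unused_loopback_port():
    """Constructed fixture: a port nothing is listening on right now."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(open_ports=2, closed_ports=1):
    """Sweep loopback with `open_ports` listeners and `closed_ports` dead ports.
    Returns (results, live, suspect). closed_ports=0 reproduces the
    'everything is open' picture a masking firewall presents."""
    servers = start_loopback_listeners(open_ports)
    ports = [s.server_address[1] for s in servers]
    ports += [unused_loopback_port() for _ in range(closed_ports)]
    try:
        results = sweep(["127.0.0.1"], ports, timeout=0.5)
        live, suspect = classify(results)
        return results, live, suspect
    finally:
        for s in servers:
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    results, live, suspect = demo()
    print("live:", live, "suspect:", suspect)
    for host, ports in results.items():
        print(host, {p: "open" for p, ok in ports.items() if ok})
```

The suspect list is the practical answer to the "each and every port" problem: rather than treating a run of accepted handshakes as proof of a live host, it separates those addresses so they can be checked with a banner grab or a firewalk before they are counted.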





       
