Penetration Testing mailing list archives
Re: Discovering Live Hosts
From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 8 Aug 2007 08:49:21 -0700 (PDT)
The devil is always in the details, as it is said. There have been some good suggestions here, but some additional important points to keep in mind:

1) You hint that your targets may be behind a firewall. I wonder if this is known. If so, a tool called firewalk may assist you. See also http://www.packetfactory.net/Projects/firewalk/

2) A syn scan (nmap switch -sS) will have false positives in some cases. I often find that some firewalls respond as if every port is open for every single IP address. A full TCP connect is the only way to identify if the host is truly live (nmap switch -sT). It takes longer, but you can't be sure the host is up or down if the firewall is masking all responses until you actually connect to each and every port.

3) Yes, I said "each and every port." Some hosts don't respond to ICMP. Some may be behind a firewall that masks the responses. Some services may have been remapped to unusual ports. Some hosts support no typical services, but do have something listening on an unusual port. All this makes identifying live hosts through a scan alone take a very long time in some cases if your initial target pool is large. Sorry, failure to get typical responses from a scan does not prove that a host is unreachable. It is logically impossible to prove the absence of a phenomenon. Following the above exhaustive measures will help assure that you have turned over every stone to try.

I'll offer one other thing to try, though, which might help. Capture network traffic to see who is talking on the network. Filter on the target network IDs. Will they let you have a monitor port on the local switch? Can you arp spoof to gain the ability to capture packets? If you get a packet capture, you may often see communications with systems that you may not be otherwise able to reach at all.

Best of luck

--- Nikhil Wagholikar <visitnikhil () gmail com> wrote:
> Hello List,
>
> I need some suggestions and inputs from all Pen-testers around the world on this issue. I have been allotted a set of IP Address Pool for pen-testing. So my first task is to find out live IP Addresses out of the given Pool of IP Addresses (Class A & Class B).
>
> I know that normal ping (ICMP) won't help me, because nowadays firewalls can be configured to drop ICMP requests. So if I ping (ICMP) the hosts to find live IP Addresses, it won't help me. Performing a full port scan for the whole IP Address Pool range is also not a recommended solution, since my whole and sole target is just to find Live IP Addresses out of the given Pool of IP Addresses, i.e. either UP or DOWN, that's it!!
>
> Now the second thought that comes to my mind is TCP Ping. Nmap has a very beautiful option built into it, i.e. -sP or -PT or -PS. But by default it tries to connect to port 80 if no port is specified along with it. If the remote IP Address doesn't have an HTTP/HTTPS service running on it, but has some other service (like FTP, SMTP etc.) running on it, then even this option would fail. Besides this, if suppose SMTP is configured on port 26 instead of the traditional port 25, then it would add a twist to this situation. Hence specifying well known ports along with the -PT or -PS option is also not an effective method of discovering live hosts from a given IP Address Pool. Added to this, specifying a large number of well known ports along with these options (-PT, -PS) leads Nmap to exit abruptly by throwing a Buffer Overflow related error.
>
> Can anyone kindly guide me as to how to find live IP Addresses from a given Pool of IP Addresses (Range of IP Addresses) with as few false positive results as possible and as quickly as possible? Is there any tool out (no matter shareware or freeware) which focuses on finding live IP Addresses from a Pool of IP Addresses?
>
> --
> Nikhil Wagholikar
> Information Security Analyst
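The passive approach in the reply above (capture traffic, filter on the target network IDs, and treat what you observe as evidence of a live host) can be scripted. The following is an added example and is not code from the thread or from any tool it names. It works on constructed one-line packet summaries in an invented "src:sport > dst:dport proto" format, which is a simplification rather than exact tcpdump output; a real run would feed it summaries produced from a monitor-port capture. It deliberately distinguishes hosts that were seen sending traffic (confirmed live) from hosts that were only ever addressed, which matches the reply's point that a missing response proves nothing either way.

```python
"""Passive live-host inventory from captured traffic summaries (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample capture, one packet per line: "src:sport > dst:dport proto".
# This line format is an assumption made for the example, not real tcpdump output.
SAMPLE_PACKETS = """\
10.10.1.5:51234 > 10.10.2.20:25 tcp
10.10.2.20:25 > 10.10.1.5:51234 tcp
192.168.50.7:443 > 10.10.1.5:40001 tcp
10.10.3.9:53 > 10.10.1.5:33000 udp
10.10.1.5:60000 > 10.10.3.9:53 udp
172.16.0.4:22 > 10.10.2.21:50000 tcp
this line is garbage and must be skipped
"""


def parse_packet(line):
    """Parse one summary line; return (src, sport, dst, dport, proto) or None on malformed input."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != ">":
        return None
    try:
        src, sport = parts[0].rsplit(":", 1)
        dst, dport = parts[2].rsplit(":", 1)
        return (ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), parts[3].lower())
    except ValueError:
        return None


def live_hosts(packet_text, target_cidrs):
    """Build an inventory of in-scope hosts from captured packet summaries.

    Returns a dict with:
      "confirmed":      {ip: sorted list of "proto/port" the host was seen sending from}
      "addressed_only": sorted list of in-scope ips that were only ever a destination
    A host is confirmed only when it was observed as a packet *source*; being
    addressed by someone else is not proof that anything is listening there.
    """
    nets = [ipaddress.ip_network(c) for c in target_cidrs]

    def in_scope(ip):
        return any(ip in n for n in nets)

    sending = defaultdict(set)   # ip -> {"proto/port", ...} seen as source
    addressed = set()            # in-scope ips seen as destination

    for line in packet_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue             # skip malformed lines rather than abort the whole capture
        src, sport, dst, dport, proto = pkt
        if in_scope(src):
            sending[src].add(f"{proto}/{sport}")
        if in_scope(dst):
            addressed.add(dst)

    confirmed = {str(ip): sorted(ports) for ip, ports in sorted(sending.items())}
    addressed_only = [str(ip) for ip in sorted(addressed - set(sending))]
    return {"confirmed": confirmed, "addressed_only": addressed_only}


if __name__ == "__main__":
    inventory = live_hosts(SAMPLE_PACKETS, ["10.10.0.0/16"])
    for ip, ports in inventory["confirmed"].items():
        print(f"live   {ip:<15} seen sending from {', '.join(ports)}")
    for ip in inventory["addressed_only"]:
        print(f"unsure {ip:<15} addressed but never seen replying")
```

The source ports a host sends from are kept because, in a capture, a low or well-known source port (25, 53) is a cheap hint about which service answered, including services that were remapped to an unusual port and would not show up in a scan of the "usual" ports. Out-of-scope addresses (here 192.168.50.7 and 172.16.0.4) are dropped entirely so the report stays inside the allotted pool.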