Penetration Testing mailing list archives
Re: Discovering Live Hosts
From: "rajat swarup" <rajats () gmail com>
Date: Wed, 8 Aug 2007 13:49:05 -0400
On 8/8/07, Sat Jagat Singh <flyingdervish () yahoo com> wrote:
> 1) You hint that your targets may be behind a firewall. I wonder if this is known. If so, a tool called firewalk may assist you. See also http://www.packetfactory.net/Projects/firewalk/
>
> 2) A SYN scan (nmap switch -sS) will have false positives in some cases. I often find that some firewalls respond as if every port is open for every single IP address. A full TCP connect is the only way to identify if the host is truly live (nmap switch -sT). It takes longer, but you can't be sure the host is up or down if the firewall is masking all responses until you actually connect to each and every port.
>
> 3) Yes, I said "each and every port." Some hosts don't respond to ICMP. Some may be behind a firewall that masks the responses. Some services may have been remapped to unusual ports. Some hosts support no typical services, but do have something listening on an unusual port.
>
> I'll offer one other thing to try, though, which might help. Capture network traffic to see who is talking on the network. Filter on the target network IDs. Will they let you have a monitor port on the local switch? Can you ARP spoof to gain the ability to capture packets? If you get a packet capture, you may often see communications with systems that you may not be otherwise able to reach at all.
Sat... are you sure it was a firewall, or was it something like a portsentry that actively throws off scans by showing spurious open ports? For my knowledge, could you elaborate which firewall parameters (and which firewalls) do that? Nmap has a firewall detection capability as it can fingerprint, but that is at the cost of time.

Also, we're looking at a class A & B here. Connecting to "each and every port" would be possible if you have the budget for many months. Most pen tests wouldn't have the time / budget for the same. Realistically, you can't find all hosts on such a large network. Let's not forget DHCP and DNS timeouts working.

One tip: if you are not too concerned about DNS resolutions (at the cost of losing hosts that would only resolve on a DNS but don't respond to anything), try using the -n option on nmap to avoid DNS resolutions; I've seen it saves a lot of time. Also, don't forget to use --max-rtt-timeout for enhanced timing.

ARP spoofing would only help in sniffing the traffic... it's still not an effective way to enumerate, as you will only know the frequently used servers. Plus, ARP spoofing is applicable if the client is on the same network as the tester. No kind of sniffing can be as effective as scans, but sniffing could be used in *conjunction* with other stuff already talked about.

HTH,
-- 
Rajat Swarup
http://rajatswarup.blogspot.com/
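The exchange above boils down to a procedure: cheap, DNS-free discovery passes first (-n, --max-rtt-timeout), a full connect scan (-sT) to confirm any host a firewall or portsentry-style decoy makes look "all ports open", and passive capture filtered on the target network as a supplement. The script below is an added example, not code posted by either participant; it merges several nmap -oG (grepable) passes and a sniffed-IP list into one inventory with a verdict per host, and flags the "every probed port open" pattern so it is not counted as live until a connect scan confirms it. All nmap output, IP addresses and the sniffed list are constructed; the probed port set, the target network 10.1.2.0/24 and the verdict wording are assumptions of the example.

```python
"""Merge nmap -oG passes plus a passive-capture host list into one live-host
inventory. Added example for this thread; all scan output below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Assumption: SYN and connect passes both used -p 22,80,443,8080.
PROBED_PORTS = {22, 80, 443, 8080}
TARGET_NET = "10.1.2.0/24"   # assumed scope; sniffed IPs outside it are dropped

# Constructed -oG output of: nmap -n -sn -oG - 10.1.2.0/24
PING_SWEEP = """\
# Nmap 7.80 scan initiated ... as: nmap -n -sn -oG - 10.1.2.0/24
Host: 10.1.2.1 ()\tStatus: Up
Host: 10.1.2.2 ()\tStatus: Up
# Nmap done ...
"""
# Constructed -oG output of: nmap -n -Pn -sS -p 22,80,443,8080 --max-rtt-timeout 300ms
SYN_SCAN = """\
Host: 10.1.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 10.1.2.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.1.2.4 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 8080/filtered/tcp//http-proxy///
Host: 10.1.2.6 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
"""
# Constructed -oG output of: nmap -n -Pn -sT -p 22,80,443,8080 on the suspect hosts only
CONNECT_SCAN = """\
Host: 10.1.2.3 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 10.1.2.6 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///
"""
# Constructed list of addresses seen talking in a packet capture.
SNIFFED_IPS = ["10.1.2.5", "10.1.2.2", "192.168.9.9"]

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//")   # port/state/proto// prefix of each entry


def parse_grepable(text):
    """Parse -oG lines into {ip: {"status": "Up"|None, "ports": {port: state}}}."""
    hosts = defaultdict(lambda: {"status": None, "ports": {}})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # "# Nmap ..." comment lines
        ip, rest = m.group(1), m.group(3)
        for field in rest.split("\t"):    # Status: / Ports: / Ignored State: fields
            key, _, value = field.partition(": ")
            if key == "Status":
                hosts[ip]["status"] = value.strip()
            elif key == "Ports":
                for port, state, _proto in PORT_RE.findall(value):
                    hosts[ip]["ports"][int(port)] = state
    return dict(hosts)


def classify(rec, probed):
    """Decide a verdict; a completed connect beats everything else."""
    if rec["connect_open"]:
        return "live (confirmed by full connect)"
    if rec["syn_open"] >= probed:
        # Every probed port "open" in the SYN pass: the firewall/portsentry pattern.
        if rec["connect_seen"]:
            return "not confirmed (SYN opens did not complete a connect)"
        return "suspect (every probed port open; run -sT before believing it)"
    if rec["syn_open"] or rec["discovery_up"]:
        return "live"
    if rec["sniffed"]:
        return "live (passive only; never answered a probe)"
    return "unknown (only filtered responses)"


def build_inventory(ping, syn, connect, sniffed, target_net=TARGET_NET, probed=PROBED_PORTS):
    net = ipaddress.ip_network(target_net)
    inv = defaultdict(lambda: {"discovery_up": False, "syn_open": set(), "connect_seen": False,
                               "connect_open": set(), "sniffed": False, "verdict": ""})
    for ip, info in parse_grepable(ping).items():
        inv[ip]["discovery_up"] = info["status"] == "Up"
    for ip, info in parse_grepable(syn).items():
        inv[ip]["syn_open"] = {p for p, s in info["ports"].items() if s == "open"}
    for ip, info in parse_grepable(connect).items():
        inv[ip]["connect_seen"] = True
        inv[ip]["connect_open"] = {p for p, s in info["ports"].items() if s == "open"}
    for ip in sniffed:
        if ipaddress.ip_address(ip) in net:   # filter capture on the target network IDs
            inv[ip]["sniffed"] = True
    for rec in inv.values():
        rec["verdict"] = classify(rec, probed)
    return dict(inv)


def example_inventory():
    return build_inventory(PING_SWEEP, SYN_SCAN, CONNECT_SCAN, SNIFFED_IPS)


if __name__ == "__main__":
    for ip, rec in sorted(example_inventory().items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:<12} {rec['verdict']}")
```

Feed it real passes with `nmap ... -oG -` redirected to files and you get a triage list rather than a raw host count: 10.1.2.3 and 10.1.2.6 both look identical in the SYN pass, and only the connect pass separates the real host from the decoy, which is exactly why the expensive -sT is spent on the suspects alone rather than on the whole class B.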
Current thread:
- Re: Discovering Live Hosts, (continued)
- Re: Discovering Live Hosts rajat swarup (Aug 07)
- Re: Discovering Live Hosts rajat swarup (Aug 07)
- Re: Discovering Live Hosts pand0ra (Aug 08)
- Re: Discovering Live Hosts Jure Krasovic (Aug 07)
- Re: Discovering Live Hosts Nikhil Wagholikar (Aug 07)
- Re: Discovering Live Hosts John M. Martinelli (Aug 07)
- Re: Discovering Live Hosts Vivek P (Aug 08)
- Re: Discovering Live Hosts Lee Lawson (Aug 08)
- Re: Discovering Live Hosts Nikhil Wagholikar (Aug 07)
- Re: Discovering Live Hosts rajat swarup (Aug 08)
- Re: Discovering Live Hosts Sat Jagat Singh (Aug 08)
- Re: Discovering Live Hosts rajat swarup (Aug 08)
- Re: Discovering Live Hosts Fabrizio (Aug 08)