Penetration Testing mailing list archives

Re: Discovering Live Hosts


From: "rajat swarup" <rajats () gmail com>
Date: Wed, 8 Aug 2007 13:49:05 -0400

On 8/8/07, Sat Jagat Singh <flyingdervish () yahoo com> wrote:

> 1) You hint that your targets may be behind a firewall.
> I wonder if this is known.  If so, a tool called
> firewalk may assist you.  See also
> http://www.packetfactory.net/Projects/firewalk/
>
> 2) A syn scan (nmap switch -sS) will have false
> positives in some cases.  I often find that some
> firewalls respond as if every port is open for every
> single IP address.  A full TCP connect is the only way
> to identify if the host is truly live (nmap switch
> -sT).  It takes longer, but you can't be sure the host
> is up or down if the firewall is masking all responses
> until you actually connect to each and every port.
>
> 3) Yes, I said "each and every port."  Some hosts
> don't respond to ICMP.  Some may be behind a firewall
> that masks the responses.  Some services may have been
> remapped to unusual ports.  Some hosts support no
> typical services, but do have something listening on
> an unusual port.
>
>
> I'll offer one other thing to try, though, which might
> help.  Capture network traffic to see who is talking
> on the network.  Filter on the target network IDs.
> Will they let you have a monitor port on the local
> switch?  Can you arp spoof to gain the ability to
> capture packets?  If you get a packet capture, you may
> often see communications with systems that you may not
> be otherwise able to reach at all.


Sat, are you sure it was a firewall or was it something like a
portsentry that actively throws off scans by showing spurious open
ports?  For my knowledge could you elaborate which firewall parameters
(and which firewalls) do that?
Nmap has a firewall detection capability as it can fingerprint but
that is at the cost of time.  Also, we're looking at a class A & B
here.  Connecting to "each and every port" would be possible if you
have the budget for many months.  Most pen tests wouldn't have the
time / budget for the same.
Realistically, you can't find all hosts on such a large network.  Let's
not forget DHCP and DNS timeouts working.
One tip: if you are not too concerned about DNS resolutions (at the cost
of losing hosts that would only resolve on a DNS but don't respond to
anything) try using the -n option on nmap to avoid DNS resolutions; I've
seen it save a lot of time.  Also, don't forget to use
--max-rtt-timeout for enhanced timing.

Arp spoofing would only help in sniffing the traffic...it's still not
an effective way to enumerate as you will only know the frequently
used servers + Arp spoofing is applicable if the client is on the same
network as the tester.  No kind of sniffing can be as effective as
scans but sniffing could be used in *conjunction* with other stuff
already talked about.

HTH,
-- 
Rajat Swarup

http://rajatswarup.blogspot.com/
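Both posts above touch on using a packet capture to find hosts that active scanning may miss, and on filtering that capture to the target network IDs. The script below is an added example, not code from either poster: it parses a classic libpcap file (Ethernet link type, IPv4 only) with the standard library, restricts itself to assumed target ranges (10.0.0.0/8 and 172.16.0.0/16 stand in for the "class A & B" in the thread), and separates addresses seen as a packet *source* (a host that transmitted, so it is live) from addresses seen only as a *destination* (somebody tried to reach it; it still needs an active probe). The capture bytes are constructed inline so the example runs offline.

```python
"""Passive host discovery from a pcap, filtered to target network IDs.

Added example for the thread above (not the posters' own code).
Assumptions: classic pcap format (magic 0xa1b2c3d4), Ethernet frames,
IPv4 only; ARP and IPv6 frames are skipped.  The sample capture and the
target networks are constructed for the example.
"""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # as read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # as read with "<I" from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800

# Assumed scope: stand-ins for the class A and class B ranges in the thread.
TARGET_NETWORKS = ["10.0.0.0/8", "172.16.0.0/16"]


def parse_pcap(data: bytes):
    """Yield (src_ip, dst_ip, ip_proto) for every IPv4-over-Ethernet frame."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(e + "I", data, 20)   # global header is 24 bytes
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):                          # 16-byte record header
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:           # 14-byte Ethernet + 20-byte minimum IPv4 header
            continue
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue                  # ARP, IPv6, VLAN-tagged frames etc. not handled
        proto = frame[14 + 9]         # IPv4 protocol field
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        yield src, dst, proto


def discover(data: bytes, targets):
    """Return (live, candidates): in-scope hosts that transmitted, and
    in-scope hosts that were only ever a destination."""
    nets = [ipaddress.ip_network(t) for t in targets]
    seen = defaultdict(lambda: {"as_src": 0, "as_dst": 0})
    for src, dst, _proto in parse_pcap(data):
        for ip, role in ((src, "as_src"), (dst, "as_dst")):
            if any(ipaddress.ip_address(ip) in n for n in nets):   # filter on target IDs
                seen[ip][role] += 1
    by_addr = ipaddress.ip_address
    live = sorted((ip for ip, s in seen.items() if s["as_src"]), key=by_addr)
    candidates = sorted((ip for ip, s in seen.items() if not s["as_src"]), key=by_addr)
    return live, candidates


# --- constructed sample capture (not real traffic) -------------------------
def _frame(src, dst, proto=6):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_CAPTURE = _pcap([
    _frame("10.0.5.17", "10.0.1.1"),            # both in scope, both transmit
    _frame("10.0.1.1", "10.0.5.17"),
    _frame("172.16.3.9", "10.0.1.1", proto=17),
    _frame("10.0.9.200", "8.8.8.8", proto=17),  # 8.8.8.8 is out of scope: ignored
    _frame("198.51.100.4", "172.16.40.2"),      # in-scope target that never answers
])

if __name__ == "__main__":
    live, candidates = discover(SAMPLE_CAPTURE, TARGET_NETWORKS)
    print("live (seen transmitting):", live)
    print("candidates (destination only, probe actively):", candidates)
```

The destination-only list is the useful output for the scenario in the thread: those addresses were worth somebody's traffic, so they are the first ones to hand to an active -sT check rather than sweeping the whole range.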


