Penetration Testing mailing list archives
Scanning for "live" hosts, nmap vs unicornscan (scanrand?)
From: offset <offset () ubersecurity org>
Date: Thu, 24 Jan 2008 15:49:17 -0600
I'm trying to scan network ranges for "live" IPs to feed to a vulnerability scanner. I'm using both nmap and unicornscan currently to try and determine which may be more accurate for my discovery. I haven't looked at scanrand in awhile, so I'm not sure of its merits lately. I want to stress that I am after accuracy versus speed, but also not scanning the full port ranges for discovery. Unicorn Scan, I'm using -msf -r 10 on a set of 12 TCP ports, for UDP, I'm using -mU -r10 on a set of 9 ports. Nmap, I'm using -sT -PS on 10 TCP ports, then -sU -pU: on a set of 9 ports no attempt at network throttling. It is my understanding that nmap tries to do some calculations on speed/latency and why I split out each nmap scan into network ranges where I believe the speed will be similar. Meaning, my international scans will be a separate scan than my domestic scans because I'm not sure if nmap will adjust up/down in speed/latency when it hits a new network. My upload link is 128k (yes I know, it sucks), but that is what I'm working with and hence the packet rate of 10pps. I'm finding in unicorn scan that I'm seeing fewer results all listed as 'open' than nmap. In nmap, I'm seeing 'open' and 'closed', some hosts report only 'closed', it is these 'closed' status hosts that are resulting in more IPs listed than what I see in unicornscan. So the question, do I consider the nmap results of 'closed' as something I should include as being "live"? Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to report that as "live". I'm assuming that for nmap it considers a port 'closed' if it gets a RST flag back. This delves into the conversation of interpretation of results versus just reporting the flags it sees compared to the rest of the network. Also, on the merits of providing packets and looking for a stimulus, it does seem intriguing that maybe I try this using scapy to determine how each scanner interprets 'open' versus 'closed' versus 'filtered', etc. I'm not sure what kind of maximum throughput I can get with using scapy for a port/host discovery scanner. Thanks in advance, -- offset ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Scanning for "live" hosts, nmap vs unicornscan (scanrand?) offset (Jan 25)
- Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?) Robert E. Lee (Jan 28)
- Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?) Marco Ivaldi (Jan 28)