Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)

[Marco Ivaldi <raptor () mediaservice net>]

Offset,

On Thu, 24 Jan 2008, offset wrote:

> I'm using both nmap and unicornscan currently to try and determine which 
> may be more accurate for my discovery. I haven't looked at scanrand in 
> awhile, so I'm not sure of its merits lately.

Speaking about asyncronous TCP scanning, you may want to take a look at 
Inode's singsing library:

http://singsing.woolly-sheep.net/
(soon to be hosted at http://lab.mediaservice.net/)

Specifically, you should try the "zucca" scanner with something like the 
following command line:

# ./zucca -h x.x.x.x/x -i eth0 -b 10 -p 1-65535 -c
(adjust bandwidth and ports according to your needs)

I bet you'll be impressed by its speed, even though your uplink speed is 
limited. Even better, you can easily develop your own TCP port scanner 
based on the singsing library.

> So the question, do I consider the nmap results of 'closed' as something 
> I should include as being "live"? Can I adjust unicornscan to tell me 
> that if it gets a 'closed' on a host, to report that as "live".  I'm 
> assuming that for nmap it considers a port 'closed' if it gets a RST 
> flag back.  This delves into the conversation of interpretation of 
> results versus just reporting the flags it sees compared to the rest of 
> the network.

Of course, a host that replies with a TCP RST should be considered alive.

Cheers,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------