Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: RFC on Nping: Raw packet probing nirvana
From: Ron <ron () skullsecurity net>
Date: Fri, 08 May 2009 10:08:59 -0500

Hi Brandon.  You should think about this more when you're more rested,
as I think you're on to something!  In particular, a number of people
over the years have asked for this sort of client/server testing to
determine what packets are being dropped and how they're being
manipulated across the network.

If you can think up a concrete proposal, please do send it for
discussion.  Having Nping act as the sniff server itself is an
interesting idea.  Or we could have another tool for that (nsniff?),
which would sniff for a unique token/signature which Nping, Nmap and
the like could be requested to send.  This signature could be a unique
IP option string, IP ID, TCP option, data value, or the like.  That
would make it very easy to isolate and only show the packets coming
from Nmap/Nping.  But it may not work well for some of the things you
have in mind.  I'm just doing late night incoherent brainstorming too
:).  But everyone has probably noticed that I've lately had a
propensity for dreaming up new tools :).
>...

This is very much related to what Brandon suggested, but a somewhat different purpose (maybe :) ).

When doing pentesting work, you are sometimes starting from a residential ISP, and there's no telling what filters are in place (one ISP here filters 445, for example, which makes detecting Conficker difficult). Or maybe you broke into the target's wireless network, or are staying at a hotel. It'd be good to have a way of testing an ISP's filters, whether it's port-based, session-based, actual attack signatures, etc.

I once whipped up a in Perl where the client would tell the server that it was going to start sending stuff. The server would basically run tcpdump and log everything. When the client announced it was done, the server would send the full capture log to the client. It was up to the client to see what's missing and report what type of filters are in place.

I didn't actually get past writing the server portion, unfortunately. But knowing what kind of filters are in place could be extremely useful to a pen tester (when I was taking a SANS course with Ed Skoudis, he mentioned a desire for such a tool).

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]