Nmap Hackers: Re: distributed nmap?

Re: distributed nmap?

From: Simple Nomad <thegnome_at_nmrc.org>
Date: Tue, 21 Mar 2000 16:12:44 -0600 (CST)

The easiest way to make nmap distributed is to modify it to just listen.
Run nmap in listen mode on 192.168.1.1, and have several instances of
nmap on other systems scanning with a forged source address of
192.168.1.1. All the replies would go to 192.168.1.1.

For example, you have nmap on 192.168.1.1 listening with the theoretical
-L option, started as such: nmap -L -sS -v -v -n 10.10.10.1-3. On another
box you start a scan: nmap -sS -n -S 192.168.1.1 10.10.10.1, and repeat on
additional boxes for .2 and .3.

The listener, perhaps using an additional timeout parameter, eventually
receives all the packets it's going to receive and reports what it heard.

What makes this even more interesting is if your listener is upstream from
the spoofed source address. Then you could spoof the source address on the
listener and listen to replies as they go flying by toward the
unsuspecting spoofed host.

Since nmap uses libpcap you can already spoof a source address on your
same network and still get the reply, so this isn't as far-fetched as it
sounds. I did a similar thing with icmpenum available at
http://razor.bindview.com/ in the tools section, which does distributed
host enumeration via icmp packets. Hopefully I'll get some time and take a
real serious look at nmap soon because I think this would be a fairly
interesting feature.

- Simple Nomad - No rest for the Wicca'd -
- thegnome_at_nmrc.org - www.nmrc.org -
- thegnome_at_razor.bindview.com - razor.bindview.com -

On Sat, 18 Mar 2000, Lorell Hathcock wrote:

> Greetings!
>
> I understand that in version 2.0 of nmap, nmap will run parallel processes
> or scans simultaneously. Has anyone done any work with an nmap scan from a
> distributed set of servers? What are the pros and cons of such an approach?
>
> It seems like a few of the pros would be a faster scan is possible of
> larger networks. Also, it seems a scan could be done more "stealthily" if
> a broad set of servers were brought to bear on it. It would look like a
> decoy attack when in fact it wasn't.
>
> Some of the cons are that it could be difficult to distribute commands to
> each of the member servers and to recombine the results of the scan.
>
> Any thoughts?
>
> Thanks!
>
> Lorell Hathcock
>
>
>
Received on Mar 21 2000
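A defender's-side example added here, not code from the thread or from nmap itself: the "unsuspecting spoofed host" in the post sees SYN/ACK and RST/ACK segments for connections it never opened, so this script keeps a table of the host's own outbound SYNs and flags inbound replies that match none of them, then counts them per remote host. The Packet record, MY_ADDR and the sample capture are constructed assumptions.

```python
# Added example, not from the mailing-list thread or from nmap itself.
# A host whose address was forged as a scan's source sees SYN/ACK or RST/ACK
# segments for connections it never opened. Keep a table of our own outbound
# SYNs and report inbound replies that match none of them; that backscatter
# is the signature of being the "unsuspecting spoofed host".
from collections import Counter, namedtuple

# Simplified TCP packet record (assumption): flags is "S", "SA" or "RA".
Packet = namedtuple("Packet", "src sport dst dport flags")

MY_ADDR = "192.168.1.1"  # address being monitored (constructed value)

def find_unsolicited_replies(packets, my_addr=MY_ADDR):
    """Return inbound SYN/ACK or RST/ACK packets with no prior outbound SYN."""
    outstanding = set()  # (local_port, remote_addr, remote_port) of our own SYNs
    unsolicited = []
    for p in packets:
        if p.src == my_addr and p.flags == "S":
            outstanding.add((p.sport, p.dst, p.dport))
        elif p.dst == my_addr and p.flags in ("SA", "RA"):
            key = (p.dport, p.src, p.sport)
            if key in outstanding:
                outstanding.discard(key)  # reply to our own connection attempt
            else:
                unsolicited.append(p)
    return unsolicited

def backscatter_sources(packets, my_addr=MY_ADDR):
    """Count unsolicited replies per remote host; many hosts each replying a
    few times looks like scan backscatter rather than one misbehaving peer."""
    return Counter(p.src for p in find_unsolicited_replies(packets, my_addr))

# Constructed capture: one legitimate connection plus three replies to SYNs
# that some other machine sent with 192.168.1.1 forged as the source.
SAMPLE = [
    Packet("192.168.1.1", 40001, "10.10.10.1", 80, "S"),
    Packet("10.10.10.1", 80, "192.168.1.1", 40001, "SA"),   # expected reply
    Packet("10.10.10.2", 22, "192.168.1.1", 51234, "SA"),   # never asked for
    Packet("10.10.10.2", 23, "192.168.1.1", 51235, "RA"),   # closed-port reply
    Packet("10.10.10.3", 443, "192.168.1.1", 51236, "SA"),  # never asked for
]

if __name__ == "__main__":
    for p in find_unsolicited_replies(SAMPLE):
        print(f"unsolicited {p.flags} from {p.src}:{p.sport} to port {p.dport}")
    print(dict(backscatter_sources(SAMPLE)))
```

A stateful firewall or IDS does the same bookkeeping on live traffic; a sudden burst of such replies from many hosts is worth an alert, since it means someone is scanning with your address as the source.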
