Penetration Testing: Re: faster scans? (nmap)

Re: faster scans? (nmap)

From: Yann Berthier <Yann.Berthier_at_hsc.fr>
Date: Mon, 3 Jun 2002 22:27:20 +0200

On Mon, 03 Jun 2002, Steve Maks wrote:

   [context lost thanks to top-posting :p]

> Take a look at the rtt options in nmap (min/max/initial_rtt_timeout), it's
> pretty much required to modify them when you are scanning hosts with -P0.
> Depending on your connection and the target's connection, you can greatly
> improve the scan speed.

   Yes, but one has to keep in mind it depends a lot on the network
   lossage: we have seen very unreliable results with nmap - on
   unreliable networks that is, but when doing a pentest, we can't
   refuse customers because they have bad connectivity, can we ? :)
   
   So back to the subject: scanning large networks is a real problem as
   a pentester. It can take several nmap runs to adjust the rtt
   according to the lossage, and to have the most accurate snapshot of
   the tested network. And then we need to:

   . scan again with fixed source ports
   . scan once more while playing with the ttl

   All of this is very time consuming, and there is no handy solution I
   know. I think we need new paradigms here (yes, no less), but I'm sure
   some of you have already thought about this ...
    
   <sci-fi on>

   Imagine now an ipv6 world where /48 networks at least are the norm
   ...

   </sci-fi on>

   - yann.

-- 
   Yann.Berthier@hsc.fr -*- HSC -*- http://www.hsc.fr/
Received on Jun 03 2002