Penetration Testing
mailing list archives
Re: faster scans? (nmap)
From: Gregory Duchemin <c3rb3r () sympatico ca>
Date: Tue, 04 Jun 2002 13:54:05 +0100
Hello,
Additionally, and if the firewall accepts outgoing ICMP traffic from
itself, you should try to firewalk it with the remote IP for which "fast
scans" and pings gave nothing. Doing so (using the same port numbers
as the fast scan) you would see if the remote target is allowed by firewall
rules, giving you an additional clue that either the host exists and is
down or the firewall is misconfigured (too permissive -> host
doesn't exist).
Basically, with fast scan, you know that the remote address didn't respond to
SYN probes, but getting back a time exceeded reply from firewalk probes
gives you confirmation that the host is allowed but not available (not
existing or down).
Try firewalk, first, with a host/port pair you know to be up just to be
sure it is a reliable technique in your context, avoiding a waste of time.
But still nothing for sure; indeed the host may run its own filters
while being up, and by default your best bet remains the big full scan in
SYN scan (-sS); at least you avoid a complete three-way handshake for
responding ports. [:)]
Gregory
Andreas Junestam wrote:
Hi,
there is one more way to do this, but it assumes the machine listens
on at least one well-known port. Do a SYN sweep (fscan is easy to use
for this if you're stuck under Windows) of the entire class B, but only
scan for 10-20 well-known ports and without pinging, such as ftp, ssh,
telnet, dns, http, finger, fw-1 ports, netbios, rpcportmap, https,
ldap, cisco ports and so on. This will not take more than 10-20 sec
per host. When you have pinned down most machines with this (and maybe
combined with an ordinary ping sweep), just hit all found machines with
a full-blown nmap scan.
/andreas
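The sweep Andreas describes (one source touching many hosts on a small set of well-known ports, SYN only, no ping) has a distinctive shape in firewall logs. The following detector is an added example written for this archive page, not code posted by anyone in the thread; the log format and the addresses in it are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original thread): one SYN-only
# packet per line, as a connection-tracking export might record it.
LOG = """\
2002-06-04T13:50:01 src=198.51.100.7 dst=192.0.2.10 dport=22 flags=S
2002-06-04T13:50:01 src=198.51.100.7 dst=192.0.2.11 dport=22 flags=S
2002-06-04T13:50:01 src=198.51.100.7 dst=192.0.2.12 dport=80 flags=S
2002-06-04T13:50:02 src=198.51.100.7 dst=192.0.2.13 dport=443 flags=S
2002-06-04T13:50:02 src=198.51.100.7 dst=192.0.2.14 dport=21 flags=S
2002-06-04T13:50:02 src=198.51.100.7 dst=192.0.2.15 dport=23 flags=S
2002-06-04T13:50:03 src=198.51.100.7 dst=192.0.2.16 dport=53 flags=S
2002-06-04T13:50:03 src=198.51.100.7 dst=192.0.2.17 dport=139 flags=S
2002-06-04T13:50:03 src=198.51.100.7 dst=192.0.2.18 dport=111 flags=S
2002-06-04T13:50:04 src=198.51.100.7 dst=192.0.2.19 dport=389 flags=S
2002-06-04T13:50:09 src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
2002-06-04T13:50:10 src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
2002-06-04T13:50:11 src=203.0.113.9 dst=192.0.2.10 dport=443 flags=S
"""

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)")

def detect_syn_sweep(log, min_hosts=8, max_ports=20):
    """Return {src: (distinct_host_count, sorted_ports)} for every source whose
    SYN-only traffic fans out across at least min_hosts destinations while
    touching no more than max_ports distinct ports. Ordinary clients hit one
    host on a few ports; a horizontal sweep hits many hosts on a short list.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in log.splitlines():
        m = LINE.search(line)
        if not m or m.group(4) != "S":   # only SYN-only packets count
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        hosts[src].add(dst)
        ports[src].add(dport)
    return {src: (len(hosts[src]), sorted(ports[src]))
            for src in hosts
            if len(hosts[src]) >= min_hosts and len(ports[src]) <= max_ports}

if __name__ == "__main__":
    for src, (n, p) in detect_syn_sweep(LOG).items():
        print(f"{src}: {n} hosts on ports {p}")
```

The thresholds are assumptions to tune per network; a source that also trips a ping-sweep rule on the same destinations is the combined approach Andreas mentions.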
wirepair wrote:
Thanks for the responses:
- The -PT option is great if you know the host is
listening on that specific port; otherwise it's kind of
useless. Remember a firewall is most likely sitting
in front intercepting these packets; if the IP does not
exist the firewall's going to drop (and not send a RST) the
packet. This gives us no information to work from, heh.
- The -T Insane (5) and -T Aggressive (4) options don't
exactly help either. Insane gives up after 75 seconds if
no response is seen (keep in mind a machine that may have
a service listening on port 23592; this would never get
picked up, nmap would quit after 75 seconds of scanning
[unless it hit this at random]), so that rules this option
out. Aggressive timed out in 300 seconds, same deal as
before with Insane.
- strobe didn't seem to work any faster in this case; I
tried that as well.
*sigh* people need to not disable ICMP echo reply :)
Any other suggestions? (Thanks to all of you who did
respond)
-wire
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------