Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)
From: Marco Ivaldi <raptor () mediaservice net>
Date: Sat, 26 Jan 2008 15:48:23 +0100 (ora solare Europa occidentale)


On Thu, 24 Jan 2008, offset wrote:

I'm using both nmap and unicornscan currently to try and determine which may be more accurate for my discovery. I haven't looked at scanrand in awhile, so I'm not sure of its merits lately.

Speaking about asyncronous TCP scanning, you may want to take a look at Inode's singsing library:

(soon to be hosted at http://lab.mediaservice.net/)

Specifically, you should try the "zucca" scanner with something like the following command line:

# ./zucca -h x.x.x.x/x -i eth0 -b 10 -p 1-65535 -c
(adjust bandwidth and ports according to your needs)

I bet you'll be impressed by its speed, even though your uplink speed is limited. Even better, you can easily develop your own TCP port scanner based on the singsing library.

So the question, do I consider the nmap results of 'closed' as something I should include as being "live"? Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to report that as "live". I'm assuming that for nmap it considers a port 'closed' if it gets a RST flag back. This delves into the conversation of interpretation of results versus just reporting the flags it sees compared to the rest of the network.

Of course, a host that replies with a TCP RST should be considered alive.


Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]