Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Nmap
From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 3 Oct 2011 15:49:46 +0200 (ora legale Europa occidentale)


On Sat, 1 Oct 2011, Mel Chandler wrote:

The best way I can think of off the top of my head is to do two
similar scans, one with a ping scan and the other looking for open
ports but without pinging (-Pn) dumping them to two different files
and do a diff between them.  Granted if you have a host out there
without any ports open (or you just didn't scan for the port it had
open) you'll miss it.  Maybe someone else has a better idea?

If your target network is large, Nmap may take a long time to perform a full TCP scan. Instead, you might wanna try an asyncronous stateless TCP scanner such as scanrand or singsing [1]. Remember to watch for closed ports as well, which return TCP RSTs responses.

Also, targeted UDP scans performed with payload-based scanners such as Unicornscan or Metasploit Framework's udp_sweep can help identifying active hosts with no exposed TCP services. Don't forget to try specific tools in order to identify UDP services, e.g. ike-scan and onesixtyone.

Finally, less intrusive methods such as DNS scanning (via Nmap -sL, bruteforce tools such as fierce.pl, or DNS AXFR if available) and Google searches can sometimes do wonders;)

PS. Of course, if you are on the same network segment as your targets, ARP scan is the way to go, either with Nmap or something like arp-scan.

[1] http://lab.mediaservice.net/code/singsing/

Marco Ivaldi                          OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://www.mediaservice.net/
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]