Nmap Development mailing list archives
Re: Nmap notes from a few conferences
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 10 Jun 2009 03:02:14 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 9 Jun 2009 19:37:33 -0700
Fyodor <fyodor () insecure org> wrote:

...
> > * People don't seem to know about nbstat.nse and are still talking
> > about nbtscan. Ron did some very good work with nbstat. I don't think
> > people know how to scan a very large network for UDP/137 quickly. In
> > our documentation I think we should try to highlight how to use
> > nbstat.nse really quickly.
>
> It sounds like you have some ideas related to quick UDP scanning?
> Maybe you could add some examples/information to the nbtscan NSEDoc?
Well UDP scanning is always going to be slow unless you can be massively
parallel. Since with nbstat you're only looking for UDP port 137 you
should be able to do something like:

  $ sudo nmap -v -T5 -PN -sUC --script=nbstat -p 137 -n --min-hostgroup 16384 --min-rtt-timeout 1000 --min-parallelism 4096 <big networks here>

Unfortunately, I just tried that and NSE deadlocks immediately. No
scripts complete. If I take out the script portion I can scan a /16 for
just port 137 with the above command in about 50 seconds.

I tried removing --script and adding -sV but that caused:

  nmap: gh_list.c:347: gh_list_remove_elem: Assertion `list->count == 0 || (list->first && list->last)' failed.
  Aborted

David and I ran into this before with huge hostgroups. At the time we
thought Nsock was unable to handle so many sockets.

In terms of fast UDP scanning, nbstat is a special case because it is
just one port. Actually creating that many UDP sockets, though, seems to
make NSE and Nsock pretty unhappy. When I wrote the original version of
nbstat and tested it, I was able to use huge hostgroups and it ran fine.
Ron did add a lot of features and NSE has changed a lot since then.

...
> > that the documentation and examples are out there. This is mostly
> > what my DDCSW presentation was about.
>
> Do you have slides or a video recording online?
With the caveat that this was a 15-minute presentation because DDCSW was
discussion and question/answer oriented, and also that the target
audience was not your typical nmap-dev subscriber, the abstract and
presentation link are:

Effectively Scanning Huge Networks with Nmap to find backdoors and
suspicious services:

On a large network a tool like Nmap may feel like a toy. Just as you
can't extend your core network with a $25 Linksys router from Best Buy,
you can't just fire up Nmap, tell it to scan a handful of /16s and expect
anything useful to happen. Scanning large networks requires a solution
that scales, maintains good speed, and can be automated. Fortunately,
with the appropriate use of Nmap's many options and a few wrapper scripts,
Nmap can be made to scan very large networks smoothly with useful
results. This presentation will provide the necessary scripts, knowledge,
and checklist needed to start up scanning your organization. This
presentation will also cover using Nmap for some tasks normally thought
of as Nessus-only like Windows password auditing, MS08-067 checking,
Conficker scanning, etc.

Link: http://noh.ucsd.edu/~bmenrigh/nmap_ddcsw.pdf

Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAkovIkAACgkQqaGPzAsl94LokQCgskUMUCoY5GtacIZrQ/2SExn2
gNYAn1Vy5JkBXUnXHFke2R8ZsYWFFuCr
=Gv6y
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
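The UDP/137 node-status (NBSTAT) exchange that nbstat.nse drives, as an added example that is not code from this thread, from nbstat.nse or from Nmap. It builds the wildcard "*" node-status query and parses the reply (RFC 1002 section 4.2.18: the registered names with their suffix and group/active flags, then the UNIT_ID, i.e. the MAC). The sample reply, the host name WORKSTN1, the workgroup WORKGROUP and the MAC 00:11:22:33:44:55 are constructed, not captured. The `nbstat_sweep` function illustrates the point raised in the message above about opening one UDP socket per target: every probe is sent from a single socket and replies are demultiplexed by source address. It needs network access and is not run by the offline demo.

```python
"""NetBIOS Name Service node-status (NBSTAT) packets on UDP/137.
Added example; not from the nmap-dev thread, nbstat.nse or Nmap.
Layout per RFC 1002 sec. 4.2.18; the sample reply below is constructed."""
import selectors
import socket
import struct
import time

NBSTAT_TYPE = 0x0021
IN_CLASS = 0x0001
# The "*" name (asterisk + 15 NULs) asks a node to list every name it holds.
WILDCARD = b"*" + b"\x00" * 15


def encode_name(name16: bytes) -> bytes:
    """First-level encoding: each nibble of the 16-byte name becomes one of 'A'..'P'."""
    if len(name16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    chars = bytes(c for b in name16 for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([32]) + chars + b"\x00"


def decode_name(data: bytes, off: int):
    """Inverse of encode_name; returns (16-byte name, offset just past the label)."""
    if off >= len(data) or data[off] != 32 or len(data) < off + 34:
        raise ValueError("malformed NetBIOS label")
    raw = data[off + 1:off + 33]
    if any(not 0x41 <= c <= 0x50 for c in raw):
        raise ValueError("label contains characters outside 'A'..'P'")
    name = bytes(((raw[i] - 0x41) << 4) | (raw[i + 1] - 0x41) for i in range(0, 32, 2))
    return name, off + 34


def build_nbstat_query(txid: int) -> bytes:
    """Node-status request: 12-byte header with QDCOUNT=1, the '*' question, type NBSTAT."""
    header = struct.pack(">HHHHHH", txid & 0xFFFF, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT_TYPE, IN_CLASS)


def parse_nbstat_response(data: bytes) -> dict:
    """Return transaction id, the names a node registered (with flags) and its MAC."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a name-service response carrying an answer")
    off = 12
    for _ in range(qd):  # node-status replies carry no question, but tolerate one
        _, off = decode_name(data, off)
        off += 4
    _, off = decode_name(data, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not NBSTAT (type 0x%04x)" % rtype)
    rdata = data[off:off + rdlen]
    num = rdata[0] if rdata else 0
    if len(rdata) < 1 + 18 * num + 6:  # NUM_NAMES, NODE_NAME entries, then UNIT_ID (MAC)
        raise ValueError("truncated node-status data")
    names, p = [], 1
    for _ in range(num):
        nflags = struct.unpack_from(">H", rdata, p + 16)[0]
        names.append({"name": rdata[p:p + 15].rstrip(b" ").decode("latin-1"),
                      "suffix": rdata[p + 15],
                      "group": bool(nflags & 0x8000),    # G bit: group vs unique name
                      "active": bool(nflags & 0x0400)})  # ACT bit
        p += 18
    mac = ":".join("%02x" % b for b in rdata[p:p + 6])
    return {"txid": txid, "names": names, "mac": mac}


def build_sample_response(txid: int) -> bytes:
    """Constructed reply for a fictitious host WORKSTN1 in WORKGROUP, MAC 00:11:22:33:44:55."""
    entries = [(b"WORKSTN1", 0x00, 0x0400),   # workstation service, unique, active
               (b"WORKSTN1", 0x20, 0x0400),   # file server service
               (b"WORKGROUP", 0x00, 0x8400)]  # workgroup name, group, active
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40  # UNIT_ID, then zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative
    rr = encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT_TYPE, IN_CLASS, 0, len(rdata))
    return header + rr + rdata


def nbstat_sweep(targets, timeout=2.0):
    """Probe many hosts from ONE UDP socket; replies are keyed by source address.
    Needs network access (not exercised offline). Transaction id = target index."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s, selectors.DefaultSelector() as sel:
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ)
        for i, host in enumerate(targets):
            s.sendto(build_nbstat_query(i), (host, 137))
        deadline = time.monotonic() + timeout
        while (left := deadline - time.monotonic()) > 0 and sel.select(timeout=left):
            try:
                data, (src, _port) = s.recvfrom(2048)
                results[src] = parse_nbstat_response(data)
            except (ValueError, OSError):
                continue  # stray/malformed datagram or ICMP-induced error; keep collecting
    return results


if __name__ == "__main__":
    info = parse_nbstat_response(build_sample_response(0x1234))
    print(info["mac"], [(n["name"], "<%02x>" % n["suffix"]) for n in info["names"]])
```

The parser checks the label alphabet, record type and RDATA length before indexing into it, so a hostile or truncated datagram raises ValueError instead of crashing the sweep; the sweep's single socket is the design choice the thread's Nsock problem argues for.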
Current thread:
- Nmap notes from a few conferences Brandon Enright (Jun 09)
- Re: Nmap notes from a few conferences Fyodor (Jun 09)
- Re: Nmap notes from a few conferences Brandon Enright (Jun 09)
- Re: Nmap notes from a few conferences Ron (Jun 09)
- Re: Nmap notes from a few conferences Fyodor (Jun 09)
- Re: Nmap notes from a few conferences Ron (Jun 10)
- Re: Nmap notes from a few conferences David Fifield (Jun 09)
- Re: Nmap notes from a few conferences Fyodor (Jun 09)
- Re: Nmap notes from a few conferences Fyodor (Jun 09)
