[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Nmap



Yet another note, this one ARP-related: while true that most devices on
your local network will respond to ARP, it's important to note (as the
wording of "almost certain" implies) that it is possible to purposely
suppress ARP responses to all but a few hosts. I know for certain that the
Linux kernel has a module (and associated toolset) specifically for that
sort of thing called arptables, with usage very similar to iptables if
you're already familiar with that.

There's also a tool (again on *nix) called arping, which is ping but with
ARP requests. Device firewalls (or at least Windows's built in firewall)
tend(s) not to block ARP requests or replies, so arping might be able to
show you those firewalled hosts, too. (That doesn't mean those hosts aren't
properly configured to correctly block incoming traffic, however!)

On Mon, Jan 2, 2012 at 2:10 PM, Gage Bystrom <themadichib0d@xxxxxxxxx>wrote:

> (I don't have the original, so ill qoute this guy)
>
> Nmap has an option to change how it determines if a host is up by
> attempting a port connection instead. I find this to be highly effective.
> Using a couple of standard ports are the best, such as 80, 21, etc. If you
> only have a few ports your searching for, then drop host discovery and scan
> those specific ports, youd get the same results but a tad bit less
> overhead(mainly in the sense of stealth or an obsession with not wasting
> bandwidth if you can help it)
> On Jan 2, 2012 1:00 PM, "S Walker" <walker_s@xxxxxxxxxxxxx> wrote:
>
>>
>> Just an added note to the current replies (which are all great for hosts
>> not in the local broadcast domain): It is almost certain that every device
>> in your local network will respond to an ARP request. nmap does this by
>> default anyway (-PR for local networks), but it's worth bearing in mind, as
>> something local that won't respond to an ARP request is almost certainly
>> not reachable.
>>
>> S
>>
>> ----------------------------------------
>> > Date: Mon, 2 Jan 2012 12:03:42 -0500
>> > Subject: Re: Nmap
>> > From: juan.quine@xxxxxxxxx
>> > To: pen-test@xxxxxxxxxxxxxxxxx
>> >
>> > Sorry for the late answer...
>> >
>> > But when you scan for machines that do not answer to ping (it means
>> > answer with an echo reply for each echo request), you could try using
>> > timestamp, and will return timestamp reply, and also information
>> > request and wait for an information reply
>> >
>> > Both coould be useful also to detect equipments that do not answer to
>> > ping. And if you want something more "noisy" maybe a network discovery
>> > or a -P0 option.
>> >
>> > Here is a summary of message types with their port (for ICMP protocol).
>> >
>> > 0 Echo Reply
>> > 3 Destination Unreachable
>> > 4 Source Quench
>> > 5 Redirect
>> > 8 Echo
>> > 11 Time Exceeded
>> > 12 Parameter Problem
>> > 13 Timestamp
>> > 14 Timestamp Reply
>> > 15 Information Request
>> > 16 Information Reply
>> >
>> > More detail on: http://www.faqs.org/rfcs/rfc792.html
>> >
>> > Hope it will be useful.
>> >
>> > Regards,
>> >
>> > Juan Pablo.
>> >
>> > On Sun, Oct 2, 2011 at 4:35 PM, John M. Martinelli
>> >  wrote:
>> > > This would work but it would be kind of "noisy" to open port scan
>> > > every host. Also probably a little more time consuming.
>> > >
>> > > Adding in syn scan or open port scan will create more time required as
>> > > we're now looking for open ports. What if all ports are closed? Will
>> > > it respond to a certain type of ICMP?
>> > >
>> > > I think a great question to ask is: "What is the least-impactful way I
>> > > can very quickly determine what hosts are alive?" without a
>> > > traditional ping sweep.
>> > >
>> > > On Sat, Oct 1, 2011 at 10:37 PM, Jeffory Atkinson  wrote:
>> > >>
>> > >> All depends on what you are trying to achieve. I would assume that
>> you are not concerned about monitoring devices seeing you have done a ping
>> sweep with nmap. I agree with others a port scan is going to give you the
>> best idea if a host is active. There are Many instances filtering devices
>> can drop icmp or respond for hosts behind them.  Open ports and services
>> are the best identifiers. A port has to be open in some form (open or
>> filtered) to interact with in-bound connections. I would recommend a -sS
>> (syn) scan you can opt for standard services or add -p1- for all 65k+
>> ports. All ports will verify and services/demons running. There are other
>> options if bandwidth is an issue.
>> > >>
>> > >>
>> > >> On Sep 30, 2011, at 5:17 PM, Ukpong  wrote:
>> > >>
>> > >> > Can somebody suggest the best NMAP commands for identifying hosts
>> that
>> > >> > are not responding to ICMP ping requests ?
>> > >> >
>> > >> >
>> ------------------------------------------------------------------------
>> > >> > This list is sponsored by: Information Assurance Certification
>> Review Board
>> > >> >
>> > >> > Prove to peers and potential employers without a doubt that you
>> can actually do a proper penetration test. IACRB CPT and CEPT certs require
>> a full practical examination in order to become certified.
>> > >> >
>> > >> > http://www.iacertification.org
>> > >> >
>> ------------------------------------------------------------------------
>> > >> >
>> > >>
>> > >>
>> ------------------------------------------------------------------------
>> > >> This list is sponsored by: Information Assurance Certification
>> Review Board
>> > >>
>> > >> Prove to peers and potential employers without a doubt that you can
>> actually do a proper penetration test. IACRB CPT and CEPT certs require a
>> full practical examination in order to become certified.
>> > >>
>> > >> http://www.iacertification.org
>> > >>
>> ------------------------------------------------------------------------
>> > >>
>> > >
>> > >
>> ------------------------------------------------------------------------
>> > > This list is sponsored by: Information Assurance Certification Review
>> Board
>> > >
>> > > Prove to peers and potential employers without a doubt that you can
>> actually do a proper penetration test. IACRB CPT and CEPT certs require a
>> full practical examination in order to become certified.
>> > >
>> > > http://www.iacertification.org
>> > >
>> ------------------------------------------------------------------------
>> > >
>> >
>> >
>> >
>> > --
>> >
>> > ===============================================
>> > |_|0|_| Ing Juan Quiñe, CISSP, OSCP, GISP, ISO 27001 LA, Cobit-F.
>> > |_|_|0| visita: http://hackspy.blogspot.com/
>> > |0|0|0| a.k.a. HaCKsPy - from Security Wari Projects, now PeruSEC
>> >
>> > "... hacking is a way to live your life, not a day job or semi-ordered
>> > list of instructions found in a thick book ..." Anthony Bunyan
>> > "... Live your life as if you will die tomorrow but learn as if you
>> > will live forever ..." Mahatma Gandhi
>> > "... Romper un sistema de seguridad los acerca tanto a ser hackers
>> > como encender autos puenteando cables los convierte en ingenieros
>> > automitrices ..."
>> > "... Nada es tan importante, ni tan urgente que no pueda ser hecho con
>> > seguridad ..."
>> >
>> > ------------------------------------------------------------------------
>> > This list is sponsored by: Information Assurance Certification Review
>> Board
>> >
>> > Prove to peers and potential employers without a doubt that you can
>> actually do a proper penetration test. IACRB CPT and CEPT certs require a
>> full practical examination in order to become certified.
>> >
>> > http://www.iacertification.org
>> > ------------------------------------------------------------------------
>> >
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Information Assurance Certification Review
>> Board
>>
>> Prove to peers and potential employers without a doubt that you can
>> actually do a proper penetration test. IACRB CPT and CEPT certs require a
>> full practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> ------------------------------------------------------------------------
>>
>>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/