Penetration Testing mailing list archives

Re: faster scans? (nmap)


From: Gregory Duchemin <c3rb3r () sympatico ca>
Date: Tue, 04 Jun 2002 15:42:34 +0100


That gives me an idea: one could use two hosts for quick 'n' dirty full scans,
one host using nmap for SYN scans in burst mode (low timeout) with the spoofed IP (-s option) of the 2nd host, while the other, possibly waiting in a remote friendly LAN, is just sniffing for SYN/ACK or RST replies and is configured not to send any RST back to the scanned target. This may avoid local system/network congestion for some people, and intermediate network congestion as well, since two different network paths might be used for the requests and the replies, if any.
But it is still helpless in remote low-bandwidth situations, however.
Gregory



JLETOUX () bouyguestelecom fr wrote:

Another solution I used to use is quite similar to this one...
But I was forging packets for the targeted host and putting my computer in
sniffing mode (tcpdump + tcpslice).
Then a tiny script was getting the hosts from which I got a response. Like this,
sending packets is very fast and your net stack is not suffering from the number
of connections, because there aren't any ;) Have a nice day =)
Regards,

Jean-Marc LE TOUX
Jar Jar Binks: Monsters out there, leaking in here. Weesa all sinking and no
power. Whena yousa thinking we are in trouble? (Episode 1, Star Wars)

PS: for forging, take a look at iwu.c, located in
http://www.hsc.fr/ressources/outils/idswakeup/download/IDSwakeup-1.0.tgz

-----Original Message-----
From:     Andreas Junestam [SMTP:andreas () atstake com]
Date:     Tuesday, 4 June 2002 09:57
To:       wirepair
Cc:       pen-test () securityfocus com
Subject:  Re: faster scans? (nmap)

Hi,

there is one more way to do this, but it assumes the machine listens
on at least one well-known port. Do a SYN sweep (fscan is easy to use
for this if you're stuck under Windows) of the entire class B, but only
scan for 10-20 well-known ports and without pinging, such as ftp, ssh,
telnet, dns, http, finger, fw-1 ports, netbios, rpcportmap, https,
ldap, cisco ports and so on. This will not take more than 10-20 sec
per host. When you have pinned down most machines with this (maybe
combined with an ordinary ping sweep), just hit all found machines with
a full-blown nmap scan.

/andreas

wirepair wrote:

Thanks for the responses:
- The -PT option is great if you know the host is
listening on that specific port; otherwise it's kind of
useless. Remember a firewall is most likely sitting
in front intercepting these packets; if the IP does not
exist the firewall's going to drop the packet (and not send a RST).
This gives us no information to work from, heh.
- The -T Insane (5) and -T Aggressive (4) options don't
exactly help either. Insane gives up after 75 seconds if
no response is seen (keep in mind a machine that may have
a service listening on port 23592 would never get
picked up; nmap would quit after 75 seconds of scanning
[unless it hit this by random]), so that rules this option
out. Aggressive timed out in 300 seconds, same deal as
before with Insane.
- strobe didn't seem to work any faster in this case; I
tried that as well.
*sigh* people need to not disable ICMP echo reply :)
Any other suggestions? (Thanks to all of you who did
respond)
-wire
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>
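The defender's side of what this thread describes: Andreas's sweep of a whole class B on a short list of well-known ports, and the half-open approach Gregory and Jean-Marc describe, where SYNs go out but the SYN/ACKs are never answered by the sender. The detector below is an added example, not code from anyone in the thread; it walks constructed tcpdump-style lines (RFC 5737 addresses, not a real capture) and flags a source that SYNs many distinct hosts in a short window, reporting how many of the SYN/ACKs it received were left hanging.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (RFC 5737 addresses), not a real capture:
# 192.0.2.10 sweeps five hosts on well-known ports and never finishes a
# handshake; 192.0.2.77 is an ordinary client completing one connection.
SAMPLE_LOG = """\
09:57:01.000001 IP 192.0.2.10.40001 > 198.51.100.1.22: Flags [S], seq 1, win 1024, length 0
09:57:01.000200 IP 192.0.2.10.40002 > 198.51.100.2.80: Flags [S], seq 1, win 1024, length 0
09:57:01.000400 IP 192.0.2.10.40003 > 198.51.100.3.22: Flags [S], seq 1, win 1024, length 0
09:57:01.000600 IP 192.0.2.10.40004 > 198.51.100.4.443: Flags [S], seq 1, win 1024, length 0
09:57:01.000800 IP 192.0.2.10.40005 > 198.51.100.5.80: Flags [S], seq 1, win 1024, length 0
09:57:01.002000 IP 198.51.100.1.22 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 5840, length 0
09:57:05.000000 IP 192.0.2.77.51515 > 198.51.100.9.443: Flags [S], seq 1, win 65535, length 0
09:57:05.001000 IP 198.51.100.9.443 > 192.0.2.77.51515: Flags [S.], seq 9, ack 2, win 5840, length 0
09:57:05.002000 IP 192.0.2.77.51515 > 198.51.100.9.443: Flags [.], ack 10, win 65535, length 0
"""

# "HH:MM:SS.usec IP src.sport > dst.dport: Flags [..]" -> time, 4-tuple, flags
LINE_RE = re.compile(r'^(\d\d):(\d\d):(\d\d\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > '
                     r'(\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]')

def detect_syn_sweeps(log_text, window=10.0, min_hosts=5):
    """Return {src: (distinct_hosts, sorted_ports, unanswered_synacks)} for sources
    that SYNed >= min_hosts distinct hosts within `window` seconds (pure SYNs only)."""
    syns = defaultdict(list)   # src -> [(t, dst, dport)]
    synacks = set()            # (client, cport, server, sport) with a SYN/ACK seen
    finished = set()           # same tuples where the client later sent anything back
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, src, sp, dst, dp, flags = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if flags == 'S':
            syns[src].append((t, dst, int(dp)))
        elif flags == 'S.':                        # server reply, keyed on the client
            synacks.add((dst, dp, src, sp))
        elif (src, sp, dst, dp) in synacks:        # client's ACK, RST or data
            finished.add((src, sp, dst, dp))
    report = {}
    for src, events in sorted(syns.items()):
        events.sort()
        best = max(len({d for t, d, _ in events[i:] if t - t0 <= window})
                   for i, (t0, _, _) in enumerate(events))
        if best >= min_hosts:
            pending = sum(1 for k in synacks if k[0] == src and k not in finished)
            report[src] = (best, sorted({p for _, _, p in events}), pending)
    return report
```

Run it over `tcpdump -nn -tttt`-free output (the default `-nn` timestamp form shown above); a source that shows up with a small well-known port set and a non-zero unanswered count is the stage-one sweep described in the thread, and the hosts it hit are the ones to watch for the follow-up full scan.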


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/







