Penetration Testing mailing list archives
Re: Discovering Live Hosts
From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 8 Aug 2007 12:12:03 -0700 (PDT)
In particular, I have seen Symantec Raptor firewalls respond that way on several occasions. I have rarely seen it with some others, depending on something in the configuration that I did not have the opportunity to examine, and I don't know which models. But the Symantec Raptors, definitely. I am presently scanning a network where I see responses from each and every single IP address with port 139 closed. I presume that not every single IP has a Windows machine behind it blocking file & print services. This appears to be a spurious result. I'm painfully aware of how long it takes to scan a large range for even a limited set of ports, but only wanted to point out a problem with the question. One approach might be to ask the client if they know what IP addresses are active or assigned and then see whether you can reach them through a variety of methods. Or does the customer even know what addresses are in use?

Yes, arp spoofing, and port monitoring as well, will only show you traffic on your current network, but it may reveal traffic to/from hosts within your target range in communication with hosts on your LAN; assuming you're even on a customer LAN and not looking across the internet. I mention it because that is the perspective from which I am usually working and because Nikhil did not specify how he would be connecting to the target network. It may end up a useless suggestion, but it is another possibility for some cases. How you connect to the target networks would be helpful information.

--- rajat swarup <rajats () gmail com> wrote:
On 8/8/07, Sat Jagat Singh <flyingdervish () yahoo com> wrote:

> 1) You hint that your targets may be behind a firewall. I wonder if this is known. If so, a tool called firewalk may assist you. See also http://www.packetfactory.net/Projects/firewalk/
>
> 2) A syn scan (nmap switch -sS) will have false positives in some cases. I often find that some firewalls respond as if every port is open for every single IP address. A full TCP connect is the only way to identify if the host is truly live (nmap switch -sT). It takes longer, but you can't be sure the host is up or down if the firewall is masking all responses until you actually connect to each and every port.
>
> 3) Yes, I said "each and every port." Some hosts don't respond to ICMP. Some may be behind a firewall that masks the responses. Some services may have been remapped to unusual ports. Some hosts support no typical services, but do have something listening on an unusual port.
>
> I'll offer one other thing to try, though, which might help. Capture network traffic to see who is talking on the network. Filter on the target network IDs. Will they let you have a monitor port on the local switch? Can you arp spoof to gain the ability to capture packets? If you get a packet capture, you may often see communications with systems that you may not be otherwise able to reach at all.

Sat.. are you sure it was a firewall or was it something like a portsentry that actively throws off scans by showing spurious open ports? For my knowledge could you elaborate which firewall parameters (and which firewalls) do that? Nmap has a firewall detection capability as it can fingerprint but that is at the cost of time.

Also, we're looking at a class A & B here. Connecting to "each and every port" would be possible if you have the budget for many months. Most pen tests wouldn't have the time / budget for the same. Realistically, you can't find all hosts on such a large network. Let's not forget DHCP and DNS timeouts working.

One tip: if you are not too concerned about DNS resolutions (at the cost of losing hosts that would only resolve on a DNS but don't respond to anything) try using the -n option on nmap to avoid DNS resolutions, I've seen it saves a lot of time. Also, don't forget to use the --max-rtt-timeout for enhanced timing.

Arp spoofing would only help in sniffing the traffic... it's still not an effective way to enumerate as you will only know the frequently used servers + Arp spoofing is applicable if the client is on the same network as the tester. No kind of sniffing can be as effective as scans but sniffing could be used in *conjunction* with other stuff already talked about.

HTH,
--
Rajat Swarup
http://rajatswarup.blogspot.com/
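The spurious-result pattern Sat describes (every address in the range answering with port 139 closed) and Rajat's question about telling a firewall or portsentry-style decoy from real hosts both come down to the same check: does every scanned address give the identical non-filtered answer on a port? The script below is an added example and is not part of this thread or of nmap; it parses nmap's grepable (-oG) host lines, flags ports whose state is uniform across the whole sweep, and lists the addresses whose only responses are those uniform ports, i.e. the ones that still need a full TCP connect before they can be called live. The sample output is constructed, and the function names are the example's own.

```python
"""Flag sweep results that look like a device answering for every address.

Added example (not from the thread). Reads nmap grepable (-oG) "Host:" lines,
finds ports on which every scanned address reports the same non-filtered
state, and separates addresses that show nothing else from those with real
open ports. Uniform answers across a whole range are the symptom of a
firewall (or a decoy such as portsentry) masking responses, not of live hosts.
"""
from collections import Counter

# Constructed sample of nmap -oG output: four addresses, all reporting
# 139/closed, only one of them also showing a genuinely open port.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.20.0.1 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.20.0.2 ()\tPorts: 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (999)
Host: 10.20.0.3 ()\tPorts: 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (999)
Host: 10.20.0.4 ()\tPorts: 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""


def parse_grepable(text):
    """Return {ip: {port: state}} from the "Host:" lines of nmap -oG output.

    Fields are tab-separated; the Ports field holds comma-separated entries of
    the form port/state/protocol/owner/service/rpc/version/ (hypothetical
    parser written for this example, not nmap's own code).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = {}
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                ports[int(parts[0])] = parts[1]
        hosts[ip] = ports
    return hosts


def uniform_responses(hosts, min_hosts=3):
    """Ports where every scanned address reports the identical non-filtered state.

    A handful of hosts can legitimately agree, so nothing is flagged below
    min_hosts; over a large range, 100% agreement is the spurious-result signal.
    """
    if len(hosts) < min_hosts:
        return {}
    counts = Counter()
    for ports in hosts.values():
        for port, state in ports.items():
            counts[(port, state)] += 1
    return {port: state for (port, state), n in counts.items()
            if n == len(hosts) and state != "filtered"}


def hosts_with_open_ports(hosts):
    """Addresses that showed at least one open port: worth following up first."""
    return sorted(ip for ip, ports in hosts.items() if "open" in ports.values())


def unverified_addresses(hosts, min_hosts=3):
    """Addresses whose only responses are the uniform ports.

    These cannot be called live on the strength of a SYN sweep; they need a
    full TCP connect (-sT) or another method before they count as hosts.
    """
    uniform = uniform_responses(hosts, min_hosts)
    return sorted(ip for ip, ports in hosts.items()
                  if ports and set(ports) <= set(uniform))


if __name__ == "__main__":
    results = parse_grepable(SAMPLE_OG)
    print("uniform responses:", uniform_responses(results))
    print("addresses with open ports:", hosts_with_open_ports(results))
    print("still unverified:", unverified_addresses(results))
```

On the constructed sample the script reports 139/closed as uniform across the sweep, keeps 10.20.0.1 as the one address with a real open port, and leaves 10.20.0.2 through 10.20.0.4 as unverified. Run it on real `-oG` output with `-n` and a tightened `--max-rtt-timeout`, as Rajat suggests, and the unverified list is the part of the range that the follow-up connect scan has to cover, which is usually far smaller than "each and every port" on every address.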