Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)

From: "Robert E. Lee" <robert () outpost24 com>
Date: Sun, 27 Jan 2008 21:39:19 +0100
On Thu, 2008-01-24 at 15:49 -0600, offset wrote:

Unicorn Scan, I'm using -msf -r 10 on a set of 12 TCP ports, for UDP, I'm using -mU -r10 on a set of 9 ports.


I assume you are using fantaip, and the -s option as well?


I'm finding in unicorn scan that I'm seeing fewer results all listed as 'open' than nmap.


Unfortunately, 10pps is way too slow for -msf (TCP protocol specific
stimulus sending) mode scanning.  While the batch scans are interrupted
for time sensitive things like completing the 3-way handshake, the 10pps
limit is still honored.  Some of the remote systems being probed are
going to time out the connection attempt before unicornscan gets around
to completing the handshake.

This is a limitation that I've talked to Jack (the unicornscan author)
about before.


In nmap, I'm seeing 'open' and 'closed', some hosts report only 'closed', it is these 'closed'
status hosts that are resulting in more IPs listed than what I see in unicornscan.


If you want to see responses in addition to 'open' listed, you can use
the -E option with unicornscan.  You might consider setting up a
postgres database and feed the output from unicornscan directly to a
database.  The web front-end is really useful for picking through all of
the results.  If you need help getting that going, feel free to ask.


So the question, do I consider the nmap results of 'closed' as something I should include as being "live"?
Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to report nothat as "live".  I'm assuming
that for nmap it considers a port 'closed' if it gets a RST flag back.  This delves into the conversation of
interpretation of results versus just reporting the flags it sees compared to the rest of the network.


In TCP scanning, closed means RST/ACK. -U in unicornscan will not
"interpret" these packets, and will just tell you what flags were
received, ie TCP--R-A---  for RST/ACK.

Cheers,

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
 
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert () outpost24 com


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: