Penetration Testing mailing list archives

Re: Nmap


From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 3 Oct 2011 15:49:46 +0200 (Western Europe Daylight Time)

Hi,

On Sat, 1 Oct 2011, Mel Chandler wrote:

> The best way I can think of off the top of my head is to do two
> similar scans, one with a ping scan and the other looking for open
> ports but without pinging (-Pn), dumping them to two different files
> and doing a diff between them.  Granted, if you have a host out there
> without any ports open (or you just didn't scan for the port it had
> open) you'll miss it.  Maybe someone else has a better idea?

If your target network is large, Nmap may take a long time to perform a full TCP scan. Instead, you might want to try an asynchronous stateless TCP scanner such as scanrand or singsing [1]. Remember to watch for closed ports as well, which return TCP RST responses.

Also, targeted UDP scans performed with payload-based scanners such as Unicornscan or Metasploit Framework's udp_sweep can help identify active hosts with no exposed TCP services. Don't forget to try specific tools in order to identify UDP services, e.g. ike-scan and onesixtyone.

Finally, less intrusive methods such as DNS scanning (via Nmap -sL, bruteforce tools such as fierce.pl, or DNS AXFR if available) and Google searches can sometimes do wonders ;)

PS. Of course, if you are on the same network segment as your targets, ARP scan is the way to go, either with Nmap or something like arp-scan.

[1] http://lab.mediaservice.net/code/singsing/

--
------------------------------------------------------------------
Marco Ivaldi                          OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
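As an added example (not code from this thread, and not part of Nmap), the following POSIX shell script does the two-scan diff Mel describes and applies Marco's caveat that closed ports are evidence of life too: it parses Nmap grepable output (-oG) from a ping scan and from a -Pn port scan, and lists the hosts that only the -Pn scan found, flagging those whose only answer was a TCP RST. The scan commands are shown as comments, the 10.0.0.0/29 network and both output files are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: implements the two-scan diff Mel
# suggests, with Marco's caveat that closed ports (RST replies) also prove a
# host is alive. Assumes Nmap grepable output (-oG); the scans themselves are
# shown as comments and the sample files below are constructed, not real scans.
#
#   nmap -sn -n -oG ping.gnmap 10.0.0.0/24          # ping scan
#   nmap -Pn -n -p 1-1024 -oG pn.gnmap 10.0.0.0/24  # port scan, no host discovery

# Hosts the ping scan reported alive (skip comment lines, keep "Status: Up").
ping_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1" | sort -u
}

# Hosts the -Pn scan actually got a TCP answer from. With -Pn every target is
# printed as "Status: Up", so that field is meaningless here; a host counts as
# responsive only if at least one port is open (SYN/ACK) or closed (RST).
# Prints "host open_count closed_count"; all-filtered hosts are dropped.
responsive_hosts() {
    awk '
    /^Host:/ {
        host = $2
        if (match($0, /Ports: /) == 0) next       # no port list on this line
        ports = substr($0, RSTART + RLENGTH)
        sub(/[ \t]+Ignored State:.*$/, "", ports)  # drop trailing summary field
        n = split(ports, p, /, /)
        open = 0; closed = 0
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")                    # port/state/proto/owner/service/...
            if (f[2] == "open") open++
            else if (f[2] == "closed") closed++
        }
        if (open + closed > 0) print host, open, closed
    }' "$1" | sort -u
}

# Hosts alive according to -Pn but absent from the ping scan: the ones a
# ping-only sweep would have missed. RST-only hosts are flagged separately.
missed_hosts() {                  # $1 = ping -oG file, $2 = -Pn -oG file
    up=$(ping_hosts "$1")
    responsive_hosts "$2" | while read -r host open closed; do
        printf '%s\n' "$up" | grep -Fxq "$host" && continue
        if [ "$open" -eq 0 ]; then
            printf '%s open=%s closed=%s (RST only)\n' "$host" "$open" "$closed"
        else
            printf '%s open=%s closed=%s\n' "$host" "$open" "$closed"
        fi
    done
}

# Constructed sample output for a hypothetical 10.0.0.0/29 network:
# .1 and .2 answer ping; .3 drops ICMP but has SSH open; .4 answers only with
# RSTs; .5 is silently filtered everywhere.
PING_OUT=$(mktemp); PN_OUT=$(mktemp)
{
    printf '# Nmap scan initiated (constructed sample of -sn -oG output)\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
    printf '# Nmap done\n'
} > "$PING_OUT"
{
    printf '# Nmap scan initiated (constructed sample of -Pn -oG output)\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (1022)\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.2 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (1023)\n'
    printf 'Host: 10.0.0.3 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.3 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: filtered (1023)\n'
    printf 'Host: 10.0.0.4 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.4 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: filtered (1022)\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tIgnored State: filtered (1024)\n'
    printf '# Nmap done\n'
} > "$PN_OUT"

missed_hosts "$PING_OUT" "$PN_OUT"
# prints:
# 10.0.0.3 open=1 closed=0
# 10.0.0.4 open=0 closed=2 (RST only)
```

Note that 10.0.0.5 never appears in the result even though -Pn prints it as "Status: Up": with -Pn that status is assumed, not observed, so the script trusts only port states. A host that answers with nothing but RSTs (10.0.0.4) is exactly the case Marco's "watch for closed ports" remark covers; a diff that looks only at open ports would drop it.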



