Network Security Pen-Test

Re: Pentesting 3COM

Subject: Re: Pentesting 3COM
Date: Wed, 6 Oct 2004 06:25:27 -0700
IndianZ(indianz@indianz.ch)@Tue, Oct 05, 2004 at 10:49:02PM +0200:
> Does anybody know of an ultimate ICMP network crawler? It should help to
> discover a lot of devices on a large network of 3COM bridges/switches.
> With SNMP, braa seems a good choice - any other input welcome...

Braa doesn't scale well (try doing a /16 with it, and you'll see what I mean), 
so it depends on how many boxes you're looking for.  You may have better luck 
with unicornscan, from the OSSTMM Security Analyst Correlation Engine (OSACE) 
tool suite.  If you go to http://www.sourceforge.net/projects/osace under 
files, you can download unicornscan.

With unicornscan, you can make any custom payload you want.  There are a number 
of default SNMP payloads already in there, such as public, private, secret in 
version 1 and version 2c, but there is no reason you can't convert a wordlist 
into a custom payload conf file.  The point of using unicornscan for the job is 
that you have a lot of fine grained control over how you introduce the stimulus 
and measure the response.  Unicornscan was made so we don't have to create 
924387239487 different tools, we only have to dream up the content that we want 
to introduce.  If you need help making the payload file, join the OSACE mailing 
list (http://lists.sourceforge.net/lists/listinfo/osace-users) and ask there.  
We'll help you as this is a perfect application of why we made this tool :).

A quick example... if I wanted to SNMP walk the entire 
172.16.0.0-172.16.255.255 range at 1000 packets per second, I would type:
unicornscan 172.16.0.0/16:161 -mU -pvr 1000 -R2

Broken down, that's saying:
172.16.0.0/16 - 172.16.0.0-172.16.255.255 is the range
:161 - 161 is the port
-mU - UDP is the mode of the scanner
-p - impatient mode.  Tell me what you see as packets come in
-v - verbose level 1.  Show me a little bit more detail
-r 500 - rate of 500 packets per second
-R 2 - Repeat the scan twice

If you want to look for ARP replies on a local net, you could type:
unicornscan 192.168.22.0/24 -mA -pvr 500

-mA - Arp scan mode

and it'll give you output something like:
     192.168.22.110        is 00:00:b4:b6:d1:b5    (EDIMAX COMPUTER COMPANY)
     192.168.22.150        is 00:03:2f:01:03:dc    (Global Sun Technology, Inc.)
     192.168.22.199        is 00:50:bf:17:7f:1e    (MOTOTECH INC.)
     192.168.22.254        is 00:10:db:0a:5c:d0    (NetScreen Technologies, Inc.)

We're also adding ICMP to the TCP/UDP base.  Soon you'll be able to scan for 
any ICMP Type/Code combination you want (echo request, timestamp, etc etc).

For more information on Unicornscan in particular, you can visit 
http://www.unicornscan.org where we have the getting started guide and FAQ.  
Otherwise, please stick to the SourceForge page as we're now using them for 
mailing lists and TODO management as people step up to help support the project.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033

