Re: Mapping Class A network ( any easy trick?)

On Tue, 8 Feb 2005, John Thomas wrote:

> I am about to do a penetration testing on a “Class A
> network” and wondering how I can map the network
> without pinging 17 million IPs.(nmap -Sp 10.0.0.0/8)
>
> I did some research and the best information I got is
> from one of the earlier post on this
> list(http://seclists.org/lists/pen-test/2004/Jul/0067.html)
> . It was to use broadcast IPs for pings. But it may miss some subnets.
>
> Is that the best way to it? If not, please advise

Probably not.  For very good reasons (smurf attacks, namely), broadcast 
pings are disabled in most networks.  Besides which; you don't necessarily 
know where the broadcasts are on the network.  Guessing isn't much use 
unless it's a very homogenous network of all convienant class Bs, and 
figuring out where the broadcasts are (ala the link above) is likely to be 
more work than just pinging all IPs with something very fast.  You'd be 
surprised at how fast 17 million packets can get sent.

I'd definitely recommend scanrand.  It's a part of the Paketto Keiretsu 
package from Dan Kaminsky, and is much better than nmap for extremely 
large network probing.

http://www.doxpara.com/read.php/code/paketto.html

Poke around the site, there's some newer code that wasn't linked to from 
the main page if memory serves.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061