Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Scanning for "live" hosts, nmap vs unicornscan (scanrand?)

from [offset] Network Security [Permanent Link]
Subject: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)
Date: Thu, 24 Jan 2008 15:49:17 -0600 
I'm trying to scan network ranges for "live" IPs to feed to a vulnerability 
scanner.

I'm using both nmap and unicornscan currently to try and determine which may be 
more accurate for my discovery.
I haven't looked at scanrand in awhile, so I'm not sure of its merits lately.

I want to stress that I am after accuracy versus speed, but also not scanning 
the full port ranges for discovery.

Unicorn Scan, I'm using -msf -r 10 on a set of 12 TCP ports, for UDP, I'm using 
-mU -r10 on a set of 9 ports.

Nmap, I'm using -sT -PS on 10 TCP ports, then -sU -pU: on a set of 9 ports no 
attempt at network throttling.
It is my understanding that nmap tries to do some calculations on speed/latency 
and why I split out each nmap
scan into network ranges where I believe the speed will be similar.  Meaning, 
my international scans will be
a separate scan than my domestic scans because I'm not sure if nmap will adjust 
up/down in speed/latency when it
hits a new network.

My upload link is 128k (yes I know, it sucks), but that is what I'm working 
with and hence the packet rate of 10pps.

I'm finding in unicorn scan that I'm seeing fewer results all listed as 'open' 
than nmap.

In nmap, I'm seeing 'open' and 'closed', some hosts report only 'closed', it is 
these 'closed'
status hosts that are resulting in more IPs listed than what I see in 
unicornscan.

So the question, do I consider the nmap results of 'closed' as something I 
should include as being "live"?
Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to 
report that as "live".  I'm assuming
that for nmap it considers a port 'closed' if it gets a RST flag back.  This 
delves into the conversation of
interpretation of results versus just reporting the flags it sees compared to 
the rest of the network.

Also, on the merits of providing packets and looking for a stimulus, it does 
seem intriguing that maybe I try
this using scapy to determine how each scanner interprets 'open' versus 
'closed' versus 'filtered', etc.  I'm not
sure what kind of maximum throughput I can get with using scapy for a port/host 
discovery scanner.

Thanks in advance,
-- 
offset

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: VoIP Pen test, Perez, Carlos (Puerto Rico)
Next by Date:  Wfuzz v1.4 - The web bruteforcer, Christian Martorella
Previous by Thread:  ESX Vmware Physically connected to different segments, Albert R. Campa
Next by Thread:  Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?), Robert E. Lee
Indexes:  [Date] [Thread] [Top] [All Lists]