Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)

from [Robert E. Lee] Network Security [Permanent Link]
Subject: Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)
Date: Sun, 27 Jan 2008 21:39:19 +0100 
On Thu, 2008-01-24 at 15:49 -0600, offset wrote:

Unicorn Scan, I'm using -msf -r 10 on a set of 12 TCP ports, for UDP, I'm 
using -mU -r10 on a set of 9 ports.


I assume you are using fantaip, and the -s option as well?


I'm finding in unicorn scan that I'm seeing fewer results all listed as 
'open' than nmap.


Unfortunately, 10pps is way too slow for -msf (TCP protocol specific
stimulus sending) mode scanning.  While the batch scans are interrupted
for time sensitive things like completing the 3-way handshake, the 10pps
limit is still honored.  Some of the remote systems being probed are
going to time out the connection attempt before unicornscan gets around
to completing the handshake.

This is a limitation that I've talked to Jack (the unicornscan author)
about before.


In nmap, I'm seeing 'open' and 'closed', some hosts report only 'closed', it 
is these 'closed'
status hosts that are resulting in more IPs listed than what I see in 
unicornscan.


If you want to see responses in addition to 'open' listed, you can use
the -E option with unicornscan.  You might consider setting up a
postgres database and feed the output from unicornscan directly to a
database.  The web front-end is really useful for picking through all of
the results.  If you need help getting that going, feel free to ask.


So the question, do I consider the nmap results of 'closed' as something I 
should include as being "live"?
Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to 
report nothat as "live".  I'm assuming
that for nmap it considers a port 'closed' if it gets a RST flag back.  This 
delves into the conversation of
interpretation of results versus just reporting the flags it sees compared to 
the rest of the network.


In TCP scanning, closed means RST/ACK. -U in unicornscan will not
"interpret" these packets, and will just tell you what flags were
received, ie TCP--R-A---  for RST/ACK.

Cheers,

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
 
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert@outpost24.com


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  John the ripper patch problems, rajat swarup
Next by Date:  RE: ESX Vmware Physically connected to different segments, Loupe, Jeffrey J
Previous by Thread:  Scanning for "live" hosts, nmap vs unicornscan (scanrand?), offset
Next by Thread:  Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?), Marco Ivaldi
Indexes:  [Date] [Thread] [Top] [All Lists]