Offset,
On Thu, 24 Jan 2008, offset wrote:
I'm using both nmap and unicornscan currently to try and determine which
may be more accurate for my discovery. I haven't looked at scanrand in
awhile, so I'm not sure of its merits lately.
Speaking about asyncronous TCP scanning, you may want to take a look at
Inode's singsing library:
http://singsing.woolly-sheep.net/
(soon to be hosted at http://lab.mediaservice.net/)
Specifically, you should try the "zucca" scanner with something like the
following command line:
# ./zucca -h x.x.x.x/x -i eth0 -b 10 -p 1-65535 -c
(adjust bandwidth and ports according to your needs)
I bet you'll be impressed by its speed, even though your uplink speed is
limited. Even better, you can easily develop your own TCP port scanner
based on the singsing library.
So the question, do I consider the nmap results of 'closed' as something
I should include as being "live"? Can I adjust unicornscan to tell me
that if it gets a 'closed' on a host, to report that as "live". I'm
assuming that for nmap it considers a port 'closed' if it gets a RST
flag back. This delves into the conversation of interpretation of
results versus just reporting the flags it sees compared to the rest of
the network.
Of course, a host that replies with a TCP RST should be considered alive.
Cheers,
--
Marco Ivaldi, OPST
Chief Security Officer Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
