[REVS] Exploring Host Discovery Using NMap

From: support@securiteam.com
Date: 11/24/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 24 Nov 2002 08:57:07 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Exploring Host Discovery Using NMap
    ------------------------------------------------------------------------

    SUMMARY

    The following whitepaper explores some methods for host discovery, paying
    the most attention to discovering hosts behind a firewall with an explicit
    policy. The whitepaper itself doesn't provide new information; however, it
    does a good job of explaining the basics of NMap usage and how NMap can be
    leveraged to produce better discovery results.

    DETAILS

    Introduction:
    As a Computer Security Engineer who regularly conducts external
    penetration tests, Mark faces a recurring challenge when assessing
    organizations with a large allocation of IP address space. What does one
    do when faced with multiple class B's, a few class C's, and a limited
    amount of time? Do you stick all of the address space in your favorite
    scanner, hit the Go button, wait till it's done and hope the results
    are accurate? How can you be sure that your scanner found all the hosts
    that are accessible? Do you even know the method your scanner uses to
    discover which hosts are alive?

    This document attempts to answer the above questions, and will illustrate
    (at a very technical level) the methodology that Mark uses to accurately
    discover which hosts are accessible prior to conducting port scanning or a
    vulnerability assessment.

    Note: Some may say that unless one scans all 65535 TCP and UDP ports on
    every possible IP address in the range, the penetration tester isn't being
    thorough enough. Mark agrees that such a scan is required in order to be
    completely thorough, but he has rarely, if ever, had the luxury of
    performing one, as it usually takes a considerable amount of time. An
    underlying theme of information security is striking a balance and
    weighing the pros and cons. If absolute thoroughness is required and time
    is of no consideration, you'll more than likely want to run a full, blind
    scan on all IP addresses. If, however, a balance can be struck between
    being thorough and completing the project on time, read on; you may learn
    some techniques to improve both the accuracy and efficiency of your scans.

    ADDITIONAL INFORMATION

    The complete whitepaper can be downloaded from:
    http://moonpie.org/writings/discovery.pdf

    The tool used by the whitepaper can be downloaded from:
    http://moonpie.org/tools/discover.tgz

    The information has been provided by Mark Wolfgang <moonpie@moonpie.org>.
