Re: faster scans? (nmap)

From: Gregory Duchemin (c3rb3r@sympatico.ca)
Date: 06/04/02


Date: Tue, 04 Jun 2002 13:54:05 +0100
From: Gregory Duchemin <c3rb3r@sympatico.ca>


hello,

Additionally, and if the firewall accepts outgoing ICMP traffic from
itself, you should try to firewalk it with the remote IP for which "fast
scans" and pings gave nothing. Doing so (using the same port numbers
as the fast scan) you would see if the remote target is allowed by firewall
rules, giving you an additional clue that either the host exists and is
down or the firewall is misconfigured (too permissive -> host
doesn't exist).
Basically, with the fast scan, you know that the remote addr didn't respond to
SYN probes, but getting back a time exceeded reply from firewalk probes
gives you a confirmation that the host is allowed but not available (not
existing or down).
Try firewalk first with a host/port pair you know to be up, just to be
sure it is a reliable technique in your context, avoiding a waste of time.
But still nothing for sure: indeed the host may run its own filters
while being up, and by default your best bet remains the big full scan in
SYN scan (-sS); at least you avoid a complete three-way handshake for
responding ports. [:)]

Gregory

Andreas Junestam wrote:

>Hi,
>
>there is one more way to do this, but it assumes the machine to listen
>on at least one well-known port. Do a SYN sweep (fscan is easy to use
>for this if you're stuck under Windows) of the entire class B, but only
>scan for 10-20 well-known ports and without pinging, such as ftp, ssh,
>telnet, dns, http, finger, fw-1 ports, netbios, rpcportmap, https,
>ldap, cisco ports and so on. This will not take more than 10-20 sec
>per host. When you have pinned down most machines with this (and maybe
>combined with an ordinary ping sweep), just hit all found machines with
>a full blown nmap scan.
>
>/andreas
>
>wirepair wrote:
>
>>Thanks for the responses:
>>- The -PT option is great, if you know the host is
>>listening on that specific port, otherwise it's kind of
>>useless. Remember a firewall is most likely sitting
>>in front intercepting these packets; if the IP does not
>>exist the firewall's going to drop (and not send a RST) the
>>packet. This gives us no information to work from heh.
>>- The -T Insane (5) / -T Aggressive (4) options don't
>>exactly help either. Insane gives up after 75 seconds if
>>no response is seen (keep in mind a machine that may have
>>a service listening on port 23592, this would never get
>>picked up, nmap would quit after 75 seconds of scanning
>>[unless it hit this by random]). So that rules this option
>>out. Aggressive timed out in 300 seconds, same deal as
>>before with Insane.
>>- strobe didn't seem to work any faster in this case, I
>>tried that as well.
>>*sigh* people need to not disable icmp echo reply :)
>>Any other suggestions? (Thanks to all of you who did
>>respond)
>>-wire
>>
>>----------------------------------------------------------------------------
>>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>>Service. For more information on SecurityFocus' SIA service which
>>automatically alerts you to the latest security vulnerabilities please see:
>>https://alerts.securityfocus.com/
>>
>

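The two techniques in this thread, Andreas's no-ping SYN sweep of a few well-known ports and Gregory's firewalk follow-up for the hosts that stay silent (including his advice to validate firewalk against a known-up host/port first), as one worked Python example. This is added code, not part of the thread, of nmap or of firewalk: the greppable (-oG) output format is nmap's real one, but the sample scan output, the addresses, and the FIREWALK / CONTROL probe results are constructed here to stand in for what the tools would return.

```python
"""Triage a class-B sweep: feed answering hosts to the full scan, and apply
firewalk-style reasoning to the hosts that answered nothing.
Added example; sample data below is constructed, not a real scan."""
from typing import Dict, List, Tuple

# Constructed -oG output of: nmap -sS -P0 -p 21,22,23,53,80,443 -oG - 192.0.2.0/24
# (-P0 was the no-ping flag in nmap 2.x/3.x; current releases spell it -Pn).
# Tabs separate the Host / Ports / Ignored State fields, as real -oG output does.
SWEEP_OG = """\
# Nmap 3.00 scan initiated as: nmap -sS -P0 -p 21,22,23,53,80,443 -oG - 192.0.2.0/24
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (4)
Host: 192.0.2.11 ()\tPorts: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 53/filtered/tcp//domain///, 80/filtered/tcp//http///, 443/filtered/tcp//https///
Host: 192.0.2.12 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: filtered (5)
Host: 192.0.2.13 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (5)
Host: 192.0.2.14 ()\tPorts: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 53/filtered/tcp//domain///, 80/filtered/tcp//http///, 443/filtered/tcp//https///
# Nmap run completed -- 256 IP addresses (5 hosts up) scanned in 65 seconds
"""

# Constructed firewalk observations for the silent hosts: each port was probed
# with TTL = (firewall hop + 1); "time_exceeded" means the hop behind the
# firewall answered, i.e. the firewall let that host/port through.
FIREWALK: Dict[str, Dict[int, str]] = {
    "192.0.2.11": {22: "time_exceeded", 80: "time_exceeded", 443: "none"},
    "192.0.2.14": {22: "none", 80: "none", 443: "none"},
}
# Control probe against a host/port the sweep already proved up (Gregory's
# "try it first with a pair you know to be up"). Constructed result.
CONTROL: Tuple[str, int, str] = ("192.0.2.10", 80, "time_exceeded")


def parse_gnmap(text: str) -> Dict[str, Dict[int, str]]:
    """Map each Host: line of -oG output to {port: state} for the listed ports.
    Each port entry is port/state/proto/owner/service/rpc/version/."""
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        states = hosts.setdefault(ip, {})
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    parts = entry.split("/")
                    states[int(parts[0])] = parts[1]
    return hosts


def triage_sweep(hosts: Dict[str, Dict[int, str]]) -> Tuple[List[str], List[str]]:
    """A SYN/ACK (open) or a RST (closed) both prove a stack answered, so those
    hosts go straight to the full scan; all-filtered hosts stay 'silent'."""
    full_scan, silent = [], []
    for ip, ports in hosts.items():
        if any(state in ("open", "closed") for state in ports.values()):
            full_scan.append(ip)
        else:
            silent.append(ip)
    return full_scan, silent


def interpret_firewalk(silent: List[str], observations: Dict[str, Dict[int, str]],
                       control: Tuple[str, int, str]) -> Dict[str, str]:
    """Gregory's reading of firewalk results, gated on the control probe."""
    if control[2] != "time_exceeded":
        # Technique is not working through this firewall; don't trust any verdict.
        return {ip: "firewalk unreliable here (control probe got no time-exceeded)"
                for ip in silent}
    verdicts = {}
    for ip in silent:
        passed = sorted(p for p, r in observations.get(ip, {}).items()
                        if r == "time_exceeded")
        if passed:
            verdicts[ip] = ("firewall passes ports {} to this host, yet it never "
                            "answered: nonexistent, down, or running its own "
                            "filter".format(passed))
        else:
            verdicts[ip] = "every probe dropped at the firewall: nothing learned about the host"
    return verdicts


if __name__ == "__main__":
    found = parse_gnmap(SWEEP_OG)
    full, quiet = triage_sweep(found)
    print("full nmap scan targets:", full)
    for ip, verdict in interpret_firewalk(quiet, FIREWALK, CONTROL).items():
        print(ip, "->", verdict)
```

Run it against a real sweep by replacing SWEEP_OG with the contents of an `-oG` file and FIREWALK with firewalk's per-port results; the control gate is what keeps a firewall that silently drops TTL-expired ICMP from producing a page of false "nothing learned" verdicts.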

