RE: Graphical NMAP

From: Robert E. Lee (robert_at_dyadsecurity.com)
Date: 10/30/03

  • Next message: johnadams: "Re: Graphical NMAP"
    Date: Thu, 30 Oct 2003 12:04:10 -0800
    To: "pen-test@securityfocus.com" <pen-test@securityfocus.com>
    
    

    One more thing to throw into this conversation:

    Dan Kaminsky - http://www.doxpara.com of Paketto Keiretsu fame is
    working on some very cool updates to the scanrand tool. Currently it
    has the ability to output to SQL servers, which allows for some very
    sophisticated data correlation queries. You can also dump this
    information into other various tools for graphical summaries of the
    information.

    Just for kicks you might want to check out the following dump output:
    http://www.dyadsecurity.com/sample_dump

    This is just a taste of the graphical representations that are possible
    with your scan output. As an additional ISECOM - http://www.isecom.org
    related project I am working with Dan on a front-end to his tools with
    an emphasis on how to graphically represent this data.

    For now, if you're interested in playing with it, I'd suggest you find a
    copy of one of Dan's more recent talks (check the Black Hat conference
    repositories). These talks contain enough information to start playing
    with the new scanrand stuff.

    Just a quick usage primer:
    To dump to a mysql DB, create a new database and user account with full
    permissions to the new db.

    Create a new table in your new database:
    create table demotable (abs_tv_sec integer unsigned, abs_tv_usec integer
    unsigned, rel_tv_sec integer unsigned, rel_tv_usec integer unsigned,
    stat char(5), src varchar(64), dst varchar(64), port integer unsigned,
    hopcount integer unsigned, trace_hop integer unsigned, qos integer
    unsigned, trace_src varchar(64), trace_dst varchar(64), trace_mid
    varchar(64));

    Kick off a listening scanrand thread that dumps directly to your
    database:
    scanrand2 -e -L -s key -t0 -T demotable -M1 | mysql -u <mysql username>
    -p "demodb"

    Now you can do any set of scans/traceroutes that you want and have it
    all dump directly to your scanrand listener and populate your mysql
    database:
    scanrand2 -i <ip to send from> -S -s key -b200k
    <ip_range_to_scan>:<ports_to_scan>

    Now for a good sample query:
    select hopcount,dst,port,stat,trace_mid from demotable where src="<ip
    you sent from>" and stat!="DOWN" order by dst,port;

    That query shows you ICMP error messages, and active TCP ports. It
    orders it by the destination, and then by the port on the destination.
    It also shows you your hopcount (distance), and the server IP that sent
    the ICMP message back to you. The possible ways to represent this data
    are numerous, and will be very "pretty"/graphical soon.

    If you have any other questions about this particular project, I'll try
    to keep up to date with my email account :). Also, if you're interested
    in helping with the coding of the front-end stuff, I could definitely
    use additional volunteers.

    Thanks,

    Robert

    Robert E. Lee
    CTO, http://www.dyadsecurity.com
     
    3400 Irvine Ave, Building 118
    Newport Beach, Ca 92660
    T (949) 486-6600
    F (949) 486-6001
    robert@dyadsecurity.com

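Added illustration, not part of Robert's post or of scanrand itself: the table schema and sample query from the post run against a handful of constructed rows in an in-memory SQLite database standing in for MySQL. All addresses and every stat value other than DOWN are made up, and the source address is bound as a query parameter rather than pasted into the SQL string.

```python
import sqlite3

# Table definition copied from the post (MySQL syntax; SQLite accepts
# the same type names and treats them loosely).
SCHEMA = """create table demotable (abs_tv_sec integer unsigned, abs_tv_usec integer
unsigned, rel_tv_sec integer unsigned, rel_tv_usec integer unsigned,
stat char(5), src varchar(64), dst varchar(64), port integer unsigned,
hopcount integer unsigned, trace_hop integer unsigned, qos integer
unsigned, trace_src varchar(64), trace_dst varchar(64), trace_mid
varchar(64))"""

# Constructed rows standing in for what the scanrand2 listener would insert.
# Addresses come from the RFC 5737 documentation ranges; "UP" and "ICMP" are
# placeholder stat values, only "DOWN" is taken from the post.
SCANNER = "192.0.2.10"
ROWS = [
    # (stat, src, dst, port, hopcount, trace_mid)
    ("UP",   SCANNER, "198.51.100.5", 80,  12, ""),
    ("UP",   SCANNER, "198.51.100.5", 22,  12, ""),
    ("DOWN", SCANNER, "198.51.100.5", 23,  12, ""),
    ("UP",   SCANNER, "198.51.100.7", 443, 14, ""),
    ("ICMP", SCANNER, "198.51.100.9", 25,  9,  "203.0.113.1"),  # error relayed by a router
    ("DOWN", SCANNER, "198.51.100.9", 80,  9,  ""),
]

def load_sample(conn):
    """Create the table and insert the constructed rows (timestamps zeroed)."""
    conn.execute(SCHEMA)
    conn.executemany(
        "insert into demotable (abs_tv_sec, abs_tv_usec, rel_tv_sec, rel_tv_usec,"
        " stat, src, dst, port, hopcount, trace_mid) values (0,0,0,0,?,?,?,?,?,?)",
        ROWS)

def live_results(conn, src):
    """The post's sample query: everything not DOWN, ordered by dst then port."""
    cur = conn.execute(
        "select hopcount,dst,port,stat,trace_mid from demotable "
        "where src=? and stat!='DOWN' order by dst,port", (src,))
    return cur.fetchall()

def run():
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return live_results(conn, SCANNER)

if __name__ == "__main__":
    for hopcount, dst, port, stat, trace_mid in run():
        print(f"{hopcount:>3} {dst}:{port:<5} {stat:<5} {trace_mid}")
```

Because dst is a varchar, "order by dst" sorts addresses lexically, so 198.51.100.10 would sort before 198.51.100.5; store a numeric form of the address if you need true network order.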

