RE: Nmap




Just an added note to the current replies (which are all great for hosts not in the local broadcast domain): It is almost certain that every device in your local network will respond to an ARP request. nmap does this by default anyway (-PR for local networks), but it's worth bearing in mind, as something local that won't respond to an ARP request is almost certainly not reachable.

S

----------------------------------------
Date: Mon, 2 Jan 2012 12:03:42 -0500
Subject: Re: Nmap
From: juan.quine@xxxxxxxxx
To: pen-test@xxxxxxxxxxxxxxxxx

Sorry for the late answer...

But when you scan for machines that do not answer to ping (it means
answer with an echo reply for each echo request), you could try using
timestamp, and will return timestamp reply, and also information
request and wait for an information reply

Both coould be useful also to detect equipments that do not answer to
ping. And if you want something more "noisy" maybe a network discovery
or a -P0 option.

Here is a summary of message types with their port (for ICMP protocol).

0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply

More detail on: http://www.faqs.org/rfcs/rfc792.html

Hope it will be useful.

Regards,

Juan Pablo.

On Sun, Oct 2, 2011 at 4:35 PM, John M. Martinelli
wrote:
This would work but it would be kind of "noisy" to open port scan
every host. Also probably a little more time consuming.

Adding in syn scan or open port scan will create more time required as
we're now looking for open ports. What if all ports are closed? Will
it respond to a certain type of ICMP?

I think a great question to ask is: "What is the least-impactful way I
can very quickly determine what hosts are alive?" without a
traditional ping sweep.

On Sat, Oct 1, 2011 at 10:37 PM, Jeffory Atkinson wrote:

All depends on what you are trying to achieve. I would assume that you are not concerned about monitoring devices seeing you have done a ping sweep with nmap. I agree with others a port scan is going to give you the best idea if a host is active. There are Many instances filtering devices can drop icmp or respond for hosts behind them. Open ports and services are the best identifiers. A port has to be open in some form (open or filtered) to interact with in-bound connections. I would recommend a -sS (syn) scan you can opt for standard services or add -p1- for all 65k+ ports. All ports will verify and services/demons running. There are other options if bandwidth is an issue.


On Sep 30, 2011, at 5:17 PM, Ukpong wrote:

Can somebody suggest the best NMAP commands for identifying hosts that
are not responding to ICMP ping requests ?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




--

===============================================
|_|0|_| Ing Juan Quiñe, CISSP, OSCP, GISP, ISO 27001 LA, Cobit-F.
|_|_|0| visita: http://hackspy.blogspot.com/
|0|0|0| a.k.a. HaCKsPy - from Security Wari Projects, now PeruSEC

"... hacking is a way to live your life, not a day job or semi-ordered
list of instructions found in a thick book ..." Anthony Bunyan
"... Live your life as if you will die tomorrow but learn as if you
will live forever ..." Mahatma Gandhi
"... Romper un sistema de seguridad los acerca tanto a ser hackers
como encender autos puenteando cables los convierte en ingenieros
automitrices ..."
"... Nada es tan importante, ni tan urgente que no pueda ser hecho con
seguridad ..."

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: Nmap
    ... But when you scan for machines that do not answer to ping (it means ... answer with an echo reply for each echo request), ... Information Assurance Certification Review Board ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)
  • Re: DNS Pen-Test Tools
    ... echo Recon ... I am doing an internal audit soon of our DNS infrastructure. ... full practical examination in order to become certified. ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • Re: Source code auditing
    ... As far as books go, the bible when it comes to software security is ... Information Assurance Certification Review Board ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)
  • Re: Source code auditing
    ... mistakes and what types of vulnerabilities they will be susceptible to ... Information Assurance Certification Review Board ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)
  • Re: OSCP ?
    ... I like to say that the OSCP training is like a set of carpenter tools. ... Information Assurance Certification Review Board ... IACRB CPT and CEPT certs require a full practical ... IACRB CPT and CEPT certs require a full practical examination in order to become certified. ...
    (Pen-Test)