RE: faster scans? (nmap)

From: JLETOUX@bouyguestelecom.fr
Date: Tue Jun 04 2002 - 09:45:12 EDT


Another solution I used before is quite similar to this one...
But I was forging packets for the targeted hosts, and putting my computer in
sniffing mode (tcpdump + tcpslice).
Then a tiny script was collecting the hosts from which I got a response. This way,
sending packets is very fast and your net stack is not suffering from the number
of connections, because there aren't any ;)

Have a nice day =)

Regards,

Jean-Marc LE TOUX
Jar Jar Binks: Monsters out there, leaking in here. Weesa all sinking and no
power. Whena yousa thinking we are in trouble? (Episode 1, Star Wars)

PS: for forging, take a look at iwu.c, located in
http://www.hsc.fr/ressources/outils/idswakeup/download/IDSwakeup-1.0.tgz

> -----Original Message-----
> From: Andreas Junestam [SMTP:andreas@atstake.com]
> Date: Tuesday 4 June 2002 09:57
> To: wirepair
> Cc: pen-test@securityfocus.com
> Subject: Re: faster scans? (nmap)
>
> Hi,
>
> there is one more way to do this, but it assumes the machine listens
> on at least one well-known port. Do a SYN sweep (fscan is easy to use
> for this if you're stuck under Windows) of the entire class B, but only
> scan for 10-20 well-known ports and without pinging, such as ftp, ssh,
> telnet, dns, http, finger, fw-1 ports, netbios, rpcportmap, https,
> ldap, cisco ports and so on. This will not take more than 10-20 sec
> per host. When you have pinned down most machines with this (and maybe
> combined with an ordinary ping sweep), just hit all found machines with
> a full blown nmap scan.
>
> /andreas
>
> wirepair wrote:
> >
> > Thanks for the responses:
> > - The -PT option is great if you know the host is
> > listening on that specific port; otherwise it's kind of
> > useless. Remember a firewall is most likely sitting
> > in front intercepting these packets; if the IP does not
> > exist the firewall's going to drop (and not send a RST) the
> > packet. This gives us no information to work from heh.
> > - The -T Insane (5) / -T Aggressive (4) options don't
> > exactly help either. Insane gives up after 75 seconds if
> > no response is seen (keep in mind a machine that may have
> > a service listening on port 23592 would never get
> > picked up; nmap would quit after 75 seconds of scanning
> > [unless it hit this by random]), so that rules this option
> > out. Aggressive timed out in 300 seconds, same deal as
> > before with Insane.
> > - strobe didn't seem to work any faster in this case; I
> > tried that as well.
> > *sigh* people need to not disable icmp echo reply :)
> > Any other suggestions? (Thanks to all of you who did
> > respond)
> > -wire
> > --------------------------------------------------------------------------
> > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please see:
> > https://alerts.securityfocus.com/
>

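The thread above describes the same host-discovery shape from two angles: a SYN sweep of a whole class B on 10-20 well-known ports with no ping, and a stateless variant that forges the probes and collects replies with a sniffer. From the firewall's side both look identical, and wirepair's remark that the firewall silently drops packets for non-existent IPs is exactly what makes them visible: one source, many destinations, a small set of ports, bare SYNs and no handshakes. The script below, an added example that is not code from this thread or its authors, flags that pattern in drop logs. The log format is a constructed netfilter-style LOG line and the field names (SRC, DST, DPT, the trailing flag words), the assumed year, and the thresholds are all assumptions to adjust for real logs; the sample traffic is constructed and uses RFC 5737 test addresses.

```python
"""Detect the SYN-sweep host discovery pattern from firewall drop logs.

Added example, not code from the thread or its authors.  The log line format
is a constructed netfilter-style LOG line; the field names and the year
prepended to syslog timestamps are assumptions, adjust them for real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "Jun 04 09:57:00 fw kernel: DROP SRC=a DST=b PROTO=TCP SPT=n DPT=m SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+) (?P<flags>[A-Z ]+)$"
)

# Syslog timestamps carry no year; one is assumed so timestamps can be compared.
LOG_YEAR = 2002


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
        "flags": m["flags"].split(),
    }


def detect_syn_sweeps(lines, window_seconds=60, min_hosts=10, max_ports=25):
    """Flag sources that sent bare SYNs to at least min_hosts distinct
    destinations inside window_seconds while touching at most max_ports
    distinct ports: the "few well-known ports across a whole network, no
    ping" shape from the thread.  A stateless forge-and-sniff sweep leaves
    the same trace, since the firewall only ever sees the probe.
    Returns {src: (distinct_hosts, distinct_ports)} for the busiest window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["flags"] == ["SYN"]:  # initial SYN only; ACK/RST/etc. are ignored
            by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until the window fits in window_seconds.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["dst"] for e in win}
            ports = {e["dpt"] for e in win}
            if len(hosts) >= min_hosts and len(ports) <= max_ports:
                if len(hosts) > hits.get(src, (0, 0))[0]:
                    hits[src] = (len(hosts), len(ports))
    return hits


def build_sample_log():
    """Constructed sample (not real traffic): one source sweeps 16 hosts on 7
    well-known ports at four probes per second, every SYN dropped, plus one
    ordinary client that completes a handshake to a single host."""
    base = datetime(LOG_YEAR, 6, 4, 9, 57, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    i = 0
    for host in range(1, 17):
        for port in (21, 22, 23, 25, 53, 80, 443):
            ts = (base + timedelta(seconds=i // 4)).strftime(fmt)
            lines.append(f"{ts} fw kernel: DROP SRC=192.0.2.10 DST=198.51.100.{host} "
                         f"PROTO=TCP SPT={40000 + i} DPT={port} SYN")
            i += 1
    ts = (base + timedelta(seconds=5)).strftime(fmt)
    lines.append(f"{ts} fw kernel: ACCEPT SRC=192.0.2.77 DST=198.51.100.20 "
                 f"PROTO=TCP SPT=51000 DPT=443 SYN")
    lines.append(f"{ts} fw kernel: ACCEPT SRC=192.0.2.77 DST=198.51.100.20 "
                 f"PROTO=TCP SPT=51000 DPT=443 ACK")
    return lines


if __name__ == "__main__":
    for src, (hosts, ports) in detect_syn_sweeps(build_sample_log()).items():
        print(f"possible SYN sweep from {src}: {hosts} hosts on {ports} ports inside 60 s")
```

The window is what separates a sweep from a busy but legitimate client: the sweeping source touches 16 hosts within half a minute, while the normal client's single SYN is followed by an ACK and never accumulates distinct destinations. Shrinking the window to a few seconds makes the same sample fall below the threshold, so tune window_seconds and min_hosts to the rate at which your own network is probed.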
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT