Re: Discovering Live Hosts

From: Sat Jagat Singh (flyingdervish@yahoo.com)
Date: Wed Aug 08 2007 - 11:49:21 EDT


The devil is always in the details, as it is said.
There have been some good suggestions here, but some
additional important points to keep in mind:

1) You hint that your targets may be behind a firewall.
I wonder if this is known. If so, a tool called
firewalk may assist you. See also
http://www.packetfactory.net/Projects/firewalk/

2) A syn scan (nmap switch -sS) will have false
positives in some cases. I often find that some
firewalls respond as if every port is open for every
single IP address. A full TCP connect is the only way
to identify if the host is truly live (nmap switch
-sT). It takes longer, but you can't be sure the host
is up or down if the firewall is masking all responses
until you actually connect to each and every port.

3) Yes, I said "each and every port." Some hosts
don't respond to ICMP. Some may be behind a firewall
that masks the responses. Some services may have been
remapped to unusual ports. Some hosts support no
typical services, but do have something listening on
an unusual port.

All this makes identifying live hosts through a scan
alone take a very long time in some cases if your
initial target pool is large. Sorry, failure to get
typical responses from a scan does not prove that a host
is unreachable. It is logically impossible to prove
the absence of a phenomenon. Following the above
exhaustive measures will help assure that you have
turned over every stone to try.

I'll offer one other thing to try, though, which might
help. Capture network traffic to see who is talking
on the network. Filter on the target network IDs.
Will they let you have a monitor port on the local
switch? Can you ARP spoof to gain the ability to
capture packets? If you get a packet capture, you may
often see communications with systems that you may not
otherwise be able to reach at all.

Best of luck

--- Nikhil Wagholikar <visitnikhil@gmail.com> wrote:

> Hello List,
>
> I need some suggestions and inputs from all
> pen-testers around the world on this issue.
>
> I have been allotted a set of IP Address Pool for
> pen-testing. So my first task is to find out live
> IP Addresses out of the given Pool of IP Addresses
> (Class A & Class B). I know that normal ping (ICMP)
> won't help me, because nowadays firewalls can be
> configured to drop ICMP requests. So if I ping (ICMP)
> the hosts to find live IP Addresses, it won't help me.
>
> Performing a full port scan for the whole IP Address
> Pool range is also not a recommended solution, since
> my whole and sole target is just to find Live IP
> Addresses out of the given Pool of IP Addresses,
> i.e. either UP or DOWN, that's it!!
>
> Now the second thought that comes to my mind is TCP
> Ping. Nmap has a very beautiful option built into it,
> i.e. -sP or -PT or -PS. But by default it tries to
> connect to port 80 if no port is specified along with
> it. If the remote IP Address doesn't have an HTTP/HTTPS
> service running on it, but has some other service
> (like FTP, SMTP etc.) running on it, then even this
> option would fail. Besides this, if suppose SMTP is
> configured on port 26 instead of the traditional port
> 25, then it would add a twist to this situation. Hence
> specifying well-known ports along with the -PT or -PS
> option is also not an effective method of discovering
> live hosts from a given IP Address Pool. Added to this,
> specifying a large number of well-known ports along
> with these options (-PT, -PS) leads Nmap to exit
> abruptly by throwing a Buffer Overflow related error.
>
> Can anyone kindly guide me as to how to find live
> IP Addresses from a given Pool of IP Addresses (Range
> of IP Addresses) with as few false positive results as
> possible and as quickly as possible? Is there any tool
> out there (no matter shareware or freeware) which
> focuses on finding live IP Addresses from a Pool of
> IP Addresses?
>
> --
> Nikhil Wagholikar
> Information Security Analyst
>

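Sat's second point (a firewall that SYN/ACKs on every port for every address makes a SYN scan unreliable, so uniform responders need a full connect) and his packet-capture suggestion (filter the capture on the target network IDs to see who is actually talking), as an added worked example that is not from the original post or from either poster; every address, port and reply below is constructed sample data.

```python
"""Triage SYN-scan replies and mine a capture for hosts in the target ranges."""
import ipaddress
from collections import defaultdict

# Constructed SYN-scan observations (not real data): (host, port, reply), where
# reply is "synack", "rst" or "none" (nothing came back before the timeout).
SYN_OBSERVATIONS = [
    ("192.0.2.10", 22, "synack"), ("192.0.2.10", 25, "rst"),    ("192.0.2.10", 80, "none"),
    ("192.0.2.11", 22, "synack"), ("192.0.2.11", 25, "synack"), ("192.0.2.11", 80, "synack"),
    ("192.0.2.12", 22, "synack"), ("192.0.2.12", 25, "synack"), ("192.0.2.12", 80, "synack"),
    ("192.0.2.13", 22, "none"),   ("192.0.2.13", 25, "none"),   ("192.0.2.13", 80, "none"),
]

def triage_syn_results(observations, probed_ports):
    """Return {host: verdict}.  'verify': every probed port answered SYN/ACK, which is
    exactly what a firewall answering on behalf of every address looks like, so only a
    full TCP connect (nmap -sT) can settle it.  'live': selective replies (a RST or a
    SYN/ACK on some ports only) came back, so a real stack responded.  'unknown': no
    reply at all, which, as the post says, does not prove the host is down."""
    replies = defaultdict(dict)
    for host, port, reply in observations:
        replies[host][port] = reply
    verdicts = {}
    for host, ports in replies.items():
        if all(ports.get(p) == "none" for p in probed_ports):
            verdicts[host] = "unknown"
        elif all(ports.get(p) == "synack" for p in probed_ports):
            verdicts[host] = "verify"
        else:
            verdicts[host] = "live"
    return verdicts

# Constructed (src, dst) pairs, as a capture on a monitor port would yield them.
CAPTURE = [
    ("192.0.2.13", "198.51.100.5"),   # the host that answered no probes is talking
    ("203.0.113.9", "192.0.2.20"),    # a host the scan never saw at all
    ("198.51.100.5", "10.1.1.1"),     # traffic outside the target ranges; ignored
]

def passive_live_hosts(pairs, target_nets):
    """Addresses inside target_nets seen as sender or receiver in the capture."""
    nets = [ipaddress.ip_network(n) for n in target_nets]
    seen = set()
    for src, dst in pairs:
        for addr in (src, dst):
            if any(ipaddress.ip_address(addr) in n for n in nets):
                seen.add(addr)
    return sorted(seen, key=ipaddress.ip_address)
```

Hosts in the "verify" bucket should not be reported as live until a connect completes; the capture output supplements, rather than replaces, the scan.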




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:00 EDT