From: Marco Ivaldi (raptor@mediaservice.net)
Date: Sat Jan 26 2008 - 09:48:23 EST
Offset,
On Thu, 24 Jan 2008, offset wrote:
> I'm using both nmap and unicornscan currently to try and determine which
> may be more accurate for my discovery. I haven't looked at scanrand in
> awhile, so I'm not sure of its merits lately.
Speaking about asynchronous TCP scanning, you may want to take a look at
Inode's singsing library:
http://singsing.woolly-sheep.net/
(soon to be hosted at http://lab.mediaservice.net/)
Specifically, you should try the "zucca" scanner with something like the
following command line:
# ./zucca -h x.x.x.x/x -i eth0 -b 10 -p 1-65535 -c
(adjust bandwidth and ports according to your needs)
I bet you'll be impressed by its speed, even though your uplink speed is
limited. Even better, you can easily develop your own TCP port scanner
based on the singsing library.
> So the question, do I consider the nmap results of 'closed' as something
> I should include as being "live"? Can I adjust unicornscan to tell me
> that if it gets a 'closed' on a host, to report that as "live". I'm
> assuming that for nmap it considers a port 'closed' if it gets a RST
> flag back. This delves into the conversation of interpretation of
> results versus just reporting the flags it sees compared to the rest of
> the network.
Of course, a host that replies with a TCP RST should be considered alive.
Cheers,
--
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
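The liveness rule stated in the reply (a TCP RST is just as much proof of a live host as a SYN/ACK, while silence proves nothing) can be made concrete with a small reply classifier. The code below is an added example for this thread and is not code from Marco's post, from nmap, unicornscan or the singsing/zucca project; the probe records, the 192.0.2.x addresses and the hand-built TCP headers are constructed test data, and the function names are the example's own. It parses the flags byte of a raw TCP header and aggregates per-host liveness plus per-port state the way a discovery scan would summarize its results.

```python
"""Classify SYN-probe replies and derive host liveness from them.

Assumptions (not from the original post): raw 20-byte TCP headers are the
input, built here with struct for offline use; addresses are from the
192.0.2.0/24 documentation range.
"""
import struct
from collections import defaultdict

# TCP flag bits in byte 13 of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data-offset, flags, win, csum, urg


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal option-less TCP header (test data, checksum left 0)."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack(TCP_HDR, sport, dport, seq, ack, data_offset, flags, 8192, 0, 0)


def parse_tcp_header(segment):
    """Return the fields of a raw TCP header that a scanner cares about."""
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def classify_reply(flags):
    """Map the flags of a reply to a SYN probe onto a port state.

    SYN/ACK  -> open   (a listener completed the second handshake step)
    RST      -> closed (the stack answered, but nothing listens there)
    anything else is unexpected and left as 'unknown'.
    """
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "unknown"


def summarize(probes):
    """Aggregate (host, port, reply_bytes_or_None) records per host.

    A host is marked alive as soon as any TCP reply (open or closed) is seen.
    No reply at all yields 'filtered' for the port and no liveness evidence.
    """
    hosts = defaultdict(lambda: {"alive": False, "ports": {}})
    for host, port, reply in probes:
        if reply is None:
            state = "filtered"
        else:
            state = classify_reply(parse_tcp_header(reply)["flags"])
            if state in ("open", "closed"):
                hosts[host]["alive"] = True
        hosts[host]["ports"][port] = state
    return dict(hosts)


# Constructed sample: one host with an open and a closed port, one host that
# only ever answers RST, and one host that never answers.
SAMPLE_PROBES = [
    ("192.0.2.10", 22, build_tcp_header(22, 40000, SYN | ACK)),
    ("192.0.2.10", 23, build_tcp_header(23, 40001, RST | ACK)),
    ("192.0.2.11", 80, build_tcp_header(80, 40002, RST | ACK)),
    ("192.0.2.12", 443, None),
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_PROBES).items():
        print(host, "alive" if info["alive"] else "no evidence", info["ports"])
```

Two practical caveats when applying the rule at scale: a stateful firewall or load balancer in the path may send RSTs on behalf of addresses that have no host behind them, so RST-only hosts deserve a second look (for instance a TTL comparison against SYN/ACK replies from the same address), and an unanswered probe says nothing about liveness, which is why the example records it as "filtered" rather than "down".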
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT