From: Moonen, Ralph (Moonen.Ralph@kpmg.nl)
Date: Wed Feb 09 2005 - 13:05:23 EST
Hi,
Apart from the timing issues (I agree totally) I still think that you
cannot call nmap+nbtstat or nmap+nessus or whatever combinatioin
'penetration testing'. To me that is Vulnerability Analysis. VA on a
class A is tricky enough. Pentesting (ie attempted exploitation of all
discovered vulenrabilities) on a full class A is extremely difficult.
Impossible for 1 man and his laptop, given average population of
networks.
I assume that stealth is not an issue here, and if indeed not, then my
choice for the mapping and scanning would be to have a few lappies (like
your setup) crunch away unattendend (but with humans on call 24/7) for
as long as it takes. For the actual testing (exploiting) I usually
concentrate on the business critical environments and the devices that
those environments most heavily depend on. No use pentesting each and
every workstation.
But usually, it never gets that far. You find so much sh*t during the
first scans and so when you've totally 0wn3d the SAP environment within
half a day it's pretty clear what needs to happen first.
--Ralph
-----Original Message-----
From: Tim [mailto:tim-pentest@sentinelchicken.org]
Sent: woensdag 9 februari 2005 18:10
To: Moonen, Ralph
Cc: John Thomas; pen-test@securityfocus.com
Subject: Re: Mapping Class A network ( any easy trick?)
--- Virus checked / op virussen gecontroleerd ---
> You might also want to manage expectations. Pentesting a full class A,
> even given low population of the network will take you months. I think
It can be done faster.
Once upon a time I built a system with primarily shell/python/perl which
used nmap and nbtscan to scan all RFC1918 addresses in a large company.
With a LOT of timing optimization options, and a very focused set of
ports we were scanning for, we were able to scan this many IPs in 2-3
days. However, we had to distribute the scan across 8 linux machines,
each of which ran 4 scanning threads in parallel. We didn't utilize any
broadcasts, of course.
It is a pain, and I don't recommend doing it unless you have a good
reason, but it can be done with enough effort.
The more recent versions of nmap supposedly has a more efficient
scanning engine. Definately use the newest stuff.
tim
ps- Our scanning network could scan 300+ IPs/sec on average (majority of
IPs didn't have hosts, of course) and during the scan, a few older
firewalls tipped over. Be careful.
--------------------------------------------------------------------------------------------------------------------------------------------
De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming hebben dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en de bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht.
KPMG is niet aansprakelijk voor schade ten gevolge van het gebruik van elektronische middelen van communicatie, daaronder begrepen -maar niet beperkt tot- schade ten gevolge van niet aflevering of vertraging bij de aflevering van elektronische berichten, onderschepping of manipulatie van elektronische berichten door derden of door programmatuur/apparatuur gebruikt voor elektronische communicatie en overbrenging van virussen en andere kwaadaardige programmatuur.
Any information transmitted by means of this e-mail (and any of its attachments) is intended exclusively for the addressee or addressees and for those authorized by the addressee or addressees to read this message. Any use by a party other than the addressee or addressees is prohibited. The information contained in this e-mail (or any of its attachments) may be confidential in nature and fall under a duty of non-disclosure.
KPMG shall not be liable for damages resulting from the use of electronic means of communication, including -but not limited to- damages resulting from failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or by computer programs used for electronic communications and transmission of viruses and other malicious code.
--------------------------------------------------------------------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT