Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: System alive/dead

  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    95

    System alive/dead

    How do you determine a system is alive or dead in a network?

    I tried ping, telnet, ftp and telneting to different ports, snmp ping. I also tried Nmap but it dose not work when firewall is installed (ex. XP with sp2).

    Is there any other tools or methods through which I can determine the system status.
    I can sniff as it is in network to determine the position, suppose if the system is outside network?

    It will be very helpful.... Please let me know

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    You mentioned nmap... Have you tried something like 'nmap -sF -P0 -p 1-65550 -vvv -O <ip-address>' ?

    There are lots of little ways to discover machines on a network, most of which require a good deal of patience if there are no active ports open, etc..

    Have a look at things like DHCP Pings, ARP Requests, UDP Pings, etc. And set up a sniffer on the same network segment as the host (snoop, tcpdump, ethereal, etc.).

    -- spurious

    [Edit]
    Hint: What do you think traffic to and from this host (initiated/established) would look like to a third party? Even with no ports open you can tell a lot about a machine by the kinds of traffic you 'hear' associated with it. Even better if you can get some ARP requests ("ARP --> Who has 08:20:FG:26:03 Tell 192.168.22.7 <--- 192.168.22.3 has 08:20:FG:26:03..." )

    Get OpenSolaris http://www.opensolaris.org/

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    How about some more info such as if its a remote host and are you on the same subnet? You can sniff traffic till you get a packet from said host. But more info is needed to fully answer your question
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Like Darksnake said, sniff the line and wait for the machine to broadcast. This can be SMB, ARP, etc. XP's firewall won't allow you to filter outbound... so you are bound to see something from that host within a couple of minutes. This only works on your subnet though.

    There are other methods... such as scanning. Just because the firewall is blocking doesn't mean that you can't tell its there. You will often see filtered ports from firewalled hosts. They will reject the packets instead of drop them, giving themselves away.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Member
    Join Date
    Aug 2004
    Posts
    95
    arp, snmp, DHCP pings works fine. I can sniff and analyse the traffic to determine the OS and system status, but if the system is in my network?

    The system I am talking is not in my network? and nmap -sF -P0 -p 1-65550 -vvv -O &lt;ip-address&gt; dose not work when firewall is running in the opposite machine. I tried udp too... but no results.

    I am not able to scan the machine, so there is no way I can look at the open ports?
    Please help me out....

  6. #6
    Member
    Join Date
    Aug 2004
    Posts
    95
    spurious_inode , This is the reply I am getting when i try nmap as you adviced.

    C:\nmap&gt;nmap nmap -sF -P0 -p 1-65535 -vvv -O &lt;target&gt;

    Starting nmap 3.75 ( http://www.insecure.org/nmap ) at 2004-11-24 06:53 India St
    andard Time
    Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND
    '[1-4,7,100-]' style IP ranges
    Initiating FIN Scan against &lt;target&gt; [65535 ports] at 06:53
    FIN Scan Timing: About 0.31% done; ETC: 10:35 (3:41:11 remaining)

    It dose not end....

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    C:\nmap&gt;nmap nmap -sF -P0 -p 1-65535 -vvv -O &lt;target&gt;

    You have to change &lt;target&gt; to the hostname or ip that you want to scan...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Member
    Join Date
    Aug 2004
    Posts
    95
    yes I tried changing the target and almost all types of scan possible with nmap, its not working ...... against win xp sp2

    please let me know if there is some way out....

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    C:\nmap&gt;nmap nmap -sF -P0 -p 1-65535 -vvv -O &lt;target&gt;

    Starting nmap 3.75 ( http://www.insecure.org/nmap ) at 2004-11-24 06:53 India Standard Time
    Failed to resolve given hostname/IP: nmap
    Apparently nmap thinks you want to scan a host named "nmap".
    Try:
    nmap -sF -P0 -p 1-65535 -vvv -O &lt;target&gt;

    Peace always,
    &lt;jdenny&gt;
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  10. #10
    Member
    Join Date
    Aug 2004
    Posts
    95
    its like that beacuase i had pasted it (nmap appears only once). That was a mistake bacause of copy paste...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •