March 13th, 2006, 08:24 PM
Sorry if we were talking at cross-purposes... my bad...
I think the best way for the future is to run p0f at certain places on the network to capture live machines passively. But that requires pre-planning and precludes consultants and contractors coming in and doing a thorough and accurate auto-discovery of a network.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
March 13th, 2006, 11:21 PM
If you are on the same network you can use the arp scan feature and firewall or not, it'll respond... (-sP -PR)
If not, rather than not sending a ping (-P0), you can use a common list of ports that you would expect to be open/closed and get a decent idea of whether or not the system is up or a firewall is filtering you out... (-PT 23,25,80,135,139,445 for example to do a TCP ping rather than ICMP, i.e., do a -sP -PT 23,25,80,135,139,445 ; which ports used depends heavily on your environment). The theory is explained in the documents for nmap, so I, like others, would highly recommend you read them closely.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
March 14th, 2006, 12:25 AM
I've been using nmap for some time to test LANs, including firewalls. A stealth scan (-sS) will often betray hosts that other options won't find. Particularly Windows XP firewalls. Stealth scans still don't find Windows hosts behind a Norton firewall though. I posted some results on this just last week.
“Everybody is ignorant, only on different subjects.” — Will Rogers
March 14th, 2006, 12:41 AM
In response to manuals,
The manual on insecure, nmap's main site, is very thorough and has a wealth of information. I'd definitely recommend reading it in its entirety before any other nmap tuts.
March 14th, 2006, 10:58 AM
Re: Finding hosts on subnet using nmap.
How large can these networks typically get?
Originally posted here by rogueactivex
When I'm at a client's network sometimes I have the task of trying to find active hosts within the network. Lately I've been using the ping sweep command for NMAP and saving my results to a file, like so:
nmap -oN activehosts.txt -vv -sP 192.168.0.0/24
However the thought occurred to me "what if a client is blocking ICMP pings"? That might be the case, at which point that client PC would be "hidden" from my sweep. So what's the best most efficient way to hunt for active clients on a network, preferably using nmap?
What type of information needs to be known about the clients?
How long do you realistically wish to hunt for clients?
Does it need to be cmd line based?
On small networks, I typically use this LAN Scanner. Famatech makes a few free utilities that make small tasks extremely simple.
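The original poster saves each sweep with -oN and works from the file afterwards. As an added example (not code from anyone in this thread), the Python below pulls the live hosts out of such a file and checks the number it found against the "(N hosts up)" figure in nmap's closing summary line, so a sweep that was interrupted or a file that was truncated does not silently pass as a complete inventory. The sample text is constructed, not a real capture: it mixes the older "Host X appears to be up." lines (nmap 3.x/4.x, the era of this thread) with the newer "Nmap scan report for X" / "Host is up" pairs, so the parser copes with either. The function names (`parse_live_hosts`, `expected_up_count`, `audit_sweep`) and the returned field names are my own choices, and the regexes assume IPv4 addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of nmap normal output (-oN) for a ping sweep. Addresses,
# MAC, timings and counts are made up; they are not results from the thread.
# It deliberately mixes the old and new line shapes nmap has used.
SAMPLE_ON_OUTPUT = """\
# Nmap 4.01 scan initiated Mon Mar 13 20:00:00 2006 as: nmap -oN activehosts.txt -vv -sP 192.168.0.0/24
Host 192.168.0.1 appears to be up.
Host 192.168.0.2 appears to be down.
Host 192.168.0.5 appears to be up.
Nmap scan report for 192.168.0.20
Host is up (0.00042s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.0.21 [host down]
# Nmap run completed at Mon Mar 13 20:00:03 2006 -- 256 IP addresses (3 hosts up) scanned in 3.12 seconds
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Old-style result line: "Host 192.168.0.1 appears to be up."
OLD_UP = re.compile(r"^Host " + IPV4 + r" appears to be up\.")
# New-style header: "Nmap scan report for 1.2.3.4", "Nmap scan report for name (1.2.3.4)",
# or "Nmap scan report for 1.2.3.4 [host down]" when -v lists down hosts.
NEW_REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?" + IPV4 + r"\)?(?P<down> \[host down\])?")
# New-style status line that follows a report header for a live host.
NEW_UP = re.compile(r"^Host is up")
# Closing summary: "... 256 IP addresses (3 hosts up) scanned in ..."
FOOTER = re.compile(r"\((\d+) hosts? up\)")


def _add_once(hosts: List[str], addr: str) -> None:
    """Append an address, keeping the list ordered and free of duplicates."""
    if addr not in hosts:
        hosts.append(addr)


def parse_live_hosts(text: str) -> List[str]:
    """Return the addresses nmap reported as up, in file order."""
    live: List[str] = []
    pending: Optional[str] = None  # address from a report header awaiting its "Host is up" line
    for raw in text.splitlines():
        line = raw.strip()
        m = OLD_UP.match(line)
        if m:
            _add_once(live, m.group(1))
            pending = None
            continue
        m = NEW_REPORT.match(line)
        if m:
            # A "[host down]" header is a negative result; do not wait for a status line.
            pending = None if m.group("down") else m.group(1)
            continue
        if pending and NEW_UP.match(line):
            _add_once(live, pending)
            pending = None
    return live


def expected_up_count(text: str) -> Optional[int]:
    """Read the host-up count from nmap's closing summary, or None if the file has no footer."""
    m = FOOTER.search(text)
    return int(m.group(1)) if m else None


def audit_sweep(text: str) -> Dict[str, object]:
    """Compare parsed live hosts against the footer count.

    'complete' is True only when a footer exists and its count matches what was
    parsed; a missing footer means the scan did not finish or the file was cut.
    """
    live = parse_live_hosts(text)
    expected = expected_up_count(text)
    return {
        "live_hosts": live,
        "parsed_count": len(live),
        "expected_count": expected,
        "complete": expected is not None and expected == len(live),
    }


if __name__ == "__main__":
    result = audit_sweep(SAMPLE_ON_OUTPUT)
    for addr in result["live_hosts"]:
        print(addr)
    print("complete sweep:", result["complete"])
```

Pointing `audit_sweep` at a real activehosts.txt is just `audit_sweep(open("activehosts.txt").read())`; a `complete` of False is the cue to rerun the sweep rather than trust the partial list.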