Scanning for "live" hosts, nmap vs unicornscan (scanrand?)

From: offset (offset@ubersecurity.org)
Date: Thu Jan 24 2008 - 16:49:17 EST

• Next message: Christian Martorella: "Wfuzz v1.4 - The web bruteforcer"
• Previous message: Albert R. Campa: "ESX Vmware Physically connected to different segments"
• Next in thread: Robert E. Lee: "Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)"
• Reply: Robert E. Lee: "Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)"
• Reply: Marco Ivaldi: "Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I'm trying to scan network ranges for "live" IPs to feed to a vulnerability scanner.

I'm using both nmap and unicornscan currently to try and determine which may be more accurate for my discovery.
I haven't looked at scanrand in awhile, so I'm not sure of its merits lately.

I want to stress that I am after accuracy versus speed, but also not scanning the full port ranges for discovery.

Unicorn Scan, I'm using -msf -r 10 on a set of 12 TCP ports, for UDP, I'm using -mU -r10 on a set of 9 ports.

Nmap, I'm using -sT -PS on 10 TCP ports, then -sU -pU: on a set of 9 ports no attempt at network throttling.
It is my understanding that nmap tries to do some calculations on speed/latency and why I split out each nmap
scan into network ranges where I believe the speed will be similar. Meaning, my international scans will be
a separate scan than my domestic scans because I'm not sure if nmap will adjust up/down in speed/latency when it
hits a new network.

My upload link is 128k (yes I know, it sucks), but that is what I'm working with and hence the packet rate of 10pps.

I'm finding in unicorn scan that I'm seeing fewer results all listed as 'open' than nmap.

In nmap, I'm seeing 'open' and 'closed', some hosts report only 'closed', it is these 'closed'
status hosts that are resulting in more IPs listed than what I see in unicornscan.

So the question, do I consider the nmap results of 'closed' as something I should include as being "live"?
Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to report that as "live". I'm assuming
that for nmap it considers a port 'closed' if it gets a RST flag back. This delves into the conversation of
interpretation of results versus just reporting the flags it sees compared to the rest of the network.

Also, on the merits of providing packets and looking for a stimulus, it does seem intriguing that maybe I try
this using scapy to determine how each scanner interprets 'open' versus 'closed' versus 'filtered', etc. I'm not
sure what kind of maximum throughput I can get with using scapy for a port/host discovery scanner.

Thanks in advance,

-- 
offset
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Christian Martorella: "Wfuzz v1.4 - The web bruteforcer"
• Previous message: Albert R. Campa: "ESX Vmware Physically connected to different segments"
• Next in thread: Robert E. Lee: "Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)"
• Reply: Robert E. Lee: "Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)"
• Reply: Marco Ivaldi: "Re: Scanning for "live" hosts, nmap vs unicornscan (scanrand?)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:21 EDT