From: Robert E. Lee (robert@outpost24.com)
Date: Sun Jan 27 2008 - 15:39:19 EST
On Thu, 2008-01-24 at 15:49 -0600, offset wrote:
> Unicorn Scan, I'm using -msf -r 10 on a set of 12 TCP ports, for UDP, I'm using -mU -r10 on a set of 9 ports.
I assume you are using fantaip, and the -s option as well?
> I'm finding in unicorn scan that I'm seeing fewer results all listed as 'open' than nmap.
Unfortunately, 10pps is way too slow for -msf (TCP protocol specific
stimulus sending) mode scanning. While the batch scans are interrupted
for time sensitive things like completing the 3-way handshake, the 10pps
limit is still honored. Some of the remote systems being probed are
going to time out the connection attempt before unicornscan gets around
to completing the handshake.
This is a limitation that I've talked to Jack (the unicornscan author)
about before.
> In nmap, I'm seeing 'open' and 'closed', some hosts report only 'closed', it is these 'closed'
> status hosts that are resulting in more IPs listed than what I see in unicornscan.
If you want to see responses in addition to 'open' listed, you can use
the -E option with unicornscan. You might consider setting up a
postgres database and feed the output from unicornscan directly to a
database. The web front-end is really useful for picking through all of
the results. If you need help getting that going, feel free to ask.
> So the question, do I consider the nmap results of 'closed' as something I should include as being "live"?
> Can I adjust unicornscan to tell me that if it gets a 'closed' on a host, to report nothat as "live". I'm assuming
> that for nmap it considers a port 'closed' if it gets a RST flag back. This delves into the conversation of
> interpretation of results versus just reporting the flags it sees compared to the rest of the network.
In TCP scanning, closed means RST/ACK. -U in unicornscan will not
"interpret" these packets, and will just tell you what flags were
received, ie TCP--R-A--- for RST/ACK.
Cheers,
Robert
-- Robert E. Lee Chief Security Officer Outpost24 - One Step Ahead http://www.outpost24.com SE Phone: +46 455-61-2320 US Phone: +1 801-924-5902 email: robert@outpost24.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:22 EDT