Re: Pentesting 3COM

From: robert@dyadsecurity.com
Date: Wed Oct 06 2004 - 09:25:27 EDT


IndianZ(indianz@indianz.ch)@Tue, Oct 05, 2004 at 10:49:02PM +0200:
> Does anybody know of an ultimate ICMP network crawler? It should help to
> discover a lot of devices on a large network of 3COM bridges/switches.
> With SNMP, braa seems a good choice - any other input welcome...

Braa doesn't scale well (try doing a /16 with it, and you'll see what I mean), so it depends on how many boxes you're looking for. You may have better luck with unicornscan, from the OSSTMM Security Analyst Correlation Engine (OSACE) tool suite. If you go to http://www.sourceforge.net/projects/osace under files, you can download unicornscan.

With unicornscan, you can make any custom payload you want. There are a number of default SNMP payloads already in there, such as public, private, secret in version 1 and version 2c, but there is no reason you can't convert a wordlist into a custom payload conf file. The point of using unicornscan for the job is that you have a lot of fine grained control over how you introduce the stimulus and measure the response. Unicornscan was made so we don't have to create 924387239487 different tools, we only have to dream up the content that we want to introduce. If you need help making the payload file, join the OSACE mailing list (http://lists.sourceforge.net/lists/listinfo/osace-users) and ask there. We'll help you as this is a perfect application of why we made this tool :).

A quick example... if I wanted to SNMP walk the entire 172.16.0.0-172.16.255.255 range at 1000 packets per second, I would type:
unicornscan 172.16.0.0/16:161 -mU -pvr 1000 -R2

Broken down, that's saying:
172.16.0.0/16 - 172.16.0.0-172.16.255.255 is the range
:161 - 161 is the port
-mU - UDP is the mode of the scanner
-p - impatient mode. Tell me what you see as packets come in
-v - verbose level 1. Show me a little bit more detail
-r 1000 - rate of 1000 packets per second
-R 2 - Repeat the scan twice

If you want to look for ARP replies on a local net, you could type:
unicornscan 192.168.22.0/24 -mA -pvr 500

-mA - Arp scan mode

and it'll give you output something like:
     192.168.22.110 is 00:00:b4:b6:d1:b5 (EDIMAX COMPUTER COMPANY)
     192.168.22.150 is 00:03:2f:01:03:dc (Global Sun Technology, Inc.)
     192.168.22.199 is 00:50:bf:17:7f:1e (MOTOTECH INC.)
     192.168.22.254 is 00:10:db:0a:5c:d0 (NetScreen Technologies, Inc.)

We're also adding ICMP to the TCP/UDP base. Soon you'll be able to scan for any ICMP Type/Code combination you want (echo request, timestamp, etc etc).

For more information on Unicornscan in particular, you can visit http://www.unicornscan.org where we have the getting started guide and FAQ. Otherwise, please stick to the SourceForge page as we're now using them for mailing lists and TODO management as people step up to help support the project.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
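The stimulus/response idea above (one UDP/161 probe per community string, then watch what answers) depends on being able to build the SNMP packet yourself. The following is an added example, not unicornscan, OSACE or braa code: it hand-encodes the SNMPv1/v2c GetRequest for sysDescr.0 that such a probe carries, turns a community-string wordlist into one probe per (string, version), decodes a GetResponse, and wraps it in a plain-socket sweep. The sample reply it parses is constructed locally with `build_get_response` (a helper added here so the example runs offline); the OID, host range and wordlist are illustrative assumptions.

```python
"""Added example (not unicornscan/OSACE code): build SNMPv1/v2c GetRequest
probes from a community-string wordlist, decode GetResponse replies, and run
a minimal UDP/161 sweep with them."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0: harmless read-only object
VERSION = {"v1": 0, "v2c": 1}                 # value of the SNMP version field


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER in the minimal two's-complement width BER requires."""
    width = 1
    while not -(1 << (8 * width - 1)) <= v < (1 << (8 * width - 1)):
        width += 1
    return tlv(0x02, v.to_bytes(width, "big", signed=True))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def _message(pdu_tag, community, version, request_id, varbind):
    """Message ::= SEQUENCE { version, community, PDU { id, 0, 0, varbinds } }."""
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(VERSION[version]) + tlv(0x04, community.encode()) + pdu)


def build_get_request(community, version="v1", request_id=0x1234, oid=SYS_DESCR_OID):
    """GetRequest-PDU [0]: one OID with a NULL placeholder value."""
    return _message(0xA0, community, version, request_id,
                    tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))


def build_get_response(community, request_id, value, version="v1", oid=SYS_DESCR_OID):
    """GetResponse-PDU [2]; here only used to construct a sample reply offline."""
    return _message(0xA2, community, version, request_id,
                    tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode())))


def payloads_from_wordlist(words, versions=("v1", "v2c")):
    """One probe per (community, version). The request-id carries the wordlist
    index, so a reply can be tied to its probe without per-packet state."""
    return [(w, ver, build_get_request(w, ver, request_id=i + 1))
            for i, w in enumerate(words) for ver in versions]


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_get_response(data):
    """Return community, request_id, error_status and the first varbind value
    of a GetResponse, or None for anything that is not one (truncated,
    wrong PDU type, garbage)."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return None
        _, _ver, p = _read_tlv(msg, 0)
        _, community, p = _read_tlv(msg, p)
        tag, pdu, _ = _read_tlv(msg, p)
        if tag != 0xA2:
            return None
        _, rid, p = _read_tlv(pdu, 0)
        _, err, p = _read_tlv(pdu, p)
        _, _idx, p = _read_tlv(pdu, p)
        _, vbl, _ = _read_tlv(pdu, p)
        _, vb, _ = _read_tlv(vbl, 0)
        _, _oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
    except (IndexError, ValueError):
        return None
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": val.decode("latin-1") if vtag == 0x04 else val.hex()}


def sweep(hosts, words, timeout=1.0):
    """Send every probe to every host, then collect replies until quiet.
    Only for networks you are authorized to test; unicornscan does the same
    job at a controlled packet rate and far larger scale."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    probes = payloads_from_wordlist(words)
    for host in hosts:
        for _, _, pkt in probes:
            sock.sendto(pkt, (host, 161))
    hits = []
    while True:
        try:
            data, (src, _) = sock.recvfrom(4096)
        except socket.timeout:
            return hits
        reply = parse_get_response(data)
        if reply and reply["error_status"] == 0:
            hits.append((src, reply["community"], reply["value"]))
```

`sweep(["172.16.0.1", "172.16.0.2"], ["public", "private", "secret"])` is the shape of the call; the encoder output is what a payload file for a scanner would carry, and the decoder is the piece you need so that a reply is judged by its PDU type and error-status rather than by the bare fact that something came back on UDP/161.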


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:07 EDT