RE: Scanning Class A network

From: Kyle Starkey (kstarkey@siegeworks.com)
Date: Mon Oct 24 2005 - 14:57:43 EDT


While this is a rather rough requirement, the simple math is astronomical:

((65535 ports * 2) * .001 sec/port) * (16,777,214 hosts per class A) = 68 YEARS
to complete the scan... Figuring one host with one process running...

Now figure 20 hosts running 20 scan instances at one time; it ends up STILL
taking you over 60 days just to complete the scan, and this DOESN'T include
vulnerability info... So now you have all this data; how do you make sense of
it...

There are some good solutions to this problem that will be much more secure
and give a way more understandable picture of what the security of this
network looks like.

Install a distributed scanner across the network and segment the network
into easily scannable sections by geography and network type. This will
allow you to speed up the scanning, because a scanner inside an access
controlled network can use ICMP to discover all the hosts before beginning
the exhausting task of enumerating all 130,000 ports. I like nCircle's IP360
product to do this, but it could be done with nmap on small boxes sending
output back to a central server.

Grab router and firewall configuration information for the whole network and
virtualize the network using Skybox software. Skybox allows you to make a
virtual map of your entire network, including all its access control and
routing components, as well as run virtual attacks from any location both
inside and outside of this network. Import the port data into Skybox and
run an attack virtualization from the INTERNET perspective.

Once you have all this information in Skybox you will KNOW what is
available to the INTERNET, as well as having a better understanding of the
STATE of network security on the entire CLASS A. While Skybox really is a
risk management suite, built more to allow corporations to manage risk as
it is seen relative to corporate assets, it would handle this problem
extremely well. Then, as an added bonus, you could categorize
security by RISK and not by which vulnerability is the highest on some made
up scale.

Please be aware this is the shorthand version of what could easily end up
being a 10 page document on vuln scanning and its usefulness to the
corporate security team versus risk management and its use to the company as
a whole....

If anyone wants to get into that discussion offline, drop me an email, but I
am not sure it REALLY meets the terms of use for this forum...

-Kyle

Kyle R. Starkey
Senior Security Consultant
CISSP # 31718
Siegeworks LLC
Email: kstarkey@siegeworks.com
Cell: 435-962-8986

-----Original Message-----
From: tarunthenut@gmail.com [mailto:tarunthenut@gmail.com]
Sent: Monday, October 24, 2005 6:33 AM
To: pen-test@securityfocus.com
Subject: Scanning Class A network

Hello All,
 Recently I was given a task to carry out a port scan of an entire valid
Class A range (Don't ask me what the huge pool of valid IPs was for :) ).
The scan needed to be carried out externally, and not from within the
network to identify hosts and ports exposed to the Internet.
 The problem was compounded because of the following limitations:
1. ICMP was not allowed in the network
2. The IP range was to be scanned every month for the entire port range from
1-65535 for TCP & UDP
 After searching for a suitable scanner which could scan such a large range
in reasonable time, I could think of only nmap, nessus, superscan and ISS.
 But because of the limitations stated above, all the tools took a huge
amount of time (ran into months).
 I have struggled with options within the tools, tried configurable
parameters (host timeout, parallelism, RTT etc.) and divided into smaller
class C networks and scanned, but still the scan seems to take ages even if
it is
 Any advice would be welcome :)
 
Cheers
 tarunthenut
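As an added example that is not part of either message in this thread: a small planner that puts Kyle's back-of-the-envelope math and his "nmap on small boxes" suggestion into code. It estimates the serial and distributed scan time using the thread's own assumptions (65535 TCP + 65535 UDP ports per host, 1 ms per port), splits the /8 into /24 work units, round-robins them over a number of scan boxes, and emits the nmap command each box would run. The target range 10.0.0.0/8, the output directory /var/scans and the worker count are assumptions made here; the nmap flags used (-sS, -sU, -p, -Pn, -PE, -oX) are real nmap options, with -Pn standing in for the original poster's "no ICMP" constraint and -PE for Kyle's inside-the-network ICMP discovery.

```python
"""
Scan planner for a Class A (/8) target: time estimate, /24 chunking,
assignment to distributed scan boxes, and per-chunk nmap command lines.
Added example; target range, output directory and worker count are assumptions.
"""
import ipaddress

PORTS_PER_HOST = 65535 * 2   # full TCP + full UDP range, as required in the thread
SEC_PER_PORT = 0.001         # 1 ms per port, the rough per-port cost assumed in the reply
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def host_count(net):
    """Usable hosts in a network (network and broadcast excluded for /30 and larger)."""
    net = ipaddress.ip_network(net, strict=False)
    return net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses


def serial_scan_seconds(net, ports_per_host=PORTS_PER_HOST, sec_per_port=SEC_PER_PORT):
    """Wall-clock seconds for one scanner process walking every port of every host."""
    return host_count(net) * ports_per_host * sec_per_port


def serial_scan_years(net, **kw):
    """The same figure in years, for comparison with the '68 YEARS' estimate."""
    return serial_scan_seconds(net, **kw) / SECONDS_PER_YEAR


def distributed_scan_days(net, workers, instances_per_worker, **kw):
    """Same total work spread over workers * instances parallel scanner processes."""
    parallel = workers * instances_per_worker
    return serial_scan_seconds(net, **kw) / parallel / SECONDS_PER_DAY


def chunks(net, new_prefix=24):
    """Split the target into /24 pieces: one unit of work per nmap run."""
    return list(ipaddress.ip_network(net, strict=False).subnets(new_prefix=new_prefix))


def assign(subnets, workers):
    """Round-robin the subnets over worker ids 0..workers-1."""
    return {w: subnets[w::workers] for w in range(workers)}


def nmap_command(subnet, outdir="/var/scans", icmp_allowed=False):
    """nmap invocation for one /24.

    -Pn skips host discovery and probes every address, which is what an external
    scanner must do when ICMP is filtered. -PE uses ICMP echo discovery first,
    which a scanner placed inside the network can rely on to skip dead addresses.
    -oX writes XML so each box's results can be shipped to a central server.
    """
    discovery = "-PE" if icmp_allowed else "-Pn"
    tag = str(subnet).replace("/", "_")       # 10.1.2.0/24 -> 10.1.2.0_24
    return f"nmap -sS -sU -p1-65535 {discovery} -oX {outdir}/{tag}.xml {subnet}"


def plan(net, workers, outdir="/var/scans", icmp_allowed=False):
    """Map worker id -> list of nmap commands for that worker's share of the range."""
    return {w: [nmap_command(s, outdir, icmp_allowed) for s in subs]
            for w, subs in assign(chunks(net), workers).items()}


if __name__ == "__main__":
    target = "10.0.0.0/8"   # RFC 1918 range standing in for the real Class A (assumption)
    print(f"serial, one process: {serial_scan_years(target):.1f} years")
    print(f"20 boxes x 20 instances: {distributed_scan_days(target, 20, 20):.1f} days")
    p = plan(target, 20)
    print(f"worker 0 gets {len(p[0])} /24s, first command:\n  {p[0][0]}")
```

The estimate only reproduces the thread's arithmetic; real nmap runtime is governed by its own parallelism and timing options (and by how many probes the target's filtering silently drops), not by a fixed 1 ms per port, so treat the numbers as an upper-bound sanity check rather than a schedule. SYN and UDP scans need raw sockets, so the generated commands must run as root on each box.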

----------------------------------------------------------------------------

--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:05 EDT