RE: Discovering Live Hosts

["ragdelaed" <ragdelaed@gmail.com>]

1. scanrand quick the segment.  Might want to throttle it down.
2. nmap port ping -PS for default port 80, or define a port range
(-PS21,22,23,25,53,80,443,3389,5900).
3. nmap ping sweep -sP.
4. other quick and dirty scan. (hping, etc)
5. stick all results in a file, cut only the ip addresses out,
sort|uniq|sort.

This should give you a list of hosts on the target segment that are alive
and responding in some fashion. 

In order to find ALL hosts, you would have to nmap each individual ip
address with all ports. This is extremely slow.

In order to find the QUICKEST amount of hosts, scanrand  or nmap for
specific ports with the defaults or minimal switches. This will miss some
hosts.

In order to find the most hosts in a decent amount of time, its necessary to
meet in the middle. I like scanrand because of the speed, I like nmap
because of the reliability and reproducibility. I like to use both. 

There is no ultimate solution. If I stick a host out there and have apache
listen on 10293, how will you find that? If its one host in a class B, then
good luck. 

After you have the list of hosts that respond, feed that back into nmap to
do a full scan. Once you have that, then you can script a query for each
with amap or something else to find out what is living on the port, or do
other things with the list. 




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------