Monday, August 22, 2005

Scanning tools help build a network inventory

I was able to use some hacker tools legitimately, for purposes of developing a device inventory in a large distributed network. The point of the exercise was to figure out which IP addresses were live, and then to identify these live devices.

The utility nmap was used for the initial scan. Two consecutive scans were performed, the first a ping scan:
nmap -sP -iL ip-master-range -oG ip-alive-ping

Then a so-called TCP ping scan:
nmap -sP -PA -iL ip-master-range -oG ip-alive-tcp

The TCP ping scan sends a SYN packet to an open port. If either a SYN-ACK or a RST are received, then the address is live. If nothing comes back, the device either is not there or TCP is filtered en route.

The two lists were sorted and merged to remove duplicates.

A nice little c program called onesixtyone was used for the snmp scan. This program accepts a file of ip addresses and a file of community strings. It goes through the entire list of addresses for each community string. The program returns the ip address, the working community string and the snmp system description. The description sometimes provides detailed information about the device. Sometime, the description is maddeningly brief.

A more precise description of the device make and model is provided by the system object ID MIB variable. I wrote a script that took the results of onesixtyone, read this variable, and created a nice comma separated file of ip address, community string, system object id, and system description.

I made some effort to grab telnet login banners en masse. The two available programs were amap and grabbb. I wrote off grabbb immediately. I was struggling with the command arguments (the README file was useless) and got these rude haxor error messages (“"illegal portlist supplied, check your eyes, lamer”). What little information was in the README said that it only captures the first line of output (not good enough) and it wasn’t really designed for telnet.

The other program, amap, was more professionally packaged. It is positioned as a generic application identification tool. It can optionally send “stuff” to open ports and based on the response tries to guess what service is actually behind the port (useful if someone is hiding a Web server or something behind a non-standard port). This program has a very well written README as well. Oh, and it handles multiple lines of output very well. Often the output includes screen formatting codes. I used a perl script to scrub these and just generate a plain character string.

It takes a while to perform a banner-grab. I estimated about 22 seconds per host.

For specific devices I grabbed the arp table from the remote routers and looked at the first bytes of device mac address. I used the perl module Net::Telnet::Cisco for this. The module was very easy to use and provided reasonable performance. One obvious gotcha – don’t print anything to standard out while communicating with the router. Anything sent to standard out will be sent to the router console session, not to your terminal.


Post a Comment

<< Home