cSploit / android

cSploit - The most complete and advanced IT security professional toolkit on Android.
http://www.csploit.org/
GNU General Public License v3.0

Suggestion: Allow to scan all the subnet #323

Open gustavo-iniguez-goya opened 8 years ago

gustavo-iniguez-goya commented 8 years ago

Besides the MITM module, the subnet target could have the Port scanner and the Service inspector modules enabled.

I've taken a look at it, and the native library should return the target IP besides the open ports.

sorano commented 8 years ago

Yeah this is a good suggestion! :+1:

gustavo-iniguez-goya commented 8 years ago

WiP #352

tux-mind commented 8 years ago

Not exactly the same stuff as #352.

As of now, on the show_portcount branch, we make a quick scan on every found host. I personally think that this is quite crappy.

It's smarter to trigger a network quick port scan on startup. Sadly, right now the nmap handler supports only per-host scans.

Anyway, the cSploitd protocol supports a multiple-target scan; I just have to work on it.

gustavo-iniguez-goya commented 8 years ago

Yeah, that's exactly what I thought of for #352: map the net on start-up. A scan of a subnet returns a line per open port (extremely fast, btw): "Discovered open port 22/tcp on 192.168.1.1", so it's quite close to the current regex. Adding this option would make it easier to map the net, I guess.

tux-mind commented 8 years ago

@gainan I was testing the nmap network synScan.

It looks very slow... can you find out which parameters are the best for this purpose? I know that you have access to large, populated networks :wink:

As from my tests, per-host scan is faster (it scans only the hosts that network-radar finds).

gustavo-iniguez-goya commented 8 years ago

I'll perform more tests, but this is an example of mapping a 192.168.0.0/20 subnet:

```
root@b:/ # time ./nmap -vvv -Pn -n --top-ports 100 --system-dns 192.168.0.0/20
Nmap done: 1022 IP addresses (110 hosts up) scanned in 292.11 seconds
Raw packets sent: 19323 (818.644KB) | Rcvd: 7517 (303.406KB)
4m52.15s real 0m6.81s user 0m9.39s system
```

```
root@b:/ # time ./nmap -vvv -T4 -n -F --system-dns --privileged -Pn 192.168.0.0/20
Read data files from: /data/data/org.csploit.android/files/tools/nmap
Nmap done: 1023 IP addresses (89 hosts up) scanned in 230.68 seconds
Raw packets sent: 16589 (698.396KB) | Rcvd: 5808 (236.406KB)
3m50.72s real 0m5.28s user 0m7.82s system
```

Maybe we could make a list of common interesting ports, in order to decrease the number of ports to scan (~20-30 ports), like: 21,22,23,25,53,80,110,143,139,389,443,993,995,3128,3309,8000,8080, etc. Or even an option in the settings with a list of default ports, to allow the user to select which ports to scan on every start-up.

Or maybe divide the subnet if it's too large, and spawn n scans (192.168.0.1-192.168.6.254, 192.168.7.1-192.168.15.254, ...). Anyway, I think we'll be limited by the net throughput and system resources.
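An added illustration of the two ideas raised in this thread (mapping the per-port lines a subnet scan prints back to hosts, as in the regex comment above, and splitting a large subnet into ranges for several scans). This is not cSploit's code and is written in Python rather than the app's Java; the regexes follow nmap's verbose line format, and the sample output is constructed, not a real capture.

```python
import ipaddress
import re
from collections import defaultdict

# Verbose nmap output reports each open port as it is found, one line per
# port, so a single subnet scan can be mapped back to per-host results.
OPEN_PORT_RE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<ip>\d+(?:\.\d+){3})$"
)
# Hosts that were scanned but have no open ports still get a report header
# (with -n it is just the IP; without -n it is "name (ip)").
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(?P<ip>\d+(?:\.\d+){3})\)?$")


def parse_subnet_scan(output):
    """Map every reported host to its sorted list of 'port/proto' strings.
    Hosts that appeared in a report header but had no open ports map to []."""
    hosts = defaultdict(list)
    for line in output.splitlines():
        line = line.strip()
        m = OPEN_PORT_RE.match(line)
        if m:
            hosts[m["ip"]].append(f"{m['port']}/{m['proto']}")
            continue
        m = REPORT_RE.match(line)
        if m:
            hosts.setdefault(m["ip"], [])
    return {ip: sorted(ports, key=lambda p: int(p.split("/")[0]))
            for ip, ports in hosts.items()}


def split_subnet(cidr, parts):
    """Split the usable hosts of a CIDR into `parts` contiguous (first, last)
    ranges, so a large subnet can be handed to several scanner processes."""
    addrs = list(ipaddress.ip_network(cidr, strict=False).hosts())
    size = -(-len(addrs) // parts)  # ceiling division
    return [(str(addrs[i]), str(addrs[min(i + size, len(addrs)) - 1]))
            for i in range(0, len(addrs), size)]


# Constructed sample of -vvv output (not a real capture), in nmap's line format.
SAMPLE_OUTPUT = """\
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 443/tcp on 192.168.1.20
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.7
Nmap scan report for 192.168.1.20
"""
```

`parse_subnet_scan(SAMPLE_OUTPUT)` yields 192.168.1.7 with an empty port list, which is the "scanned but nothing open" case the per-host approach loses track of.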

fat-tire commented 8 years ago

left this on IRC but jic:

Could you replace this line with:

```java
private final static Executor EXECUTOR = Executors.newFixedThreadPool(16);
```

...on a giant 250 host subnet and see if it works a little better?

tux-mind commented 8 years ago

Hi fat-tire, thanks for the suggestion. Did you see any performance improvement reducing the maximum number of shared threads? Maybe at boot, I think... when you receive tens of hosts in a few moments.

tux-mind commented 8 years ago

Wow, as reported privately by @gainan, per-host scan takes at least 20 minutes on networks with more than 250 hosts (1GHz single-core device). I have to implement network port scan. This solution is not usable at all, because it uses all available phone resources for a long time.

gustavo-iniguez-goya commented 8 years ago

Well, less than 20 mins; after about 5-8 mins the mobile starts working normally, but it's noticeable that the app is generating too much load (when closing the app there were ~50 nmaps running in the background).

A related problem I see is that the hosts list is a live list. I mean, in many subnets there's not a fixed number of hosts; there are always hosts that connect and disconnect from the AP, and that generates a load on the device that never ends. But taking this into account, launching a single nmap will map the net on start-up, but will not detect successive connection/disconnection events.

tux-mind commented 8 years ago

good catch @gainan :+1:

will:

The problem is that we do not have information about already scanned hosts if they do not have open ports. Maybe we have to play with nmap options to show all found hosts.