[unisog] Determining local servers and banners

Are Leif Garnåsjordet a.l.garnasjordet at usit.uio.no
Wed Apr 6 05:43:20 GMT 2005

On Mon, 4 Apr 2005, Harry Hoffman wrote:

> We are in the process of writing some apps to do this but I wanted to
> see if anyone else is doing this, how they are doing it, and perhaps any
> potential pitfalls...
> So, we are looking to determine all servers running in our IP space and
> then grab any banners that we may find. We currently have a way to do
> this for TCP where we look for the Syn/Ack bits set and the src networks
> to be ours:
> tcpdump -i eth0 -w file.dmp 'tcp[13] == 18' and src net '( 192.168.1 or
> 192.168.2 )'
> We read this file and feed it into a perl script which fires off a bunch
> of nmap scans to pull back the banners of the IP/Port found to be a server.
> So, this gives us TCP servers and does a pretty good job...
> We don't have a way, currently, to grab udp servers. I understand that a
> similar setup could be done with argus and the "-M hostsvc" flags and I
> am currently investigating this option. Is anyone doing this?
> I'm quite interested to hear how others are solving this problem. Nmap
> against 65000 ports to find a "quiet" ftp server isn't really an option.

We here at the University of Oslo have a perl-based system as you
describe. All our scans are saved in a postgres db with an apache frontend. We
pingscan all subnets around the clock and portscan active hosts with
nmap. At all times we have some TCP & UDP scans going (not sure how many
but can check). I think we managed to UDP scan all our 15 000 active nodes
in about 3 months. Every node is at least tcp scanned once a week.

This system is mainly used to find non-compliant computers (win95/NT4/pre-OSX
Macs, non-standard Samba etc) and "rogue" services (smtp, ftp,
webservers etc).

At the moment we are looking to cross-check the database against our
router logs; we want to find machines "firewalling" us...
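As an added illustration (not code from either poster), the filter Harry quotes, `tcp[13] == 18` plus `src net`, reimplemented over raw Ethernet frames so the SYN/ACK-based server inventory can be built without tcpdump's output format. The sample frames are constructed here; the two /24 prefixes stand in for his "192.168.1" and "192.168.2" networks.

```python
import ipaddress
import struct

SYN_ACK = 0x12  # tcpdump's 'tcp[13] == 18': SYN and ACK set, no other flag


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame (no options, no payload) for the demo."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def find_servers(frames, local_nets):
    """Return {(ip, port)} of hosts in local_nets seen sending a pure SYN/ACK,
    i.e. the listening services the poster's tcpdump filter would record."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    servers = set()
    for frame in frames:
        if frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip_hdr = frame[14:]
        ihl = (ip_hdr[0] & 0x0F) * 4    # honour IP options, as tcpdump does
        if ip_hdr[9] != 6:              # protocol 6 = TCP
            continue
        src = ipaddress.IPv4Address(ip_hdr[12:16])
        tcp = ip_hdr[ihl:]
        sport = struct.unpack("!H", tcp[0:2])[0]
        if tcp[13] == SYN_ACK and any(src in n for n in nets):
            servers.add((str(src), sport))
    return servers


# Constructed sample capture: two local servers answer, the rest must be ignored.
SAMPLE = [
    build_frame("192.168.1.10", "10.0.0.5", 22, 40000, SYN_ACK),    # our ssh server answering
    build_frame("10.0.0.5", "192.168.1.10", 40000, 22, 0x10),       # client ACK, not a server
    build_frame("192.168.2.7", "10.0.0.9", 21, 51000, SYN_ACK),     # a "quiet" ftp server
    build_frame("172.16.0.3", "192.168.1.10", 80, 33000, SYN_ACK),  # not our net, ignored
    build_frame("192.168.1.10", "10.0.0.5", 22, 40001, 0x02),       # SYN only, ignored
]

if __name__ == "__main__":
    for ip, port in sorted(find_servers(SAMPLE, ["192.168.1.0/24", "192.168.2.0/24"])):
        print(f"{ip}:{port}")
```

Like the exact `== 18` test in the quoted tcpdump filter, this skips a SYN/ACK that also carries ECN bits (ECE/CWR), so a host negotiating ECN can be missed; masking with `tcp[13] & 0x12 == 0x12` instead would catch it. The returned set is the list of (IP, port) pairs a follow-up nmap banner grab would be pointed at.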
