(Caveat: I do NERC CIP work and we use a command line script to look at
netstat, lsof, etc. rather than using nmap and potentially knocking over
PLCs, etc.)

Having said that, look at specifying the packet timing rather than using
the regular T options.  Also, specify UDP ports to known services like ntp
and your basic Windows services - I do that for non-SCADA port mapping
already given time limits on engagements.  I don't think you'll have a big
issue with syn over connect scans but that idea doesn't hurt.  Use -sV and
grab your banners especially taking the time for full connect.  You may
even want to spend a couple minutes going through the scripts and tuning a
couple to grab more information.
On Nov 27, 2012 1:48 PM, "Bruce Barnett" <[email protected]> wrote:

> I'm going to have a short-time access to a SCADA test lab, and I want
> to run a port map to characterize the services available.
>
> There are about 7 networks (virtual and real), with 6 physical
> Ethernet ports. I want to discover all services, on all networks. I
> don't need stealth, and I want to avoid scans that might crash older
> devices. I also don't want to get half-done and realize that I made
> the wrong choices, and have to do it again.
>
> I was thinking of using -sS, but I am concerned some devices might
> crash if there are too many half-open connections.
> So should I use -sT instead - I think.
> And -r would make the scan more "repeatable" if some device crashes.
> So any comments on using these options:
>
>     nmap -r -v -sT -sU 10.1.1.0/24 10.2.0.0/24 -oX scan1.xml -oG scan1.txt
> repeat for next interface....., etc.
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
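Since the original post writes the results with -oX scan1.xml and the reply leans on -sV banners, here is an added example (mine, not code from either poster) that turns that XML into a per-host service inventory. It separates ports nmap actually got a reply from (state "open") from UDP ports that only went unanswered ("open|filtered"), and flags whether a service name came from a real banner probe or from the port-number table, which is the difference between "ntp is running" and "something is on 123/udp". The XML below is a constructed sample, not a real scan; the addresses and service names in it are illustrative.

```python
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan): one host up with
# three ports, one host down. Service names are illustrative only.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -r -v -sT -sU -sV -oX scan1.xml 10.1.1.0/24">
  <host>
    <status state="up"/>
    <address addr="10.1.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502">
        <state state="open" reason="syn-ack"/>
        <service name="mbap" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="123">
        <state state="open" reason="udp-response"/>
        <service name="ntp" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.1.1.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one record per <port> element of every host that was up."""
    root = ET.fromstring(text)
    records = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data; skip them
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # method="probed" means -sV got a banner; "table" is a port-number lookup
                "method": svc.get("method", "") if svc is not None else "",
                "conf": int(svc.get("conf", "0")) if svc is not None else 0,
            })
    return records


def confirmed_open(records):
    """Ports whose state is exactly 'open': the target answered."""
    return [r for r in records if r["state"] == "open"]


def needs_follow_up(records):
    """UDP ports reported open|filtered: no reply, so the service is unconfirmed."""
    return [r for r in records if r["state"] == "open|filtered"]


def banner_confidence(record):
    """Distinguish a probed banner (conf 10) from a name guessed off the port number."""
    if record["method"] == "probed" and record["conf"] >= 10:
        return "banner"
    return "port-table guess"


def services_by_host(records):
    """Inventory of confirmed-open ports per host, e.g. '502/tcp mbap'."""
    out = defaultdict(list)
    for r in confirmed_open(records):
        label = f"{r['port']}/{r['proto']} {r['service'] or 'unknown'}"
        if r["product"]:
            label += f" ({r['product']} {r['version']})".rstrip()
        out[r["host"]].append(label)
    return dict(out)


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for host, ports in services_by_host(recs).items():
        print(host, ports)
    for r in needs_follow_up(recs):
        print(f"unconfirmed: {r['host']} {r['port']}/{r['proto']} ({r['reason']})")
```

Run it against a real scan1.xml by swapping SAMPLE_NMAP_XML for the file contents; the open|filtered list is the one worth re-checking with the specific UDP ports the reply mentions, since a no-response UDP port tells you nothing on its own.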