No one believes an hypothesis except its
originator, but everyone believes an
experiment except the experimenter.
J.Anon, 1823
[0] General
The larger the target network (10.0.0.0/8 is large), the
faster you can scan (-X -l 5000+).
Use 'spreadmode' (-X) wherever possible.
Use an unused IP from your local network for spoofing.
(bscan comes with its own ARP daemon to answer ARP requests
for the spoofed IP.)
[1] Scanning your own LOCAL network:
If you get packet loss and missing scan results while
scanning your local network, please lower the scan rate.
Your host is unable to resolve 1000 ARPs per second
and therefore drops packets.
Try smaller values, around 50-100 hosts/second.
[2] Why is 'spreadmode' so much better?
First: it is non-linear and therefore more 'stealthy'.
The default timeout for most IDS is around 4 minutes.
If you scan linearly [not spreadmode] you hit
the target network several thousand times per second.
Second: the last router has to resolve all MACs for
the hosts on the target network.
There is no router that can resolve 1000+ MACs per second.
'Spreadmode' tries to guess the 'router distance' and
sends packets to different routers [non-linear].
It tries to achieve the maximum time distance between
two packets hitting the same router.
It's up to the reader to prove that a random scan
is inadequate in this situation.
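The point above, that a roughly 4-minute IDS correlation window never ties a spread scan's probes together, can be checked from the defender's side. The following is an added example, not part of the bscan FAQ or the bscan code: a detector that correlates per-source probes over a long window (one hour here) and flags sources that touch many distinct hosts across many /24 networks, run over a constructed flow log; with the window shrunk to 4 minutes the same scanner goes unnoticed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow log ("timestamp source destination"); not real traffic.
# 198.51.100.7 probes one host per /24 every five minutes, so no two probes
# fall inside a four-minute IDS window; 203.0.113.9 is ordinary client traffic.
SAMPLE_FLOWS = """\
2024-01-01T00:00:00 198.51.100.7 10.1.0.5
2024-01-01T00:05:00 198.51.100.7 10.2.0.9
2024-01-01T00:10:00 198.51.100.7 10.3.0.1
2024-01-01T00:15:00 198.51.100.7 10.4.0.7
2024-01-01T00:20:00 198.51.100.7 10.5.0.2
2024-01-01T00:25:00 198.51.100.7 10.6.0.3
2024-01-01T00:01:00 203.0.113.9 10.1.0.5
2024-01-01T00:02:00 203.0.113.9 10.1.0.5
2024-01-01T00:03:00 203.0.113.9 10.1.0.6
"""

def parse_flows(text):
    """Parse 'ISO-timestamp src dst' lines into (time, src, dst) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst))
    return flows

def find_spread_scanners(flows, window=timedelta(hours=1), min_hosts=5, min_subnets=4):
    """Return {src: (hosts, subnets)} for every source that, within some interval
    no longer than `window`, contacted at least min_hosts distinct hosts spread
    over at least min_subnets distinct /24 networks. The reported pair is the
    largest seen. The window is deliberately much longer than a typical IDS
    correlation timeout, which is what lets it catch a spread scan."""
    per_src = defaultdict(list)
    for ts, src, dst in flows:
        per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start so that events[start:end+1] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            subnets = {ipaddress.ip_network(f"{h}/24", strict=False) for h in hosts}
            if len(hosts) >= min_hosts and len(subnets) >= min_subnets:
                hits[src] = max(hits.get(src, (0, 0)), (len(hosts), len(subnets)))
    return hits

if __name__ == "__main__":
    for src, (hosts, nets) in find_spread_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {hosts} hosts across {nets} /24 networks")
```

The thresholds are assumptions for the constructed data; on a real network they would be tuned against a baseline of legitimate fan-out (monitoring hosts, backup servers) to keep the false-positive rate acceptable.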
[3] Does bscan work on media other than ethernet?
Short answer: NO!
Long answer: I'll add support for other media later.
[4] Does it work through NAT?
Yes. But be aware that most NAT systems are unable to keep
state for 100.000 seconds. Try reducing the scan speed (-l 100?)
for instance.