
Re: number of users accessing a wireless network



On Fri, 04 Apr 2008 13:54:29 +1100
Rich Healey <healey.rich@gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Celejar wrote:
> > On Mon, 31 Mar 2008 15:12:33 +1100
> > Rich Healey <healey.rich@gmail.com> wrote:
> > 
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Kamaraju S Kusumanchi wrote:
> >>> My current network configuration is
> >>>
> >>> ISP --> wireless router ---> comp1
> >>>                         ---> comp2
> >>>                         ---> comp3
> >>>
> >>> The wireless router is wrt54g. The computers might be running Debian, M$
> >>> etc., Is it possible to figure out the number of users and IP addresses of
> >>> active connections served by the router?
> >>>
> >>> thanks
> >>> raju
> >> put them all in the same subnet (ie 192.168.0.128-255) and then nmap -sS
> >> -PN 192.168.0.128/25 | grep '[uU][Pp]'
> > 
> > IIUC, this will only work for machines that are listening on at least
> > one open port.  BTW, isn't -sS the default?
> > 
> > Celejar
> > --
> > mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> > ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
> > 
> > 
> no, -sS is a syn stealth it throws SYN packets out of sequence hoping to
> elicit a RST from the server since it hadn't ACK or ACK/SYN'd.

A SYN / stealth scan, which is, as I wrote, the nmap default, has
nothing to do with throwing packets out of sequence; it sends SYN
packets, which are the perfectly legitimate beginnings of standard
TCP three way handshakes.  The SYN scan is called a half-open scan,
because the attacker never completes the three way handshake, but
that's not why RSTs are received in reply; the TCP stack is indeed
supposed to reply with a RST if nothing is listening on the port (the
port is 'closed').

> Anyway it requires root to do.
> 
> Also the -sS negates the need for them to be listening, really they just

Both the SYN (-sS) and the TCP connect (-sT) scans will receive RSTs
from closed ports; for our purposes there's not much difference between
them.

> need to be a running a not particularly stealthy os, windows will get
> picked up from the 130's where netbios sits, and only some hardened

Of course it will; those ports are open!  My mail asked about systems
without open ports.  Additionally, even Windows systems can easily be
hidden with personal firewalls.

> kernels don't get picked up by -sS

Any system that simply drops incoming packets, without replying with
RSTs, will be invisible to the sort of port scanning you describe.  A
simple personal firewall will do exactly that, often by default.
[Shorewall doesn't stealth ident / auth (TCP 113) by default.]  In any
event, if you have anything listening on any port being scanned, you
will be seen; if you don't, and your system is configured to silently
drop incoming packets to closed ports, you won't.  It doesn't really
depend on any exotic hardening of the kernel, unless by hardening you
include a standard iptables based firewall.  I am aware, BTW, of the
heated debate as to whether there's any real security gain by
stealthing all ports.

My original mail was inaccurate, though.  The RSTs will reveal the
existence of systems even without open ports, as long as they are not
firewalled.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
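The distinction argued over in this thread, that a RST from a closed port reveals a host just as well as an open port does while a silent drop reveals nothing, is easy to see with a plain TCP connect probe (the equivalent of nmap -sT, which needs no root). The following is an added example, not code from anyone in the thread: it probes a listening port and a closed port on the loopback interface, maps "connection refused" to a closed port (a RST came back) and a timeout to a filtered port (nothing came back), and counts a host as up only if at least one port answered either way. The use of 127.0.0.1 and the 0.5 second timeout are assumptions for running it offline; the sample result dictionaries fed to classify() are constructed, not captured from a real scan.

```python
import socket
from typing import Dict, List, Tuple

# Assumed defaults for an offline demo on the loopback interface.
PROBE_TIMEOUT = 0.5


def probe_port(host: str, port: int, timeout: float = PROBE_TIMEOUT) -> str:
    """Connect-scan one port.  Returns "open", "closed" or "filtered".

    A closed port answers the SYN with a RST, which the socket API reports as
    ECONNREFUSED.  A port behind a firewall that silently drops the SYN gives
    no answer at all, so the connect attempt only times out.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                      # handshake completed: something listens
    except ConnectionRefusedError:
        return "closed"                    # RST received: host is up, port closed
    except (socket.timeout, TimeoutError):
        return "filtered"                  # no reply: dropped (or lost on the way)
    except OSError:
        return "filtered"                  # e.g. host/net unreachable: unknown
    finally:
        s.close()


def classify(results: Dict[int, str]) -> str:
    """Host is provably up if any port was open OR closed; otherwise unknown."""
    if any(state in ("open", "closed") for state in results.values()):
        return "up"
    return "unknown"


def host_state(host: str, ports: List[int]) -> Tuple[str, Dict[int, str]]:
    results = {port: probe_port(host, port) for port in ports}
    return classify(results), results


def count_up(hosts: List[str], ports: List[int]) -> int:
    """Count hosts that revealed themselves, the way 'grep -i up' was used above."""
    return sum(1 for host in hosts if host_state(host, ports)[0] == "up")


def demo_on_loopback() -> Tuple[str, str, str]:
    """Probe one open and one closed port on 127.0.0.1 (constructed setup)."""
    # Open port: a throwaway listener we control; the kernel completes the
    # handshake into the backlog even though we never call accept().
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Closed port: grab an ephemeral port and release it so nothing listens
    # there; the stack will answer probes to it with a RST.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        state, results = host_state("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return state, results[open_port], results[closed_port]


if __name__ == "__main__":
    state, open_result, closed_result = demo_on_loopback()
    print("host state:", state, "| open port:", open_result,
          "| closed port:", closed_result)
    # Constructed results for a host whose firewall drops everything except
    # ident/auth (TCP 113), as in the Shorewall remark above: that single RST
    # is enough to reveal it.
    print("drops all:", classify({22: "filtered", 113: "filtered"}))
    print("leaks 113:", classify({22: "filtered", 113: "closed"}))
```

Against a real LAN the same logic applies, but note that nmap's default host discovery (-sn) on a directly attached Ethernet or Wi-Fi segment uses ARP requests rather than TCP, and a host cannot stay on the segment without answering ARP, so for the original question of counting machines behind the wrt54g that is the probe a host firewall cannot hide from.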

