Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the mac address table from a router (such as spoofing a cdp packet?)

Also I was thinking of how when you set an IP on a windows machine and if it's taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

Fun...

*looks up in the sky whistling.... pointing to dynamik* It's Friday!

sil.

That's an awesome writeup.  Thanks!

Is that a challenge? Sorry, I was up until 1:30AM working on my coworker's cubicle...

http://i360.photobucket.com/albums/oo46/adynamik1/cups1.jpg

http://i360.photobucket.com/albums/oo46/adynamik1/cups2.jpg

http://i360.photobucket.com/albums/oo46/adynamik1/cups3.jpg

http://i360.photobucket.com/albums/oo46/adynamik1/cups4.jpg

There are over 1300 2oz cups there. We put Pinesol in the first couple hundred, but it got overwhelming...

Yatz, sorry for the delay in responses. I use all sorts of experiments on pentests. Remember, my point of view is, as a pentester, my role is to get in as responsibly as possible. I dictate the tools to use as its my role to be the attacker. In no shape form or fashion is someone ever going to be able to say: "Ok scriptkiddiots, we know you're out there, if you hit our networks, can you preferably ONLY use metasploit!" The reality is, many tools have different pros and cons.

In fiddling around with networking, studying, tampering in my labs, on my work network (I do in-house pentesting for my company, SIG audits for ourselves and clients) I'm always playing this strange game with myself called: "I can beat myself!" Where on the one hand I'm attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks... Trial and error.

Besides, as some have seen on the Metasploit versus Canvas, no one tool fits all and I've found when I fiddle with my own tools sometimes, I get more tuned results and I can tinker with parameters more granularly to give me either complete stealth (bounce/idle scans) or complete immunity (decoy + target's_networks_hosts_in_the_mix)

As for false positives, again, it depends. Because I know what I'd be targetting, I can focus specifics after it. This is something that many tools don't do. Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS. False positives are pretty easy to weed out since my attack space is so low when I'm actually attacking.

Think about the following for a moment. Say I run nmap against a machine which yields 20 services running... I add -sV for version information and in the end, I end up with say 10 potential exploits per service. I now have 200 possibilities. By doing my own tests to validate what nmap or whatever other scanner I'm using, I might be able to find say 2 exploits for only 5 ports. I have 10 exploits to tinker with/test and weed out those fp's as opposed to wondering what to do with 200.

[quote author=yatz link=topic=5851.msg31137#msg31137
This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kind of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

...

I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, "Hey, that's what sil was talking about!"  I don't have it handy, but to summarize it said, "Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios." 
[/quote]

You can always make time On average, I get on about 5 conference calls and meetings I shouldn't be at (don't care to be at per week). Sometimes even 3-4 a day. Vendor meetings, interop conference calls, boring FINRA babbling I have to hear. During this time I always try to keep myself amused and busy. This is while @ work... On the weekends, I try to dedicate at least 2 hours to checking out what's going on in the world of forensics, malware and "hackerdom" When I see something interesting, I bookmark it so that I can go back the next time I have to get on the phone with a vendor...

My bosses sort of don't like it since when I'm at meetings I don't care to be, my mind is far off in security land wondering what to do next. I do this out of interest a love for it so I'm just lucky to get paid for what I do. However, take note at that statement... "I do this out of interest and love" I believe when you take this approach the burden of things like "making more money via certs, passing a test, going further" are lowered and one's ability to retain, understand and progress are strengthened.