Hello,

I typically won't post these types of topics unless I'm really desperate, which is the case. I have done much research by myself but still need some assistance and the clock is ticking :/

I am a whitehat that was employed by an organization [sorry I probably shouldn't say by whom] that hired me for my mitm, arp posioning, and packet injection skills. Quite honestly I'm not near as experienced as the majority of the users on here but they seemed to think I could do the job.

The only problem is they seem to have me doing everything outside of my expertise and have me scanning the ol WAN for external host discovery.

Only problem is that the firewall seems pretty resilient [or I'm just pathetic] and I am not getting any hosts returned on my external scans.... At all. One range I scanned let's say just for example 192.168.0.0/24 [obviously just a local example, not the real range I'm scanning]. And I get 30 some on hosts on the internal scan. Okay great. I hop outside of the network and start doing external scans. Nothing. I can't get ANYTHING!

I'll be honest. I'm no nmap guru. I've read through the "Nmap Network Scanning" book by Gordon Lyon and used a few of his suggested methods and still, nothing.

My first attempts I tried mixing various types of SYN an ACK probes and still can't seem to achieve any king of success.

An example of one of my attempts:
-PE -PA -PS21-25,80,113,31339 -PA80,113,443,10042 -g 53

I'm not asking anyone to do my homework for me. Maybe just point me in the right direction. Again I hate to ask for any help but I have to report on SOMETHING. Haha thanks in advance for any advice.

Oh and I wish I could disclose more information on the network but don't think that would be a good idea.

Did they give you the block of external IP's to test or is this a black box scenario?

If this is the block they gave you, you might want to slow down your nmap scans. It's possible the FW knows you're slamming it with nmap scans and is just dropping your traffic. It's also possible they spotted you and are dropping all traffic from your IP.

I would try the -t (i think) flag in nmap to change the interval so that it slows your scans WAY down. I would probably also try from a different server with a different public IP just in case they blocked your IP as a matter of Incident Response.

-C

Sounds like you need to do a bit of recon before you hit such a wide range of IPs. For example, ping their webserver. Does that IP fall into one of the blocks they gave you?

If so, scan that so you can be sure you're getting some results back.

Recon and info gathering is a critical first step.