What is Pwnscan and the Underlying Methods Used to Perform Network Discovery
Introduction
The ability for Pulse to discover and continuously monitor assets on the network requires the Pwnscan Automated Scanner Service to be started and running. The Pwnscan service can be found by selecting the sensor from the Sensors page, then by selecting Services.
When the Pwnscan service is enabled and running, the sensor performs continuous discovery of assets, and no Tasks involving network discovery are required. In fact, creating tasks to perform network discovery may be redundant and introduce unnecessary traffic on the network.
How does Pwnscan work?
With the Pwnscan service enabled, the sensor puts its eth0 interface into promiscuous mode and listens for ARP and DHCP broadcast-related traffic on the local area network subnet the sensor is located within. When a broadcast is observed, the sensor creates a record for the asset, then scans the asset using Nmap, looking for open ports, services, operating system information, etc. The time between the broadcast being detected by the sensor and the information being displayed in Pwn Pulse is often three minutes or less.
For some network topologies the use of Pwnscan may not be desirable. Alternatively, there may be a desire to selectively scan assets on the local area network or outside the local area network. To accommodate different use-cases, Pulse additionally provides five built-in Network Discovery related tasks that can be used to perform on-demand scanning of target(s) desired, on a regularly scheduled basis.
The five built-in methods, and how each operates, are as follows:
- Network Discovery: DEFAULT uses Nmap to scan the local network subnet (based on the IP address and netmask assigned to the sensor's eth0 interface) to identify the live hosts, then scans each host for the Nmap Top 1,000 ports.
- Network Discovery: BASIC is performed in the same manner as Network Discovery: DEFAULT, except that the user may specify the target IP address (x.x.x.x) or target range (x.x.x.x/x) and the port(s) to be scanned.
Note
If the ports: field is left blank, the Nmap Top 1,000 ports are scanned. If ports are specified, use a comma-delimited list, or a hyphen to indicate a range of ports.
- Network Discovery: SIMPLE uses ARP-Scan to scan the target IP (x.x.x.x) or target range (x.x.x.x/x) specified. The goal is only to determine whether the target is live; nothing else is discovered about the asset(s).
Note
This is an extremely FAST method to discover live hosts within the local network subnet. If the target(s) specified are on a connected remote subnet, do not expect them to be discovered unless ProxyARP is enabled on the router in between.
- Network Discovery: SERVICE uses Nmap with the -sV -O switches to scan the target IP (x.x.x.x) or target range (x.x.x.x/x) specified. The goal is to identify live hosts, listening ports, services, and the operating system of each.
Note
If the ports: field is left blank, the Nmap Top 1,000 ports are scanned. If ports are specified, use a comma-delimited list, or a hyphen to indicate a range of ports.
- Network Discovery: AGGRESSIVE uses Nmap with the -T Aggressive -A -v switches to aggressively scan the target IP (x.x.x.x) or target range (x.x.x.x/x) specified. The goal is to identify live hosts, open ports (out of all 65,535 possible), service detection, version detection, OS detection, and script scanning.
Warning
This is an INTENSIVE SCAN
Though it is possible, it is NOT recommended to run this against a target range. Instead, test an individual target IP address when this level of detail is required. Depending on the network, this method of scanning may overwhelm switches or cause a Denial of Service (DoS) to assets or to the LAN.
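The following is an added illustration, not code from Pwn Pulse or the Pwnscan service, of the passive discovery flow described above (listen for ARP and DHCP broadcasts, create one asset record per newly seen host, then queue an Nmap follow-up) together with the ports: field rule from the BASIC and SERVICE notes. It parses constructed sample frames built in-line, so it runs offline and sends nothing on the wire. The asset record fields, the use of the SERVICE task's -sV -O switches for the follow-up, and the --top-ports 1000 translation of a blank ports: field are assumptions for illustration; the article does not document Pwnscan's own Nmap switches.

```python
"""Passive ARP/DHCP broadcast discovery in the style the article attributes to
Pwnscan.  Example code, not the product's own; all frames are constructed here."""
import ipaddress
import re
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"
# Comma-delimited ports with optional hyphen ranges, as the ports: note requires.
PORT_SPEC = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload):
    """Return (sender mac, sender ip) of an Ethernet/IPv4 ARP packet, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", payload[:18])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return mac_str(sha), str(ipaddress.IPv4Address(spa))


def parse_dhcp(payload):
    """Return (client mac, requested ip or None) for a client DHCP request carried
    in an IPv4/UDP 68->67 datagram, else None."""
    if len(payload) < 20 or payload[9] != 17:           # IPv4 protocol 17 = UDP
        return None
    ihl = (payload[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    dhcp = payload[ihl + 8:]                             # skip the 8-byte UDP header
    if (sport, dport) != (68, 67) or len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return None
    if dhcp[0] != 1 or dhcp[1] != 1 or dhcp[2] != 6:     # BOOTREQUEST over Ethernet
        return None
    mac = mac_str(dhcp[28:34])                           # chaddr, first 6 bytes
    ip, i, opts = None, 0, dhcp[240:]
    while i < len(opts) and opts[i] != 255:              # 255 = end of options
        if opts[i] == 0:                                 # 0 = pad, no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 50 and length == 4:                   # option 50: requested IP
            ip = str(ipaddress.IPv4Address(opts[i + 2:i + 6]))
        i += 2 + length
    return mac, ip


def discover(frames, local_subnet):
    """One asset record per MAC address seen in broadcast traffic.  Hosts whose
    source IP lies outside local_subnet are kept but flagged, since broadcast
    discovery only ever sees the sensor's own subnet (the ProxyARP caveat)."""
    net = ipaddress.IPv4Network(local_subnet)
    assets = {}
    for frame in frames:
        if len(frame) < 14:
            continue
        _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype == ETHERTYPE_ARP:
            hit, source = parse_arp(frame[14:]), "arp"
        elif ethertype == ETHERTYPE_IPV4:
            hit, source = parse_dhcp(frame[14:]), "dhcp"
        else:
            continue
        if hit is None or hit[0] in assets:              # unknown format or already recorded
            continue
        mac, ip = hit
        assets[mac] = {"mac": mac, "ip": ip, "seen_via": source,
                       "on_local_subnet": ip is not None and ipaddress.IPv4Address(ip) in net}
    return list(assets.values())


def ports_argument(ports_field):
    """Blank ports: field -> Nmap Top 1,000 ports (assumed --top-ports 1000);
    otherwise validate the comma/hyphen syntax and pass it through with -p."""
    spec = ports_field.replace(" ", "")
    if not spec:
        return ["--top-ports", "1000"]
    if not PORT_SPEC.match(spec):
        raise ValueError(f"bad port specification: {ports_field!r}")
    return ["-p", spec]


def nmap_command(asset, ports_field=""):
    """Follow-up scan for one asset, using the SERVICE task's -sV -O switches (assumed)."""
    return ["nmap", "-sV", "-O"] + ports_argument(ports_field) + [asset["ip"]]


# Builders for the constructed sample capture (hypothetical hosts).
def build_arp_request(sender_mac, sender_ip, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1, sender_mac,
                      ipaddress.IPv4Address(sender_ip).packed, b"\0" * 6,
                      ipaddress.IPv4Address(target_ip).packed)
    return struct.pack("!6s6sH", BROADCAST_MAC, sender_mac, ETHERTYPE_ARP) + arp


def build_dhcp_discover(client_mac, requested_ip):
    options = DHCP_MAGIC + bytes([53, 1, 1, 50, 4]) + ipaddress.IPv4Address(requested_ip).packed + b"\xff"
    dhcp = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", 1, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, client_mac.ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128) + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return struct.pack("!6s6sH", BROADCAST_MAC, client_mac, ETHERTYPE_IPV4) + ip


HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [                                         # constructed, not a real capture
    build_arp_request(HOST_A, "192.168.1.50", "192.168.1.1"),
    build_dhcp_discover(HOST_B, "192.168.1.77"),
    build_arp_request(HOST_A, "192.168.1.50", "192.168.1.2"),  # repeat: no second record
]

if __name__ == "__main__":
    for asset in discover(SAMPLE_FRAMES, "192.168.1.0/24"):
        print(asset, "->", " ".join(nmap_command(asset)))
```

Keeping one record per MAC address is what prevents the repeated ARP request from triggering a second scan; the on_local_subnet flag is the place to suppress follow-up scans of addresses that only appear because a router in between is proxying ARP.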
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.