Fighting Zombies with FastNMAP &
Npwn: A Case Study At Washington
REN-ISAC Techburst
Thursday, April 29th, 2010
Brian Allen, CISSP
Network Security Analyst,
Washington University in St. Louis
Washington University in St. Louis, MO
Private University Founded in 1853
3,000+ Full Time and Adjunct Faculty
13,000+ Full and Part Time Students
13,000+ Employees
4000+ Students Living on Campus
Decentralized Campus Network
Business School
Law School
Arts & Sciences
Medical School
Social Work
Art & Architecture
Engineering School
Decentralized Campus Network
NSS = Network Services and Support
NSO = Network Security Office
A Short Discussion of .EDU Politics
and Potential Pitfalls of Scanning
• Give Notice to Departments Before Scanning
• The Period Between Scans is Not Too Important: 1 week < X < A Couple Months
• A Switch’s One Minute Heartbeat was Missed, and School’s Network Engineers Were Paged
• KVM Switch Hung – It was Old and Needed to be Updated, Then it Handled the Scan Fine
• Identify Devices with Problems, Exclude Them, Work to Fix them
My Scanner: Dell PowerEdge R805
2x Quad-Core AMD Opteron 2.4GHz
16GB Memory
2x 146GB 10K Hard Drives
4x Broadcom NetXtreme II 5708 1GbE Onboard
Need to upgrade to an Intel Pro/1000 PCIExpress card ($100-200)
NMAP Scripting Engine
• I kept 92 nse scripts like:
• I removed all the brute force ones + others like:
– "smb-check-vulns.nse"
– "smb-brute.nse"
FastNMAP Command
# nmap -sL -n |
egrep '^Nmap scan' |
awk '{print $5}' |
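An added example (not from the original slides): the list-scan pipeline above, extended so that devices on a do-not-scan list, like the switch and KVM mentioned earlier, are dropped before any probe is sent. The sample output, the addresses, the exclude-file format and the names `sample_list_scan` and `build_targets` are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `nmap -sL -n` output into a target list while honouring
# a per-site exclude file. All names and addresses here are constructed.

# Constructed sample of list-scan output (RFC 5737 documentation range).
sample_list_scan() {
cat <<'EOF'
Starting Nmap ( http://nmap.org )
Nmap scan report for 192.0.2.8
Nmap scan report for 192.0.2.9
Nmap scan report for 192.0.2.10
Nmap scan report for 192.0.2.11
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.01 seconds
EOF
}

# build_targets EXCLUDE_FILE
# Reads list-scan output on stdin and prints one IP per line.
# Exclude file format (an assumption): one IP per line, '#' starts a comment.
build_targets() {
    awk -v excl="$1" '
        BEGIN {
            # Load the do-not-scan list, dropping comments and whitespace.
            while ((getline line < excl) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") skip[line] = 1
            }
        }
        # Same selection as the egrep/awk stages: report lines, fifth field.
        # The dotted-quad check drops hostnames if -n was forgotten; the
        # array lookup is an exact match, so excluding 192.0.2.1 cannot
        # also remove 192.0.2.10 the way a substring grep would.
        /^Nmap scan/ &&
        $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        !($5 in skip) &&
        !seen[$5]++ { print $5 }
    '
}

# Demo: exclude one device that is known to hang when scanned.
excl=$(mktemp)
printf '%s\n' '192.0.2.1' '192.0.2.9   # old KVM switch' > "$excl"
sample_list_scan | build_targets "$excl"
rm -f "$excl"
```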
NPWN Command
#./ -x -s 7 -d ./log/
Status Update
• Took three days to scan
• Much of the campus sits behind firewalls
• Can only scan the MedSchool’s 93 /24 subnets once per month
• Am not scanning any of our private IP space (student subnets, wireless, etc)
• Usually find about 3000 IP addresses online
Some Interesting Npwn Tags
Any Questions?

