Scanning Networks
By: Krishna
This article first appeared at our affiliate site eBCVG.com, where the original can be found.
Scanning tells you which services are running on a machine: it shows the open ports on which services are listening for connections. First we determine whether the target machine is alive. This can be done by sending an ICMP echo request packet to the host; a live host responds with an ICMP echo reply. Doing this across a range of hosts or IP addresses is known as a ping sweep. Of the many methods available, we will look at ICMP ping and echo port ping.
ICMP ping
Your machine sends an ICMP echo request (type 8) to the target machine, and the
target responds with an ICMP echo reply (type 0) if it is alive. You can use the
Unix ping command to do this:
[root@ns2 root]# ping -c 3 66.218.71.86
PING 66.218.71.86 (66.218.71.86) from 203.41.193.140 : 56(84) bytes of data.
64 bytes from 66.218.71.86: icmp_seq=1 ttl=51 time=207 ms
From 203.41.193.137: icmp_seq=2 Redirect Host (New nexthop: 202.5.165.81)
64 bytes from 66.218.71.86: icmp_seq=2 ttl=51 time=204 ms
64 bytes from 66.218.71.86: icmp_seq=3 ttl=51 time=203 ms
--- 66.218.71.86 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2019ms
rtt min/avg/max/mdev = 203.938/205.171/207.287/1.503 ms
[root@ns2 root]#
At the end it prints a summary with the number of packets sent and received and
the percentage of packet loss.
Echo port ping
This makes use of the echo service on the target machine, which runs on port 7.
Whatever you send to it is echoed back to you, so if what you sent comes back,
you can be sure the target machine is alive.
Two interesting tools on Linux are Fping and Nmap.
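From the defender's side, a ping sweep of either kind above looks like one source probing many hosts in a short time. The following is an added example, not code from the original article: it parses constructed, iptables-style firewall log lines (the format and addresses are assumptions) and reports sources that sent ICMP echo requests or TCP packets to the echo port (7) to at least min_hosts distinct hosts within a sliding time window.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the article): "<seconds> KEY=VALUE ...",
# loosely modelled on iptables LOG output. 203.0.113.9 probes six hosts in six
# seconds with ICMP echo requests and TCP echo-port (7) probes.
SAMPLE_LOG = """\
1 SRC=203.0.113.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
2 SRC=203.0.113.9 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
3 SRC=203.0.113.9 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
4 SRC=203.0.113.9 DST=192.0.2.4 PROTO=TCP DPT=7 SYN
5 SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP DPT=7 SYN
6 SRC=203.0.113.9 DST=192.0.2.6 PROTO=ICMP TYPE=8 CODE=0
7 SRC=198.51.100.4 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
40 SRC=198.51.100.4 DST=192.0.2.2 PROTO=ICMP TYPE=0 CODE=0
"""
LINE_RE = re.compile(r"^(?P<t>\d+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Return (seconds, fields) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return int(m.group("t")), fields

def is_liveness_probe(f):
    """ICMP echo request (type 8) or a TCP packet to the echo service (port 7)."""
    if f.get("PROTO") == "ICMP":
        return f.get("TYPE") == "8"
    return f.get("PROTO") == "TCP" and f.get("DPT") == "7"

def detect_ping_sweeps(log_text, window=30, min_hosts=5):
    """Map each source probing >= min_hosts distinct hosts within any window seconds to its sorted target list."""
    probes = defaultdict(list)  # src -> [(seconds, dst), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and "SRC" in parsed[1] and is_liveness_probe(parsed[1]):
            probes[parsed[1]["SRC"]].append((parsed[0], parsed[1].get("DST", "")))
    sweeps = {}
    for src, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered probes
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= min_hosts:
                sweeps[src] = sorted({dst for _, dst in events})
                break
    return sweeps
```

Echo replies (type 0) are deliberately ignored so that hosts answering a sweep are not themselves reported.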
Fping
Fping sends multiple ICMP echo request packets simultaneously and processes the
replies as they arrive, which makes ping sweeps faster. Fping can be given a
single IP address or a file containing a list of IP addresses.
[root@Krishna]# fping -a -g 203.122.1.0 203.122.1.80
203.122.1.9
203.122.1.26
203.122.1.37
203.122.1.47
203.122.1.54
203.122.1.42
203.122.1.68
203.122.1.80
[root@Krishna]#
Type fping -h for a full listing of available options.
Nmap
Nmap is a powerful tool that can do a lot more than ping sweeps.
To use nmap for ping sweeping, use the -sP argument.
[root@ns2 root]# nmap -sP 203.122.58.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (203.122.58.1) appears to be up.
Host (203.122.58.2) appears to be up.
Host (203.122.58.5) appears to be up.
Host (203.122.58.6) appears to be up.
Host (203.122.58.9) appears to be up.
Host (203.122.58.10) appears to be up.
Host (203.122.58.13) appears to be up.
Host (203.122.58.14) appears to be up.
caught SIGINT signal, cleaning up
[root@ns2 root]#
If ICMP is blocked by the target machine's firewall, additional techniques can
be used to determine whether systems are alive.
Nmap provides an advanced option called TCP ping scan. It is started with the
-PT argument followed by a port number such as 80, since packets to this port
are allowed through by many firewalls and border routers to the systems in their
demilitarized zone (DMZ).
[root@ns2 root]# nmap -sP -PT80 203.122.58.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (203.122.58.1) appears to be up.
Host (203.122.58.2) appears to be up.
Host (203.122.58.5) appears to be up.
Host (203.122.58.6) appears to be up.
Host (203.122.58.9) appears to be up.
Host (203.122.58.10) appears to be up.
Host (203.122.58.13) appears to be up.
Host (203.122.58.14) appears to be up.
caught SIGINT signal, cleaning up
[root@ns2 root]#
Icmpenum
This tool is from Simple Nomad (http://www.nmrc.org/project/misc/icmpenum-1.1.1.tgz).
Even if the border router or firewall blocks ICMP echo packets, a system can
still be shown to be alive by using a different ICMP type, such as an ICMP
timestamp request or an ICMP information request.
[krishna]# icmpenum -i2 -c 192.168.1.0
In the above example we enumerated the entire 192.168.1.0 class C network using
ICMP timestamp requests. Icmpenum can also send spoofed packets to avoid
detection: use the s argument to send spoofed packets and the p switch to
passively listen for responses.
Icmpquery
Icmpquery can be found at http://packetstormsecurity.com/UNIX/scanners/icmpquery.c
Ping sweeps make use of ICMP echo packets, but there are many more ICMP types
that can be used to gather valuable information about a system. For example,
you can request the time on a system by sending an ICMP type 13 message
(TIMESTAMP), and you can request the netmask of a particular device with an ICMP
type 17 message (ADDRESS MASK REQUEST).
To query a router's time, run:
[root@ns2 files]# ./icmpquery -t 213.206.75.252
213.206.75.252 : Sun Jun 8 16:46:30 2003
[root@ns2 files]#
and to query a router's netmask, use
[Krishna]# icmpquery -m 213.206.75.252
Windows tools:
To do ping sweeps on Windows, try the freeware pinger from Rhino9 (http://nmrc.org/snt).
Some other tools for Windows are:
Ping Sweep from Solarwinds (http://www.solarwinds.net)
WS_Ping ProPack (http://www.ipswitch.com)
NetScan Tools (http://www.nwpsw.com)
Port Scanning:
Port scanning is the process of connecting to TCP and UDP ports on the target
system to determine which services are running or in a listening state.
Identifying listening ports is essential for determining the type of operating
system and applications in use on the system.
Types of port scanning:
1.) TCP connect scan: This type of scan connects to the target port and
completes a full three-way handshake (SYN, SYN/ACK and ACK).
2.) TCP SYN scan: This is also called half-open scanning because it does not
complete the three-way handshake. A SYN packet is sent; a SYN/ACK in reply means
the target machine's port is listening, while an RST/ACK means the port is not
listening.
3.) TCP FIN scan: This technique sends a FIN packet to the target port; based on
RFC 793, the target system should send back an RST for all closed ports.
4.) TCP Xmas Tree scan: This technique sends a packet with the FIN, URG and PUSH
flags set to the target port; based on RFC 793, the target system should send
back an RST for all closed ports.
5.) TCP Null scan: This technique turns off all flags; based on RFC 793, the
target system should send back an RST for all closed ports.
6.) TCP ACK scan: This technique is used to map out firewall rulesets. It can
help determine whether the firewall is a simple packet filter allowing only
established connections or a stateful firewall performing advanced packet
filtering.
7.) TCP Window scan: This type of scan can detect both filtered and unfiltered
ports on some systems, due to an anomaly in the way the TCP window size is
reported.
8.) TCP RPC scan: This technique is specific to UNIX systems and is used to
detect and identify Remote Procedure Call (RPC) ports and their associated
program and version numbers.
9.) UDP scan: This technique sends a UDP packet to the target port. If the
target port responds with an "ICMP port unreachable" message, the port is
closed; if not, the port is assumed open. This is a slow process because UDP is
a connectionless protocol, and the accuracy of the technique depends on many
factors related to the utilization of network and system resources.
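A defender's view of the TCP scan types above, as an added example that is not code from the original article: the flag sets are mapped to the scan names listed, expected_reply encodes the RFC 793 behaviour each description relies on, and summarize_scans separates a scan (many distinct ports on one host from one source) from an ordinary connection attempt. The flow records and addresses are constructed sample data.

```python
from collections import defaultdict

# Flag combinations of the probe types listed above, keyed by the TCP flags set.
SCAN_TYPES = {
    frozenset({"SYN"}): "SYN/connect scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "URG", "PSH"}): "Xmas Tree scan",
    frozenset(): "Null scan",
    frozenset({"ACK"}): "ACK scan",
}

# Constructed flow records (not from the article): (seconds, src, dst, dport, flags).
SAMPLE_FLOWS = [
    (0, "203.0.113.7", "192.0.2.10", 21, {"SYN"}),
    (0, "203.0.113.7", "192.0.2.10", 22, {"SYN"}),
    (1, "203.0.113.7", "192.0.2.10", 23, {"SYN"}),
    (1, "203.0.113.7", "192.0.2.10", 80, {"SYN"}),
    (5, "198.51.100.3", "192.0.2.10", 21, {"FIN", "URG", "PSH"}),
    (5, "198.51.100.3", "192.0.2.10", 80, {"FIN", "URG", "PSH"}),
    (6, "198.51.100.3", "192.0.2.10", 443, {"FIN", "URG", "PSH"}),
    (9, "198.51.100.3", "192.0.2.10", 8080, set()),
    (30, "192.0.2.50", "192.0.2.10", 80, {"SYN"}),  # one ordinary connection
    (30, "192.0.2.50", "192.0.2.10", 80, {"ACK"}),  # its handshake completion
]

def classify_probe(flags):
    """Name the scan type implied by a segment's flags, or None for ordinary traffic."""
    return SCAN_TYPES.get(frozenset(flags))

def expected_reply(flags, port_open):
    """Reply an RFC 793 host sends to such a probe; None means silence."""
    fs = frozenset(flags)
    if fs == {"SYN"}:
        return "SYN/ACK" if port_open else "RST/ACK"
    if fs in (frozenset({"FIN"}), frozenset({"FIN", "URG", "PSH"}), frozenset()):
        return None if port_open else "RST"  # open ports ignore these probes
    if fs == {"ACK"}:
        return "RST"  # sent whether open or closed; no answer suggests filtering
    return None

def summarize_scans(flows, min_ports=3):
    """Group probes by (src, dst, scan type) and keep those touching >= min_ports
    distinct ports, which separates a scan from a single connection attempt."""
    ports = defaultdict(set)
    for _, src, dst, dport, flags in flows:
        kind = classify_probe(flags)
        if kind is not None:
            ports[(src, dst, kind)].add(dport)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}
```

A lone SYN to a single port is indistinguishable from a normal client, which is why the port-count threshold, not the flag set alone, decides what gets reported.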
We will now discuss some of the more popular and time proven port scanners.
Strobe
Download it from ftp://ftp.rpmfind.net/linux/redhat/7.1/en/powertools/i386/RedHat/RPMS/s…
It is one of the fastest and most reliable TCP scanners, and it can also grab
the banner associated with a particular port. Strobe is a TCP scanner only and
has no UDP scanning capability; it is also easily detected by the target
machine.
[root@ns2 files]# strobe 213.206.75.252
strobe 1.04 (c) 1995-1997 Julian Assange (proff@suburbia.net).
213.206.75.252 21 ftp File Transfer [Control] [96,JBP]
-> 220-FTP server ready.
-> 220 Only anonymous FTP is allowed here
213.206.75.252 80 http www www-http World Wide Web HTTP
www World Wide Web HTTP [TXL]
[root@ns2 files]#
For a UDP port scanner, try udp_scan from SATAN (Security Administrator Tool for
Analyzing Networks).
Netcat
Netcat is known as the Swiss army knife of the security toolkit. It provides
both TCP and UDP scanning capabilities. The -v and -vv options give verbose
output, the -z option is used for port scanning, and the -w2 option sets a
two-second timeout for each connection. By default nc scans TCP ports; the -u
option selects UDP scanning.
[root@ns2 files]# nc -v -z -w2 203.122.61.154 1-140
ns2.spectra.com [203.122.61.154] 111 (sunrpc) open
ns2.spectra.com [203.122.61.154] 80 (http) open
ns2.spectra.com [203.122.61.154] 53 (domain) open
ns2.spectra.com [203.122.61.154] 23 (telnet) : No route to host
[root@ns2 files]#
[root@ns2 files]# nc -u -v -z -w2 203.122.61.154 1-140
ns2.spectranet.com [203.122.61.154] 132 (?) open
ns2.spectranet.com [203.122.61.154] 131 (?) open
ns2.spectranet.com [203.122.61.154] 130 (?) open
ns2.spectranet.com [203.122.61.154] 129 (?) open
ns2.spectranet.com [203.122.61.154] 128 (?) open
ns2.spectranet.com [203.122.61.154] 127 (?) open
ns2.spectranet.com [203.122.61.154] 126 (?) open
punt!
[root@ns2 files]#
Network Mapper (nmap)
Nmap, from http://www.insecure.org/nmap, is an all-in-one tool. To see the full
list of options, use
[root@ns2 files]# nmap -h
[root@ns2 files]# nmap -sP 192.168.0.172
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host ns2.krishna.com (192.168.0.172) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
[root@ns2 files]#
Nmap accepts ranges in CIDR (Classless Inter-Domain Routing) block notation. The
-oN option saves the output in a human-readable format, and -oM saves it in a
tab-delimited file.
[root@ns2 files]# nmap -sF 203.122.58.0/24 -oN outfile
Windows based port scanners
NetScanTools Pro 2000 http://www.nwpsw.com
SuperScan http://www.foundstone.com/rdlabs/termsofuse.php?filename=superscan.exe
WinScan http://www.prosolve.com
IpEye http://www.ntsecurity.com
NetCat http://www.atstake.com/research/tools/nc11nt.zip
WUPS http://www.ntsecurity.nu
Fscan http://www.foundstone.com/rdlabs/termsofuse.php?filename=fscan.exe
Krishna
http://www.KrisinDigitalAge.com