
Thread: Scanning

  1. #1
    Junior Member
    Join Date
    Aug 2002
    Posts
    6

    Scanning
    By:
    Caffeine overlord

    A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port <http://searchNetworking.techtarget.c...212807,00.html> number, the computer provides. Port scanning, a favorite approach of computer crackers <http://searchSecurity.techtarget.com...211852,00.html>, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.
    Types of port scans include:
    Vanilla <http://WhatIs.techtarget.com/definit...213272,00.html> - An attempt to connect to all ports (there are 65,536)
    Strobe - An attempt to connect to only selected ports (typically, under 20)
    Stealth scan - Several techniques for scanning that attempt to prevent the request for connection from being logged
    FTP Bounce Scan - Attempts that are directed through a File Transfer Protocol <http://searchNetworking.techtarget.c...213976,00.html> server <http://WhatIs.techtarget.com/definit...212964,00.html> to disguise the cracker's location
    Fragmented Packets - Scans by sending packet <http://searchNetworking.techtarget.c...212736,00.html> fragments that can get through simple packet filters in a firewall <http://searchSecurity.techtarget.com...212125,00.html>
    UDP - Scans for open User Datagram Protocol <http://searchWebServices.techtarget....214157,00.html> ports
    Sweep - Scans the same port on a number of computers


    This definition came from, <http://searchsecurity.techtarget.com/>

    OK, the first thing you're going to want to do is get the correct tools to do the job correctly. To find the tools, go here <http://www.geocities.com/cafenekilla>, then go to my Hacking 101 section; they are listed under Tools.

    The first logical step obviously is determining whether the target computer is alive. You can do this with network ping sweeps (basically sweeping a block of IPs to see if any computers are on the other end). Normally all this does is send an ICMP ECHO (type 8) ping to a target system in hopes of getting the response ICMP ECHO_REPLY (type 0), thus telling you it's alive.

    Ping sweeps:

    There are a lot of tools that you can use to do this; I will try to cover a few (if you're using Unix/Linux, use fping, which works much faster than ping). The main utility I use for this that works on both Linux and Windows is NMAP, which can be found here, <http://www.insecure.org/nmap>. Using the -sP option in NMAP you can do a ping sweep like this:

    nmap -sP 185.154.33.0/20

    Starting nmap v. 2.53 by fyodor@insecure.org <mailto:fyodor@insecure.org>

    Host (185.154.33.0) Appears to be a subnet broadcast (returned 2 extra pings)
    Host (185.154.33.1 ) Appears to be up
    Host (185.154.33.4 ) Appears to be up
    Host (185.154.33.8 ) Appears to be up
    Host (185.154.33.11) Appears to be up
    Host (185.154.33.12) Appears to be up
    Host (185.154.33.14) Appears to be up
    Host (185.154.33.15) Appears to be up
    Host (185.154.33.17) Appears to be up
    Host (185.154.33:18) Appears to be up
    Host (185.154.33.20) Appears to be up

    NMAP run completed -- 20 IP addresses 11 hosts up scanned in 8 seconds

    That's fairly self-explanatory.....

    If nmap's ported Windows version isn't working great for you, try this freeware pinger from Rhino9 called Pinger v1.0, which can be found here <http://www.nmrc.org/>. It is one of the fastest pingers that I've ever used and I highly recommend it to Windows users. It's fast because it sends out multiple ICMP packets in parallel, then waits for responses. Other good ping sweepers include WS Ping, which can be downloaded here <http://www.ipswitch.com/>, and NetScan Tools from here <http://www.nwpsw.com/>.

    When ICMP traffic is blocked, possibly by a firewall/router, you can try a little port scanning (basically scanning one IP for a range of open ports).

    NMAP will scan an IP for open ports with the use of the -sP command and a port number (TCP ping scan). Port 80 (the www port) works a lot of the time; routers usually let you through. Output from nmap would look something like this:

    nmap -sP -PT80 185.154.33.0/20

    Starting nmap v. 2.53 by fyodor@insecure.org <mailto:fyodor@insecure.org>

    Host (185.154.33.0) Appears to be a subnet broadcast (returned 2 extra pings)
    Host (185.154.33.1 ) Appears to be up
    Host (185.154.33.4 ) Appears to be up
    Host shadow (185.154.33.8 ) Appears to be up
    Host (185.154.33.11) Appears to be up
    Host (185.154.33.12) Appears to be up
    Host (185.154.33.14) Appears to be up
    Host (185.154.33.15) Appears to be up
    Host (185.154.33.17) Appears to be up
    Host (185.154.33:18) Appears to be up
    Host (185.154.33.20) Appears to be up

    This method can be quite effective. You should try this with different ports as well.

    Prevention: to prevent people from performing the aforementioned techniques, the main ways of doing this include network-based IDS programs like Snort from <http://www.snort.org/>. There's a cool Windows-based utility to detect host-based pings called Genius, which is now at version 3.1, located at <http://www.indiesoft.com/> (Genius doesn't detect ICMP ECHO, just TCP pings).

    _________________________________________________________________

    Port Scanning

    Port scanning is just a systematic approach to finding what ports are listening or running services on a target machine; this is done by connecting to TCP and UDP ports and waiting for a reply. One should be able to derive the following info on a computer after running a successful scan: the TCP and UDP services running, the applications and versions associated with different services, and of course the OS the target is running.

    Types of scans

    1. TCP connect scan--This scan just connects and completes the three-way handshake.

    2. TCP SYN scan---only a SYN packet is sent; if a SYN/ACK packet is received, usually the port is listening. If an RST/ACK packet is received, it usually indicates the target is not listening.

    3. TCP FIN scan--sends a FIN packet to the target; the target should send back an RST for all closed ports (usually only works on Unix stacks).

    4. TCP Xmas tree scan--sends a FIN, URG, and PUSH packet to the target port. The system should send back an RST for all closed ports.

    5. TCP null scan--this will turn off all flags; again, the system should send back an RST for all closed ports.

    6. TCP ACK scan--this technique helps you find more info on the firewall rulesets.

    7. TCP window scan--this scan takes advantage of the way FreeBSD, AIX, etc. report TCP window sizes to find the ports.

    8. TCP RPC scan--this scans for Remote Procedure Call (RPC) ports (Unix only).

    9. UDP scan--all this does is send a UDP packet and we either get ICMP port unreachable or not; if we do get it, it shows us that the port is open, otherwise it's closed.

    Although the most powerful scanning tools are Linux-based, the majority of newbies are more likely to use nice GUI-based Windows apps, so I'll try to cover a couple of good programs.

    SuperScan was made by Foundstone and can be downloaded from their website at <http://www.foundstone.com/>. I personally use this one because it's FREE!!! Woohooo.

    NetScan Tools Pro

    This tool offers a barrage of different utilities in one nice, clean-cut GUI; unfortunately it costs money, but you can download a trial version from here <http://www.nwpsw.com/>.

    If you are running Win 2000, get ipEye; it's great.

    The same person that made ipEye also made WUPS, another powerful UDP port scanner, which can be downloaded here, <http://ntsecurity.nu/>.

    The only thing I can say is if you want a TCP, UDP, and stealth port scanner all in one, the only scanner that comes to mind is Nmap, which is a little slow in the ported Windows version.
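    The tutorial above closes by pointing at network IDS (Snort) as the way to catch these sweeps and scans. As an added example, not part of the original post or of any tool it names, here is a small detector over constructed packet records: it maps the TCP flag combinations from the scan list (SYN, FIN, Xmas, NULL, ACK) to a scan type, raises an alert when one source probes many ports on one host (port scan) or one port on many hosts (sweep, like the -PT80 TCP ping above), and alerts on the first FIN/Xmas/NULL probe because no normal connection starts with those flags. The addresses, thresholds and record layout are hypothetical.

```python
from collections import defaultdict

# Constructed sample packet records (src, dst, dport, flags); hypothetical, not real traffic.
# Flag letters as in tcpdump/nmap output: S=SYN A=ACK F=FIN U=URG P=PSH R=RST; "" = no flags.
SAMPLE = (
    [("198.51.100.7", "192.0.2.10", p, "S") for p in (21, 22, 23, 25, 80, 110)]  # SYN port scan
    + [("198.51.100.7", "192.0.2.11", 22, "FUP")]                                  # Xmas probe
    + [("198.51.100.8", "192.0.2.%d" % i, 80, "S") for i in range(1, 7)]          # TCP ping sweep
    + [("192.0.2.50", "192.0.2.10", 443, "S"), ("192.0.2.50", "192.0.2.10", 443, "A")]  # normal
)

# Flag set of the probe packet for each scan type in the post's list.
SCAN_FLAGS = {
    frozenset("S"): "syn", frozenset("F"): "fin", frozenset("FUP"): "xmas",
    frozenset(): "null", frozenset("A"): "ack",
}
# No legitimate connection starts with these, so a single packet is worth an alert.
STEALTH = {"fin", "xmas", "null"}

def classify_flags(flags):
    """Map a packet's TCP flag string to the scan type it matches, or 'other'."""
    return SCAN_FLAGS.get(frozenset(flags), "other")

def detect_scans(records, port_threshold=5, host_threshold=5):
    """Return sorted alerts (src, alert_type, target, count) for the given records."""
    ports = defaultdict(set)     # (src, dst)   -> distinct destination ports probed
    hosts = defaultdict(set)     # (src, dport) -> distinct hosts probed on that port
    stealth = defaultdict(list)  # (src, dst)   -> stealth scan types seen
    for src, dst, dport, flags in records:
        kind = classify_flags(flags)
        ports[(src, dst)].add(dport)
        hosts[(src, dport)].add(dst)
        if kind in STEALTH:
            stealth[(src, dst)].append(kind)
    alerts = []
    # One source hitting many ports on one host: a port scan (vanilla/strobe/SYN style).
    for (src, dst), ps in ports.items():
        if len(ps) >= port_threshold:
            alerts.append((src, "portscan", dst, len(ps)))
    # One source hitting the same port on many hosts: a sweep (ping sweep or -PT80 style).
    for (src, dport), hs in hosts.items():
        if len(hs) >= host_threshold:
            alerts.append((src, "sweep", str(dport), len(hs)))
    # FIN/Xmas/NULL probes: alert on the first packet, listing the types seen.
    for (src, dst), kinds in stealth.items():
        alerts.append((src, "stealth-" + ",".join(sorted(set(kinds))), dst, len(kinds)))
    return sorted(alerts)
```

    Thresholds of 5 are deliberately low for the sample; on a real sensor they would be tuned per network and combined with a time window so a slow scan is not missed.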

  2. #2
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Hmmmm...if this is an original work, as it is supposed to be, then why am I finding this and this and this?

    Dude....this is the very last place to pull a fast one...not smart.
    Of course, if you can prove me wrong and show yourself to be the original author, I'll be happy to retract this post.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  3. #3
    Junior Member
    Join Date
    Aug 2002
    Posts
    6
    OK, you've got to be kidding me. First of all, I stated that the definition was copied in the tutorial, right underneath the definition:


    This definition came from, <http://searchsecurity.techtarget.com/>

    Secondly, the types of scans are just that. They are factual information that I have written up from reading numerous tutorials and books on the subject, and did not come from any of those sites. I was simply stating the different types of scans, which any tutorial about scanners is going to have about the same info on; my wording came directly from my head. None of those lists are the same as the one I gave; they all have similar points to them because they all describe scanning (like I had to state that). I think that your time would be better spent giving me some constructive criticism, rather than this fodder that you're feeding me about my list being similar. Of course it's similar.

    I understand that a lot of people are in the habit of copying other people's work and pasting their handle at the top, but the least you can do is investigate it, and if it turns out to be plagiarized then you can complain. Until then, keep it to yourself.

    This was not meant as a flame, but next time don't be so quick to judge.

    The original tutorial, along with others I have written, is on my webpage; this tutorial is available with pictures on my page.

    -caffeine ()verlord
