TCP Port scanner under development

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    TCP Port scanner under development

    Dear All,

    I'm writing a TCP port scanner - it is nearly finished. I wondered if anyone would be interested in reviewing my code and/or testing it?

    Ok, I realise that the first reply to this would have said "Why not just use nmap"

    So I will reply now to save you the trouble of asking.

    ---

    "Why not just use nmap"

    Slowscan by Slarty is a port scanner which, under some circumstances, outperforms nmap by several orders of magnitude. It has none of the advanced features of nmap (it doesn't ping, UDP scan, idle scan, OS version detect or protocol version detect).

    However it can scan a lot of ports in a short amount of time with a reasonably high level of accuracy.

    Slowscan behaves similarly to nmap with -sS -P0.

    If you've ever used nmap -sS -P0 you will know that it spends an enormous amount of time trying to scan hosts which are down before eventually timing out. This is because nmap does not port scan hosts in parallel (it does ping them in parallel which is why the -P0 is important).

    Slowscan does all its scanning using a high level of parallelisation. Its timing settings consist of a minimum time between sent packets, syn timeout, and number of retries. It scans each host serially, but over a large number of hosts it scans entirely in parallel.

    Because it behaves like -sS it is fairly unobtrusive in normal operation. Each port will have a maximum of n SYN packets sent to it (per host) and nothing more. Servers which are up and sending resets will be skipped very quickly. Servers which are down will take a little longer but not delay things too much, as there are no extra unnecessary packets sent (à la nmap).

    A future version will also create a temporary local firewall rule to prevent resets being sent out, thus reducing the bandwidth usage further.

    NB: this is Linux only at the moment, and fairly likely to stay that way (unless someone feels like porting it).

    Cheers
    Slarty
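    The post above describes the scanner's footprint from the sender's side: at most n bare SYNs per port per host, retries only where nothing answered, and no other packets. From the defender's side that footprint is exactly what a firewall log shows. The following is an added example (not Slowscan's code, and not from anyone in this thread) that reads iptables-style LOG lines, keeps only packets whose TCP flags are SYN alone, and counts how many distinct host:port targets each source touched, collapsing retries so a scanner is measured by breadth rather than by packet count. The log lines, the source and destination addresses, the field layout and the threshold of four targets are all constructed assumptions.

```python
"""Spot SYN-scan-like behaviour in iptables-style log lines.

Added example for the thread above; not Slowscan's code. The log lines,
addresses, field layout and the threshold are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in the style of the iptables LOG target (not a real capture).
# 198.51.100.7 acts like a SYN scanner: bare SYNs, retries to ports that never
# answered (192.0.2.11 is "down"), nothing else.
# 203.0.113.5 is an ordinary client completing one handshake on port 443.
SAMPLE_LOG = """\
Jan  5 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40004 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40004 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 ACK URGP=0
Jan  5 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0
"""

# Only the TCP fields are needed; everything after DPT is scanned for flag words.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+) (.*)$")
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return the TCP fields of one log line, or None if it is not a TCP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, spt, dpt, rest = m.groups()
    flags = {tok for tok in rest.split() if tok in FLAG_NAMES}
    return {"src": src, "dst": dst, "spt": int(spt), "dpt": int(dpt), "flags": flags}


def analyze(log_text):
    """Per source: number of distinct host:port targets hit with a bare SYN,
    and the largest number of SYNs sent to any single target (the retry count)."""
    syn_counts = defaultdict(lambda: defaultdict(int))  # src -> (dst, dpt) -> SYNs
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != {"SYN"}:  # keep SYN-only packets
            continue
        syn_counts[pkt["src"]][(pkt["dst"], pkt["dpt"])] += 1
    return {
        src: {"targets": len(targets), "max_syns": max(targets.values())}
        for src, targets in syn_counts.items()
    }


def flag_scanners(log_text, threshold=4):
    """Sources that probed at least `threshold` distinct targets with bare SYNs."""
    return sorted(src for src, s in analyze(log_text).items()
                  if s["targets"] >= threshold)


if __name__ == "__main__":
    for src, stats in analyze(SAMPLE_LOG).items():
        print(src, stats)
    print("suspected scanners:", flag_scanners(SAMPLE_LOG))
```

    Counting distinct targets rather than packets is the point: a scanner that retries n times per port still only registers one target per port, while a busy but legitimate client never accumulates targets. Sources whose SYNs are answered but never followed by an ACK from them (the "half-open" pattern of -sS) would be the next refinement, which needs the reply direction logged as well.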

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Sounds very sweet slarty. I'd definitely be interested in testing it out. I'd also enjoy looking over the source code. We have a linux box set-up to scan the residences, and using nmap is a real pain because it does subnet scans and it slows down when it finds hosts that aren't up/aren't responding. If this proves to be faster, it'll definitely be nice to incorporate into the scanning. I'm not much of a programmer but the code should be interesting, and I know the programmers I work with will enjoy it a great deal.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Ok, here is the first general release version. It's still not finished but slightly more complete.

    Don't do bad stuff with it.

    Linux only - requires root access. README file enclosed.

    Slarty

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Very nice. I like that I don't have to edit cpp files to change the ports. I'll definitely be incorporating this into my scanner, it'll be a lot easier than using nmap since I just want specific open ports and you return the word open and the ip and the port all on the same line, every time.

    One little thing I've noticed. When you scan by CIDR mask, you tend to get a couple warnings because it tries to send to .0 and .255. Any chance of fixing up those warnings, make it so it only scans from 1 - 254 when you specify a mask of 24 and crap like that? Not like it's a big deal, just thought I'd mention it.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
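    The .0 and .255 warnings above come from expanding a /24 into all 256 addresses, including the network and broadcast addresses that no single host answers from. The following is an added example (not Slowscan's code, and not from anyone in this thread) of target expansion that skips those two addresses for ordinary prefixes, while keeping every address for /31 and /32 blocks, where there is no separate network or broadcast address (RFC 3021 point-to-point links and single hosts). The function names, the comma-separated target syntax and the size guard are assumptions; the addresses in the usage are constructed.

```python
"""Expand CIDR targets into host addresses, skipping network and broadcast.

Added example for the thread above; not Slowscan's code. Function names,
the comma-separated target syntax and the size guard are assumptions.
"""
import ipaddress


def scan_targets(cidr, max_hosts=65536):
    """Return the addresses a scanner should try for `cidr`, as strings.

    For prefixes shorter than /31 the network address (.0 for a /24) and the
    broadcast address (.255) are dropped, so a /24 yields .1 through .254.
    For /31 and /32 (and the IPv6 /127 and /128 equivalents) every address in
    the block is a host. Host bits are tolerated: 192.0.2.5/24 means the /24.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses > max_hosts:
        raise ValueError(f"{cidr} expands to {net.num_addresses} addresses; "
                         f"refusing more than {max_hosts}")
    addresses = [str(a) for a in net]  # iteration yields every address in order
    if net.prefixlen >= net.max_prefixlen - 1:
        return addresses
    return addresses[1:-1]  # strip network (first) and broadcast (last)


def expand_targets(spec):
    """Expand a comma-separated list of CIDRs and single addresses, in order,
    without duplicates: '192.0.2.0/30, 192.0.2.200' -> .1, .2, .200."""
    seen = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        for addr in scan_targets(item):
            seen.setdefault(addr, None)  # dict keeps first-seen order
    return list(seen)


if __name__ == "__main__":
    hosts = scan_targets("192.0.2.0/24")
    print(len(hosts), hosts[0], hosts[-1])       # 254 192.0.2.1 192.0.2.254
    print(scan_targets("192.0.2.0/31"))          # both addresses of the /31
    print(expand_targets("192.0.2.0/30, 192.0.2.200"))
```

    The /31 case is the one worth the extra branch: a scanner that blindly drops the first and last address of every block would silently skip both ends of a point-to-point link.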

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Slarty,

    Very cool project! I'm not that strong a coder... but I'll take a look at the code anyhow.

    Well, I just scanned an XP SP1 box (new install with just a couple minor changes) with all critical updates and the scan was accurate. I have Norton Internet Security 2003 installed (updated before scan) with the host I'm scanning from allowed all access.

    Target: Windows XP SP1 BOX with all available critical updates.
    Scanning from RedHat 9.0 (Linux version 2.4.20-30.9 (bhcompile@porky.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Wed Feb 4 20:44:26 EST 2004)

    I'll attach some detailed port info along with the results of your scanner and the results of an nmap scan that you described.

    Speed was OK, but nmap was faster. I only scanned one host though.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Originally posted here by phishphreek80:

        Speed was OK, but nmap was faster. I only scanned one host though.

    It won't beat nmap on a single host.

    Nor on a network with mostly "up" hosts if pinging is enabled.

    It beats nmap on larger networks or where there are "down" or un-pingable hosts.

    Slarty

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    slarty: I realized that. That's why I said that I only scanned one host. I wasn't really complaining though, just making an observation because you had mentioned speed.

    I posted an example based on one host. Do you want me to do something similar to what I attached using more hosts? I won't be able to give you the detailed port info per host though.

    Also, it'd be cool if you included in the output how long the scan took.

    Again, very cool project!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Here's another new version.

    Minor bugfixes, it's smarter.

    Also it uses iptables to block outgoing resets.

    See attached.

    Slarty

  9. #9
    Member
    Join Date
    Mar 2004
    Posts
    41
    I think this is great man.
    Only thing is, I'm implying you copied off of Fyodor.
    But nmap comes with so many features that a lot of scanners don't have, so most users will resort to it because of its flexibility.
    But this program by you is incredible and I think that you are a mastermind for writing it.
    I've been coding a port scanner as well.
    A windows based port scanner for about 2 years now.
    language = c++ and I still have many many errors, so I just left it alone.
    Good job though.
    "If knowledge is power. Why doesn't everybody read?"

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I'm not copying off Fyodor - honest!

    My scanner does things fast which his does slowly. On the other hand, his scanner does a great deal that mine does not.

    They are complementary.

    Slarty
