Port scanning question...
Page 1 of 4 123 ... LastLast
Results 1 to 10 of 38

Thread: Port scanning question...

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Port scanning question...

    ...I admin a public network, a wireless network in a coffeehouse, and every few months it gets really slow due to some hanger-ons infected with spyware or trojans, or maybe they're doing a download thing. I've been able to quickly resolve the issue by running a series of port scans, picking up the offending MAC addresses, then giving them the boot via the router program. What I've noted after doing this a few times though is that I'm missing some of the computers I know are on the network and assume this to be due to the presence of a firewall on those machines. They're just downright inivisible to Angry IP and GFI Languard. Is there a way to port scan the network and pick up these 'invisible' computers? I've experimented with running Ethereal, but it doesn't work with my wireless card in any kind of promiscous mode. Would nmap or netcat pick up these firewalled boxes? I guess I could go into the router and clear the DHCP table, then refresh it and see who's on, but I prefer the network tools. Thanks.

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    It's a weekend so be patient and delete the double post for the same question. You should be able to get ethereal to work. Regardless of wether these guys have a firewall or not, they leave signatures based on their activity. For instance research the P2P ports and scan for them. If they are downloading; those ports will be open. Or search for payload signatures with a packet sniffer. This method could get brutally tedius though as people come and go. You might look at port blocking on the firewall of your network. Nmap or any port scanner will pick them up but you have to do a little research into what you desire. For instance if I google "Kazaa port" or search AO port blocking you would find something.

    It just going to depend on what you accept as ok on the network. In your other thread you asked for the command syntax for nmap. There are hundred of ways to scan with many option to fine tune the desire outcome. But try this (I don't have nmap on this box so it's from memory so I hope it works):

    nmap -sT -p 110-500 198.1.*.1-200

    here is the breakdown:
    -sT runs scan type "tcpconnect" which attempts fast connection on ports
    -p 110-500 will scan ports 100 through 500 - just random numbers in this case
    198.1.*.1-200 will scan hosts 1 through 200 in the entire 198.1.* network - another random bit of numbers.

    If you spend some time looking around the tutorials you will find a few on Nmap and the man page here . Or download the windows version and check boxes off and push buttons.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by RoadClosed

    nmap -sT -p 110-500 198.1.*.1-200

    here is the breakdown:
    -sT runs scan type "tcpconnect" which attempts fast connection on ports
    -p 110-500 will scan ports 100 through 500 - just random numbers in this case
    198.1.*.1-200 will scan hosts 1 through 200 in the entire 198.1.* network - another random bit of numbers.
    That will work if the boxes respond to ICMP. If they don't respond to ICMP because of a personal firewall (even windows xp's firewall) then nmap will not find them.

    You will want to use the -P0 switch too. That means don't ping.

    nmap -sT -P0 -p 110-500 198.1.*.1-200

    Same as above, but don't do host discovery.
    This could cause your scan to take a lot longer because you are scaning who knows what.
    You are scanning boxes that are not even there.

    Maybe you want to do a regular scan and then use nmap with the -P0 to scan ips that didn't respond the first time around.

    I know that GFI languard requires host discovery... either SNMP or ICMP.
    Thats why they won't show up in GFI.
    When I was using the eval edition, I found no way to disable host discovery...

    I've never used angry ip scanner.

    BTW: You say that you have access to the router? How do you KNOW the other IPs are there? Physically looking around? Looking at the router arp table? Looking at the router DHCP table? Sniffing?

    Can't you just use a firewall yourself and block all but some apps? What do you want people to be able to do?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Roadclosed: I use nmap on a W2K laptop, besides GFI and Angry IP. Not sure what you mean by "...download the windows version and check boxes off and push buttons" as it's command prompt only on the Windows port (no GUI for Windows!). A thousand pardons for the double post; I'll bag it when I figure out how to, probably tomorrow.

    phishphreek80: There's an office computer that's never showed on my ip scans using GFI or Angry IP. When I nmap it, all it says is no ports are visible. I've scanned it while it was online. Apparently it's using a McAfee firewall that renders it stealthed. Fwiw, Angry IP shows more computers than GFI. And when I experimented with nmapping a range of IP's on the internet one night at my girlfriend's house, we awoke to a disconnection notice from her ISP and that we should check for virii. He-heh, that was a hoot, she freaked, but I had her back online five minutes after taking to techsupport (yes, I socially-engineered that solution!) How would I look at the arp table? I've seen nothing on the router regarding that. The only place I've seen arp is in ethereal the few times I've used it, and some stuff on the Knoppix-STD cd.

    I'm not real up on all the intricacies of TCP/IP and EXACTLY why port scanners behave they way they do and produce varying results, but it seems to me that nmap is the best of the lot. I've used nmap quite a bit on my own webserver and firewall for testing, but usually with the -sV -O -P0 switches. He-heh, remind me to tell you the story of nmapping an army intel machine one night. Eeeek!

    It's been interesting to hack around on the coffeehouse network; I've portscanned a number of computers just to see how they look from the outside in. Believe it or not, software firewalls do a good job in rendering computers invisible (stealth mode), even the built-in XP firewall. And I guess that's what concerns me.

    I'm asking myself how I'll deal with stealthed computers clogging the bandwidth if I don't even know they're there. No doubt they leave traces of activity and I thought ethereal might be a way to deal with it, but like I said Ethereal doesn't play well with wireless cards in promiscuous mode, and I haven't been able to use it for sniffing. The wireless router's in such a place as to render it difficult to connect by cat-5.

    All we're really trying to do at the coffeehouse is provide an easy-to-use wireless experience for customers. It's in a university neighborhood, the density of which lends itself to interlopers on the 'cloud'. WEP is a hassle for lots of folks and no one at the shop would be able to support it, so that's tough to do. And I'm doing this as a favor as much as anything for my buddy, so I need to be quick and dirty. We've got a low-end Linksys wireless-G router, and the DHCP table there gives me NO realtime info, even if I clear it. I'll try nmap again when I'm there and see what happens. The office computer gives me a baseline.

    p.s. -- what's with XTC46?

  5. #5
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    p.s. -- what's with XTC46?

    Originally posted here by XTC46
    could be just me, but this looks like a poor attempt at social-engineering. and what he is really trying to say is "Im a newb and dont know how to use any tool with out a button that says "scan" on it, can somone teach me how to port scan with nmap?"
    XTC46 is merely displaying the standard amount of AO paranoia
    Your post COULD be read as per XTC's post.

    As I've posted elsewhere, we [AO] know nothing about each other, bar what we post / profile.
    So, until you have been here a while, AND posted sufficient times to allow an educated guess as to your capability level and commitment to helping others ???

    Then you WILL be thought of as social engineering .......
    It just goes with the territory, it WILL pass, but it takes time, and effort from YOU.

    [edit]
    as for deleting ........
    just go back to your OTHER post.
    click the edit button at the top of the post.
    Now check the DELETE this post option at the top.

    DO IT NOW, as when you delete the first post, the thread is deleted as well.
    and it's not considered to be good manners to delete someone else's posts.
    So, soonest done, the less the damage

    also double posting will generally attract negs, which while not fatal [in a physical sense] WILL have an impact on the way you are perceived.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    foxyloxley...

    ...done, thank you...

  7. #7
    hmm one more question
    is port scanning legal ??
    i did some googling and found out that it was legal ,but it was implemented for US only how about other countries?
    http://www.securityfocus.com/news/126

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    The legality varies from nation to nation so you need to check your particular nation's laws. Even in the US it hasn't been finalized as legal and seems to vary from state-to-state (SuperDMCA in some states, IIRC, would suggest it's illegal).

    That said, however, most ISPs frown on the usage of port scanning and it may violate the AUP (Acceptable Usage Policy) due to potential interference with other users using the same bandwidth.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    The legality of port scanning...

    ...it's probably legal if it's part of your job.

    http://seclists.org/lists/nmap-hacke...-Jun/0011.html

    Then again, our legal system's so convoluted, you never really know.

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    ..it's probably legal if it's part of your job.
    Only if it's writing. When it comes to any pen testing it's important to get it in writing for CYA purposes. Otherwise you may get to know "Bubba" faster than you'd like.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •