
Thread: Port scanning question...

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Port scanning question...

    ...I admin a public network, a wireless network in a coffeehouse, and every few months it gets really slow due to some hangers-on infected with spyware or trojans, or maybe they're doing a download thing. I've been able to quickly resolve the issue by running a series of port scans, picking up the offending MAC addresses, then giving them the boot via the router program. What I've noted after doing this a few times though is that I'm missing some of the computers I know are on the network and assume this to be due to the presence of a firewall on those machines. They're just downright invisible to Angry IP and GFI Languard. Is there a way to port scan the network and pick up these 'invisible' computers? I've experimented with running Ethereal, but it doesn't work with my wireless card in any kind of promiscuous mode. Would nmap or netcat pick up these firewalled boxes? I guess I could go into the router and clear the DHCP table, then refresh it and see who's on, but I prefer the network tools. Thanks.

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    It's a weekend so be patient, and delete the double post for the same question. You should be able to get Ethereal to work. Regardless of whether these guys have a firewall or not, they leave signatures based on their activity. For instance, research the P2P ports and scan for them. If they are downloading, those ports will be open. Or search for payload signatures with a packet sniffer. This method could get brutally tedious though as people come and go. You might look at port blocking on the firewall of your network. Nmap or any port scanner will pick them up, but you have to do a little research into what you desire. For instance, if I google "Kazaa port" or search AO for port blocking, you would find something.

    It's just going to depend on what you accept as OK on the network. In your other thread you asked for the command syntax for nmap. There are hundreds of ways to scan, with many options to fine-tune the desired outcome. But try this (I don't have nmap on this box, so it's from memory; I hope it works):

    nmap -sT -p 110-500 198.1.*.1-200

    here is the breakdown:
    -sT runs scan type "tcpconnect" which attempts fast connection on ports
    -p 110-500 will scan ports 100 through 500 - just random numbers in this case
    198.1.*.1-200 will scan hosts 1 through 200 in the entire 198.1.* network - another random bit of numbers.

    If you spend some time looking around the tutorials you will find a few on Nmap, and the man page here. Or download the Windows version and check boxes off and push buttons.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by RoadClosed

    nmap -sT -p 110-500 198.1.*.1-200

    here is the breakdown:
    -sT runs scan type "tcpconnect" which attempts fast connection on ports
    -p 110-500 will scan ports 100 through 500 - just random numbers in this case
    198.1.*.1-200 will scan hosts 1 through 200 in the entire 198.1.* network - another random bit of numbers.
    That will work if the boxes respond to ICMP. If they don't respond to ICMP because of a personal firewall (even windows xp's firewall) then nmap will not find them.

    You will want to use the -P0 switch too. That means don't ping.

    nmap -sT -P0 -p 110-500 198.1.*.1-200

    Same as above, but don't do host discovery.
    This could cause your scan to take a lot longer because you are scanning who knows what.
    You are scanning boxes that are not even there.

    Maybe you want to do a regular scan and then use nmap with the -P0 to scan ips that didn't respond the first time around.

    I know that GFI languard requires host discovery... either SNMP or ICMP.
    Thats why they won't show up in GFI.
    When I was using the eval edition, I found no way to disable host discovery...

    I've never used angry ip scanner.

    BTW: You say that you have access to the router? How do you KNOW the other IPs are there? Physically looking around? Looking at the router arp table? Looking at the router DHCP table? Sniffing?

    Can't you just use a firewall yourself and block all but some apps? What do you want people to be able to do?
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
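A worked version of the two-pass idea in post #3 (regular scan first, then -P0 only against the addresses that never answered), as an added example that is not part of the thread and not anyone's posted code. It is a POSIX shell script that reads nmap's greppable output (-oG) from the first pass, works out which addresses in the range were never reported up, and prints the second-pass command. Assumptions: the first pass was saved with -oG; the range is one prefix plus a last-octet span; and the "don't ping" switch is written -Pn, which is the spelling in current nmap releases (the thread's -P0 is the older name for the same option). The file names, function names and the sample first-pass output are mine; the sample is constructed, not real scan data.

```shell
#!/bin/sh
# Added example, not from the thread: pick the targets for the second pass
# of the "regular scan first, then -P0/-Pn on whatever never answered"
# approach. Assumes the first pass was run as
#   nmap -sT -p 110-500 -oG pass1.gnmap 192.168.1.1-200
# so that pass1.gnmap is nmap's greppable output. Range prefix, octet span
# and file names are hypothetical.

# Expand PREFIX START END (last octet only) into one address per line.
expand_range() {
    prefix=$1; start=$2; end=$3
    i=$start
    while [ "$i" -le "$end" ]; do
        echo "${prefix}${i}"
        i=$((i + 1))
    done
}

# Addresses the first pass reported as up. Greppable lines look like
#   Host: 192.168.1.3 ()   Status: Up
up_hosts() {
    grep 'Status: Up' "$1" | awk '{print $2}'
}

# Addresses in the range with no "Status: Up" line: these are the ones a
# ping-based first pass skipped, so they are the -Pn candidates.
missing_hosts() {
    gnmap=$1; prefix=$2; start=$3; end=$4
    r=/tmp/range.$$; u=/tmp/up.$$
    expand_range "$prefix" "$start" "$end" | sort > "$r"
    up_hosts "$gnmap" | sort > "$u"
    comm -23 "$r" "$u"
    rm -f "$r" "$u"
}

# The command for the second pass: same ports, no host discovery, only the
# addresses that did not answer. Printed rather than executed so it can be
# reviewed before it runs (it will be slow: every target is treated as up).
second_pass_command() {
    gnmap=$1; prefix=$2; start=$3; end=$4; ports=$5
    targets=$(missing_hosts "$gnmap" "$prefix" "$start" "$end" | tr '\n' ' ')
    echo "nmap -sT -Pn -p $ports $targets" | sed 's/ *$//'
}

# Constructed sample first-pass output (not real scan data): two of six
# addresses answered the ping sweep and got port lines, four did not.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap scan initiated as: nmap -sT -p 110-500 -oG pass1.gnmap 192.168.1.1-6
Host: 192.168.1.1 ()   Status: Up
Host: 192.168.1.1 ()   Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.1.3 ()   Status: Up
Host: 192.168.1.3 ()   Ports: 135/open/tcp//msrpc///
# Nmap done -- 6 IP addresses (2 hosts up) scanned
EOF
}

# Stand-alone run against the constructed sample.
sample=/tmp/pass1.$$.gnmap
write_sample_gnmap "$sample"
second_pass_command "$sample" 192.168.1. 1 6 110-500
rm -f "$sample"
```

Run stand-alone it prints `nmap -sT -Pn -p 110-500 192.168.1.2 192.168.1.4 192.168.1.5 192.168.1.6`, i.e. only the four addresses the ping-based pass never saw. That is the whole point of the two-pass split in post #3: the slow no-ping scan is spent only on the gaps, not on the 200-address range. Note that a box whose personal firewall drops everything will still show "no ports visible" in the second pass, as the office machine in post #4 does; the second pass tells you the scan reached the address, not that it found anything.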

  4. #4
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Roadclosed: I use nmap on a W2K laptop, besides GFI and Angry IP. Not sure what you mean by "...download the windows version and check boxes off and push buttons" as it's command prompt only on the Windows port (no GUI for Windows!). A thousand pardons for the double post; I'll bag it when I figure out how to, probably tomorrow.

    phishphreek80: There's an office computer that's never shown on my IP scans using GFI or Angry IP. When I nmap it, all it says is no ports are visible. I've scanned it while it was online. Apparently it's using a McAfee firewall that renders it stealthed. Fwiw, Angry IP shows more computers than GFI. And when I experimented with nmapping a range of IPs on the internet one night at my girlfriend's house, we awoke to a disconnection notice from her ISP and that we should check for virii. He-heh, that was a hoot, she freaked, but I had her back online five minutes after talking to tech support (yes, I socially engineered that solution!). How would I look at the ARP table? I've seen nothing on the router regarding that. The only place I've seen ARP is in Ethereal the few times I've used it, and some stuff on the Knoppix-STD CD.

    I'm not real up on all the intricacies of TCP/IP and EXACTLY why port scanners behave the way they do and produce varying results, but it seems to me that nmap is the best of the lot. I've used nmap quite a bit on my own webserver and firewall for testing, but usually with the -sV -O -P0 switches. He-heh, remind me to tell you the story of nmapping an army intel machine one night. Eeeek!

    It's been interesting to hack around on the coffeehouse network; I've portscanned a number of computers just to see how they look from the outside in. Believe it or not, software firewalls do a good job in rendering computers invisible (stealth mode), even the built-in XP firewall. And I guess that's what concerns me.

    I'm asking myself how I'll deal with stealthed computers clogging the bandwidth if I don't even know they're there. No doubt they leave traces of activity and I thought ethereal might be a way to deal with it, but like I said Ethereal doesn't play well with wireless cards in promiscuous mode, and I haven't been able to use it for sniffing. The wireless router's in such a place as to render it difficult to connect by cat-5.

    All we're really trying to do at the coffeehouse is provide an easy-to-use wireless experience for customers. It's in a university neighborhood, the density of which lends itself to interlopers on the 'cloud'. WEP is a hassle for lots of folks and no one at the shop would be able to support it, so that's tough to do. And I'm doing this as a favor as much as anything for my buddy, so I need to be quick and dirty. We've got a low-end Linksys wireless-G router, and the DHCP table there gives me NO realtime info, even if I clear it. I'll try nmap again when I'm there and see what happens. The office computer gives me a baseline.

    p.s. -- what's with XTC46?

  5. #5
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    p.s. -- what's with XTC46?

    Originally posted here by XTC46
    could be just me, but this looks like a poor attempt at social engineering, and what he is really trying to say is "I'm a newb and don't know how to use any tool without a button that says "scan" on it, can someone teach me how to port scan with nmap?"
    XTC46 is merely displaying the standard amount of AO paranoia
    Your post COULD be read as per XTC's post.

    As I've posted elsewhere, we [AO] know nothing about each other, bar what we post / profile.
    So, until you have been here a while, AND posted sufficient times to allow an educated guess as to your capability level and commitment to helping others ???

    Then you WILL be thought of as social engineering .......
    It just goes with the territory, it WILL pass, but it takes time, and effort from YOU.

    [edit]
    as for deleting ........
    just go back to your OTHER post.
    click the edit button at the top of the post.
    Now check the DELETE this post option at the top.

    DO IT NOW, as when you delete the first post, the thread is deleted as well.
    and it's not considered to be good manners to delete someone else's posts.
    So, soonest done, the less the damage

    also double posting will generally attract negs, which while not fatal [in a physical sense] WILL have an impact on the way you are perceived.
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    foxyloxley...

    ...done, thank you...

  7. #7
    Hmm, one more question:
    is port scanning legal??
    I did some googling and found out that it was legal, but that was for the US only. How about other countries?
    http://www.securityfocus.com/news/126

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    The legality varies from nation to nation so you need to check your particular nation's laws. Even in the US it hasn't been finalized as legal and seems to vary from state-to-state (SuperDMCA in some states, IIRC, would suggest it's illegal).

    That said, however, most ISPs frown on the usage of port scanning and it may violate the AUP (Acceptable Usage Policy) due to potential interference with other users using the same bandwidth.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    The legality of port scanning...

    ...it's probably legal if it's part of your job.

    http://seclists.org/lists/nmap-hacke...-Jun/0011.html

    Then again, our legal system's so convoluted, you never really know.

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    ...it's probably legal if it's part of your job.
    Only if it's in writing. When it comes to any pen testing it's important to get it in writing for CYA purposes. Otherwise you may get to know "Bubba" faster than you'd like.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
