February 6th, 2006, 05:33 PM
Port scan on internal network
Hi all, just setting up a lab at home to test out some IDS's and the like.
I've installed a Windows 2003 server and am running a port scan against it from another PC. It doesn't show port 3389 as 'listening' yet I know it is because 1 - I can connect to it using Terminal Services client and 2 - a 'netstat -an' on the server itself shows the port as listening.
And.... There is no firewall on the server. There was but I disabled it.
Any ideas why it wouldn't show on a scan? I'm just curious....
February 6th, 2006, 05:38 PM
What portscanner are you using, and with what options?
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
February 6th, 2006, 05:42 PM
Are you scanning the UDP or TCP port? - they have the same number but are different ports.
February 6th, 2006, 06:03 PM
I was using Superscan 4.0, didn't set any options, just entered the IP and started the scan, then viewed the results in HTML after. It just showed the NETBIOS port 137 as being open.
February 6th, 2006, 06:13 PM
Actually guys (and gals) using another scanner it showed up. Maybe that Superscan isn't so great or I possibly didn't set something correctly (the more likely option).
February 6th, 2006, 06:39 PM
Hello - I have had multiple issues with SuperScan in the past but I still use it as I prefer its functionality and output.
2 questions though:
1. Did you select the TCP scan? If so, is it on SYN or Connect? (I find that only Connect works on my XP machines.)
2. Is port 3389 in your list of ports being scanned? SuperScan only scans for what you tell it to scan.
If all else fails, just Nmap.
Hope that helps,
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
February 6th, 2006, 06:44 PM
Not sure if superscan 4 is the new release or the one before it, but the old one only scans TCP ports.
February 6th, 2006, 06:50 PM
I see! I just set Superscan to TCP 'connect' and re-ran the scan and it picked up Port 3389.
Thanks for the advice, I didn't realise some of these scanners had to be told what to do so much.
February 6th, 2006, 06:58 PM
Have you tried any other ones? I've never liked Superscan. (I'm not saying it's no good, just that I don't like it.)
Nmap is good but you may have to have a good read through the manual pages before you use it, or I personally prefer LANguard; whilst it is not strictly a port scanner (it's more of a vulnerability scanner), it is very easy to use and is extremely reliable.
February 6th, 2006, 09:14 PM
We use Superscan fairly often to test responsiveness of IDS sensors. It's quick and relatively easy yet has enough options to trip several alerts. I believe the version we are using is 4.0. If you check out the different tabs across the top, you get some interesting options. When testing IDS responsiveness, try the tab at the top that says Windows Enumeration. Some of those options will trip an IDS. Try creating your own custom port range to sweep... such as known trojan ports.
It's quick, it's simple and has a very small learning curve to implement.
Obviously if you want a larger range of alerts to be tripped, you can pull out some of the heavier guns as Nokia mentioned... Nmap, LANguard, Nessus, etc... some of the live CDs have a lot of great tools like Whoppix (whax) and another I read about today here on AO... Pentoo
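The mismatch worked through in this thread (`netstat -an` on the server shows a port listening, the scan report does not) can be checked mechanically in a lab. The Python below is an added example, not code from any poster: it parses `netstat -an` output and says, for each listening socket the scan missed, whether the port was never in the scanner's list or was probed and still not reported. The netstat sample, the port sets and all function names are constructed assumptions.

```python
# Constructed sample of Windows `netstat -an` output from the lab server.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:1045      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

NOT_LISTED = "not in the scanner's port list"
NOT_REPORTED = "probed but not reported: check scan method (SYN vs connect)"

def listening_sockets(netstat_text):
    """Return {(proto, port)} for TCP LISTENING rows and bound UDP rows."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # established sessions are not listeners
        # rsplit keeps working for IPv6 locals such as [::]:3389
        found.add((proto, int(local.rsplit(":", 1)[1])))
    return found

def explain_gaps(netstat_text, scanned, reported_open):
    """Map each listening socket the scan did not report to a likely reason."""
    gaps = {}
    for sock in sorted(listening_sockets(netstat_text)):
        if sock in reported_open:
            continue
        gaps[sock] = NOT_REPORTED if sock in scanned else NOT_LISTED
    return gaps

if __name__ == "__main__":
    # Constructed scan: TCP 3389 was never in the port list, and only
    # UDP 137 came back open, as in the first scan described above.
    scanned = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137)}
    reported = {("UDP", 137)}
    for (proto, port), why in explain_gaps(NETSTAT_SAMPLE, scanned, reported).items():
        print(f"{proto}/{port}: {why}")
```

TCP and UDP are tracked as separate keys because, as noted earlier in the thread, the same port number on each protocol is a different port.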