
Thread: Port scan on internal network

  1. #1
    Junior Member
    Join Date
    Feb 2005
    Posts
    26

    Port scan on internal network

    Hi all, just setting up a lab at home to test out some IDS's and the like.

    I've installed a Windows 2003 server and am running a port scan against it from another PC. It doesn't show port 3389 as 'listening' yet I know it is because 1 - I can connect to it using Terminal Services client and 2 - a 'netstat -an' on the server itself shows the port as listening.

    And.... There is no firewall on the server. There was but I disabled it.

    Any ideas why it wouldn't show on a scan? I'm just curious....

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    What portscanner are you using, and with what options?
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Are you scanning the UDP or TCP port? - they have the same number but are different ports.

  4. #4
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    I was using Superscan 4.0, didn't set any options, just entered the IP and started the scan, then viewed the results in HTML after. It just showed the NETBIOS port 137 as being open.

  5. #5
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    Actually guys (and gals) using another scanner it showed up. Maybe that Superscan isn't so great or I possibly didn't set something correctly (the more likely option).

  6. #6
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Hello - I have had multiple issues with SuperScan in the past but I still use it as I prefer its functionality and output.

    2 questions though:

    1. Did you select the TCP scan? If so, is it on SYN or Connect? (I find that only Connect works on my XP machines.)
    2. Is port 3389 in your list of ports being scanned? SuperScan only scans for what you tell it to scan.

    If all else fails, just Nmap.

    Hope that helps,
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Not sure if SuperScan 4 is the new release or the one before it, but the old one only scans TCP ports.

  8. #8
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    I see! I just set Superscan to TCP 'connect' and re-ran the scan and it picked up Port 3389.

    Thanks for the advice, I didn't realise some of these scanners had to be told what to do so much.

  9. #9
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Have you tried any other ones? I've never liked SuperScan. (I'm not saying it's no good, just that I don't like it.)

    Nmap is good but you may have to have a good read through the manual pages before you use it, or I personally prefer LANguard. Whilst it is not strictly a port scanner (it's more of a vulnerability scanner), it is very easy to use and is extremely reliable.

  10. #10
    Member
    Join Date
    Sep 2005
    Posts
    77
    We use Superscan fairly often to test responsiveness of IDS sensors. It's quick and relatively easy yet has enough options to trip several alerts. I believe the version we are using is 4.0. If you check out the different tabs across the top, you get some interesting options. When testing IDS responsiveness, try the tab at the top that says Windows Enumeration. Some of those options will trip an IDS. Try creating your own custom port range to sweep... such as known trojan ports.
    It's quick, it's simple and has a very small learning curve to implement.

    Obviously if you want a larger range of alerts to be tripped, you can pull out some of the heavier guns as Nokia mentioned... Nmap, LANguard, Nessus, etc... Some of the live CDs have a lot of great tools, like Whoppix (whax) and another I read about today here on AO..... Pentoo
    (http://www.antionline.com/showthread...hreadid=273577)
    %42%75%75%75%75%72%70%21%00
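
A sensor-side check for the kind of lab discussed in this thread, added here as an example and not posted by any participant: it flags a source that touches many distinct ports on one host in a short window, and reports whether port 3389 was ever probed, which shows from the target's side whether the scanner's port list included it. The log layout, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sensor log: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_LOG = """\
100 192.168.1.20 192.168.1.10 135
100 192.168.1.20 192.168.1.10 137
101 192.168.1.20 192.168.1.10 139
101 192.168.1.20 192.168.1.10 445
102 192.168.1.20 192.168.1.10 1433
103 192.168.1.20 192.168.1.10 8080
150 192.168.1.30 192.168.1.10 3389
400 192.168.1.30 192.168.1.10 3389
"""

def parse(log_text):
    """Yield (ts, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_sweeps(log_text, window=10.0, min_ports=5, watch_port=3389):
    """Return one alert per (src, dst) pair that touched at least
    min_ports distinct ports within any window-second span."""
    events = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log_text)):
        events[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in events.items():
        start, peak = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({p for _, p in hits[start:end + 1]}))
        if peak >= min_ports:
            probed = {p for _, p in hits}
            alerts.append({"src": src, "dst": dst, "peak_ports": peak,
                           "watch_port_probed": watch_port in probed})
    return alerts
```

In the constructed sample, the sweep from 192.168.1.20 raises an alert but never touches 3389, while the two Terminal Services connections from 192.168.1.30 stay below the threshold.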
