Port scanning question...

...I admin a public network, a wireless network in a coffeehouse, and every few months it gets really slow due to some hanger-ons infected with spyware or trojans, or maybe they're doing a download thing. I've been able to quickly resolve the issue by running a series of port scans, picking up the offending MAC addresses, then giving them the boot via the router program. What I've noted after doing this a few times though is that I'm missing some of the computers I know are on the network and assume this to be due to the presence of a firewall on those machines. They're just downright inivisible to Angry IP and GFI Languard. Is there a way to port scan the network and pick up these 'invisible' computers? I've experimented with running Ethereal, but it doesn't work with my wireless card in any kind of promiscous mode. Would nmap or netcat pick up these firewalled boxes? I guess I could go into the router and clear the DHCP table, then refresh it and see who's on, but I prefer the network tools. Thanks.

It's a weekend so be patient and delete the double post for the same question. You should be able to get ethereal to work. Regardless of wether these guys have a firewall or not, they leave signatures based on their activity. For instance research the P2P ports and scan for them. If they are downloading; those ports will be open. Or search for payload signatures with a packet sniffer. This method could get brutally tedius though as people come and go. You might look at port blocking on the firewall of your network. Nmap or any port scanner will pick them up but you have to do a little research into what you desire. For instance if I google "Kazaa port" or search AO port blocking you would find something. ;)

It just going to depend on what you accept as ok on the network. In your other thread you asked for the command syntax for nmap. There are hundred of ways to scan with many option to fine tune the desire outcome. But try this (I don't have nmap on this box so it's from memory so I hope it works):

nmap -sT -p 110-500 198.1.*.1-200

here is the breakdown:
-sT runs scan type "tcpconnect" which attempts fast connection on ports
-p 110-500 will scan ports 100 through 500 - just random numbers in this case
198.1.*.1-200 will scan hosts 1 through 200 in the entire 198.1.* network - another random bit of numbers.

If you spend some time looking around the tutorials you will find a few on Nmap and the man page here . Or download the windows version and check boxes off and push buttons.

Quote:

---

Originally posted here by RoadClosed

nmap -sT -p 110-500 198.1.*.1-200

here is the breakdown:
-sT runs scan type "tcpconnect" which attempts fast connection on ports
-p 110-500 will scan ports 100 through 500 - just random numbers in this case
198.1.*.1-200 will scan hosts 1 through 200 in the entire 198.1.* network - another random bit of numbers.

---

That will work if the boxes respond to ICMP. If they don't respond to ICMP because of a personal firewall (even windows xp's firewall) then nmap will not find them.

You will want to use the -P0 switch too. That means don't ping.

nmap -sT -P0 -p 110-500 198.1.*.1-200

Same as above, but don't do host discovery.
This could cause your scan to take a lot longer because you are scaning who knows what.
You are scanning boxes that are not even there.

Maybe you want to do a regular scan and then use nmap with the -P0 to scan ips that didn't respond the first time around.

I know that GFI languard requires host discovery... either SNMP or ICMP.
Thats why they won't show up in GFI.
When I was using the eval edition, I found no way to disable host discovery...

I've never used angry ip scanner.

BTW: You say that you have access to the router? How do you KNOW the other IPs are there? Physically looking around? Looking at the router arp table? Looking at the router DHCP table? Sniffing?

Can't you just use a firewall yourself and block all but some apps? What do you want people to be able to do?

Roadclosed: I use nmap on a W2K laptop, besides GFI and Angry IP. Not sure what you mean by "...download the windows version and check boxes off and push buttons" as it's command prompt only on the Windows port (no GUI for Windows!). A thousand pardons for the double post; I'll bag it when I figure out how to, probably tomorrow.

phishphreek80: There's an office computer that's never showed on my ip scans using GFI or Angry IP. When I nmap it, all it says is no ports are visible. I've scanned it while it was online. Apparently it's using a McAfee firewall that renders it stealthed. Fwiw, Angry IP shows more computers than GFI. And when I experimented with nmapping a range of IP's on the internet one night at my girlfriend's house, we awoke to a disconnection notice from her ISP and that we should check for virii. He-heh, that was a hoot, she freaked, but I had her back online five minutes after taking to techsupport (yes, I socially-engineered that solution!) How would I look at the arp table? I've seen nothing on the router regarding that. The only place I've seen arp is in ethereal the few times I've used it, and some stuff on the Knoppix-STD cd.

I'm not real up on all the intricacies of TCP/IP and EXACTLY why port scanners behave they way they do and produce varying results, but it seems to me that nmap is the best of the lot. I've used nmap quite a bit on my own webserver and firewall for testing, but usually with the -sV -O -P0 switches. He-heh, remind me to tell you the story of nmapping an army intel machine one night. Eeeek! :)

It's been interesting to hack around on the coffeehouse network; I've portscanned a number of computers just to see how they look from the outside in. Believe it or not, software firewalls do a good job in rendering computers invisible (stealth mode), even the built-in XP firewall. And I guess that's what concerns me.

I'm asking myself how I'll deal with stealthed computers clogging the bandwidth if I don't even know they're there. No doubt they leave traces of activity and I thought ethereal might be a way to deal with it, but like I said Ethereal doesn't play well with wireless cards in promiscuous mode, and I haven't been able to use it for sniffing. The wireless router's in such a place as to render it difficult to connect by cat-5.

All we're really trying to do at the coffeehouse is provide an easy-to-use wireless experience for customers. It's in a university neighborhood, the density of which lends itself to interlopers on the 'cloud'. WEP is a hassle for lots of folks and no one at the shop would be able to support it, so that's tough to do. And I'm doing this as a favor as much as anything for my buddy, so I need to be quick and dirty. We've got a low-end Linksys wireless-G router, and the DHCP table there gives me NO realtime info, even if I clear it. I'll try nmap again when I'm there and see what happens. The office computer gives me a baseline.

p.s. -- what's with XTC46?

Quote:

---

p.s. -- what's with XTC46?

---

Quote:

---

Originally posted here by XTC46
could be just me, but this looks like a poor attempt at social-engineering. and what he is really trying to say is "Im a newb and dont know how to use any tool with out a button that says "scan" on it, can somone teach me how to port scan with nmap?"

---

XTC46 is merely displaying the standard amount of AO paranoia :D
Your post COULD be read as per XTC's post.

As I've posted elsewhere, we [AO] know nothing about each other, bar what we post / profile.
So, until you have been here a while, AND posted sufficient times to allow an educated guess as to your capability level and commitment to helping others ???

Then you WILL be thought of as social engineering .......
It just goes with the territory, it WILL pass, but it takes time, and effort from YOU.

[edit]
as for deleting ........
just go back to your OTHER post.
click the edit button at the top of the post.
Now check the DELETE this post option at the top.

DO IT NOW, as when you delete the first post, the thread is deleted as well.
and it's not considered to be good manners to delete someone else's posts.
So, soonest done, the less the damage :)

also double posting will generally attract negs, which while not fatal [in a physical sense] WILL have an impact on the way you are perceived.

...done, thank you...

hmm one more question
is port scanning legal ??
i did some googling and found out that it was legal ,but it was implemented for US only how about other countries?
http://www.securityfocus.com/news/126

The legality varies from nation to nation so you need to check your particular nation's laws. Even in the US it hasn't been finalized as legal and seems to vary from state-to-state (SuperDMCA in some states, IIRC, would suggest it's illegal).

That said, however, most ISPs frown on the usage of port scanning and it may violate the AUP (Acceptable Usage Policy) due to potential interference with other users using the same bandwidth.

...it's probably legal if it's part of your job.

http://seclists.org/lists/nmap-hacke...-Jun/0011.html

Then again, our legal system's so convoluted, you never really know.

Quote:

---

..it's probably legal if it's part of your job.

---

Only if it's writing. When it comes to any pen testing it's important to get it in writing for CYA purposes. Otherwise you may get to know "Bubba" faster than you'd like.

...in Moulton vs. VC3 that port scanning was legal as long as no damage was done. The Patriot Act upped the ante a bit by classifying any investigation that ran more than $5000 as damages.

Quote:

---

in Moulton vs. VC3 that port scanning was legal as long as no damage was done. The Patriot Act upped the ante a bit by classifying any investigation that ran more than $5000 as damages.

---

Just because the courts ruled it ok, doesn't mean your ISP will agree. Additionally, many of the port scanning tools out there may cause system crashes. Now, while the system itself may not be "damaged" there is, IMO, a real interference to network usage and potential lives at stake (case in point the case you reference -- what if someone was calling in right when the scan occurred and the system went down).

I still wouldn't trust it and would still ask for a written document that states I'm allowed to do a network scan, just as CYA.

Quote:

---

Sourced: PowerPoint Presentation

Scott Moulten

Moulton v. VC3, 2001-1 Trade Cas. (CCH) P 73202, 2000 WL 33310901 (N.D. Ga. 2000),

Two competing companies had contracts for computer consulting services with government agencies – one for the county, and one for a city in that county.

When the city wanted to connect its 911 network with the county, Moulton, an employee of the company with the contract with the county, did a port scan and throughput test on the competitor’s network without the competitor or the city’s consent.

---

...got disconnected once as it is. He-heh, told tech support it was a trojan and got reconnected in a flash. I'm on so many ISPs it's ridiculous...

On the occasions I have used security auditors the permissions you grant and the rights they have are far more restricted than simply "ok, have a go, here's my written permission".

We contract in writing with all the sweet legalese that goes along with it the following, (these refer to both internal attacks and external so they may seem strange in the wrong context... It makes for a long document):-

1. Netblock that may be scanned.
2. Netblock that may be destrucively vuln tested.
3. Netblock that may be potentially destructively pen tested.
4. Hosts that may be destructively vuln tested.
5. Hosts that may be potentially destructively pen tested.
6. Limit of potential destructive testing in _any_ case, (trashing the box completely is disallowed :rolleyes: )
7. Hosts that are "out of bounds" to any potentially destructive testing.
8. Hosts that will be used for the scans, vuln tests and pen tests including idle scans, spoofs etc.
9. That _all_ activity will be dumped by both parties for analysis to verify in the case of issues/problems.
10. Whatever they find they make it look like it's not the fault of the idiot secadmin responsible...

Ok, the last one is a joke..... :D

Quote:

---

ot sure what you mean by "...download the windows version and check boxes off and push buttons" as it's command prompt only on the Windows port (no GUI for Windows!).

---

dont know if you figured it out yet, but they were talking about winmap, Its a GUI front to NMAP that has little check boxes that let you click on the options you wish to use. and yes, it is used for windows.

...it's just a coffeehouse. If it were a corporate environment, certainly a contract would be in order, but all I'm doing is helping a buddy keep his bandwidth open. Lawdy, if this is what high-tech is coming to...

p.s.-- thanks XTC, didn't know we had a front end for nmap on Windows yet. I did a search for it and found nothing. I'm actually quite comfortable with command line.

...how would you audit a small public network like a coffeehouse LAN? The two computers I filtered at the router both had much slower ping times than the others visible to Angry IP (35ms and 80ms) so I figured something was up. And sure enough, once I filtered (disabled) those two MAC addresses, internet access returned to normal for everybody else. As you may surmise, we've had this problem before. My buddy's solution (the owner) has been to powercycle the router and the modem, which works for a short time, but is no real solution. We know the offending computers belong to a youth ministry upstairs as we've been through this before with them. In fact, I'll probably be through there tomorrow, coaching them once again on good computer hygiene (no porn sites, guys, and no music downloads). The fact is, the owner's very appreciative of my help (I get results) and I make every effort to explain to him what I'm doing. I haven't crashed or harmed anyone's computer as far as I know in the hundreds of scans I've run, even on my own systems. Doing harm is not my intent at all. Enabling WEP is no real solution either as the offenders would have the key (they're on the network by the owner's permission).

p.s.--don't worry MsMittens, if anyone's life's at stake, there's plenty of Ye Olde Analog Phones hardwired into the office upstairs. 911 works fine on older phones. ;)

so the final word is that i should keep my pawns off the scan button for a while

Quote:

---

as it's command prompt only on the Windows port (no GUI for Windows!).

---

I must be smokin' crack then, since I have tried a couple. :D Don't like any of them except the one for x-windows, but for santity's sake. Here's one for 3.5

...makes me look like a genius 'round my friends.

Well, I guess all I can do to find the stealthed computers on the network is to run ethereal off a regular nic and look at the ARP table. Ethereal just does not like my wireless card. No big deal, got 'er licked for now. I did some experimenting w/ ZoneAlarm on my office network. It does a very good job of stealthing, as does XP's built-in forewall (believe it or not).

That was always Zone Alarms good feature, it seemed to always do a good job at stealthing ports.
Make sure you have the latest versions of WinPcap, ethereal, wireless drivers and all that. I can't think of why it wouldn't work as long as ethereal or windows can see the wireless network connection. Some software drivers take control away from windows and you have to play with them. But any way, have fun. :)

//EDIT I was thinking about the interface from Layer 1 to Layer 2 on windows boxes. So I poked around a bit and you card has to support rfmon, or "monitor" mode. For this reason I bought a card just for monitoring, an old Orinco. I use linux for the most part but I found this here:

Quote:

---

On Windows, you will not be able to capture in monitor mode on any interfaces, and you might not be able to capture in promiscuous mode, either. You might have some success in promiscuous mode with Centrino interfaces, although you will need Ethereal 0.10.6 or later in order to have the non-data packets recognized and properly dissected.

---

...I'll have to pick up an Orinco. Pretty sure I've got the latest on WinPcap, ethereal, wireless drivers and all that. Seems I'd read about the same on Windows and Ethereal. I'd like to run Knoppix STD off the CD if need be.

in case of ICMP blocked messges use firewalker instead..
it can pass beyond most of the firewalls using random udp port around 56 port used for dns requests..
while using nmap may not be handy in this case bcoz it works only wen most firewall is not blocking ..
u can also use fin scanning using nmap if it works ..
ashtified

hi brokencrow,

I'll take another step. If you move over to linux for this, then with an orinco card you just opened a new can of woop azz. Windows, well pretty much suxors on the security tool list. You can use kismet and then dump the log into ethereal for a nice picture and some IDS componenets. There are some excellent war tutorials on this site so browse through them.

I can see why you might want to ban some serious abusers, but don't you risk pissing off some customers? Maybe your router supports some bandwidth throttles? I mention this because if it were me being scanned, I would not be happy.

...everybody's PO'ed when the bandwidth is gone. :(

We only had to do this once before, back in October. It stinks, but free, easy-to-access bandwidth is part of this coffeehouse's biz. When you get somebody who's parked permanently on the cloud, bumping everybody else off, well, what do you do? Back in October when I did this, I got immediate feedback, and I went upstairs and cleared those machines of any rogue programs and coached the staff members on proper computer hygiene. Guess it didn't take, or maybe it did for awhile. I haven't heard a thing this time around, and they still got two computers on the cloud. So they've got some internet access in the office and probably haven't even figured it out yet. He-heh, here's what's interesting: the two computers still on the cloud are used by chicks, the two that got the boot are used by guys. I'll give you three guesses the kind of sites the guys are going to! :)

Ashtified, you got a download site for firewalker? Did a quick google, but turned up little other than some odd references here and there. Is there a Winders port?

It'll probably be another month or so before I spring for another wireless card. Fortunately this is not a day-to-day problem, but only occurs every few months.

...port scanning is a fact of life on the net. I admin a small network up in Shawnee country (Ohio) that I put a Smoothwall on. I regularly go in and check the logs and it's amazing who's checking the doors. I even seen DoD ip's coming in on port 666 and all I could figure was some gubmint guy looking for a Doom game on a slow day. Our tax dollars at work...

Quote:

---

...port scanning is a fact of life on the net.

---

Sure is, and coming from the "net" is one thing. Coming from within the same network I connected too, over my staight up shot of espresso, could be taken as hostile. That's all I was pointing out. But if there is no bandwidth then there is a problem. Another step. There are alternatives to client invasion. For instance, each internet connection should be presented at the border router/firewall in some fashion because its nating the address (note I am just guessing you use nat but 99.99 sure). So outside of learning, it's a waste to go and try to probe stealthed PCs. Their connection is documented and most likely logged. And if not logged then tables are there in real time. They have to be.

...the DHCP table on the Linksys gives me no realtime info. I can clear it, then renew it, and it'll stay empty until the next time a client logs into the network. A $60-70 router won't tell you much in realtime. Fact is, most folks got no idea they're being scanned, much less even know what a logfile is.

And I respectively disagree with you that port scanning is an invasion. It's an essential admin tool that I've seen used on a slew of networks from time to time. The ping scan gives me a basic feel for who's pulling lot the bandwidth based on the ms time, and that's all I need to know. I could care less about making an intrusion into someone's computer. Furthermore, we've only scanned like that after a few days of problems. It's not like we do it on a regular basis.

You disagree with me even though it's an open public netowrk with no warnings? That's cool, we have a different philosphy here. I am looking from a point of view, I come into a public network, get a connection and wham, I am scanned on every port. Now if I was on a public machine, not my own or connecting to a private network, I would have a different view point. But only slightly modified. I would instantly think the operator was up to something or some smack head on the couch sipping his milky latte. By intrusive I didn't mean you actually entered a client, just that a sweep could be considered intrusive by a user.

You don't have access to NAT tables or ARP tables? That's a bummer. What linksys do you have?

//EDIT You can also look at the DSL or Cable modem for console access or remote access. A ping is NOT a vailid test for bandwidth consumption through your internet gateway. Sorry but it's not as reliable as you think. Consider where you are connected in reference to the client and the technology you are using. In your case it may if the actuall wireless link is slow. In tests I have done, someone could be using up a 100k and a ping would show no difference in time from the resting client and one using 100k.

...it's probably more accurate to say it's a private network available to the public. And who knows what goes on when you got half-a-dozen users hangin' around?

Me? I ALWAYS assume I might be scanned at any time, big deal. I'm inured of this stuff anymore since I've delved deeper into networking and firewalls. Personally, I don't consider scans to be intrusive, and apparently the courts agree. That may change though, and certainly it's considered unethical in some circles. But hey, you got to admin the network somehow.

Sheesh, you should see the software, like IRIS, that the big boys use on those corporate networks. Yow, they can read ANYTHING. I even had a guy hire me to install keyloggers once on his network of five computers. I had mixed feelings about doing that job, but they're his computers and that's what he wanted. The guy was a control freak. Fortunately for his employees, reading the logs was too time-consuming and he was a putz. Thought I'd never say this, but there is no privacy (unless you know what you're doing and are willing to work for it). Welcome to the real world...

...it's a Linksys WRT54G, no NAT or ARP tables from what I can see. Just a DHCP table and a routing table. The DHCP table lists only the LAN's ip's and the MAC's, and the routing table gives me WAN ip's. I respectively disagree with you on ping times on the LAN. They're very indicative of how busy a particular machine is. Crude, but effective.

That's cool. Test it sometime when it's quiet. Ping a machine doing nothing, then download a file on that machine and ping it again from your other box while the file is downloading. It all depends on your overall environment and bandwidth on the network, this side of the gateway. Peace.

...the most recent issue of 2600 has a piece entitled "Tracking Wireless Neighbors". It's written by Sam Nitzburg (www.iamsam.com) and chronicles his adventures with an interloper on his wireless network at home. He describes enabling the logs on his Linksys router, a feature I noted was disabled on the coffeehouse router. He was able to track ingoing and outgoing ip addresses and websites his visitors had accessed. He also utilized nmap and Nessus, but only mentions his machines and network. No mention of port scanning the intruder although if he scanned the full range of his LAN, he would've done just that.

That's a good article. You should note that pinging a machine is tricky. There is NO way to isolate other traffic from his alone. You get a picture of the whole environment on whatever link you are measuring. That includes everyone. And a machine with a fast CPU downloading a large file will ping faster than a machine with a slow CPU running a few apps and downloading a small file. Or they may ping the same when the fast machine is eating all the bandwidth. I am thinking You really have to ping them from the router for a little more accuracy or use more sophistication to measure packet transfers. These are extremes but noteworthy.

...I stand corrected. I tested ping speeds on another network this a.m., a small peer-to-peer. Running Angry IP which will give me ping speeds, I got a baseline on another machine of "0 ms", then I started an OpenOffice download, which runs 65 mb's or so. Ran Angry IP again from my laptop during that download and it still read "0 ms". Sorry if I came off like a know-it-all. I just figured something was up when the 'problem' machines are running 35 ms and 80 ms speeds in contrast to the other machines that day which were in the 0-10 ms range. I'll have another look at that router and see what I can do from that. Really appreciate your perspective...thanks.

...enabled the logs on the router and am checking them now. You can pick up a lot of info this way. Whoever's on 114 has yahoo email. They must be paying for it because they're using an SMTP server. Looks like 111's downloading some music via gnutella from a computer on a RoadRunner network. 101 went to McAfee's website (good girl!). 114 also went to the local university's secure server, probably checking email. Ugh, this is more than I want to know.

You're never alone on the internet, even if the house is empty...

See how much easier that is? :D You know in an instant who's who and what they are doing. Looks like you found the music man who is using gnutella. It's good to only focus on what you need and let the rest fade into obscurity. Road Runner uses a very detailed naming scheme, in most cased you can tell what state and which region they are in just by the host name.

...that was more work than the port scan method I was using. Talked to the big cheese from the youth ministry upstairs today and we'll go through the two computers on Friday. It's a given that someone's always downloading music at the coffeehouse. You see the kids in there all the time with their headphones on. I'm not sure that was the problem so much some uploading going on. I know there's some rogue software floating around upstairs because IMMEDIATELY upon filtering the two MAC addresses, our bandwidth was freed according to that highly-scientific method of observing the blinking indicator lights on the modem. :)

I used to have an office from which I shared my DSL connection to two other small offices. One night my bandwidth was slowed to 26k (that's slower than Ye Olde 56k Modem!) so I started unplugging cables from the router (there was no wireless there). When I unplugged the realtor down the hall, my bandwidth jumped to 600k (normal). Plugged it back in and after five minutes I was back down to 91k and dropping. Unplugged him again and I jumped back up to 600k. Left it that way then followed up with him the next day. He was running Kazaa as a server and leaving the computer on all night. I wouldn't be surprised if something like that was going on up there, or maybe a trojan/worm like Bagle or Netsky.

Thanks.