Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Port Scanners

News See Also Recommended Links Books Recommended Papers OSS Scanners Reference
(regular and trojan ports)
FAQs
Nmap Nessus Perl-based Other generic scanners Commercial Specialized Related tools Honeypots
ICMP-based scanning ICMP tools Detection of port scanning Defeating port scans IDS detection Humor Random Findings Etc

Port scanners and related network vulnerability scanners are not as effective as internal vulnerability scanners, but are much more fashionable tools. Neither port scanners, nor network vulnerability scanners are a silver bullet and both have a lot of limitations, especially for scanning DMZ with proxy and multiple firewalls. 

Scanning is also a favorite pasture of some category of people, who can be subdivided into two broad categories:

With too much firewalls (and internal firewalls becoming a standard part for all Internet exposed servers) the tables are turned against scanners. Simple tricks like using DNS or SMTP ports for scanning are no longer that useful and generally against a well-configured firewall scanner cannot do much.  Also availability of honeypots create significant new difficulties: it is difficult to guess is the detected vulnerable server real or fake.

Still port scanning can be performed as  a "diff scan" based on previous scan results;  in this case the most interesting part is not "absolute" list of ports, but the differences with previous scan. For an example of this approach see localscan

Localscan is a Perl-based frontend for nmap. It allows the user to compare the results of an nmap portscan with the results of a previous nmap portscan made when the subnet or IP range being scanned was in a "known-good" configuration. Essentially, localscan allows the user to use a portscanner and ask "What new ports are open?" instead of just asking "What ports are active?"

That approach might be useful in monitoring hosts on a particular subnet.

Also all major OSes (Solaris, OpenBSD, Linux distributions like RedHat, Suse and  Mandrake ) have internal firewall modules enabled (on RedHat this in included into the installation menu so you can expect more systems that have this feature ;-) and thus do not expose externally all ports for services that are running anymore.  That additionally complicates the picture and make port scans much less useful. 

Some firewall admins go to an additional length and selectively blocks packets with low TTL filter.  Telnet and FTP are gradually became extinguished and SecureID and similar system are more and more used for DMZ authentication. That means that only HTTP, DNS and SMTP are left of really vulnerable services, but now they are limited to a few servers.  Still perimeter scanning has some value as a checking tool.

External perimeter scanning usually triggers IDSes including honeypot-based detection systems. So they should be switched off before scanning. 

Intranet scanning is much more useful especially for large corporation where nobody usually knows where internal networks ends ;-). They are also useful for finding unauthorized services, for example, web servers (common and marginally dangerous) or worse DHCP servers (uncommon but very dangerous :-) 

Also usually on corporate Intranet there are too many poorly configured systems, and many of them are located in remote places. Even on a large DMZ there can be dozens of systems with various level of patches, configuration errors/blunders, etc.

Putting internal scanner in some internal server and then performing log analyses require good understanding of internal infrastructure. That's why hired professional services usually produce such a low quality results.

For terminology for vulnerabilities please consult Common Vulnerabilities and Exposures. For the RPM download of most popular scanners see RPM resource

Nmap
A decent scanner, and used by many other programs to do the scanning. Reasonably fast and flexible scanner with many useful options.  Nmap also tries to do the OS fingerprinting and often makes a pretty good guess on the OS, and in some cases even the version (i.e. Linux kernel version).

Nessus
One of the best free UNIX based intrusion scanners. It's fast, and built around a client server architecture with encrypted communications between the client (Windows, UNIX or Java based) and the server (UNIX based). There is a language for writing plug-ins to do additional scanning and intrusion tests, so if you want to extend the product, or write custom modules you can do so. Nessus starts by scanning the target for open ports and attempts to fingerprint the OS, this is followed by a scan for vulnerabilities, with optional attempts to exploit them (optional since it may crash the machine or otherwise "damage" it). Nessus generates pretty decent output, with explanations of what the problems is, and how to fix it (generally speaking of course), you can also export the output to HTML files.

In lectures we will limit ourselves to just those two scanners.

Dr. Nikolai Bezroukov

Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

News

[Jul 22, 2009] SECURITY: Nmap 5.00 Released

Jul 22, 2009 | Insecure.org

"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/ . This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this."

Continied

Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

Top articles

Sites

See also Internet Control Message Protocol (ICMP)

Continued

Recommended Papers

Continued . . .


Defeating port scans

9th USENIX Security Symposium Paper Defeating TCP/IP Stack Fingerprinting Matthew Smart, G. Robert Malan, Farnam Jahanian

A practical approach for defeating Nmap OS-Fingerprinting

Camouflaging Nmap Scans July 17, 2003 - by Whistler,©HackinTheBox.

I like to hide my tracks whenever I am in the mood for a little snooping, or at least make it a little less obvious so I don't have to go through the bother of reapplying for another ISP account. Not as though it has ever happened before in this part of the world! Some of us possess that little nagging fear every time we fire up a port scanner and some of us are numb to any sensation what so ever. To those of you who suffer from bouts of emotional distress, I will show you in this article how nmap can be used to help camouflage your scans.


Reference


Open Sourced Port Scanners

Nmap

Nmap is a one of the best generic network scanners. It supports ping scanning (determine which hosts are up), many esoteric port scanning techniques (determine what services the hosts are offering, even if they are firewalled), and TCP/IP fingerprinting (remote host operating system identification). All-in-all this pretty robust free generic port scanner.

Scanning and Defending Networks with Nmap

Nmap addon tool -- nlog

Download: http://nlog.ings.com/nlog/dist/
Alternate Download: ftp://ftp.technotronic.com/newfiles/nlog-1.5.3.tar.gz
Homepage: http://nlog.ings.com
Changelog: http://nlog.ings.com/nlog/dist/README

Nlog is a set of perl scripts that allow you to search through your Nmap 2.x scan logs. Included is a conversion script and a complete CGI interface with 4 extensions and support for more. From your web browser you can search for all hosts with any given port open, operating system, sequence index, or IP address and query common services through the extension scripts.


Nessus

Brief Description: A free, open-sourced and easy-to-use security auditing tool. Nessus is probably the best open-sourced and easy-to-use security auditing tool for Linux, BSD and some other systems. It is multithreaded and plugin based, and has a nice X11 interface. It's extendable using NASL, (Nessus Attack Scripting Language) language (security checks can also be written in C). Nessus does not believe that the target hosts will respect the IANA assigned port numbers. This means that it will recognize a FTP server running on a non-standard port (31337 say), or a web server running on port 8080. The current version performs more than 200 security checks against the remote networks.

Lokks like the best bet among open source scanners. See also

The Nessus program consist of two parts, a server (it does the work of finding the holes, and reporting them back to the client) and a client (it does the work of displaying the results found by the server counterpart).

The server can be installed on a variety of UNIX boxes (including: Linux, BSD and Solaris) and on Windows NT.

There are a variety of clients. One is a GTK based program that can run on any UNIX machine running GIMP, the second is a Java based program (which can be runned on a Windows machine and on an UNIX machine), the third is a Win32 based program (making it possible to run off any Windows NT/95/98 machine).

Actively maintained as of Jan 2001.

Sara

SARA - Security Auditor's Research Assistant -- The Security Auditor's Research Assistant (SARA) is a third generation security analysis tool that is based on the SATAN model which is covered by the GNU GPL-like open license. It takes the advantage of nmap if present. The author of SAINT, Bob Todd, later joined Advanced Research and has been working on SARA. the important plus is that it interfaces with 3rd-party products, such as NMAP and not reinventing the wheel.

Actively maintained as of Jan 2001.

Saint

SAINT http://www.wwdsi.com/saint/(Security Administrator's Integrated Network Tool) is a security assessment tool based on SATAN. This not the same thing as outdated Satan scanner... See also freshmeat.net Project details for Saint

SAINT (Security Administrator's Integrated Network Tool) is a security assesment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT & CIAC bulletins, 4 levels of severity (red, yellow, brown, & green) and a feature rich HTML interface.

Homepage:
http://www.wwdsi.com/saint/

RPM package:

ftp://ftp.wwdsi.com/pub/saint/RPM/

saint-3.4.4-1.i386.rpm as of Feb 2002.


Perl-based

pscan Portable Perl Port Scanner

What is pscan?

pscan is a basic network port scanner written in Perl. There are several goals with pscan. First, portability. Second, simplicity. Third, education.

Portability arises because pscan relies only on Perl internals and two modules (Getopt::Long and Socket) that are included by default in the Perl distribution. pscan is not meant to rival nmap in terms of features, performance, etc. Instead, it is a quick and dirty port scanner that for general use is sufficient, not to mention being faster than grabbing a copy of nmap, whether source or binary.

Simplicity arises from the fact as long as your system has a somewhat modern version of Perl, you should be able to run pscan the moment you download it. There is no need to install additional modules, let alone compile the software, before you can run it.

The education arises as this is also an effort to improve my Perl socket programming, among other areas. This area, no doubt, requires much progress, especially in regards to CIDR and UDP.

nss (Network Security Scanner) - NSS is a perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. nss is a perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. The majority of the tests can be performed by any non-privileged user on a typical Unix machine. The only test currently being performed that requires root privileges is the check for a bad hosts.equiv file. This test requires that a fake username (e.g., bin) be fed into rexec. Ethical (and possibly legal) concerns limit the tests that nss will run. nss will not create any files on remote machines nor will it run any non- trivial programs on remote machines. The only non-standard external program it invokes is ypx, a program that attempts to download the password map from a NIS server. ypx was posted in comp.sources.misc and in archived in volume 40. nss also requires the ftplib.pl package if you are running perl version 4.x. ftplib.pl is available from several perl archives such as ftp://anubis.ac.hmc.edu:/pub/perl/library/ftplib.pl.gz This program was developed on a DECstation 5000 running Ultrix 4.4. It has had superficial portability checks made under SunOS 4.1.3 and Irix 5.2 but extensive work has not been performed from those platforms. Copyright 1995 by Douglas O'Neal

The majority of the tests can be performed by any non-privileged user on a typical Unix machine. The only test currently being performed that requires root privileges is the check for a bad hosts.equiv file. This test requires that a fake username (e.g., bin) be fed into rexec. Ethical (and possibly legal) concerns limit the tests that nss will run. nss will not create any files on remote machines nor will it run any non- trivial programs on remote machines. The only non-standard external program it invokes is ypx, a program that attempts to download the password map from a NIS server. ypx was posted in comp.sources.misc and in archived in volume 40. nss also requires the ftplib.pl package if you are running perl version 4.x. ftplib.pl is available from several perl archives such as ftp://anubis.ac.hmc.edu:/pub/perl/library/ftplib.pl.gz This program was developed on a DECstation 5000 running Ultrix 4.4. It has had superficial portability checks made under SunOS 4.1.3 and Irix 5.2 but extensive work has not been performed from those platforms. Copyright 1995 by Douglas O'Neal Everyone is granted permission to use and distribute this program provided that this copyright notice is retained in all copies distributed. Inclusion of this software in any commercial product without the express permission of the author is prohibited. This software is provided "as is" and without any express or implied warranties including the implied warranties of merchantibility and fitness for any particular purpose. In no event shall the authors or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages arising out of the of this software. Written by: Douglas O'Neal Doug.ONeal@jhu.edu

Other


Specialized port scanners

relaycheck

Download: http://david.weekly.org/code/relaycheck.pl
Homepage: http://david.weekly.org/code/

relaycheck scans a network for SMTP hosts that permit "relaying" of email. These servers are vulnerable because a 3rd party could come in and use the mail server to relay mail through the server for the purpose of spamming. relaycheck is a pretty crude tool, but it's fast and functional. It requires perl and libwww.

ftpcheck

Download: http://david.weekly.org/code/ftpcheck.pl
Homepage: http://david.weekly.org/code/

ftpcheck scans hosts and networks for FTP and anonymous FTP archives. It was written as a security analysis tool. ftpcheck is very fast. It can effectively scan a class C network for anonymous FTP sites in less than 5 seconds. It does this by starting a new process for each connection. ftpcheck requires perl and libnet (from CPAN).


Commercial Scanners

ISS NetSonar Netective Balista Other

ISS

WebTrends Security Analyzer

SecuriTeam.com (WebTrends release Security Analyzer)

WebTrends's Security Analyzer home page can be found at: http://www.webtrends.com/products/wsa/default.htm

NetSonar

Cisco Systems' NetSonar Vulnerability Scanner and Network Mapping System 1.0 ($20K traveling license, support contract is extra)

Ballista

Secure Networks' Ballista Security Auditing System 2.4.

Netective (now Bindview product)

Network security hole scanning, network hacking protection


Specialized Scanners and Related Tools

CiscoAuditingTool g0ne <g0ne at shell.scrypt.net> - May 23rd 2000, 22:30 EST

Cisco Auditing Tool is a Perl script which scans cisco routers for common vulnerabilities. It checks for default passwords, easily guessable community names, and the IOS history bug. Includes support for plugins and scanning multiple hosts.

NBChk skalore <skalore at sd2600.net> - November 14th 1999, 14:35 EST

NBChk is a multi-threaded Perl banner-checking utility that is fully configurable and can scan a full/partial class-C network, hosts from a file, or a single host for configured vulnerabilities.

HTTP

R a i n F o r e s t P u p p y Whisker CGI Scanner -- Perl based. Somewhat perverted, but still usable.

Includes the following features:
1) The CGI directory can be pre-defined from the default '/cgi-bin', to your own choosing, or a set of well-known CGI paths.
2) Before checking for vulnerability Whisker will verify that the CGI directory exists, and that the CGI itself exists, reducing the number of false positives.
3) The server type and version is checked prior to any testing, reducing checks for unsupported CGIs (i.e. test for details.idc vulnerability on an Apache server is futile, since this is an IIS vulnerability).
4) Virtual Hosting is fully supported, allowing Whisker to test vulnerabilities against sub-domains within the same server (a feature not supported by all CGI scanners).
5) Whisker can be taught to see through custom made "success" pages, which are usually a result of "not found" errors (this minimizes false positives).
6) Whisker was written in Perl for easy portability and manipulation.
7) Interoperability between products/files such as command separated files, nmap result file, IP subnets and etc.
8) Written in a script language that enables people to easily add new scanning scripts.

DNS


Random Findings

Study Guides for testing, reading, writing, and classroom participation -- interesting side link !!!

NTOScanner126.exe -- The fast TCP/IP port scanner for Windows NT platforms? NTO Scanner v1.26 has been clocked scanning 5,000 ports ine 8 seconds and all 65k in 3:30 mins. It scanned 1,200 ports on 50 hosts in 3 minutes. 5 star Freeware from NT OBJECTives, Inc.. 457.656 kb.

ADMgates ADM Linux-based Wingate scanner, scan entire zones
ADMscan3 Utility to ping hosts in order to map networks
ADMsnmp ADM's SNMP scanner
Allhosts Mass DNS Query
dnsscan Mass DNS query tool to generate host listings for domains/networks
domainscan Utility to mass-resolve IP addresses in class B or C networks
firewalk Firewalk is a network auditing tool that attempts to determine what transport protocols a given gateway will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater then the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.
ftpcheck Perl script to scan class-c networks for machines running FTP
ftpscan FTP-bounce portscanner
halfscan Half opened connection portscanner
hping070-lin hping v0.70 for Linux, tool for testing packet filters
hping070-sol hping v0.70 for Solaris, tool for testing packet filters
ident-scan TCP portscanner that uses identd querying
Identscan Can be useful to determine who is running daemons on high ports that can be security risks.
imapd_scan Shellscript to exploit entire networks using the Linux IMAP vulnerability
IP Tools 2000 Many Network/Internet Information Tools! Multithreaded, Multidocument Interface! Network scanner, Port Scanner, Scan any class C or class B network for any number of open ports. Find information on domain names, owners, and administrators. Find information on users of a UNIX machine. Find what ports you have open, so you can close potential security holes. Graphical ping utility, Graphical DNS/Whois/Finger utility. Graphical utility for testing port commands on servers.
IP.id scan Scanner does not directly contact the target host and is therefore practically untracable.
IPPx Fast multithreaded portscanner, can be controlled via a powerful scriptlanguage to query ports for detailed information like anonymous-access for ftp-servers, weak telnet-passwords and so on. Displays found devices in clear laid out graphics or lists, together with detailed informations like found ports, exchanged data and more.
ipscanmaster Windows based port scanner, multithreaded.
iptools2000 Windows based port scanner with extra tools.
java-cgi-scan Java CGI vulnerability scanner
mountdscan rpc.mountd scanner
mscan Network scanner, checks for various default security problems
mtutest Tool to check packet filters



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: September 12, 2017