-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-

                   -= Remote Host Discovery with PortScanning =-

                                -= By Adept =-
                          -= mark@firstworld.net =-
                           
                           -= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


What PortScanning is

Querying TCP or UDP ports to see what responds.  This is often done to identify listening 
services on a remote host, and for many hackers, this is the first step in gathering data 
about their target.

Since this is such a fundamental hacking skill, most of you are experienced with it.  Feel 
free to bring up your favorite methods and tools.  I know I will be leaving quite a few of 
my favorite tools out because...  It's 2AM right now.

Common services on Internet hosts will usually be running somewhere below port 1024.  It 
would make sense to scan every port below 1024 if you wanted to get the most results per 
attempt.  However, some of the most vulnerable services and/or Trojans will be left above 
that port.  For this reason, many portscanners will include a list of common ports, or use 
your Unix box's service listing.  The practice of a known-ports list also returns a very 
high result ratio; however, any practice other than scanning all 65,535 ports will remain 
incomplete.

Steve Gibson from grc.com claims to have found a way to instantaneously scan all 65,535 
ports on your box, and that he is going to come out with a "new FREEWARE HYPER-SPEED PORT 
SCANNER".  Drop an email to this crackhead if you are as interested as I am in his "new 
technology."  The interesting thing is that if it is really possible, it will most likely 
take advantage of an IP stack feature dating back to the 1970s.  Is there a network or 
broadcast type address for your TCP stack, maybe port 0 if queried correctly?  More 
importantly, is a Windows kiddie named Steve Gibson going to be the one to find it?


Protocols

TCP is the most common protocol on the Internet, and most services run on TCP, so TCP 
scanning is the most common kind of scan.  If you want to find webservers, ftp servers, 
or most other services on a box, this is the way to go.

There are a few ways to find out if a service is listening on a port.  "Connect" is the 
most basic way, and the easiest for IDSs and firewalls to detect.  A TCP "SYN" scan, 
however, does not fully create a TCP connection; it only checks for the possibility of 
creating one.  The advantage of SYN is speed and less chance of being detected, but the 
downside is that you can't grab "banners" from the port, since the connection is never 
completed and the service never gets to send anything.  A "Connect" scan is all 5 steps 
shown below, where a "SYN" scan only goes to step 3.  Snort (the open source flexible 
IDS) will always pick up a SYN or CONNECT scan if you have the right Snort rules in place.


      TCP A                                                TCP B

  1.  CLOSED                                               LISTEN

  2.  SYN-SENT    --> <SEQ=100><CTL=SYN>               --> SYN-RECEIVED

  3.  ESTABLISHED <-- <SEQ=300><ACK=101><CTL=SYN,ACK>  <-- SYN-RECEIVED

  4.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK>       --> ESTABLISHED

  5.  ESTABLISHED --> <SEQ=101><ACK=301><CTL=ACK><DATA> --> ESTABLISHED

          Basic 3-Way Handshake for Connection Synchronization (from RFC 793)
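The difference between a full connect and a half-open SYN probe is visible in a packet trace, which is exactly what an IDS rule keys on.  The following is an added example (not code from the original 2600SLC text, and not Snort's own logic): it walks a hand-constructed trace of TCP flags, groups packets into flows keyed on the client's SYN, and then tells apart a source that completes handshakes (connect scan), one that never gets past step 3 (SYN scan), and a host that just opened one normal connection.  The record layout (src, sport, dst, dport, flags) and the addresses in the trace are assumptions of this example.

```python
"""Tell SYN (half-open) probes from full connects in a constructed packet trace.

Added example, not part of the original text.  Flags are written as nmap/tcpdump
style letters: S=SYN, A=ACK, R=RST, F=FIN, so "SA" is step 3 of the diagram.
"""
from collections import defaultdict


def closed_probe(src, sport, dst, dport):
    """Constructed exchange for a closed port: SYN answered by RST/ACK."""
    return [(src, sport, dst, dport, "S"), (dst, dport, src, sport, "RA")]


# Constructed trace.  10.0.0.9 is the target; the other three hosts are clients.
TRACE = [
    # 10.0.0.5: one normal connection to ssh, steps 2-4 of the diagram
    ("10.0.0.5", 40001, "10.0.0.9", 22, "S"),
    ("10.0.0.9", 22, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.9", 22, "A"),
    # 10.0.0.7: SYN scan.  Open port 80 answers SYN/ACK (step 3); the scanner
    # tears it down with RST instead of sending the step-4 ACK
    ("10.0.0.7", 50001, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.7", 50001, "SA"),
    ("10.0.0.7", 50001, "10.0.0.9", 80, "R"),
    *closed_probe("10.0.0.7", 50002, "10.0.0.9", 81),
    *closed_probe("10.0.0.7", 50003, "10.0.0.9", 82),
    *closed_probe("10.0.0.7", 50004, "10.0.0.9", 83),
    *closed_probe("10.0.0.7", 50005, "10.0.0.9", 84),
    # 10.0.0.8: connect scan.  Open ports go through all of steps 2-4
    ("10.0.0.8", 60001, "10.0.0.9", 22, "S"),
    ("10.0.0.9", 22, "10.0.0.8", 60001, "SA"),
    ("10.0.0.8", 60001, "10.0.0.9", 22, "A"),
    *closed_probe("10.0.0.8", 60002, "10.0.0.9", 25),
    ("10.0.0.8", 60003, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.8", 60003, "SA"),
    ("10.0.0.8", 60003, "10.0.0.9", 80, "A"),
    *closed_probe("10.0.0.8", 60004, "10.0.0.9", 110),
    *closed_probe("10.0.0.8", 60005, "10.0.0.9", 443),
]


def summarize_flows(trace):
    """Group packets into flows keyed by the client's SYN and record how far
    each one got through the handshake."""
    flows = {}
    for src, sport, dst, dport, flags in trace:
        if flags == "S":  # step 2: a new flow starts with a bare SYN
            flows[(src, sport, dst, dport)] = {
                "synack": False, "completed": False,
                "client_rst": False, "server_rst": False,
            }
            continue
        fwd = (src, sport, dst, dport)   # client -> server packet
        rev = (dst, dport, src, sport)   # server -> client packet
        if rev in flows:
            f = flows[rev]
            if "S" in flags and "A" in flags:
                f["synack"] = True       # step 3: port is open
            elif "R" in flags:
                f["server_rst"] = True   # closed port
        elif fwd in flows:
            f = flows[fwd]
            if "R" in flags:
                f["client_rst"] = True   # scanner aborting a half-open probe
            elif "A" in flags:
                f["completed"] = True    # step 4: full connection
    return flows


def classify_sources(flows, min_ports=5):
    """Per source: count distinct targets and how many handshakes completed.
    A source touching >= min_ports targets is a scan; zero completions means
    it stopped at step 3, i.e. a SYN scan."""
    stats = defaultdict(lambda: {"targets": set(), "completed": 0,
                                 "half_open": 0, "closed": 0})
    for (src, _sport, dst, dport), f in flows.items():
        s = stats[src]
        s["targets"].add((dst, dport))
        if f["completed"]:
            s["completed"] += 1
        elif f["synack"]:
            s["half_open"] += 1
        elif f["server_rst"]:
            s["closed"] += 1
    report = {}
    for src, s in stats.items():
        if len(s["targets"]) < min_ports:
            verdict = "normal"
        elif s["completed"] == 0:
            verdict = "syn-scan"
        else:
            verdict = "connect-scan"
        report[src] = {"verdict": verdict, "ports": len(s["targets"]),
                       "completed": s["completed"], "half_open": s["half_open"],
                       "closed": s["closed"]}
    return report


if __name__ == "__main__":
    for src, r in classify_sources(summarize_flows(TRACE)).items():
        print(src, r)
```

The threshold and the lack of a time window are deliberate simplifications: a production rule also bounds the probes to an interval, and a SYN/ACK answered by RST from the client (the `client_rst` flag above) is the tell-tale of a half-open probe even when the port count is low.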

UDP scanning is mainly used for lookup-only DNS and SNMP; not many other common services 
run on UDP.  With UDP a packet is sent to every port that you scan, and if there is ANY 
response, it is regarded as an active port.  This is simply the way UDP works in general; 
it is a connectionless, low-overhead protocol with no handshake or retransmission.


Common Tools

NMAP by fyodor@insecure.org.  
This is my favorite portscanner.  Available for *NIX, and a port is available for NT.  
Beta versions of NMAP constantly add functionality; betas do not get ported to NT AFAIK.  
Features include high speed TCP and UDP scans, and TCP SYN scanning (a full TCP 
connection is not made, which reduces detection by the target).  Also, try the new remote 
uptime feature in beta 22; it calculates the uptime from the TCP timestamp option in the 
headers of most BSD-compatible TCP stacks.  Find this at insecure.org.

Fscan and Superscan, by Foundstone Inc.
Superscan is cheap and dirty TCP scanning for Windows.  Fscan is a command line scanner, 
with TCP/UDP scanning, port order randomization, and port banner grabbing.  Find these at 
www.foundstone.com.




Name the Operating System


System1:
# nmap -sS x.x.x.x

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on  (x.x.x.x):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
445/tcp    open        microsoft-ds                   
1025/tcp   open        listen                  

Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds

System2:
# nmap -sS 208.23.65.90

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on jesuslovesunix.1800contacts.net (208.23.65.90):
(The 1516 ports scanned but not shown below are in state: closed)
Port       State       Service
13/tcp     open        daytime                 
21/tcp     open        ftp                     
22/tcp     open        ssh                     
37/tcp     open        time                    
111/tcp    open        sunrpc                  
113/tcp    open        auth                    
6969/tcp   open        acmsoda                 

Nmap run completed -- 1 IP address (1 host up) scanned in 85 seconds
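The two runs above are meant to be read by eye: 135/139/445 open says NT family, while sunrpc, ssh and the inetd daytime/time ports say Unix.  As an added example (not code from the original text or from nmap), here is a small parser for the nmap 2.53 output format shown above that turns each host into a record, applies the same port-profile guess, and diffs the open ports against an expected baseline, which is the check a defender runs on their own hosts.  The sample output embedded below is constructed in the same format with TEST-NET addresses, and the marker tables are assumptions of this example, not an nmap fingerprint database.

```python
"""Parse nmap 2.53 text output, guess the OS family from the port profile, and
flag ports that are not in an expected baseline.  Added example; the sample
below is constructed, not a real scan."""
import re

# Constructed sample in the layout of the "System1"/"System2" runs above.
SAMPLE = """\
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on  (192.0.2.10):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen

Nmap run completed -- 1 IP address (1 host up) scanned in 83 seconds
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on unixbox.example.net (192.0.2.20):
(The 1517 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
111/tcp    open        sunrpc
6969/tcp   open        acmsoda

Nmap run completed -- 1 IP address (1 host up) scanned in 85 seconds
"""

# "Interesting ports on <name> (<addr>):"; the name may be empty, as in System1.
HEADER_RE = re.compile(r"^Interesting ports on\s*(\S*)\s*\(([^)]+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return a list of {name, addr, ports} records, one per scanned host."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "addr": m.group(2), "ports": []}
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
    return hosts


# Heuristic markers (assumption of this example): which open TCP ports point
# at which OS family on a 2001-era Internet host.
WINDOWS_MARKERS = {135: "loc-srv (RPC endpoint mapper)", 139: "netbios-ssn",
                   445: "microsoft-ds (SMB over TCP)"}
UNIX_MARKERS = {111: "sunrpc portmapper", 22: "ssh", 13: "daytime (inetd)",
                37: "time (inetd)", 113: "auth/ident"}


def open_tcp_ports(host):
    return {p["port"] for p in host["ports"]
            if p["proto"] == "tcp" and p["state"] == "open"}


def guess_os(host):
    """Return (family, evidence) from the open-port profile alone."""
    ports = open_tcp_ports(host)
    win = [f"{p}/tcp {d}" for p, d in WINDOWS_MARKERS.items() if p in ports]
    unix = [f"{p}/tcp {d}" for p, d in UNIX_MARKERS.items() if p in ports]
    if win and len(win) >= len(unix):
        return "Windows NT family", win
    if unix:
        return "Unix-like", unix
    return "unknown", []


def unexpected_ports(host, baseline):
    """Open TCP ports that the owner did not expect on this host."""
    return sorted(open_tcp_ports(host) - set(baseline))


if __name__ == "__main__":
    for h in parse_nmap(SAMPLE):
        family, why = guess_os(h)
        print(h["addr"], h["name"] or "(no name)", "->", family, why)
        print("  unexpected:", unexpected_ports(h, {21, 22, 111}))
```

The port-profile guess is only a hint; ssh can run on either family, which is why the Windows markers win ties.  The baseline diff is the part worth keeping: run your own hosts through it and anything like 6969/tcp showing up where only 21, 22 and 111 belong is what you investigate.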


Links

http://www.insecure.org/nmap - bleeding edge scanning

http://www.foundstone.com - White hat hackers interested in full disclosure and good tools.

http://grc.com - Crackhead named Steve Gibson will hax0r you from his website.

http://www.snort.org - Martin Roesch's open source flexible IDS.

http://packetstorm.securify.com/UNIX/scan_detect/ - UNIX portscanner detection.
Portscanning and Remote Host Discovery.

2600SLC(Confidential)	Page 1	4/6/2001 (0day)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-