Port scanners, and the network vulnerability scanners built on top of them, are less effective than host-based (internal) vulnerability scanners, but they are far more fashionable tools. Neither is a silver bullet: both have serious limitations, especially when scanning a DMZ that sits behind proxies and multiple firewalls.
Scanning is also a favorite pastime of a certain category of people, who can be subdivided into two broad categories:
With firewalls everywhere (a host firewall is now a standard component of every Internet-exposed server) the tables have turned against scanners. Simple tricks such as sourcing the scan from the DNS or SMTP port are no longer very useful, and against a well-configured firewall a scanner cannot do much. The availability of honeypots adds a further difficulty: it is hard to tell whether a detected vulnerable server is real or a decoy.
Still, port scanning can be performed as a "diff scan" against previous results; in that case the interesting part is not the absolute list of open ports but the differences from the previous scan. For an example of this approach see localscan:
Localscan is a Perl-based front end for nmap. It lets the user compare the results of an nmap port scan with those of a previous scan taken when the subnet or IP range was in a "known-good" configuration. Essentially, localscan lets you use a port scanner to ask "What new ports are open?" instead of just "What ports are open?"
This approach is useful for monitoring the hosts on a particular subnet.
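As an added illustration of the diff-scan idea (this is not localscan's code, which is Perl; it is a Python sketch written for this page), the script below parses two nmap grepable (-oG) outputs and reports new hosts, newly opened ports and ports that have since closed. Both scan outputs are constructed sample data and the addresses in them are made up.

```python
"""Diff two nmap grepable (-oG) outputs and report what changed.

Added example; the sample scan output below is constructed, not real data.
"""
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed baseline taken when the /29 was in a known-good state.
BASELINE_GNMAP = """\
# Nmap 5.00 scan initiated Wed Jul 22 10:00:00 2009 as: nmap -sS -sU -oG base.gnmap 192.168.10.0/29
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///\tIgnored State: closed (1998)
Host: 192.168.10.2 ()\tStatus: Up
Host: 192.168.10.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (1998)
# Nmap done at Wed Jul 22 10:00:41 2009 -- 8 IP addresses (2 hosts up) scanned in 41.20 seconds
"""

# Constructed later scan of the same range: two new ports and a new host
# that answers on the DHCP server port.
CURRENT_GNMAP = """\
# Nmap 5.00 scan initiated Thu Jul 23 10:00:00 2009 as: nmap -sS -sU -oG cur.gnmap 192.168.10.0/29
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 8080/open/tcp//http-proxy///\tIgnored State: closed (1997)
Host: 192.168.10.2 ()\tStatus: Up
Host: 192.168.10.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-term-serv///\tIgnored State: filtered (1997)
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 67/open|filtered/udp//dhcps///\tIgnored State: closed (1999)
# Nmap done at Thu Jul 23 10:00:44 2009 -- 8 IP addresses (3 hosts up) scanned in 44.03 seconds
"""


def parse_gnmap(text: str) -> Dict[str, Set[Port]]:
    """Return {host: {(proto, port), ...}} for ports reported as open.

    -oG lines are tab-separated fields; the Ports field holds comma-separated
    entries of the form port/state/proto/owner/service/rpc/version/.
    """
    hosts: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        hosts.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                # "open|filtered" (UDP) is counted as open: a new one deserves a look.
                if state.startswith("open"):
                    hosts[host].add((proto, int(port)))
    return hosts


def diff_scans(baseline: str, current: str) -> Dict[str, object]:
    """Answer 'what changed?' rather than 'what is open?'."""
    base, cur = parse_gnmap(baseline), parse_gnmap(current)
    opened: Dict[str, List[Port]] = {}
    closed: Dict[str, List[Port]] = {}
    for host, ports in cur.items():
        added = ports - base.get(host, set())
        if added:
            opened[host] = sorted(added)
    for host, ports in base.items():
        removed = ports - cur.get(host, set())
        if removed:
            closed[host] = sorted(removed)
    return {
        "new_hosts": sorted(set(cur) - set(base)),
        "gone_hosts": sorted(set(base) - set(cur)),
        "opened": opened,
        "closed": closed,
    }


if __name__ == "__main__":
    for key, value in diff_scans(BASELINE_GNMAP, CURRENT_GNMAP).items():
        print(f"{key}: {value}")
```

Run both scans with identical options (same port list, same -sS/-sU selection, same timing), otherwise the diff reports scanner noise as change; hosts that were filtered in one run and answered in the next will show up as "new".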
Also, all major OSes (Solaris, OpenBSD, and Linux distributions such as Red Hat, SuSE and Mandrake) now ship with a host firewall (on Red Hat it is offered in the installation menu, so expect more systems to have it enabled ;-) and thus no longer expose every port of every running service to the network. That further complicates the picture and makes port scans much less useful.
Some firewall admins go further and selectively drop packets with a low TTL (which defeats traceroute-style probing such as firewalk). Telnet and FTP are gradually dying out, and SecurID-style one-time-password systems are increasingly used for DMZ authentication. That leaves HTTP, DNS and SMTP as the only really exposed services, and they are confined to a few servers. Still, perimeter scanning has some value as a checking tool.
External perimeter scanning usually triggers IDSes, including honeypot-based detection systems, so they should be switched off (or the scanner's source address whitelisted) before an authorized scan; otherwise the scan produces a flood of alerts.
Intranet scanning is much more useful, especially in a large corporation where nobody really knows where the internal network ends ;-). It is also useful for finding unauthorized services, for example web servers (common and marginally dangerous) or, worse, rogue DHCP servers (uncommon but very dangerous :-).
Also, a corporate intranet usually has too many poorly configured systems, many of them in remote locations. Even on a large DMZ there can be dozens of systems at various patch levels, with configuration errors and blunders, etc.
Placing a scanner on an internal server and then analysing its logs requires a good understanding of the internal infrastructure. That is why hired professional services usually produce such low-quality results.
For vulnerability terminology consult Common Vulnerabilities and Exposures (CVE). For RPM downloads of the most popular scanners see RPM resource.
A decent scanner, used by many other programs to do their scanning. Reasonably fast and flexible, with many useful options. Nmap also attempts OS fingerprinting and often makes a good guess at the OS, in some cases even the version (e.g. the Linux kernel version).
One of the best free UNIX-based vulnerability scanners. It is fast, and built around a client-server architecture with encrypted communication between the client (Windows, UNIX or Java-based) and the server (UNIX-based). There is a language for writing plug-ins that perform additional scanning and intrusion tests, so if you want to extend the product or write custom modules you can do so. Nessus starts by scanning the target for open ports and attempting to fingerprint the OS; this is followed by a scan for vulnerabilities, with optional attempts to exploit them (optional since they may crash or otherwise "damage" the machine). Nessus generates decent output, with explanations of what each problem is and how to fix it (generally speaking, of course); you can also export the output to HTML files.
In the lectures we will limit ourselves to these two scanners.
Dr. Nikolai Bezroukov
Jul 22, 2009 | Insecure.org
"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/ . This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this."
See also Internet Control Message Protocol (ICMP)
packet storm -- packetstorm.securify.com: up-to-date list of major port scanners (and more)
FOCUS on Linux Security Tools -- up-to-date list of scanners (and more)
Nmap homepage -- has a good collection of links
ISS - Internet Security Systems -- IDS snake oil salesmen :-)
TCP-IP Ports - nice page with a lot of links to resources about TCP/IP services port mapping.
9th USENIX Security Symposium Paper Defeating TCP/IP Stack Fingerprinting Matthew Smart, G. Robert Malan, Farnam Jahanian
A practical approach for defeating Nmap OS-Fingerprinting
Camouflaging Nmap Scans July 17, 2003 - by Whistler,©HackinTheBox.
I like to hide my tracks whenever I am in the mood for a little snooping, or at least make it a little less obvious so I don't have to go through the bother of reapplying for another ISP account. Not as though it has ever happened before in this part of the world! Some of us possess that little nagging fear every time we fire up a port scanner, and some of us are numb to any sensation whatsoever. To those of you who suffer from bouts of emotional distress, I will show you in this article how nmap can be used to help camouflage your scans.
Snort - The Open Source Network IDS Ports DB -- nice online database where you can search for any port
Trojan TCP/IP Ports companion page to TCP-IP Ports: ports used by trojan horse and backdoor programs.
Nmap is one of the best generic network scanners. It supports ping scanning (determine which hosts are up), many esoteric port scanning techniques (determine what services the hosts are offering, even if they are firewalled), and TCP/IP fingerprinting (remote host operating system identification). All in all, a pretty robust free generic port scanner.
Scanning and Defending Networks with Nmap
Nlog is a set of perl scripts that allow you to search through your Nmap 2.x scan logs. Included is a conversion script and a complete CGI interface with 4 extensions and support for more. From your web browser you can search for all hosts with any given port open, operating system, sequence index, or IP address and query common services through the extension scripts.
Brief Description: A free, open-source and easy-to-use security auditing tool. Nessus is probably the best open-source and easy-to-use security auditing tool for Linux, BSD and some other systems. It is multithreaded and plugin-based, and has a nice X11 interface. It is extensible using NASL (Nessus Attack Scripting Language); security checks can also be written in C. Nessus does not assume that target hosts respect the IANA-assigned port numbers: it will recognize an FTP server running on a non-standard port (31337, say) or a web server running on port 8080. The current version performs more than 200 security checks against the remote networks.
Looks like the best bet among open source scanners. See also
The Nessus program consists of two parts: a server (which does the work of finding the holes and reporting them back to the client) and a client (which displays the results found by the server).
The server can be installed on a variety of UNIX boxes (including Linux, BSD and Solaris) and on Windows NT.
There are several clients: a GTK-based program that runs on any UNIX machine with GTK (the GIMP toolkit) installed, a Java-based program (which runs on Windows and on UNIX), and a Win32 program (which runs on any Windows NT/95/98 machine).
Actively maintained as of Jan 2001.
SARA - Security Auditor's Research Assistant -- The Security Auditor's Research Assistant (SARA) is a third-generation security analysis tool based on the SATAN model and released under a GNU GPL-like open license. It takes advantage of nmap if present. The author of SAINT, Bob Todd, later joined Advanced Research and has been working on SARA. The important plus is that it interfaces with third-party products such as nmap instead of reinventing the wheel.
Actively maintained as of Jan 2001.
SAINT http://www.wwdsi.com/saint/ (Security Administrator's Integrated Network Tool) is a security assessment tool based on SATAN. This is not the same thing as the outdated SATAN scanner... See also freshmeat.net Project details for Saint
SAINT (Security Administrator's Integrated Network Tool) is a security assessment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT and CIAC bulletins, 4 levels of severity (red, yellow, brown and green) and a feature-rich HTML interface.
saint-3.4.4-1.i386.rpm as of Feb 2002.
pscan Portable Perl Port Scanner
What is pscan?
pscan is a basic network port scanner written in Perl. There are several goals with pscan. First, portability. Second, simplicity. Third, education.
Portability arises because pscan relies only on Perl internals and two modules (Getopt::Long and Socket) that are included by default in the Perl distribution. pscan is not meant to rival nmap in terms of features, performance, etc. Instead, it is a quick and dirty port scanner that for general use is sufficient, not to mention being faster than grabbing a copy of nmap, whether source or binary.
Simplicity arises from the fact that as long as your system has a somewhat modern version of Perl, you should be able to run pscan the moment you download it. There is no need to install additional modules, let alone compile the software, before you can run it.
The education arises because this is also an effort to improve my Perl socket programming, among other areas. This area, no doubt, requires much progress, especially in regard to CIDR and UDP.
nss (Network Security Scanner) - nss is a perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. The majority of the tests can be performed by any non-privileged user on a typical Unix machine. The only test currently being performed that requires root privileges is the check for a bad hosts.equiv file. This test requires that a fake username (e.g., bin) be fed into rexec. Ethical (and possibly legal) concerns limit the tests that nss will run. nss will not create any files on remote machines nor will it run any non-trivial programs on remote machines. The only non-standard external program it invokes is ypx, a program that attempts to download the password map from a NIS server. ypx was posted in comp.sources.misc and is archived in volume 40. nss also requires the ftplib.pl package if you are running perl version 4.x. ftplib.pl is available from several perl archives such as ftp://anubis.ac.hmc.edu:/pub/perl/library/ftplib.pl.gz This program was developed on a DECstation 5000 running Ultrix 4.4. It has had superficial portability checks made under SunOS 4.1.3 and Irix 5.2 but extensive work has not been performed on those platforms.
Copyright 1995 by Douglas O'Neal. Everyone is granted permission to use and distribute this program provided that this copyright notice is retained in all copies distributed. Inclusion of this software in any commercial product without the express permission of the author is prohibited. This software is provided "as is" and without any express or implied warranties including the implied warranties of merchantability and fitness for any particular purpose. In no event shall the authors or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages arising out of the use of this software. Written by: Douglas O'Neal Doug.ONeal@jhu.edu
exscan 0.4 http://exscan.netpedia.net/exscan.html -- exscan is a network/Internet port scanner. It uses the "strobe-scan" technique, which means exscan only scans for certain services instead of scanning a range of ports. The key feature of exscan, which makes it different from other port scanners, is that it returns information on what is running. For example, if the target computer is running an FTP server, exscan will tell you which FTP server it is. Since version 0.3, remote operating system identification tells you which operating system the target of your scan is running.
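Strobe-style scanning plus banner grabbing is simple enough to show in full. The Python example below was written for this page and is not exscan's code; it connects to a list of ports in parallel, reads whatever the daemon announces, and pokes silent services with an HTTP HEAD request. start_fake_service() is a constructed stand-in for real daemons listening on 127.0.0.1 so the demo runs offline; against real hosts call connect_scan() directly.

```python
"""TCP connect scan with banner grabbing: 'what is running', not just 'what is open'.

Added example, not exscan's code. start_fake_service() is a constructed
stand-in for real daemons so that demo() runs offline against 127.0.0.1.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional


def grab_banner(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Return the banner of an open port ('' if it stays silent), None if closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)          # FTP, SMTP and SSH speak first
            except socket.timeout:
                data = b""
            if not data:
                # HTTP and friends wait for the client: send a harmless request.
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    data = s.recv(512)
                except OSError:
                    data = b""
            return data.decode("latin-1", "replace").strip()
    except OSError:                          # refused, unreachable or timed out
        return None


def connect_scan(host: str, ports: Iterable[int], timeout: float = 2.0,
                 workers: int = 64) -> Dict[int, str]:
    """Scan ports concurrently; map each open port to the banner it returned."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        found = pool.map(lambda p: (p, grab_banner(host, p, timeout)), ports)
        return {p: banner for p, banner in found if banner is not None}


def start_fake_service(banner: bytes) -> int:
    """Constructed daemon: listen on an ephemeral localhost port and send `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A localhost port nobody listens on (bind, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Two constructed services and one closed port, scanned on localhost."""
    ftp = start_fake_service(b"220 ftp.example.com FTP server ready\r\n")
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    closed = free_port()
    return {"ftp": ftp, "ssh": ssh, "closed": closed,
            "scan": connect_scan("127.0.0.1", [ftp, ssh, closed])}


if __name__ == "__main__":
    result = demo()
    for port, banner in sorted(result["scan"].items()):
        print(f"{port}/tcp open  {banner!r}")
```

A connect scan completes the three-way handshake, so it is logged by the daemon itself (and by any host firewall); that is the price of getting the banner, and it is why the half-open scanners listed further down exist.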
GtkPortScan http://www.calpoly.edu/~rbarrero/gtkportscan.html GtkPortScan is a functional Gtk+ port scanner for Linux that is very simple to use. It features dialog boxes for IP address, start port and stop port, a CList window for returned ports, and buttons for your clicking needs. It scans an IP address and reports the open ports through a user-friendly GUI.
IPPS http://www.lmn.pub.ro/~bruno/ipps/ IPPS is a TCP/IP port scanner which provides a custom port scan range, a subnet scan derived from the netmask of a host in that network, a specified source port for the scan, and output to a file so it can work all night without redirecting output on a huge command line.
relaycheck scans a network for SMTP hosts that permit "relaying" of email. These servers are a problem because a third party can use them to relay mail through the server for the purpose of spamming. relaycheck is a pretty crude tool, but it is fast and functional. It requires perl and libwww.
ftpcheck scans hosts and networks for FTP servers and anonymous FTP archives. It was written as a security analysis tool. ftpcheck is very fast: it can scan a class C network for anonymous FTP sites in under 5 seconds, by starting a new process for each connection. ftpcheck requires perl and libnet (from CPAN).
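The relay test that relaycheck performs is a short SMTP dialogue: greet the server, offer a sender and a recipient that are both foreign to it, and see whether the recipient is accepted. The added Python example below (not relaycheck's code) runs that dialogue and shows the decision logic; the ScriptedSMTP servers, host names and addresses are constructed for offline testing, and check_relay_host() is what you would point at a real mail host.

```python
"""Probe an SMTP server for open relaying.

Added example, not relaycheck's code. The verdict is taken from the RCPT TO
reply: a server that accepts a recipient in a domain it is not responsible
for, from a sender it does not know, is relaying. The scripted servers at the
bottom are constructed for offline testing.
"""
import socket
from typing import Dict, List, Tuple


class SMTPSession:
    """Tiny SMTP client over any object with recv()/sendall() (a socket or a fake)."""

    def __init__(self, conn):
        self.conn = conn
        self.buf = b""
        self.transcript: List[str] = []

    def read_reply(self) -> int:
        """Read one reply, including 'NNN-' continuation lines; return the code."""
        while True:
            while b"\n" not in self.buf:
                chunk = self.conn.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                self.buf += chunk
            line, self.buf = self.buf.split(b"\n", 1)
            text = line.rstrip(b"\r").decode("latin-1")
            self.transcript.append("S: " + text)
            if len(text) < 4 or text[3] != "-":
                return int(text[:3])

    def command(self, line: str) -> int:
        self.transcript.append("C: " + line)
        self.conn.sendall((line + "\r\n").encode("latin-1"))
        return self.read_reply()


def check_relay(conn, helo: str = "relaycheck.example.net",
                sender: str = "probe@example.net",
                rcpt: str = "probe@example.org") -> Tuple[str, List[str]]:
    """Return (verdict, transcript). sender and rcpt must both be foreign to
    the target, otherwise an accepted recipient proves nothing."""
    s = SMTPSession(conn)
    if s.read_reply() != 220:
        return "not-smtp", s.transcript
    if s.command(f"HELO {helo}") != 250:
        return "helo-rejected", s.transcript
    if s.command(f"MAIL FROM:<{sender}>") != 250:
        return "sender-rejected", s.transcript
    code = s.command(f"RCPT TO:<{rcpt}>")
    verdict = "open-relay" if code in (250, 251) else "relay-denied"
    s.command("RSET")   # never send DATA: no message is actually injected
    s.command("QUIT")
    return verdict, s.transcript


def check_relay_host(host: str, port: int = 25, timeout: float = 15.0):
    """Run the probe against a real mail host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return check_relay(sock)


class ScriptedSMTP:
    """Constructed fake server: answers each verb from a table, no network."""

    def __init__(self, greeting: str, replies: Dict[str, str]):
        self.out = (greeting + "\r\n").encode("latin-1")
        self.replies = replies

    def recv(self, n: int) -> bytes:
        data, self.out = self.out[:n], self.out[n:]
        return data

    def sendall(self, data: bytes) -> None:
        verb = data.decode("latin-1").split(":")[0].split()[0].upper()
        reply = self.replies.get(verb, "500 Command unrecognized")
        self.out += (reply + "\r\n").encode("latin-1")


_COMMON = {"HELO": "250 mail.example.com", "MAIL": "250 2.1.0 Ok",
           "RSET": "250 2.0.0 Ok", "QUIT": "221 2.0.0 Bye"}


def open_relay_server() -> ScriptedSMTP:
    return ScriptedSMTP("220 mail.example.com ESMTP", {**_COMMON, "RCPT": "250 2.1.5 Ok"})


def locked_down_server() -> ScriptedSMTP:
    return ScriptedSMTP("220 mail.example.com ESMTP",
                        {**_COMMON, "RCPT": "554 5.7.1 <probe@example.org>: Relay access denied"})


def demo() -> Dict[str, str]:
    return {"open": check_relay(open_relay_server())[0],
            "locked": check_relay(locked_down_server())[0]}


if __name__ == "__main__":
    for name, srv in (("open relay", open_relay_server()), ("locked down", locked_down_server())):
        verdict, transcript = check_relay(srv)
        print(f"== {name}: {verdict}")
        print("\n".join(transcript))
```

Caveat: some servers accept every RCPT TO and only reject (or silently discard) at DATA time, so a 250 here is strong evidence rather than proof, while a 5xx at RCPT is conclusive. Use a sender and a recipient domain the target is not responsible for, otherwise you are testing delivery, not relaying.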
SecuriTeam.com (WebTrends release Security Analyzer)
WebTrends's Security Analyzer home page can be found at: http://www.webtrends.com/products/wsa/default.htm
Cisco Systems' NetSonar Vulnerability Scanner and Network Mapping System 1.0 ($20K traveling license, support contract is extra)
Secure Networks' Ballista Security Auditing System 2.4.
Network security hole scanning, network hacking protection
CiscoAuditingTool g0ne <g0ne at shell.scrypt.net> - May 23rd 2000, 22:30 EST
Cisco Auditing Tool is a Perl script which scans cisco routers for common vulnerabilities. It checks for default passwords, easily guessable community names, and the IOS history bug. Includes support for plugins and scanning multiple hosts.
NBChk skalore <skalore at sd2600.net> - November 14th 1999, 14:35 EST
NBChk is a multi-threaded Perl banner-checking utility that is fully configurable and can scan a full/partial class-C network, hosts from a file, or a single host for configured vulnerabilities.
RainForestPuppy's Whisker CGI Scanner -- Perl based. Somewhat perverse, but still usable.
Includes the following features:
1) The CGI directory can be changed from the default '/cgi-bin' to one of your own choosing, or to a set of well-known CGI paths.
2) Before checking for a vulnerability Whisker verifies that the CGI directory exists and that the CGI itself exists, reducing the number of false positives.
3) The server type and version are checked prior to any testing, avoiding checks for CGIs the server cannot have (e.g. testing for the details.idc vulnerability on an Apache server is futile, since it is an IIS issue).
4) Virtual hosting is fully supported, allowing Whisker to test vulnerabilities against sub-domains on the same server (a feature not supported by all CGI scanners).
5) Whisker can be taught to see through custom "success" pages that are really "not found" errors (a 200 status with an error body); this minimizes false positives.
6) Whisker was written in Perl for easy portability and manipulation.
7) Interoperability with other products/files, such as comma-separated files, nmap result files, IP subnets, etc.
8) Written in a scripting language, so people can easily add new scanning scripts.
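Features 2 and 5 above are what separate a useful CGI scanner from a noise generator. The added Python example below (not Whisker's code) implements both: it first learns what the server's "not found" page looks like by requesting a name that cannot exist, then treats any later response with the same fingerprint as absent even when the status is 200, and it skips the whole directory if that is missing. fetch stands in for an HTTP client and returns (status, body); fake_site(), the sample responses and the candidate names are constructed for offline use.

```python
"""Reduce CGI-scanner false positives: learn the 'not found' page, then compare.

Added example, not Whisker's code. `fetch` stands in for an HTTP client and
returns (status, body); the fake sites below are constructed.
"""
import hashlib
import random
import re
import string
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]
Fetch = Callable[[str], Response]


def page_fingerprint(resp: Response, path: str) -> str:
    """Hash a response after removing the requested path and whitespace, so two
    custom 'not found' pages for different URLs yield the same fingerprint."""
    status, body = resp
    body = re.sub(r"\s+", " ", body.replace(path, ""))
    return f"{status}:{hashlib.sha256(body.encode()).hexdigest()[:16]}"


def learn_not_found(fetch: Fetch, cgi_dir: str) -> str:
    """Request a name that cannot exist and remember what 'not found' looks like."""
    bogus = cgi_dir + "/" + "".join(random.choices(string.ascii_lowercase, k=16))
    return page_fingerprint(fetch(bogus), bogus)


def naive_scan(fetch: Fetch, cgi_dir: str, names: List[str]) -> Dict[str, bool]:
    """What a status-code-only scanner does: any 200 counts as 'present'."""
    return {f"{cgi_dir}/{n}": fetch(f"{cgi_dir}/{n}")[0] == 200 for n in names}


def scan_cgis(fetch: Fetch, cgi_dir: str, names: List[str]) -> Dict[str, str]:
    not_found = learn_not_found(fetch, cgi_dir)
    dir_path = cgi_dir + "/"
    dir_resp = fetch(dir_path)
    # Feature 2: give up on the directory if it is missing (real 404 or the custom page).
    if dir_resp[0] == 404 or page_fingerprint(dir_resp, dir_path) == not_found:
        return {cgi_dir: "directory missing"}
    results: Dict[str, str] = {}
    for name in names:
        path = f"{cgi_dir}/{name}"
        resp = fetch(path)
        if resp[0] == 404:
            results[path] = "absent"
        elif page_fingerprint(resp, path) == not_found:   # feature 5
            results[path] = "absent (custom not-found page)"
        elif resp[0] in (200, 403, 500):
            results[path] = f"present (HTTP {resp[0]})"
        else:
            results[path] = f"unclear (HTTP {resp[0]})"
    return results


def fake_site(existing: Dict[str, Response], custom_not_found: bool) -> Fetch:
    """Constructed web server: known paths come from `existing`; anything else is
    either a real 404 or a 200 'friendly' error page that echoes the path."""
    def fetch(path: str) -> Response:
        if path in existing:
            return existing[path]
        if custom_not_found:
            return 200, f"<html><body><h1>Oops!</h1><p>We could not find {path}.</p></body></html>"
        return 404, "<html><body><h1>Not Found</h1></body></html>"
    return fetch


CANDIDATES = ["test-cgi", "printenv"]      # Apache's sample CGIs, used as candidates
PRESENT = {"/cgi-bin/": (403, "<html><body><h1>Forbidden</h1></body></html>"),
           "/cgi-bin/printenv": (200, "SERVER_SOFTWARE=Apache/1.3.12\nDOCUMENT_ROOT=/var/www\n")}


def demo() -> Dict[str, object]:
    friendly = fake_site(PRESENT, custom_not_found=True)
    plain = fake_site(PRESENT, custom_not_found=False)
    return {
        "naive_on_friendly": naive_scan(friendly, "/cgi-bin", CANDIDATES),
        "whisker_on_friendly": scan_cgis(friendly, "/cgi-bin", CANDIDATES),
        "whisker_on_plain": scan_cgis(plain, "/cgi-bin", CANDIDATES),
        "no_cgi_dir": scan_cgis(fake_site({}, custom_not_found=True), "/cgi-bin", CANDIDATES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The naive scanner reports both candidates as present on the "friendly" site because every unknown path comes back as 200; the fingerprint comparison keeps only the CGI that is really there. Fingerprinting is fragile when the error page embeds a timestamp or a random token, so a production scanner would compare on body length and a few stable tokens as well.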
cgichk is a web vulnerability tool that automatically searches for a series of interesting directories and files on a given site. It also includes a whois lookup.
Changes: All directory/file strings have been moved out of the program into config files so you can edit them without having to recompile. The config file should now be easy to understand. The -F and -I switches have been changed to lowercase. The options -C (to specify an alternate config file) and -W (to specify an alternate whois server) have been added.
Study Guides for testing, reading, writing, and classroom participation -- interesting side link !!!
NTOScanner126.exe -- A fast TCP/IP port scanner for Windows NT platforms. NTO Scanner v1.26 has been clocked scanning 5,000 ports in 8 seconds and all 65k in 3:30 minutes. It scanned 1,200 ports on 50 hosts in 3 minutes. 5-star freeware from NT OBJECTives, Inc. 457.656 kb.
|ADMgates||ADM Linux-based Wingate scanner, scan entire zones|
|ADMscan3||Utility to ping hosts in order to map networks|
|ADMsnmp||ADM's SNMP scanner|
|Allhosts||Mass DNS Query|
|dnsscan||Mass DNS query tool to generate host listings for domains/networks|
|domainscan||Utility to mass-resolve IP addresses in class B or C networks|
|firewalk||Firewalk is a network auditing tool that attempts to determine which transport protocols (and ports) a given gateway will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the number of hops to the targeted gateway. If the gateway allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP TIME_EXCEEDED message. If the gateway does not allow the traffic, it will most likely drop the packets on the floor and we will see no response.|
|ftpcheck||Perl script to scan class-c networks for machines running FTP|
|halfscan||Half opened connection portscanner|
|hping070-lin||hping v0.70 for Linux, tool for testing packet filters|
|hping070-sol||hping v0.70 for Solaris, tool for testing packet filters|
|ident-scan||TCP portscanner that uses identd querying|
|Identscan||Can be useful to determine who is running daemons on high ports that can be security risks.|
|imapd_scan||Shellscript to exploit entire networks using the Linux IMAP vulnerability|
|IP Tools 2000||Many Network/Internet Information Tools! Multithreaded, Multidocument Interface! Network scanner, Port Scanner, Scan any class C or class B network for any number of open ports. Find information on domain names, owners, and administrators. Find information on users of a UNIX machine. Find what ports you have open, so you can close potential security holes. Graphical ping utility, Graphical DNS/Whois/Finger utility. Graphical utility for testing port commands on servers.|
|IP.id scan||Scanner that does not directly contact the target host (it infers the target's replies from a third host's IP ID counter) and is therefore practically untraceable.|
|IPPx||Fast multithreaded port scanner, controllable via a powerful script language to query ports for detailed information such as anonymous access on FTP servers, weak telnet passwords and so on. Displays found devices in clearly laid-out graphics or lists, together with details such as found ports, exchanged data and more.|
|ipscanmaster||Windows based port scanner, multithreaded.|
|iptools2000||Windows based port scanner with extra tools.|
|java-cgi-scan||Java CGI vulnerability scanner|
|mscan||Network scanner, checks for various default security problems|
|mtutest||Tool to check packet filters|
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019