This paper details many of the techniques used to determine what ports (or
similar protocol abstraction) of a host are listening for connections. These
ports represent potential communication channels. Mapping their existence
facilitates the exchange of information with the host, and thus it is quite
useful for anyone wishing to explore their networked environment, including
hackers. Despite what you have heard from the media, the Internet is NOT
all about TCP port 80. Anyone who relies exclusively on the WWW for
information gathering is likely to gain the same level of proficiency as your
average AOLer, who does the same. This paper is also meant to serve as an
introduction to and ancillary documentation for a coding project I have been
working on. It is a full featured, robust port scanner which (I hope) solves
some of the problems I have encountered when dealing with other scanners and
when working to scan massive networks. The tool, nmap, supports the following:
Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need. Much of the field of advertising is based on this paradigm, and the "to current resident" brute force style of bulk mail is an almost perfect parallel to what we will discuss. Just stick a message in every mailbox and wait for the responses to trickle back.
Scanning entered the h/p world along with the phone systems. Here we have this tremendous global telecommunications network, all reachable through codes on our telephone. Millions of numbers are reachable locally, yet we may only be interested in 0.5% of these numbers, perhaps those that answer with a carrier.
The logical solution to finding those numbers that interest us is to try them all. Thus the field of "wardialing" arose. Excellent programs like Toneloc were developed to facilitate the probing of entire exchanges and more. The basic idea is simple. If you dial a number and your modem gives you a CONNECT, you record it. Otherwise the computer hangs up and tirelessly dials the next one.
While wardialing is still useful, we are now finding that many of
the computers we wish to communicate with are connected through
networks such as the Internet rather than analog phone dialups.
Scanning these machines involves the same brute force technique. We
send a blizzard of packets for various protocols, and we deduce which
services are listening from the responses we receive (or don't
Over time, a number of techniques have been developed for surveying the
protocols and ports on which a target machine is listening. They all offer
different benefits and problems. Here is a line up of the most common:
For port scanning, our technique is to use the PORT command to declare that our passive "User-DTP" is listening on the target box at a certain port number. Then we try to LIST the current directory, and the result is sent over the Server-DTP channel. If our target host is listening on the specified port, the transfer will be successful (generating a 150 and a 226 response). Otherwise we will get "425 Can't build data connection: Connection refused." Then we issue another PORT command to try the next port on the target host. The advantages to this approach are obvious (harder to trace, potential to bypass firewalls). The main disadvantages are that it is slow, and that some FTP servers have finally got a clue and disabled the proxy "feature". For what it is worth, here is a list of banners from sites where it does/doesn't work:
*Bounce attacks worked:*
220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready. 220 xxx.xxx.xxx.edu FTP server ready. 220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready. 220 lem FTP server (SunOS 4.1) ready. 220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready. 220 elios FTP server (SunOS 4.1) ready
*Bounce attack failed:*
220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready. 220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7 220 ftp Microsoft FTP Service (Version 3.0). 220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready. 220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.The 'x's are partly there to protect those guilty of running a flawed server, but mostly just to make the lines fit in 80 columns. Same thing with the ellipse points. The bounce attack is available with the -b
Some people think UDP scanning is lame and pointless. I usually
remind them of the recent Solaris rcpbind hole. Rpcbind can be found
hiding on an undocumented UDP port somewhere above 32770. So it
doesn't matter that 111 is blocked by the firewall. But can you find
which of the more than 30,000 high ports it is listening on? With a
UDP scanner you can!
Prior to writing nmap, I spent a lot of time with other scanners
exploring the Internet and various private networks (note the
avoidance of the "intranet" buzzword). I have used many of the top
scanners available today, including strobe by Julian Assange, netcat
by *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius, ident-scan by
Dave Goldsmith, and the SATAN tcp/udp scanners by Wietse Venema.
These are all excellent scanners! In fact, I ended up hacking most of
them to support the best features of the others. Finally I decided to
write a whole new scanner, rather than rely on hacked versions of a
dozen different scanners in my /usr/local/sbin. While I wrote all the
code, nmap uses a lot of good ideas from its predecessors. I also
incorporated some new stuff like fragmentation scanning and options
that were on my "wish list" for other scanners. Here are some of the
(IMHO) useful features of nmap:
-v (verbose): This is highly recommended for interactive use. Among other useful messages, you will see ports come up as they are found, rather than having to wait for the sorted summary list. -r (randomize): This will randomize the order in which the target host's ports are scanned. -q (quash argv): This changes argv to FAKE_ARGV ("pine" by default). It also eliminates all other arguments, so you won't look too suspicious in 'w' or 'ps' listings. -h for an options summary. -R show and resolve all hosts, even down ones.Also look for http://www.dhp.com/~fyodor/nmap/, which is the web site I plan to put future versions and more information on. In fact, you would be well advised to check there right now. (If that isn't where you are reading this).
# nmap -Up 143 220.127.116.11/16 18.104.22.168/16To do a standard tcp scan on the reserved ports of host <target>:
> nmap targetTo check the class 'C' network on which warez.com sits for popular services (via fragmented SIN scan):
# nmap -fsp 21,22,23,25,80,110 warez.com/24To scan the same network for all the services in your /etc/services via (very fast) tcp scan:
> nmap -F warez.com/24To scan secret.pathetic.net using the ftp bounce attack off of ftp.pathetic.net:
> nmap -Db ftp.pathetic.net secret.pathetic.netTo find hosts that are up in the the adjacent class C's 193.14.12, .13, .14, .15, ... , .30:
> nmap -P '193.14.[12-30].*'If you don't want to have to quote it to avoid shell interpretation, this does the same thing:
> nmap -P 193.14.12-30.0-255