Port Scanner ideas?

[ZeroOne]

Hi,

From all the port scanners you have been using, is there a function that you always find missing? I am trying to come up with new ideas for a port scanner, like a cool/powerful feature. Any ideas I'm kind of stuck (It can be anything from GUI to command-line)

Thanks

[MaXe]

Being able to schedule scans directly with the port scanner, without using custom scripting such as bash. (I am not familiar with a default feature within the commandline package that allows this. But the Windows package should have a service that can do this, Inprotect probably has it too: http://inprotect.sourceforge.net/ )

[Cyber.spirit]

Yeah MaXe all of port scanners has same features  but schedule scans is great and something that IDK is can we scan multiple host through command line?? if we can and if it's possible i think it can be good feature for your port scanner.

Good Luck

Regards Cyber.Spirit

[ZeroOne]

MaXe, excellent idea thanks

[ZeroOne]

scan multiple host through command line??

This could slow down the process of scanning as the network interface buffer could get overloaded if the user scans loads of multiple hosts. also can introduce multi-threading risks. thanks for trying though  

[MaXe]

Yeah MaXe all of port scanners has same features  but schedule scans is great and something that IDK is can we scan multiple host through command line?? if we can and if it's possible i think it can be good feature for your port scanner.

I think you should learn more about NMAP, as it has been possible to scan multiple hosts in that tool, since the beginning I assume, as I have been able to do it for the last 10 years.  

Scheduling scans, is possible with Nessus, Qualys, Burp (pro version only afaik), Acunetix, and a variety of other tools. I can schedule almost anything natively in each program, except for NMAP in the command line as far as I am concerned.

scan multiple host through command line??

This could slow down the process of scanning as the network interface buffer could get overloaded if the user scans loads of multiple hosts. also can introduce multi-threading risks. thanks for trying though  

No it won't overload the network interface if you do it with e.g. NMAP. If you use hping and send a syn flood with no timeout, you will most likely overload it, because you will be sending a million packets in a few seconds, while NMAP, even with -T5 (timing: aggressive), will probably never do that for good reasons. Same thing with scanrand.

There is no slowing down of the scanning process, only waiting for the final results. (i.e. it would take longer.)

Plus, what else should you be doing on your own computer, or your dedicated computer having a network purpose, while you scan for open services? Nothing. If you don't know what is available to you, the ethical hacker / penetration tester, there is nothing to attack server-side, so naturally like any other hacker do, you do the scans, even if it's just a simple port scan, and then you dive in further. (See Penetration Testing Frameworks, such as NIST SP800-42, PTES, etc. There's a reason why port scanning, is one of the first (not the very first), process of penetration testing, before you even think about anything else.)

Try:

Code:

nmap -sS -T5 192.168.1.0/24

Or whatever your local IP-address range is. /24 is a CIDR notation, which I won't explain in detail, but in this case it means "192.168.1.0-192.168.1.255". So, you would be scanning multiple hosts with NMAP, and I don't see any problems with that  


Exactly how do you think penetration testers, etc., work when they have to attack a network of 300, 1000, or 10000 hosts? Do you think they specify each single scan manually, or do you think they specify ranges or hosts?  

[ZeroOne]

I was actually speaking of doing this in object oriented programming, this isn't an issue in nmap I know but it is for me, now you got me into thinking of actually doing it, it introduces a lot of multi-threading control but your post was just a reminder for me on how important it is. keep them coming 

[H1t M0nk3y]

Hi ZeroOne,

What language are you using for this? Because when you say "object oriented programming", you know you have to have lots of control over the TCP and/or UDP packets. Depending on which language you are using, this can prove to be quite a challenge, as OO languages are abstracting this layer completely. But that being said, it is always possible. That's why many developers use WinPcap or things like that to really control network communications at a fine level.

But I am sure you already know this, right? 

So what is exactly your goal? Are you trying to write a new tool? Are you working on an exploit? Or are you just playing around (I do that all the time!!)?

[ZeroOne]

Hi ZeroOne,

Hi H1t M0nk3y,

I am using Java for this task, first I didn't know that Java does not have access to the IP layer (the lowest it can get is to Transport Layer), so I did some research and found out about the pcap library. The job was easier after I found out that the JPCAP library exists (not the one on sourceforge), which uses the WinPcap/LibPcap libraries, wraps them up from C to Java including the important functions of pcap such as reading/sending packets, it is actually written for sniffing the network but since it can send packets I am using it to scan ports, I have figured out how to send a packet with controlling flags, also read the flags set in the responding packet form the target also I have a full control of all the headers (introducing spoofing), supporting different protocols (TCP/UDP/ICMP/ARP), I am aware of what happens in the back end when sniffing the packet as Tcpdump provides a very well written document for that (at the kernel space and user space), only not fully aware on how the sending part occur as there is no documents for that. The challenging part is multi-threading (at least for me), imagine the control of threads when the users scans 1000 or 60000 ports, struggling with this, also when the user enters multiple hosts, so its like creating multiple threads of threads.

I am doing this for educational purposes and also provide some functions that are not in other scanners such as schedulers that Maxe suggested and some others, my program isn't strong enough yet (it can't detect the OS) this is a whole topic by itself and requires a lot of researches, really just trying to make it decent/simple at first then will add more complex features such as idle scanning/OS fingerprinting.. and yes it is CHALLENGING!

How about you what languages do you use for this?

Thanks,

[H1t M0nk3y]

Good to see you have already made some progress ZeroOne!

I have been coding in Java for 14 years now and I am currently working on writing a web service scanner (part time) using this language. I have used JPCAP once in the past, but franckly, I don't remember anything...

And yes, I have done enough multithreading to understand your pain when trying to multithread 1000 hosts X 65000 ports. But really, if tools like nmap can't do it, it's for a reason... 

Scanning all ports of each host on an entire network is not practical. You will either exhaust the network, your RAM or your CPU. You have to take a statistical approach. It is like a survey, there is no need to ask the opinion of every single citizen in a given country. A few thousands "wisely picked" will be a close enough representation of the majority.

That being said, I strongly encourage you to continue with your project and multithread your scans. You will learn a lot and you will also find out that it is a viable solution for a single host or something like that. I would be very curious to see your results...

Good luck!