wethcr

scanning IP range for open ports

16 posts in this topic

For a case study in class I was given approval to scan my campus network for vulnerabilities. For some reason the network admin put all of the computers on a single subnet, so I can scan all computers on the network. Is there a program that scans all of the computers and lists the OS and ports open on the computers? This is purely for education, and I was given permission.


SuperScan3 or 4 works.

SuperScan4 Download

I would use SuperScan3 but some people I know really like SuperScan4 but I like SuperScan3.

Need any more help just email me.

You can find my email on my personal page.

Later

biosphear

For a case study in class I was given approval to scan my campus network for vulnerabilities.

If you are scanning for vulnerabilities, I would recommend you use Nessus. If you just want OS and open ports, any of the apps previously listed should give you what you are looking for. I will say that most people reach for nmap when they need to do a scan. SuperScan 4 is nice. It will enumerate the Windows hosts it finds. I have no experience with Essential NetTools, but I googled it and it looks like it will meet your needs.

Hope that helps

Uncue


Careful when you do this, scanning the entire network for all ports (assuming you are doing a connect scan because you have permission) runs the risk of DoS on the network. Just a thought..


That brings up another point, Nessus can kill a server. I wouldn't run the DoS plugins. I'd also recommend running it in lab that has some servers/workstations that are similar to what you will be running them against on your live network so that you have some idea if it's going to cause problems or not. If you don't have extra machines, you can use vmware to create a couple of virtual machines.


As was stated before, use nmap. It is simply the best out there. You'll need to have root permissions (or I suppose administrator on Windows), but it is probably the most accomplished port scanner out there. It'll also profile the systems it scans. Depending on the size of the network it may take a LONG time though.

To scan a network like 10.0.0.1/24 you'd do something like this:

sudo nmap -sS -p1-65535 -P0 -A -vv 10.0.0.*


If you are behind a Cisco router that is keeping track of half-open connections, I would recommend not using the -sS switch, instead opting for the -sT (Connect) switch, especially since you have permission. By using the -sS switch you will fill up the connection table on the router and no one will be able to route to either side of the router. The default amount of connections the router tracks is something crazy like 3 billion, but that's nothing for an nmap scan of all ports to chew through. There is no way to tell the router to ignore connections from one workstation.

Edited by Uncue
If you are behind a Cisco router that is keeping track of half-open connections, I would recommend not using the -sS switch, instead opting for the -sT (Connect) switch, especially since you have permission. By using the -sS switch you will fill up the connection table on the router and no one will be able to route to either side of the router. The default amount of connections the router tracks is something crazy like 3 billion, but that's nothing for an nmap scan of all ports to chew through. There is no way to tell the router to ignore connections from one workstation.

Wait, what? Using -sS means no actual connection is being made, so how could it fill up the connection table? An -sT scan on all IP addresses and all ports would take much longer.

It also depends on where you are scanning from. If you are scanning from an external location you're not going to get all of the computers' information; you're going to get information on how the router/NAT box is configured, i.e. port forwarding/triggering etc. The subnet could be easily vulnerable to somebody who is already inside due to lack of firewalls, Windows updates (assuming the subnet is a Windows domain) and malware on each computer. There are multiple approaches you need to consider before you run an assessment of your network's security.

Correct me if I am wrong.

Edited by Remix
Wait, what? Using -sS means no actual connection is being made, so how could it fill up the connection table? An -sT scan on all IP addresses and all ports would take much longer.

Actually, -sS means just send SYN packets and -sT means complete the connection (this will take longer). Reference here. (I'm providing this for people who don't know, not you Remix) :)

For a TCP connection to be created, there are three parts: SYN, SYN/ACK, and ACK. If you are scanning through a Cisco firewall with the FW feature set that is tracking connections, it keeps track of all the SYNs that are created as your port scanner does a half-open scan. The scanning machines respond to your SYNs with SYN/ACKs, but your scanner never completes the connection by responding with ACK packets. This is the reason that the connection table fills up and causes the router to crash. I'm just pointing this out as something to be cautious about.

It also depends on where you are scanning from. If you are scanning from an external location you're not going to get all of the computers' information; you're going to get information on how the router/NAT box is configured, i.e. port forwarding/triggering etc. The subnet could be easily vulnerable to somebody who is already inside due to lack of firewalls, Windows updates (assuming the subnet is a Windows domain) and malware on each computer. There are multiple approaches you need to consider before you run an assessment of your network's security.

Agreed. The only thing that I would add is that not all firewalls/routers are doing NAT. Say you have a router with the FW feature set blocking connections from, in this case, the resident LAN to, say, the Accounting LAN where all the important information is stored. There would be no reason for students to access these systems. There would also be no reason for the Accounting LAN to be NATed.

Hope that makes sense. Very good point about knowing your network before scanning blind. This goes back to why I brought up this point.

Edited by Uncue
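The exchange above (the nmap -sS versus -sT command in the earlier post, and Uncue's description of a stateful firewall tracking SYN, SYN/ACK and ACK) can be made concrete with a small simulation of a connection table. This is an added example, not code from the thread or from nmap; the capacity, timeouts, addresses and packet sequences are constructed assumptions. It models three probe styles: a half-open probe that never completes or tears down the handshake (the behaviour Uncue describes), a SYN probe whose sender answers the SYN/ACK with a RST, and a full connect followed by a close. A tracker that only clears entries on teardown or timeout keeps the half-open entries until their SYN timeout, which is what fills the table; the other two styles leave nothing behind.

```python
"""Simulate a stateful connection tracker (a firewall's or router's connection
table) to show how half-open probes and full connects age out of it differently.
Added example with constructed values; not the thread's or nmap's own code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed timeouts: how long an entry lingers without further packets.
SYN_TIMEOUT = 30.0          # half-open entry (SYN seen, no ACK yet)
ESTABLISHED_TIMEOUT = 300.0  # fully established entry


@dataclass
class Packet:
    t: float      # seconds since start of the simulation
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" (SYN), "SA" (SYN/ACK), "A" (ACK), "R" (RST), "F" (FIN)


Key = Tuple[str, int, str, int]   # (client, client_port, server, server_port)


class ConnTable:
    """Tracks connections keyed on the client-side tuple; refuses new SYNs when full."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: Dict[Key, Tuple[str, float]] = {}   # key -> (state, last_seen)
        self.dropped = 0                                   # SYNs refused because the table was full

    def _expire(self, now: float) -> None:
        """Remove entries that have been idle longer than their state's timeout."""
        for k, (state, seen) in list(self.entries.items()):
            limit = SYN_TIMEOUT if state == "SYN_SEEN" else ESTABLISHED_TIMEOUT
            if now - seen > limit:
                del self.entries[k]

    def process(self, p: Packet) -> None:
        self._expire(p.t)
        if p.flags == "S":
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.entries and len(self.entries) >= self.capacity:
                self.dropped += 1     # table full: this connection attempt is refused
                return
            self.entries[key] = ("SYN_SEEN", p.t)
            return
        # Any later packet: locate the entry from either direction of the flow.
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.entries else rev
        if key not in self.entries:
            return
        state, _ = self.entries[key]
        if p.flags in ("R", "F"):
            del self.entries[key]     # teardown clears the entry immediately
        elif p.flags == "A" and state == "SYN_SEEN" and (p.src, p.sport) == key[:2]:
            self.entries[key] = ("ESTABLISHED", p.t)   # client's ACK completes the handshake
        else:
            self.entries[key] = (state, p.t)            # refresh last_seen

    def half_open(self) -> int:
        return sum(1 for s, _ in self.entries.values() if s == "SYN_SEEN")


def probe(scanner: str, target: str, port: int, t: float, mode: str) -> List[Packet]:
    """Packets exchanged for one port probe; the target always answers SYN/ACK (open port)."""
    sport = 40000 + port
    pkts = [Packet(t, scanner, sport, target, port, "S"),
            Packet(t + 0.001, target, port, scanner, sport, "SA")]
    if mode == "half_open":       # SYN only, handshake never completed or torn down
        return pkts
    if mode == "syn_rst":         # scanner answers the SYN/ACK with a RST
        pkts.append(Packet(t + 0.002, scanner, sport, target, port, "R"))
    elif mode == "connect":       # full handshake, then an orderly close
        pkts.append(Packet(t + 0.002, scanner, sport, target, port, "A"))
        pkts.append(Packet(t + 0.003, scanner, sport, target, port, "F"))
    return pkts


def run_scan(mode: str, ports: int = 1000, capacity: int = 500, rate: float = 1000.0) -> dict:
    """Probe `ports` ports at `rate` probes/second through a table of `capacity` entries."""
    table = ConnTable(capacity)
    scanner, target = "10.0.0.5", "10.0.0.20"   # constructed addresses
    for i in range(ports):
        for p in probe(scanner, target, i + 1, i / rate, mode):
            table.process(p)
    return {"entries": len(table.entries), "half_open": table.half_open(), "dropped": table.dropped}


if __name__ == "__main__":
    for mode in ("half_open", "syn_rst", "connect"):
        print(mode, run_scan(mode))
    print("half_open, slow (10/s):", run_scan("half_open", rate=10.0))
```

With 1000 probes at 1000/s against a 500-entry table, the half-open mode fills the table and has the remaining 500 attempts refused, while the RST and connect modes end with an empty table. Slowing the same half-open scan to 10 probes/s lets entries expire before the table fills, which is the reason a tracker's SYN timeout and capacity, together with the scan rate, decide whether a scan of all ports on every host becomes a denial of service for everything behind that device.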

I would use nmap too.

Doesn't Nessus use nmap for port scanning?

Might be interested in trying db_autopwn.

Possibly try X-Scan too. It's a nice Windows port and vulnerability scanner. It uses Nessus plugins for its vulnerabilities.

http://www.xfocus.org/programs/200507/18.html

Edited by xof7
I would use nmap too.

Doesn't Nessus use nmap for port scanning?

This is how Nessus uses nmap. It actually uses it via a plugin.

http://www.nessus.org/documentation/index.php?doc=nmap-usage

The reason I suggested Nessus is because he specifically said he was looking for open ports, but in the next sentence says vulnerabilities. nmap should be used to find open ports and Nessus for vulnerabilities.


gcc

gcc

If he doesn't know any port scanners to use, then compiling C code on Linux probably isn't up his alley.
