LITTLEBLACKDOG.COM
Skookum
Butt Sniffer


Joined: 26 Oct 2001 Posts: 1541
Location: I dunno, I lost my Mommy
Posted: Tue Apr 04, 2006 7:04 pm
Post subject: Manual Port Scanners
Okay my boredom at work is never ending.
I posted in the Unix side for help on using snoop but I have not received a reply yet so I am thinking that is a dead end with what I want to do.
I sat down and thought about the problem. They highly frown upon software being installed, but I have been given the green light on whatever scripts that I want to write.
And I came up with a lame brain idea.
I may not be all that old but I still remember War Dialing from way back in the day. I also remember I think it was A-Dial. I am kind of wanting to do something similar. Before I learned of A-Dial's existence I had written a batch file that would go through and test numbers for me. It was a junky little file that died often and I had to manually enter the phone range into the batch file before I ran the file, but it did work.
I am wanting to do the same thing with a port scanner. I am wanting to either write my own script, or learn to do this manually. I did some research the past couple of days and so far I know that I need to create a packet, and I need to set up 2 packets for the 3-way handshake. I know that the source and destination addresses are 16-bit. But past that I am not sure where to go.
Does anyone have any suggestions on either books or websites that I can go to, to learn more about this? It appears to me that I have to set up packets for specific services and send them to that service's port, but from what I read I can just send a generic packet and then examine the ACK or the RST to see if the port is opened or closed. At this point I don't even care about the service per se but that will eventually come up in the future.
Now most of you will say just use nmap or some other port scanner rather than trying to do it manually, and that would be the smart thing to do. But honestly if I try doing this manually then this will help me with my networking skills, my programming skills, and most importantly give me a project to keep me from killing the people that call me on the phones all day.
Any info dump suggestions?
Oh yeah by the way I do not have internet access at work, so the conceptualization will be done at home and the programming will be done at work.
_________________ "Paranoia is no longer a mental illness it is a way of life" - Me
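As an added example (not part of the original post or thread), the Python sketch below shows the fixed 20-byte TCP header the question is about: the 16-bit fields are the source and destination ports, and the flag byte of a reply to a SYN is what distinguishes an open port (SYN+ACK) from a closed one (RST). The sample headers are constructed, nothing is sent on the network, and the function names are made up for this illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_FMT = "!HHIIBBHHH"  # ports, seq, ack, offset, flags, window, checksum, urgent

def build_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Pack a 20-byte TCP header with no options; checksum is left at 0."""
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack,
                       5 << 4, flags, window, 0, 0)

def parse_header(data):
    """Unpack the fixed 20-byte part of a TCP header into a dict."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off, flags, win, _csum, _urg = struct.unpack(
        TCP_FMT, data[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4, "flags": flags, "window": win}

def classify_reply(probe, reply):
    """Decide what a reply to our SYN says about the probed port."""
    p, r = parse_header(probe), parse_header(reply)
    # The reply must mirror the ports and acknowledge our sequence number + 1.
    if (r["src_port"], r["dst_port"]) != (p["dst_port"], p["src_port"]):
        return "unrelated"
    if not r["flags"] & ACK or r["ack"] != (p["seq"] + 1) % 2**32:
        return "unrelated"
    if r["flags"] & RST:
        return "closed"
    if r["flags"] & SYN:
        return "open"
    return "unexpected"

# Constructed sample headers (not captured traffic).
SYN_PROBE = build_header(40000, 80, seq=1000, ack=0, flags=SYN)
SYN_ACK = build_header(80, 40000, seq=5000, ack=1001, flags=SYN | ACK)
RST_ACK = build_header(80, 40000, seq=0, ack=1001, flags=RST | ACK)

if __name__ == "__main__":
    print(parse_header(SYN_PROBE))
    print("SYN/ACK reply ->", classify_reply(SYN_PROBE, SYN_ACK))
    print("RST/ACK reply ->", classify_reply(SYN_PROBE, RST_ACK))
```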
anglachel
Guide Dog


Joined: 08 Nov 2003 Posts: 8419
Location: MN
Posted: Tue Apr 04, 2006 7:18 pm
Post subject: I like telnet
Skookum wrote: and most importantly give me a project to keep me from killing the people that call me on the phones all day.
straight up easier to just kill them.
are you doing this on a windows box, or a unix box?
on windows your best bet (for any windows platform without installing anything) would probably be VB... though how to open a connection on a port I don't know.
The other option on windows (that I can think of) would be to use telnet (don't laugh) you can type in something to the effect of "telnet <IP.add.res.s> <port>" and if it comes back with something like connection refused, that port is closed.... if it tries to connect (i.e. doesn't die with an error right away, or the error is that the connection timed out after a while...) then you're golden.... (might be a better way of handling actual connections... that I don't know)
on a nix box, I have even less idea how to code something like that in bash, though I'm certain telnet will work the same way (only the syntax and the exact errors differ)
and of course if you happen to know what is running on that port you can always type in the commands to get information back... (i.e. "GET / HTTP/1.1" for a web server will dump the contents of the page located at / ) there is documentation out there for how to use IRC through telnet (I've done it a few times) and I know I've seen people send emails through telnet on SMTP servers...
_________________
Quidquid latine dictum sit, altum sonatur.
Death to Shuttleworth!
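As an added example (not part of the original thread), this is the telnet check above written as a Python function. It keeps the three outcomes of a full TCP connect apart: a completed connection, an immediate refusal, and a timeout, which means no answer came back at all (for example a firewall dropping the packets) rather than a confirmed open port. The function names and the loopback self-test are assumptions made for this illustration.

```python
import socket

def check_tcp_port(host, port, timeout=2.0):
    """Try one full TCP connect and report what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"          # peer answered with RST
    except socket.timeout:
        return "no reply"        # nothing came back within the timeout
    except OSError as exc:
        return "error: %s" % exc  # e.g. no route to host
    finally:
        sock.close()

def demo_on_loopback():
    """Check a listener we start ourselves on 127.0.0.1, then the same
    port again after the listener has been closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = check_tcp_port("127.0.0.1", port)
    listener.close()
    after_close = check_tcp_port("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    print(demo_on_loopback())
```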
squashman
Big Dog


Joined: 08 Oct 2001 Posts: 3486
Location: 1265 Lombardi Ave.
Posted: Tue Apr 04, 2006 7:22 pm
Why not look at the source code for Nmap or Amap?
anglachel
Guide Dog


Joined: 08 Nov 2003 Posts: 8419
Location: MN
Posted: Tue Apr 04, 2006 7:25 pm
also (I typed that whole thing without realizing this...) WHAT KINDA SWEAT SHOP ARE YOU WORKING AT!!!
No internet. No software installs. Idiots on the phones. Go ahead on writing scripts...
I think I've worked there.... I wrote lots of VBscripts to make my life easier... and more efficient... then I realized I only had go ahead on the scripts because they thought that I was incapable of causing any harm... After I left they must have realized how clean my code was compared to their programmers at the time (who were about as good at coding as ly is at being sober.) and last I heard they outlawed the use of any of my scripts and wiped the hard drives on both my machines (joke's on them I still have the password to all of their clients' computers (remote access), their fedex and ups accounts (though ups is locked out because they didn't pay their bill) wep keys for their wireless, and full read write access on their database... if I wanted to be a bastard about the shit I put up with there I would have left them with no usable computers in the building... I just want to put that place behind me and serve as a warning for others) GET OUT PHONE SWEATSHOPS SUCK!
_________________
Quidquid latine dictum sit, altum sonatur.
Death to Shuttleworth!
Skookum
Butt Sniffer


Joined: 26 Oct 2001 Posts: 1541
Location: I dunno, I lost my Mommy
Posted: Wed Apr 05, 2006 4:27 am
Quote: No internet. No software installs. Idiots on the phones. Go ahead on writing scripts...
Yeah, I was one of the major causes of no internet access. Our minimum stats are supposed to be 160 calls a week, I was taking anywhere from 225 - 300 a week (placing me in the top 5 call takers) and spending the rest of my time online. But we had a big meeting, and a big butt chewing on how I have no sense of urgency, then they yanked my precious internet
Quote: straight up easier to just kill them.
I have declared psychological warfare on all of them. "I'm sorry ma'am but your server is down, I need you to go flush the toilet that is the farthest away from the server twice while I reboot, it will be back up and running once you get back"
Currently I have written all the Unix scripts that tier 1 and tier 2 use day in and day out. I wrote a bunch of windows scripts too but I was told never to deploy them to anyone.
So basically I am sitting on about 50 or 60 scripts and or shortcuts that I use day in and day out that over triples my call volume but no one else can know and or use them. Go figure.
Anyways enough of the ranting, I can use either OS, Windows XP, Windows 2000 Server, or Solaris 7 AT&T version. I think we have some linux boxes out there somewhere but I don't think they trust me on those
As for the passwords, the only system that I have seen locked down is the Unix system, and I am over halfway through with that. I wrote the password list for management and the team leads. Most of our passwords are stored in clear text. And the only ones I don't have are the corporate ones, but if I get bored I will find those ones too.
The telnet thing I have tried and it kind of works, but if I were to do a port scan on a UDP port I don't think that I would receive anything, it would just eventually time out.
I tried writing my own packets in notepad, but realized that I am retarded and I have no idea on how to actually send the packet as a packet and not have it broken up into 50 packets because of the size. I think I only need the TCP or the UDP header and I don't necessarily need any packet information. I might set the Urgency in the packet just to be a prick.
As for the password thing, you should know this one by now Anglachel, when you are doing your exit interview, you nonchalantly walk into the interview with a stack of papers, you hand the person the stack of papers and then wink at them and walk away. Be sure that that stack of papers has every single password that you know of.
They can try to change all the passwords, but I have about 5 pages of admin passwords, so that would affect approximately everyone in the company to change all those passwords.
_________________ "Paranoia is no longer a mental illness it is a way of life" - Me
anglachel
Guide Dog


Joined: 08 Nov 2003 Posts: 8419
Location: MN
Posted: Wed Apr 05, 2006 5:27 am
I didn't find or steal any of those passwords, they gave them to me...
udp too huh.... hhhmmmm I'll see what I can come up with... I hate udp...
you know you could just "install" Angry IP Scanner it is a single executable, no real install necessary, just run it.
_________________
Quidquid latine dictum sit, altum sonatur.
Death to Shuttleworth!
Skookum
Butt Sniffer


Joined: 26 Oct 2001 Posts: 1541
Location: I dunno, I lost my Mommy
Posted: Wed Apr 05, 2006 2:49 pm
I did a little test at work today, and I found that SSH through unix gives me some interesting info when I use it on different ports.
When running ssh I can specify a debug code that tells me what is happening such as
ssh -v -v -v serv01 -p 101
The more -v that I put in the more output that I get, although I think it stops displaying junk after the 2nd -v, but I put a 3rd in for good measure.
I was going to try and dig through the source code of nmap, although I can't remember where I installed the thing. It's sad I know, but it gets worse, I installed it 2 days ago, a couple hours before I made this thread. Doh!
It's kind of strange, all the research that I try and do on how to do this, and it is all links to a port scanner, or how to's on a specific port scanner, I have only found 2 sites that have anything remotely close to designing your own.
www.in-f-or.it/informatica/docs/portscan.pdf
and
www.codeproject.com/internet/holefinder.asp
Oh well, back to googling for now.
_________________ "Paranoia is no longer a mental illness it is a way of life" - Me
All times are GMT - 8 Hours