Scanning Networks / Cek jaringan

Scanning helps one to know what services are running on a machine. This will show the open ports on which services are listening for connections. First we will determine whether the target machine is alive or not. This can be done by sending a icmp echo request packet to the server. The server would respond with a icmp echo reply showing that it’s alive. The process to do this on a range of hosts or ipaddresses is known as ping sweep. Of the many methods used, we will look on ICMP ping and echo port ping.

ICMP ping

Your machine will send an icmp echo request (type 8) to the target machine and it would respond with an icmp echo reply(type 0) if it is alive. You can use the Unix ping command to do this:

[root@ns2 root]# ping -c 3 66.218.71.86
PING 66.218.71.86 (66.218.71.86) from 203.41.193.140 : 56(84) bytes of data.
64 bytes from 66.218.71.86: icmp_seq=1 ttl=51 time=207 ms
From 203.41.193.137: icmp_seq=2 Redirect Host (New nexthop: 202.5.165.81)
64 bytes from 66.218.71.86: icmp_seq=2 ttl=51 time=204 ms
64 bytes from 66.218.71.86: icmp_seq=3 ttl=51 time=203 ms

--- 66.218.71.86 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2019ms
rtt min/avg/max/mdev = 203.938/205.171/207.287/1.503 ms
[root@ns2 root]#

At the end it will give you a summary, showing statistics of number of packets received and sent and the %age of packet loss.

Echo port ping

This makes use the echo service running on the target machine which runs on port 7. Whatever you send it, will be echoed back to you. So if you see that it echoed back what you sent, then you can be sure that the target machine is alive.

Two interesting tools on Linux is Fping and Nmap

Fping

Fping sends multiple icmp request packets simultaneously and processes the reply as they occur. This makes ping sweeps faster. Fping can be feeded with an ipaddress or can be given a list of ipaddress on a file.

[root@Krishna]# fping -a -g 203.122.1.0 203.122.1.80
203.122.1.9
203.122.1.26
203.122.1.37
203.122.1.47
203.122.1.54
203.122.1.42
203.122.1.68
203.122.1.80
[root@Krishna]#

Type fping -h for a full listing of available options.

Nmap

Nmap is a powerful tool that can do a lot more than ping sweep.
To use nmap for ping sweeping use the –sP argument.
[root@ns2 root]# nmap -sP 203.122.58.0/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (203.122.58.1) appears to be up.
Host (203.122.58.2) appears to be up.
Host (203.122.58.5) appears to be up.
Host (203.122.58.6) appears to be up.
Host (203.122.58.9) appears to be up.
Host (203.122.58.10) appears to be up.
Host (203.122.58.13) appears to be up.
Host (203.122.58.14) appears to be up.
caught SIGINT signal, cleaning up
[root@ns2 root]#

If ICMP is blocked on the firewall of the target machine, additional techniques can be used to determine whether systems are alive.
Nmap provides a advanced option called TCP ping scan. It is initiated with the argument –PT with a port number such as port 80, since packets to this port is allowed by many firewall and border routers to the systems on their demilitarized zone (DMZ).

[root@ns2 root]# nmap -sP -PT80 203.122.58.0/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (203.122.58.1) appears to be up.
Host (203.122.58.2) appears to be up.
Host (203.122.58.5) appears to be up.
Host (203.122.58.6) appears to be up.
Host (203.122.58.9) appears to be up.
Host (203.122.58.10) appears to be up.
Host (203.122.58.13) appears to be up.
Host (203.122.58.14) appears to be up.
caught SIGINT signal, cleaning up
[root@ns2 root]#

Icmpenum

This tool from Simple Nomad (http://www.nmrc.org/project/misc/icmpenum-1.1.1.tgz) .
Even if the border router or firewall blocks ICMP echo packets , the systems status of being alive can be determined by looking for a different ICMP type, like icmp time stamp request and icmp info requests.
[krishna]# icmpenum –i2 –c 192.168.1.0

In the above example, we enumerated the entire 192.168.1.0 class C network using an icmp time stamp request . Icmpenum can send spoofed packets to avoid detection. Use the s argument to send spoofed packets and passively listen for responses with the p switch.

Icmpquery

Icmpquery can be found at http://packetstormsecurity.com/UNIX/scanners/icmpquery.c
Ping sweeps makes use of icmp echo packets , but there are a lot more types of icmp packets which can be used to gather valuable information about the system. For example you can request the time ona system by sending an ICMP type 13 message (TIMESTAMP) and you can request the netmask of a particular device with the ICMP type 17 message (ADDRESS MASK REQUEST).
To query a routers time, you can run the command:
[root@ns2 files]# ./icmpquery -t 213.206.75.252
213.206.75.252 : Sun Jun 8 16:46:30 2003
[root@ns2 files]#

and to query a routers netmask, use

[Krishna]# icmpquery –m 213.206.75.252

Windows tools:

To do ping sweeps in windows, try the freeware pinger from Rhino9 (http://nmrc.org/snt). Some other tools for windows are Ping Sweep from Solarwinds (http://www.solarwinds.net)
WS_Ping ProPack (http://www.ipswitch.com) NetScan Tools (http://www.nwpsw.com)

Port Scanning:

Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or in a listening state. Identifying listening ports is essential to determine the type of operating system and application in use on the system.

Types of port scanning:

1.) TCP connect scan: This type of scan connects to the target port and completes a full three way handshake (SYN, SYN/ACK and ACK).
2.) TCP SYN scan: This is also called half-open scanning because it does not complete the three-way handshake, rather a SYN packet is sent and upon receiving a SYN/ACK packet it is determined that the target machines port is in a listening state and if an RST/ACK packet is received , it indicates that the port is not listening.
3.) TCP FIN scan: This technique sends a FIN packet to the target port and based on RFC 793 the target system should send back an RST for all closed ports.
4.) TCP Xmas Tree scan: This technique sends a FIN,URG and PUSH packet to the target port and based on RFC 793 the target system should send back an RST for all closed ports.
5.) TCP Null scan: This technique turns off all flags and based on RFC 793 , the target system should send back an RST for all closed ports.
6.) TCP ACK scan: This technique is used to map out firewall rulesets. It can help determine if the firewall is a simple packet filter allowing only established connections or a stateful firewall performing advance packet filtering.
7.) TCP Windows scan: This type of scan can detect both filtered and non-filtered ports on some systems due to anomaly in the way TCP windows size is reported.
8.) TCP RPC scan: This technique is specific to UNIX systems and is used to detect and identify Remote Procedure Call (RPC) ports and their associated program and version number.
9.) UDP scan: This technique sends a UDP packet to the target port. If the target ports responds with an “ICMP port unreachable” message, the port is closed, if not then the port is open. This is a slow process since UDP is a connectionless protocol, the accuracy of this technique is dependent on many factors related to utilization of network and system resources.

We will now discuss some of the more popular and time proven port scanners.
Strobe

Download it from ftp://ftp.rpmfind.net/linux/redhat/7.1/en/powertools/i386/RedHat/RPMS/strobe-1.04-8.i386.rpm

It is one of the fastest and most reliable TCP scanners, it can also grab the associated banner of a particular port. Strobe is a TCP scanner and does not provide UDP scanning capability, as such it can be easily detected by the target machine.

[root@ns2 files]# strobe 213.206.75.252
strobe 1.04 (c) 1995-1997 Julian Assange (proff@suburbia.net).
213.206.75.252 21 ftp File Transfer [Control] [96,JBP]
-> 220-FTP server ready.
-> 220 Only anonymous FTP is allowed here
213.206.75.252 80 http www www-http World Wide Web HTTP
www World Wide Web HTTP [TXL]
[root@ns2 files]#

For a UDP port scanner try udp_scan by SATAN(Security Administrator Tool for Analyzing Networks).

Netcat

This is known to be called the Swiss army knife in security toolkit. It provides both TCP and UDP scanning capabilities. The -v and -vv options provide verbose output, the -z option is used for port scanning, and the -w2 option provides a timeout value for each connection. By default nc uses TCP ports, the -u option is so used to specify UDP scanning.

[root@ns2 files]# nc -v -z -w2 203.122.61.154 1-140
ns2.spectra.com [203.122.61.154] 111 (sunrpc) open
ns2.spectra.com [203.122.61.154] 80 (http) open
ns2.spectra.com [203.122.61.154] 53 (domain) open
ns2.spectra.com [203.122.61.154] 23 (telnet) : No route to host
[root@ns2 files]#

[root@ns2 files]# nc -u -v -z -w2 203.122.61.154 1-140
ns2.spectranet.com [203.122.61.154] 132 (?) open
ns2.spectranet.com [203.122.61.154] 131 (?) open
ns2.spectranet.com [203.122.61.154] 130 (?) open
ns2.spectranet.com [203.122.61.154] 129 (?) open
ns2.spectranet.com [203.122.61.154] 128 (?) open
ns2.spectranet.com [203.122.61.154] 127 (?) open
ns2.spectranet.com [203.122.61.154] 126 (?) open
punt!
[root@ns2 files]#

Network Mapper (nmap)

Nmap from http://www.insecure.org/nmap is a all in one tool. To see a possible list of options use

[root@ns2 files]# nmap –h

[root@ns2 files]# nmap -sP 192.168.0.172

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host ns2.krishna.com (192.168.0.172) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds
[root@ns2 files]#

Nmap allows you to enter ranges in CIDR(Classless Inter-Domain Routing) block notation. The –oN will save the output to a human-readable format and use –oM to save it in a tab-delimited file.

[root@ns2 files]# nmap –sF 203.122.58.0/24 –oN outfile

Windows based port scanners

NetScanTools Pro 2000 http://www.nwpsw.com
SuperScan http://www.foundstone.com/rdlabs/termsofuse.php?filename=superscan.exe
WinScan: http://www.prosolve.com
IpEye http://www.ntsecurity.com
NetCat http://www.atstake.com/research/tools/nc11nt.zip
WUPS http://www.ntsecurity.nu
Fscan http://www.foundstone.com/rdlabs/termsofuse.php?filename=fscan.exe

Thanks Bro ...
Krishna
http://www.KrisinDigitalAge.com