Friday, 1 August 2008

Windows Port Scanning - Without a Scanner

As a side note to the Netcat posts (that are ongoing) I have a small addition, how to make a port scanner in Windows when you do not have one (or why deleting tools in windows rather than reporting them is a waste of time).

Well you can use the ftp client that is available from the command line. As an example, the following script checks
C:\> for /L %i in ([Start_Port],[increment],[End_Port]) do echo TCP Port Number %i: >> results.txt & echo open [IP_address] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>> c:\tmp\results.txt

Here [increment] is the number of ports we go up at a time (this is usually going to be 1).

For example to scan TCP ports 80 to 135 on host we would type:

for /L %i in (80,1,135) do echo TCP Port Number %i: >> port_tested.txt & echo open %i > ftp://ftp.txt/ & echo quit >> ftp://ftp.txt/ & ftp -s:ftp.txt 2>> port_tested.txt
The output in this script is stored in c:\tmp\results.txt, but this can be anywhere you like. This only does TCP and the start and end ports can be anything (as can the IP address).
It is not pretty, but it works.

In the output, whenever there is an entry such as "Connection closed by remote host." there is a port listening - which is listed on the preceeding line. When "> ftp: connect :Unknown error number" is recorded, the port is closed.
It is not perfect, it is just a simple script. At times it does get errors.
In this case, it has stopped at the input for NNTP (TCP 119). It is possible to script more errors, but there are many protocols.

And a little interaction in typing "bye" in this case gets it running again. In this case the output (below) shows a loging we could try to exploit as a part of the test process.

Connection closed by remote host.

TCP Port Number 119:

Login failed.

TCP Port Number 120:

> ftp: connect :Unknown error number

No comments: