SCANLINE

Since nmap now supports Windows platforms via the WinPcap interface, Windows users have access to a robust port scanner. ScanLine has the distinction of being a pure Windows port scanner and does not rely on WinPcap. This is more of an advantage for penetration testing when you may encounter systems without WinPcap or you choose not to install it. Additionally, ScanLine does a decent job of identifying UDP ports. You may have to navigate some long license statements and marketing, but ScanLine is a free download available from http://www.foundstone.com/knowledge/free_tools.html.

Implementation

ScanLine doesn't have the stealth and reporting options available with IpEye or nmap; its big advantage is UDP accuracy. As with any UDP scanner, packet filters running on the target host or anywhere in the path to it can keep your results from being accurate. Nevertheless, ScanLine will adjust based on whether it receives ICMP "port unreachable" messages, and it also uses UDP triggers to elicit responses from hardened services.

Use the -U option to scan a predefined list of UDP ports. If you wish to be more selective about the scan, use -u followed by a port range, as seen here.

    E:\>sl.exe -U 10.0.1.5
    ScanLine (TM) 1.01
    Copyright (c) Foundstone, Inc. 2002
    http://www.foundstone.com

    Scan of 1 IP started at Wed Jun 29 17:35:31 2005

    -----------------------------------------------------

    10.0.1.5
    Responded in 10 ms. 0 hops away
    Responds with ICMP unreachable: Yes

    UDP ports: 137 138

    -----------------------------------------------------

    Scan finished at Wed Jun 29 17:35:35 2005

    1 IP and 89 ports scanned in 0 hours 0 mins 4.12 secs

    E:\>sl.exe -u 130-140 10.0.1.5
    ScanLine (TM) 1.01
    Copyright (c) Foundstone, Inc. 2002
    http://www.foundstone.com

    Scan of 1 IP started at Wed Jun 29 17:37:23 2005

    -----------------------------------------------------

    10.0.1.5
    Responded in 0 ms. 0 hops away
    Responds with ICMP unreachable: Yes

    UDP ports: 137 138

    -----------------------------------------------------

    Scan finished at Wed Jun 29 17:37:27 2005

    1 IP and 11 ports scanned in 0 hours 0 mins 4.07 secs
Tip

Most of the other features are similar to nmap, although users coming from a Unix environment will find that common flags like -r, -n, -h, and others have unexpected meanings in ScanLine.

Like amap and nmap, ScanLine retrieves service banners if the -b option is enabled.

    E:\>sl -b 10.0.1.5
    ScanLine (TM) 1.01
    Copyright (c) Foundstone, Inc. 2002
    http://www.foundstone.com

    Scan of 1 IP started at Wed Jun 29 17:39:56 2005

    --------------------------------------------------------------------

    10.0.1.5
    Responded in 0 ms. 0 hops away
    Responds with ICMP unreachable: Yes

    TCP ports: 22 80 139 515 3306 6000
    UDP ports: 137 138

    TCP 22:
    [SSH-1.99-OpenSSH_3.8.1p1]

    TCP 80:
    [HTTP/1.1 200 OK
    Date: Thu, 30 Jun 2005 00:34:17 GMT
    Server: Apache/1.3.33 (Darwin)
    Content-Location: index.html.en
    Vary: negotiate,accept-language,accept-cha]

    TCP 3306:
    [A j Host '10.0.1.2' is not allowed to connect to this MySQL server]

    TCP 6000:
    [Invalid MIT-MAGIC-COOKIE-1 key]

    --------------------------------------------------------------------

    Scan finished at Wed Jun 29 17:40:07 2005

    1 IP and 267 ports scanned in 0 hours 0 mins 10.46 secs

While it's possible to create text files to influence the default TCP and UDP ports that ScanLine targets (TCPports.txt and UDPports.txt), it's not possible to provide custom triggers for these services.

You can use -c, -d, and -q to control the scan timeouts. Targets are specified as IP address ranges in comma-separated lists, just like ports. Note that the -z option randomizes the target list; the readme refers to either -z or -r for this. ScanLine will write its results to a file, but you're limited to the screen format or a CSV. If you're managing large scans, then you'll probably want to use nmap's "greppable" or XML formats.

Case Study: Command-line Advantages

Aside from personal preference, there are some good reasons why command-line scanners have been the focus of this chapter. Command-line tools are easily scripted, which helps to manage large result sets. Such tools can also be scheduled to execute with utilities like cron. For example, an hourly scan can be quickly set up like this:

    [mike@Corrino ~]$ crontab -l
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/tmp/crontab.17367 installed on Wed Mar 16 15:59:29 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    MAILTO=""
    0 * * * * /usr/local/src/scripts/scan.sh >> $HOME/status.txt
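Because ScanLine only writes the screen format or a CSV, a scheduled job like the crontab entry above usually needs a post-processing step of its own. The following Python is an added example, not code from the book or from Foundstone: it parses screen-format output (a constructed sample modeled on the banner scan shown earlier, plus a constructed baseline) into per-host records, keeps the ICMP-unreachable indicator so that UDP results without it can be treated as unreliable, and diffs two runs so that newly exposed ports stand out.

```python
import re
# Constructed sample modeled on the banner scan shown on this page.
SAMPLE_SCAN = """\
ScanLine (TM) 1.01
10.0.1.5
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 22 80 139 515 3306 6000
UDP ports: 137 138
TCP 22:
[SSH-1.99-OpenSSH_3.8.1p1]
TCP 6000:
[Invalid MIT-MAGIC-COOKIE-1 key]
Scan finished at Wed Jun 29 17:40:07 2005
"""
# Constructed baseline from an earlier run, before MySQL and X11 were reachable.
BASELINE_SCAN = "10.0.1.5\nResponds with ICMP unreachable: Yes\nTCP ports: 22 80 139 515\nUDP ports: 137 138\n"

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PORTS_RE = re.compile(r"^(TCP|UDP) ports:\s*(.*)$")
BANNER_RE = re.compile(r"^(TCP|UDP) (\d+):$")

def parse_scanline(text):
    """Turn ScanLine screen-format output into one dict per scanned host."""
    hosts, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if IP_RE.match(line):                       # each host block opens with its address
            cur = {"ip": line, "tcp": [], "udp": [], "banners": {}, "udp_reliable": False}
            hosts.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Responds with ICMP unreachable:"):
            cur["udp_reliable"] = line.endswith("Yes")  # no unreachables => UDP list is a guess
        elif PORTS_RE.match(line):
            proto, ports = PORTS_RE.match(line).groups()
            cur[proto.lower()] = [int(p) for p in ports.split()]
        elif BANNER_RE.match(line):
            pending = "%s/%s" % BANNER_RE.match(line).groups()
        elif pending and line.startswith("[") and line.endswith("]"):
            cur["banners"][pending] = line[1:-1]    # banner text follows in [...]
            pending = None
    return hosts

def new_exposures(baseline, current):
    """Return sorted (ip, proto, port) triples open now but not in the baseline scan."""
    def triples(hosts):
        return {(h["ip"], pr, p) for h in hosts for pr in ("tcp", "udp") for p in h[pr]}
    return sorted(triples(current) - triples(baseline))
```

Feeding each hourly status.txt chunk through new_exposures against the previous run turns the scan log into a change report rather than a list to read by hand.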

Another advantage arises during penetration testing. Very often, you may gain access to a system (Unix or Windows) that is connected to another network or behind a firewall. In this case, gaining knowledge about the network and hosts around that system is important. Usually, the access you've gained to such a system is via a buffer overflow or some remote service, and the access is limited to command-line interaction. Consequently, tools like nmap, amap, or the Windows port scanners are the best candidates for loading onto the system. You'll also want to have tools with a small footprint, something that GUI scanners typically don't offer.

The SQL.Spider-B worm (also known as Digispid.B.Worm, Spida, MSSQL Worm, and SQLSnake) illustrates the advantage of command-line scanners, albeit from a malicious perspective rather than a useful one. This worm carried a collection of utilities including the FScan port scanner. ScanLine is the descendant of FScan, mentioned earlier in this chapter. FScan, renamed to services.exe in the worm's toolbox, was used to scan for TCP port 1433 in order to discover new Microsoft SQL Server victims. If you'd like to know more about this particular worm, check out the SANS analysis: http://www.sans.org/resources/idfaq/spider.php.

Vulnerabilities like the ones exploited by Nimda and Code Red also show the usefulness of command-line tools. Each of these vulnerabilities enabled an attacker to execute arbitrary commands by sending specially crafted URLs to an IIS server. In addition to creating custom ASP scripts and running Windows commands like ipconfig or the net tool, you could upload tools like ScanLine and work into the target network through the web server.


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175