Saturday, February 15, 2014

Fast TCP port scanning


    One of the first tests a security professional may run against a target is a scan of its open TCP ports (a.k.a. TCP listening ports).  From the list of open ports, he/she can infer what applications/servers are likely running on the target and move on to look for their vulnerabilities.  You can find out whether a single port is open by using the "telnet" command (other commands and tools, such as nc or nmap, can do this too):

    If a port (say, 1000) is not open on target "10.3.0.3", here is what you get:
 $ telnet 10.3.0.3 1000  
 Trying 10.3.0.3...  
 telnet: Unable to connect to remote host: Connection refused  

    "Connection refused" means the target answered the connection attempt with a RST: the host is up, but nothing is listening on that port.  A port that is blocked by a firewall usually looks different; telnet hangs at "Trying 10.3.0.3..." until the connection attempt times out.

    For a port that's open (say, port 80), here is what you get:
 $ telnet 10.3.0.3 80  
 Trying 10.3.0.3...  
 Connected to 10.3.0.3.  
 Escape character is '^]'.  

    But if you want to find all the open TCP ports on a target, you don't want to do it manually, since there are 65535 possible ports.  You could script the telnet step above, but probing the ports one at a time is slow too.  In this post, we show that it's very easy to do port scanning on the NetGend platform, and to do it fast!  Here is the little script:

 function userInit() {  
      var port = 1;                        // next port to probe, shared by all VUsers  
 }  
 function VUSER() {  
      myport = port ++;                    // each VUser grabs one port number  
      if (myport > 65535) {  exit(0);  }   // all 65535 ports have been handed out  
      connect("10.3.0.3", myport);         // TCP connect to the target on that port  
      if (sock !== "") {                   // connection got established, so the port is open  
           println(myport);  
      }   
 }  
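The same idea, written as an added Python example (this is not NetGend code and not from the original post): an asyncio TCP connect scanner that keeps a bounded number of connections in flight and, unlike the script above, records whether a port was refused (closed) or simply never answered (filtered), the same distinction the telnet output shows.  The target host on the command line and the 127.0.0.1 listeners created by demo() are assumptions so that the script can be run offline.

```python
"""TCP connect scan with asyncio: open / closed / filtered per port."""
import asyncio
import socket
import sys
from typing import Dict, Iterable, List

# The post's target is 10.3.0.3; the stand-alone demo() below uses local
# listeners on 127.0.0.1 (constructed for this example) so it runs offline.


async def probe(host: str, port: int, timeout: float,
                sem: asyncio.Semaphore) -> str:
    """Return "open", "closed", "filtered" or "error" for one TCP port."""
    async with sem:  # bound the number of in-flight connections (fd limit)
        try:
            _, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except ConnectionRefusedError:
            return "closed"      # host answered with RST: nothing listening
        except asyncio.TimeoutError:
            return "filtered"    # no answer at all: typically a firewall drop
        except OSError:
            return "error"       # unreachable host, out of fds, etc.
        writer.close()           # handshake completed: the port is open
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return "open"


async def scan_async(host: str, ports: Iterable[int],
                     concurrency: int, timeout: float) -> Dict[int, str]:
    sem = asyncio.Semaphore(concurrency)
    port_list = list(ports)
    states = await asyncio.gather(
        *(probe(host, p, timeout, sem) for p in port_list))
    return dict(zip(port_list, states))


def scan(host: str, ports: Iterable[int], concurrency: int = 500,
         timeout: float = 1.0) -> Dict[int, str]:
    """Scan `ports` on `host`; returns {port: state}."""
    return asyncio.run(scan_async(host, ports, concurrency, timeout))


def open_ports(states: Dict[int, str]) -> List[int]:
    """Sorted list of the ports whose state is "open"."""
    return sorted(p for p, s in states.items() if s == "open")


def demo() -> tuple:
    """Offline check: two local listeners must show as open, a free port as closed."""
    listeners = [socket.socket() for _ in range(2)]
    for s in listeners:
        s.bind(("127.0.0.1", 0))   # kernel picks a free port
        s.listen(5)
    expected_open = sorted(s.getsockname()[1] for s in listeners)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                  # released: nothing listens there now
    try:
        states = scan("127.0.0.1", expected_open + [closed_port], concurrency=50)
    finally:
        for s in listeners:
            s.close()
    return expected_open, closed_port, states


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Full-range scan of the host given on the command line (e.g. 10.3.0.3).
        result = scan(sys.argv[1], range(1, 65536))
        for p in open_ports(result):
            print(p)
    else:
        print(demo())
```

Run as `python3 scan.py 10.3.0.3` to get a report like the one below; with no argument it runs demo() against the local listeners.  Raising `concurrency` makes it faster, but keep it below the process's open-file limit (`ulimit -n`), otherwise probes fail with "error" and tell you nothing about the port.  Note that a connect scan completes the three-way handshake, so every probed open port shows up in the target's logs as an accepted connection.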

    I ran it at a rate of 10,000 new VUsers/second, and in less than 7 seconds it had scanned through all the possible ports and gave me the following report:

22
80
111
443
902

    I knew what TCP ports 22, 80, 111 and 443 are used for, but was curious about what server/application uses port 902; a quick Google search showed that VMware software (the ESX/ESXi authentication daemon, vmware-authd) uses it.

    NetGend is a very scalable performance test platform; the above example shows that it also has the potential to do some fast security tests.
