NetScanTools consists of many independent network functions joined together in a single tabbed window. Most functions are designed to run in separate threads so several tabs can be used simultaneously. This program operates best on the newer Windows platforms.
NetScanTools Pro has a scanner tab - Port Prober, which will be discussed here. Port Probe (a port scanner) is an essential tool in determining the services or daemons running on a target machine. This prober is multithreaded, configurable and it allows running four different types of probing patterns. The user can build lists of target IP Addresses and lists of ports to probe, specifying timeouts and the protocol to connect with. Additionally, any data that is received from the target port upon connection is saved for viewing. The results are presented in a treeview and are colorcoded with different types of images for easy location of information at a glance.
The types of port connections supported are:
TCP Full Connect. This mode makes a full connection to the target's TCP ports and can save any data or banners returned from the target. This mode is the most accurate for determining TCP services, but it is also easily recognized by Intrusion Detection Systems (IDS).
UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of that message indicates either the port is used, or the target does not return the ICMP message which can lead to false positives. It can save any data or banners returned from the target. This mode is also easily recognized by IDS.
TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one operation.
TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with a SYN|ACK and closed ports respond with ACK|RST or RST. This mode is less likely to be noted by IDS, but since the connection is never fully completed, it cannot gather data or banner information. However, the attacker has full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the SYN packet.
TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. Again, the attacker can have full control over TTL, Source Port, MTU, Sequence number, and Window parameters in the custom TCP packet. The Analyze feature helps with analyzing the response based on the flag settings chosen. Each operating system responds differently to these special combinations. The tool includes presets for XMAS, NULL, FIN and ACK flag settings.
The four types of probe patterns are:
Sequential Probe. This method scans a linear set of ports as defined by the start/end port numbers over a linear set of IP addresses as defined by the IP address range settings.
Probe Port List. This mode probes only the ports listed in the Port List. This mode probes either a single host or a range of IP addresses based on the selection made in the Probe Single Host/Probe IP Range radio button group. It probes each host sequentially, that is the first, then the second etc., using the list of port numbers shown in the Port List.
Sequential Port Probe Using the Target List. This mode probes every port using the Starting through ending port range on every computer in the target list.
Probe a List of Ports on a List of Targets. This mode is the most stealthy mode and uses the least amount of CPU time and bandwidth because scanning is restricted to only the target ports on the target machines.
The tool also includes Ping before probe. This option allows the attacker to skip (automatically or by user response to a message) hosts that do not respond to pings. He can control the number of threads used to probe the host and the delay between launching each thread. He can also vary the amount of time to wait for a response to a probe of the port and the amount of time to wait after a connection for a banner to be sent.
0 comments:
Post a Comment