NetCat Tips - Quiet Exploration of Ports

Let's go...

We all know about netcat, so I won't do an introduction about it. Instead I will talk about the use of netcat in the quiet exploration of ports. As Netcat can talk with a range of ports, an obvious use for it will be to use it as ports' explorer. The first impulse is to connect Netcat to a complete range of ports on the target system.

[root@peruvian nc]# ./nc target 20 - 80

This will not work. Remember that Netcat is not a port scanner. In this situation, Netcat will start at port 80 and will try to carry out TCP connections to any ports that respond. As soon as it receives an answer on a port, Netcat will wait for a standard response before continuing. This Behavior is not the one that we are looking for.

The option -z is the answer. This option will tell Netcat to send a minimum amount of data to obtain an answer from an open port. When the -z switch is used netcat will not be able to send data to the remote port and as soon as the port is open it is immediately shutdown and closed. This allows us to avoid waiting for a response before continuing.

The verbose switch (option -v) provides details on the connections that Netcat is carrying out so will be able to use this to see the results of its analysis of the ports. Without this option,… well…, it will not be able to see anything. An example follows next:

[root@peruvian nc]# ./nc -z 192.168.1.100 20-80
[root@peruvian nc]# ./nc -v -z 192.168.1.100 20-80
peruvian [192.168.1.100] 80 (www) open
peruvian [192.168.1.100] 23 (telnet) open
peruvian [192.168.1.100] 22 (ssh) open
peruvian [192.168.1.100] 21 (ftp) open
[root@peruvian nc]#

When using the -v switch, we can see the status of the ports of some of the usual services running on the remote machine. What will our scan look like in the logs of the target system?

July 16 16:15:12 peruvian sshd[21690] : Did not receive ident string from 192.168.1.105
July 16 16:15:12 peruvian telnetd[21689] : ttloop: read: Broken pipe
July 16 16:15:12 peruvian ftpd[21691] : FTP session closed

We see that traces of our activity have been left on the target system. The system tracks the moment we scanned and the list of consecutive processes (21689 to 21691) we explored. If we had scanned a greater range of ports it would have left a really huge track in the logs of the target system. Also certain services, for example sshd, are so bad-mannered that they will save the IP address of the scanner.

Even if we scan a port on which nothing is running (and therefore the connection will not be logged), most networks count on intrusión detection systems that will immediately indicate this type of malicious behavior and they will call the attention of the administrator. Some Firewall applications will also block an IP address automatically if they receive too many connections on in a brief period of time.

Netcat allows the execution of a more sophisticated way to avoid this :D. We will be able to use option -i and to form a test interval. It will take a little more time to obtain the data, but the exploration with this allows more events to happen between each connection to help keep us off of the radar.

If we use the option -r so that Netcat explores of random form these ports, this process will look even less like an exploration of ports:

./nc -v -z -r -i 42 192.168.1.100 20-80

The previous instruction tells Netcat to choose a random range of ports between positions 20 and 80 in the 192.168.1.100 address and to try to connect to each one of them every 42 seconds. This method should bypass any automated defensive system, but the evidence of the exploration will continue to exist in the registries of the target system; they will only be more disordered.

You can also use netcat to carry out a quiet exploration of ports using UDP. All you need to do is add the -u option to instruct netcat to explore UDP instead of TCP ports.

*Note1:
Scanning with the UDP protocal has a problem. Netcat depends on the reception of an Internet Control Mensajes Protocol (ICMP) to determine if a UDP port is open or closed. If the ICMP is being blocked by a Firewall or a filter, Netcat will falsely report that these UDP ports are open.

Netcat is not a very sophisticated port scanner. One of its main features is that it is a very good general tool and does not emphasize any specialty. For this reason it is better to use a specifically developed port analyzer.


*Note2:
If you're getting errors when trying to port scan, try to limit netcat to a specific IP address and a specific port by using the -s and -p switches. Choose a port below 1024 or a port that isn't used by any service.

More questions:

----------------------
root3d
system666x@gmail.com
Perú [16/07/2006]
16:44
----------------------