postIt » scan https://lakm.us/postit Post-It sticky notes with PasteBin sense Thu, 02 Jan 2025 01:33:57 +0000 en-US hourly 1 http://wordpress.org/?v=4.0.18 Socket monitoring by watching receive an … https://lakm.us/postit/2011/08/socket-monitoring-by-watching-receive-an/ https://lakm.us/postit/2011/08/socket-monitoring-by-watching-receive-an/#comments Wed, 10 Aug 2011 08:03:50 +0000 http://xp-racy.lan/postit/?p=136 Socket monitoring by watching receive and send queue every 5 seconds

$ while true; do netstat -tn; sleep 5; clear; done

Result:

 
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.238.133.152:43941    98.136.48.103:5050      ESTABLISHED
tcp        1      0 10.238.133.152:42541    8.27.254.249:80         CLOSE_WAIT
tcp        1      0 10.238.133.152:34355    184.73.222.16:80        CLOSE_WAIT
tcp        0      0 10.238.133.152:43210    199.59.148.87:443       ESTABLISHED
tcp        0    229 10.238.133.152:43209    199.59.148.87:443       ESTABLISHED

This is to emulate combination of watch and ss in Solaris, more or less same result

$ watch -n 5 ss -t
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
ESTAB      0      0          10.238.133.152:36045       74.125.224.250:https
ESTAB      0      0          10.238.133.152:36044       74.125.224.250:https
CLOSE-WAIT 1      0          10.238.133.152:59622      174.129.233.179:www
ESTAB      0      0          10.238.133.152:43941        98.136.48.103:mmcc
CLOSE-WAIT 38     0          10.238.133.152:49300        199.59.148.87:https
ESTAB      0      0          10.238.133.152:33626       74.125.224.191:https
CLOSE-WAIT 1      0          10.238.133.152:37621        208.46.163.81:www
]]> https://lakm.us/postit/2011/08/socket-monitoring-by-watching-receive-an/feed/ 0 Network map using nmap $ nmap -O -sS -p … https://lakm.us/postit/2010/03/network-map-using-nmap-nmap-o-ss-p/ https://lakm.us/postit/2010/03/network-map-using-nmap-nmap-o-ss-p/#comments Mon, 01 Mar 2010 08:56:29 +0000 http://xp-racy.lan/postit/?p=37 Network map using nmap

$ nmap -O -sS -p 20-23,3300,80,443
...
Interesting ports on localhost (127.0.0.1):
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  open   http
443/tcp closed https
3300/tcp  open   unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.25
Network Distance: 0 hops
...

I configured sshd to listen on port 3300, but nmap can’t resolve the type of service in the above sample. (It is found to be open but unknown service)

]]> https://lakm.us/postit/2010/03/network-map-using-nmap-nmap-o-ss-p/feed/ 0 Angry IP Scan. Multi platform IP scanner … https://lakm.us/postit/2010/03/angry-ip-scan-multi-platform-ip-scanner/ https://lakm.us/postit/2010/03/angry-ip-scan-multi-platform-ip-scanner/#comments Mon, 01 Mar 2010 03:11:51 +0000 http://xp-racy.lan/postit/?p=21 Angry IP Scan. Multi platform IP scanner in Java, and binaries in deb and rpm package for Linux. Windows version also available.

Basic theory on scanning is also presented there. Where there exist two scan:

  1. port scanners
  2. IP scanner

How?

  1. whether the host is up (alive, responding) or down (dead, not responding)
  2. average roundtrip time (of IP packets to the destination address and back) – the same value as shown by the ping program
  3. TTL (time to live) field value from the IP packet header, which can be used to find out the rough distance to the destination address (in number of routers the packet has traveled)
  4. host and domain name (by using a DNS reverse lookup)
  5. versions of particular services running on the host (e.g., “Apache 2.0.32 (Linux 2.6.9)” in case of a web server)
  6. open (responding) and filtered TCP and UDP port numbers
    ]]>     https://lakm.us/postit/2010/03/angry-ip-scan-multi-platform-ip-scanner/feed/ 0     Port scanner class. https://lakm.us/postit/2010/03/port-scanner-class/ https://lakm.us/postit/2010/03/port-scanner-class/#comments Mon, 01 Mar 2010 02:39:00 +0000 http://xp-racy.lan/postit/?p=20 Port scanner class. An example of usage is as follow where my IP is 192.168.1.10. The upper range for scanning isn’t alive: 192.168.1.11. I hide warnings due to open socket failure which will happen because the IP isn’t alive.

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

    <?php
	ini_set( "display_errors", 0);
	require_once("scanner.class.php");
	$ip_address1 = "192.168.1.10";
	$ip_address2 = "192.168.1.11";
	$my_scanner = new PortScanner($ip_address1, $ip_address2);
 
	$my_scanner->set_ports("80");
 
	$results = $my_scanner->do_scan();
 
	foreach($results as $ip=>$ip_results) {
		echo gethostbyaddr($ip)."\n<blockquote>\n";
 
 
		foreach($ip_results as $port=>$port_results) {
			echo "\t".$port." : ".$port_results['pname']." : ";
			if ($port_results['status']==1){echo "open";}
			else {echo "closed";}echo "<br />\n";
		}
		echo "</blockquote>\n\n";
	  }
 
?>

    Results are as follow (it includes developerfusion.com port scan by default (?)):

    developerfusion.com

    15 : netstat : closed
    16 : N/A : closed
    17 : qotd : closed
    18 : msp : closed
    19 : chargen : closed
    20 : ftp-data : closed
    21 : ftp : closed
    22 : ssh : closed
    23 : telnet : closed
    24 : N/A : closed
    25 : smtp : open
    80 : www : open
    110 : pop3 : closed
    3306 : mysql : closed
    1337 : N/A : closed
    666 : N/A : closed

    xp-racy.local

    80 : www : open

    192.168.1.11

    80 : www : closed

    ]]>     https://lakm.us/postit/2010/03/port-scanner-class/feed/ 0