Netcat 101: Port Scanning in Netcat, Haktip 85



Netcat 101: Port Scanning in Netcat!

Welcome to HakTip -- the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I'm Shannon Morse and today I'm checking out Netcat for port scanning.

First off, let's back it up a bit. I got a question at tips@hak5.org that said, "What defines the banner?", so I wanted to clarify it. Last week we discussed banner grabbing with Netcat, which gives you a bit of information about a server or a single port. In networking terms it gleans information about a system on a network and the services running on its open ports. Admins can use this to take inventory of the systems and services on their network. An intruder, on the other hand, can use banner grabbing to find hosts that are running software versions with known exploits. Service ports commonly used for banner grabbing include those for HTTP, FTP, and SMTP (ports 80, 21, and 25). To limit that exposure, network admins should restrict access to servers, shut down unused or unnecessary services on network hosts, and, where the service allows it, configure the greeting so it does not advertise the exact software version. The banner itself is simply the text the service sends in its greeting when you connect, for example an SSH version string or an SMTP 220 line; that greeting is what you read during a banner grab.

This week, we are checking out port scanning!

So what is a port? Ports are application- or process-specific software constructs that serve as communication endpoints in a host's operating system. A port is associated with an IP address of the host and with the transport protocol used for communication, so the combination of protocol, address and port number uniquely identifies an application or process on a single computer and lets many of them share one physical connection to a packet-switched network like the Internet. Port numbers run from 0 to 65535, with 0 reserved, and on Unix-like systems binding anything below 1024 (the well-known ports, 0-1023) requires root or admin privileges. So if you're running Apache on port 80, you need sudo to start it. Many folks run a test server on port 8080 instead, as a quick and dirty way around that rule. The protocols that use ports are the Transport Layer protocols, TCP and UDP (both part of the Internet Protocol Suite); TCP port 80 and UDP port 80 are separate endpoints, which matters when you decide what to scan.

Some widely used port numbers include, 20 & 21 for FTP, 22 for SSH, 80 for HTTP, and 25 for SMTP.

When you think of port scanning, what programs come to mind? Angry IP Scanner, Nmap? Do you think of Netcat? While not as advanced as dedicated scanners, Netcat can perform a basic TCP connect scan, and it has an -s option to choose the source address the scan is sent from. Keep in mind, though, that a connect scan completes the full TCP handshake, so the replies have to reach you: a spoofed source address gets you no results at all, and every successful connection shows up in the target's logs. Today we'll go over a basic port scan and explain the command.

As opposed to file transfers, a port scan needs only one computer, your client. The syntax is:

nc -v -w 1 -z 10.73.31.9 1-1000

nc runs Netcat. -v is verbose: Netcat reports the result of each connection attempt, which is how you see which ports are open (without it a -z scan prints nothing at all). -w 1 is a timeout: Netcat gives up on any single port that has not answered within one second, which is what keeps a scan of a firewalled host from hanging; it is not a pause between ports. Next comes the target IP address, and then the port list, 1-1000, which tells Netcat to try every port from 1 through 1000 in turn. -z is Zero I/O mode: Netcat only completes the TCP handshake and reports whether it succeeded, without sending or reading any data, and that is what turns an ordinary connection attempt into a scan. A port that answers with a reset is reported as refused, one that accepts the connection is reported as open, and one that a firewall silently drops simply times out after -w seconds. Port ranges like 1-1000 are accepted by the classic Hobbit netcat and by the OpenBSD nc shipped with most Linux distributions; Nmap's ncat does not implement -z, so use one of the former for scanning.

This only targets TCP ports. To probe UDP instead, add the -u switch, but treat the results with suspicion: an open UDP service usually stays silent when it receives an empty datagram, so Netcat can only call a UDP port closed when an ICMP port-unreachable message comes back, and anything behind a firewall looks open. You can also add -n, which skips DNS entirely: Netcat will neither look up a hostname nor reverse-resolve addresses, which is faster and leaves no resolver queries behind. Without -n, Netcat resolves names through DNS, so you can give a hostname instead of an IP address.
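To make the flags concrete, here is what nc -v -z -w 1 does on the wire, written out as a small connect scanner in Python. This is an added example for this page, not Netcat's own code: the target is a throwaway listener the script starts on 127.0.0.1, the "closed" port is one the script binds without listening on, and the report format imitates the OpenBSD nc "succeeded!" line; none of that comes from the episode.

```python
"""Connect scan in the style of `nc -v -z -w <secs> [-n] <host> <first>-<last>`.

Added illustration, not Netcat's source. The loopback listener and the
bound-but-not-listening port below are constructed so it runs offline.
"""
import socket
import threading


def resolve(target, numeric_only=False):
    """Turn a target into an IPv4 address.

    numeric_only plays the role of -n: only a dotted-quad literal is accepted
    and DNS is never consulted, so the scan generates no resolver traffic.
    Without it a hostname is looked up, which is Netcat's default behaviour.
    """
    try:
        socket.inet_aton(target)
        return target
    except OSError:
        if numeric_only:
            raise ValueError(f"{target!r} is not an IP literal and -n forbids DNS")
        return socket.gethostbyname(target)


def probe_tcp(host, port, timeout=1.0):
    """One port, the way -z does it: complete the handshake, send nothing.

    timeout is the -w value, a per-connection deadline rather than a pause
    between ports. A connect scan can only tell three outcomes apart:
      open      SYN/ACK came back and the handshake completed
      closed    the host answered with RST (connection refused)
      filtered  nothing at all within the deadline (firewall drop or host down)
    Anything else (no route, network down) is reported as unreachable.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def scan_range(target, first, last, timeout=1.0, numeric_only=False):
    """Probe first..last inclusive, one port after another, as nc does."""
    host = resolve(target, numeric_only)
    return {port: probe_tcp(host, port, timeout) for port in range(first, last + 1)}


def open_ports(results):
    return sorted(port for port, state in results.items() if state == "open")


def report(host, results):
    """Render the hits the way OpenBSD nc -v prints them."""
    lines = []
    for port in open_ports(results):
        try:
            name = socket.getservbyport(port, "tcp")
        except OSError:
            name = "*"
        lines.append(f"Connection to {host} {port} port [tcp/{name}] succeeded!")
    return lines


def start_listener():
    """Constructed target: a throwaway listener on an ephemeral loopback port.

    Returns (port, socket). Each accepted connection is closed at once, which
    is all a -z probe ever needs; the thread is a daemon so the process can
    exit while it is still blocked in accept().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def reserve_closed_port():
    """Constructed 'closed' port: bound but never listen()ed on, so the kernel
    answers the SYN with RST and the probe sees connection refused."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    return sock.getsockname()[1], sock


if __name__ == "__main__":
    open_port, keep_open = start_listener()
    closed_port, keep_closed = reserve_closed_port()
    # Equivalent of: nc -v -n -w 1 -z 127.0.0.1 <open_port-1>-<open_port+1>
    results = scan_range("127.0.0.1", open_port - 1, open_port + 1, 1.0, numeric_only=True)
    results[closed_port] = probe_tcp("127.0.0.1", closed_port)
    for port in sorted(results):
        print(f"{port}/tcp {results[port]}")
    print("\n".join(report("127.0.0.1", results)))
```

Run it and you get one "succeeded!" line for the listener and "closed" for the reserved port; against a host that drops packets you would instead see "filtered" appear only after the full one-second deadline per port, which is why the -w value dominates the runtime of a scan through a firewall.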

Now, try it yourself! Try adding the different options to your port scan, and attempt scans on several IP addresses to see what you come up with!

Do you use Netcat for port scanning? Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.
Closed Caption:

This episode of HakTip is brought to you by GoToAssist. Welcome to HakTip, the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I'm Shannon Morse, and today I'm checking out Netcat for port scanning.

But first off, let's back it up just a little bit. I got a question at tips@hak5.org that said, "What defines a banner?", so I wanted to go ahead and clarify that a little bit. Last week we discussed banner grabbing with Netcat, which will give you a bit of information about any server or port. When talking about networking, this will basically glean info about a system on a network and services running on its open ports. Admins can use this to take inventory of networks and services on their network. Alternatively, an intruder, on the other hand, can use banner grabbing to find network hosts that are running systems with known exploits. Some service ports used for banner grabbing clues include those used by HTTP, FTP and SMTP, and those are ports 80, 21 and 25 respectively. Now, to prevent exploits, network admins should restrict access to servers and shut down unused or unnecessary services running on network hosts. A banner specifically is simply the text that is embedded with a message that is received from a host during a banner grab. That's what we showed you last week.

This week we are going to check out port scanning, and it kind of builds on top of banner grabbing as well. So first off, what is a port? Ports are application-specific or process-specific software constructs serving as communication endpoints in a host operating system. The port is associated with an IP address of the host and the type of protocol used for communication. You can uniquely identify different applications or processes running on a single computer or server with the port, which will enable them to share a single physical connection to a packet-switched network like the internet. There are port numbers between 0 and 65535, with zero reserved, and typically anything under port 1025 requires root or admin privileges.

Now I wanted to go ahead and take a look at this website, which lists all the TCP and UDP port numbers. So let's say I want to play some Doom. Doom is unofficially on port 666, go figure. But usually, if you're running Apache on port 80 or something like that, you have to have sudo to go ahead and set it up. So you'll find out that many folks will actually use port 8080 or something like that to set up a server, which is basically a quick and dirty way to get around that rule about reserved ports. Now, the protocols that use ports are called transport layer protocols, including TCP and UDP, such as the website, both of the Internet Protocol Suite. Some widely used port numbers include 20 and 21 for FTP, 22 for SSH, 80 for HTTP and 25 for SMTP. Now let's go ahead and take a quick break and do some port scans right after.

IT issues can pop up at any moment: unexpected user problems, network and server complications, viruses. Staying on top of it all is really challenging, and it's kind of stressful too. That's why I'm excited about GoToAssist by Citrix. All the services that you need are integrated into one simple cloud-based tool set, so you can take control of your unpredictable IT world. So this is how it works. GoToAssist Monitoring helps you quickly identify potential issues at their source before they become big problems. It has built-in customizable dashboards that display the performance of all networks, servers and desktops. It's proactive too: it alerts you and ensures that you are the first to know about any issues before they can become real problems. Now, with GoToAssist Remote Support you can provide live or unattended support to any PC, Mac or mobile device from pretty much anywhere, and you can easily keep track of it all from the GoToAssist Service Desk. I highly recommend GoToAssist. With all the traveling that I do, I go to conventions, I'm visiting my family, and I try to take vacations when I can, so I can't always be in my office. Using GoToAssist lets me work from home and on the go, so I don't have to deal with long commutes going through San Francisco traffic, because that's no fun. So you can sign up for your special 30-day free trial today: visit gotoassist.com, click on the "Try It Free" button and use the promo code HAK. That's gotoassist.com and promo code HAK.

And we're back. Now, when you think of port scanning, what programs come to mind? Angry IP Scanner? Nmap? Do you actually think of Netcat? While it's not as advanced as some programs for port scanning, Netcat can perform basic capabilities and can even obfuscate the source of a port scan. Today we'll go over a basic port scan and explain the command. Now, as opposed to file transfers, doing a port scan requires only one computer, which is going to be your client. So you can use this syntax that I'll type into my computer to actually do a port scan with Netcat. So we'll type in nc -v -w 1, and then the IP address, 10.73.31.9 (this is a WiFi Pineapple running in our office), -z, and then 1 through 1000, those are the ports I want to scan, and press Enter. It takes a few seconds, because port scanning is rather slow, and once it's done you can see which ports are open on this WiFi Pineapple. We have a POP3 and an IMAP port open, 995 and 993.

Now let me go ahead and run through the syntax real quick. nc actually opens Netcat. -v is verbose, and in this case it indicates the open ports that the scan uncovers. -w 1 tells Netcat to wait one second between scans to find out if they are actually open or closed, and then the IP address is the target that you want to scan; in this case it's our WiFi Pineapple. -z tells Netcat to operate in zero I/O mode. That zero input/output mode, in this case, speeds up the process of executing the port scan by ignoring any latency baked in by the program to account for delays in the CPU. And then the last part, 1 through 1000, tells Netcat to scan the range of ports from 1 through 1000.

Now, I noticed that only two things it stated are actually open on this. I'm going to try it again, and I'm going to change a couple of things. So instead of doing 1 through 1000, I'm going to choose to scan ports 19 through 25, and I'm going to give it two seconds to scan those instead of just one. Press Enter again and you'll wait a few seconds. OK, so this time we see that adding a couple of seconds helped me in this case. I see that I have SMTP and SSH open on 25 and 22 respectively.

Now, this is only going to target TCP ports, not UDP ports, but if you want to include UDP as well, you can add the -u switch to the actual syntax. You can also include -n, which will bypass the name resolution; it reduces your footprint in the logs. Now, Netcat uses DNS to look up the IP address of a host, but you can also use hostnames as well. It's kind of interesting. Now I want to see you guys try it yourself. Try adding different options to your port scan, and attempt scans on several IP addresses to see what you come up with. We actually found a few surprises when we were doing some example scans earlier in our office. It's pretty fun.

Now, do you use Netcat for port scanning? Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust. And happy holidays!

Chris: ugly Christmas vest, look, you can see through my Christmas tree. Happy holidays. And the Spirit of God can see through my head, look at the Christmas tree.

Video Length: 08:29
Uploaded By: Hak5
View Count: 24,618


Copyright © 2025, Ivertech. All rights reserved.