Scanning Networks: The Complete Documentation
- This category contains 23 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Art of Port Scanning (The)
Published on 1997-09-01, by Fyodor, ©Phrack Magazine.
This paper details many of the techniques used to determine what ports (or similar protocol abstraction) of a host are listening for connections. These ports represent potential communication channels. Mapping their existence facilitates the exchange of information with the host, and thus it is quite useful for anyone wishing to explore their networked environment, including hackers. Despite what you have heard from the media, the Internet is NOT all about TCP port 80. Anyone who relies exclusively on the WWW for information gathering is likely to gain the same level of proficiency as your average AOLer, who does the same. This paper is also meant to serve as an introduction to and ancillary documentation for a coding project I have been working on. It is a full featured, robust port scanner which (I hope) solves some of the problems I have encountered when dealing with other scanners and when working to scan massive networks.
File infos:
- L0T3K ID: docs-886
- status: online
- source: www.insecure.org
Camouflaging Nmap Scans
Published on July 17, 2003, by Whistler, ©HackinTheBox.
I like to hide my tracks whenever I am in the mood for a little snooping, or at least make it a little less obvious so I don't have to go through the bother of reapplying for another ISP account. Not as though it has ever happened before in this part of the world! Some of us possess that little nagging fear every time we fire up a port scanner and some of us are numb to any sensation what so ever. To those of you who suffer from bouts of emotional distress, I will show you in this article how nmap can be used to help camouflage your scans.
File infos:
- L0T3K ID: docs-330
- status: online
- source: www.hackinthebox.org
Coding a TCP Connect Port Scanner: Step by Step
Published on 2003, by modular, ©truncode security development.
This paper is the first in a series of simple tutorials that expand on developing basic security tools. The reader is assumed to have basic C programming skills and has TCP/IP familiarity.
File infos:
- L0T3K ID: docs-345
- status: online
- source: www.truncode.org
Coding a TCP Connect Port Scanner: Using Input Files
Published on 2003, by modular, ©truncode security development.
This paper assumes the reader has read truncode.org's paper, Coding a TCP Connect Port Scanner: Step by Step or already has basic TCP/IP socket programming skills. This paper is intended to build upon the paper, Coding a TCP Connect Port Scanner: Step by Step.
File infos:
- L0T3K ID: docs-346
- status: online
- source: www.truncode.org
Coding a TCP Connect Port Scanner: Using VLSM
Published on 2003, by modular, ©truncode security development.
This paper assumes the reader has read and understood the first two papers in this series or has basic C and BSD socket programming skills. Intermediate knowledge of IP addressing and subnetting is also assumed.
File infos:
- L0T3K ID: docs-347
- status: online
- source: www.truncode.org
Designing and Attacking Port Scan Detection Tools
Published on , by solar designer, ©Phrack Magazine.
The purpose of this article is to show potential problems with intrusion detection systems (IDS), concentrating on one simple attack: port scans. This lets me cover all components of such a simplified IDS. Also, unlike the great SNI paper (http://www.secnet.com/papers/IDS.PS), this article is not limited to network-based tools. In fact, the simple and hopefully reliable example port scan detection tool ("scanlogd") that you'll find at the end is host-based.
File infos:
- L0T3K ID: docs-887
- status: online
- source: www.phrack.org
Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
Published on 2006, by SPI Labs, ©SPI Dynamics.
Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours.
File infos:
- L0T3K ID: docs-1889
- status: online
- source: www.spidynamics.com
Detection and Characterization of Port Scan Attacks
Published on , by Cynthia Bailey Lee, Chris Roedel, Elena Silenok, ©University of California.
Port scans represent a sizable portion of today's Internet traffic. However, there has been little research characterizing port scan activity. The goal of this project is to analyze sample network traces to discover and classify properties of port scans. We hope that this work will help to generate better network intrusion detection systems and increase general network security.
File infos:
- L0T3K ID: docs-372
- status: online
- source: www.cs.ucsd.edu
Examining Port Scan Methods - Analysing Audible Techniques
Published on , by dety.
I will attempt to enumerate a variety of ways to discover and map internal/external networks using signature-based packet replies and known protocol responses when scanning. Specifically, this document presents all known techniques used to determine open/closed ports on a host and ways an attacker may identify the network services running on arbitrary servers.
File infos:
- L0T3K ID: docs-395
- status: online
- source:
Host Discovery with nmap
Published on 2002-11-01, by Mark Wolfgang, ©Mark Wolfgang.
As a Computer Security Engineer that regularly conducts external penetration tests, a recurring challenge seems to arise when assessing organizations with a large allocation of IP address space. What does one do when faced with multiple class B's, a few class C's, and a limited amount of time? Do you stick all of the address space in your favorite scanner and hit the Go button, wait till it's done and hope the results are accurate? How can you be sure that your scanner found all the hosts that are accessible? Do you even know the method your scanner uses to discover which hosts are alive?
File infos:
- L0T3K ID: docs-888
- status: online
- source:
Idle Scanning and related IPID games
Published on 2001, by Fyodor, ©insecure.org.
Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique. Idlescan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb "zombie" host. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits mapping out IP-based trust relationships between machines.
File infos:
- L0T3K ID: docs-450
- status: online
- source: www.insecure.org
Learning with nmap
Published on July 2001, by Danilo Lujambio, ©Danilo Lujambio.
Why are scanners so important for the security of networks? Basically because they are essential tools for those who want to attack a system.
File infos:
- L0T3K ID: docs-490
- status: online
- source: www.linuxfocus.org
Malicious Scanning
Published on 2001-03-21, by Kathryn Kerr, ©SANS Institute.
Malicious scanning is a reconnaissance technique used to collect information about a target's machine or network to facilitate an attack against it. Scanning is used by attackers to discover what ports are open, what services are running and identify system software, all to enable an attacker to more easily detect and exploit known vulnerabilities within a target machine. This article explains how scanning works, describes different scanning techniques and the extent to which scanning can be detected and stopped. Although this article focuses on malicious scanning, it is important to note that many probes occur quite legitimately as part of normal TCP/IP activity.
File infos:
- L0T3K ID: docs-891
- status: online
- source: www.giac.org
Network Scanning Techniques
Published on 1999-11-01, by Ofir Arkin, ©Sys-Security.com.
Imagine the following scenario: A military target is to be attacked. What's the first step considered? Gathering Intelligence, naturally. To do so, a satellite will photo the target zone and a special recon unit will patrol the area with maximum caution to eliminate the possibility of detection. After enough information has been gathered, a wing of stealth bombers will bomb the target. Mission accomplished.
File infos:
- L0T3K ID: docs-885
- status: online
- source: www.sys-security.com
Network Server Monitoring With Nmap
Published on 2005-07-18, by Pax Dickinson, ©Guardian Digital, Inc.
Portscanning, for the uninitiated, involves sending connection requests to a remote host to determine what ports are open for connections and possibly what services they are exporting. Portscanning is the first step a hacker will take when attempting to penetrate your system, so you should be preemptively scanning your own servers and networks to discover vulnerabilities before someone unfriendly gets there first.
File infos:
- L0T3K ID: docs-1708
- status: online
- source: www.linuxsecurity.com
NMAP Grepable Output
Published on 2003-12-24, by MadHat, ©MadHat.
One of the often overlooked and underused output methods of nmap is the grepable or "machine" output. This output places all results for a single host on a single line, making it easier to use with other command line tools, like grep and awk. It also makes it easier to use when scripting.
File infos:
- L0T3K ID: docs-530
- status: online
- source:
Nmap Version Detection Rocks
Published on October 06, 2003, by Brian Hatch, ©Brian Hatch.
The newest version of Nmap can fingerprint the protocol and software versions that it discovers, giving you a more accurate picture of your network.
File infos:
- L0T3K ID: docs-749
- status: online
- source: www.hackinglinuxexposed.com
Nmap Version Scanning
Published on 2003-09-06, by Fyodor, ©Fyodor.
While Nmap does many things (remote OS detection via TCP/IP fingerprinting, ping sweeps, uptime calculation, protocol scans, etc.), its raison d'être has always been port scanning. Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of more than 2,200 "well-known" services, Nmap would explain that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate; the vast majority of daemons listening on port 25 are, in fact, mail servers. But you shouldn't bet your security on this! People can and do run services on strange ports. Perhaps their main web server was already on port 80, so they picked a different port for a staging/test server. Maybe they think hiding a vulnerable service on some obscure port will prevent "evil hackers" from finding it. Even more common lately is that people are choosing ports based not on the service they want to run but based on what will get through the firewall. When ISPs blocked port 80 after major Microsoft IIS worms CodeRed and Nimda, hordes of users responded by moving their personal web servers to different ports. When companies block telnet access due to its horrific security risks, I have seen users simply run telnetd on the secure shell (SSH) port instead.
File infos:
- L0T3K ID: docs-531
- status: online
- source:
NMAP: Decoy Analysis
Published on April 05, 1999, by Max Vision, ©Whitehats, Inc.
This page is for anyone who cares to see the details behind an NMAP scan with the -D decoy option set.
File infos:
- L0T3K ID: docs-532
- status: online
- source: www.whitehats.com
Scanning and Defending Networks with Nmap
Published on June 27, 2002, by Rich Jankowski, ©Guardian Digital, Inc..
This week's article by Rich Jankowski discusses nmap, a very popular tool used to probe hosts to determine what services are available. This process may sometimes be used as a precursor to an attack on your systems.
File infos:
- L0T3K ID: docs-589
- status: online
- source: www.linuxsecurity.com
Scanning Networks
Published on June 08, 2003, by Krishna, ©eBCVG Network.
Scanning helps one to know what services are running on a machine. This will show the open ports on which services are listening for connections.
File infos:
- L0T3K ID: docs-590
- status: online
- source: www.ebcvg.com
Using python and AOL IM to create nmap bot
Published on 2004-10-10, by abeusher, ©abeusher.
I recently came across some code (a software agent by some definitions) written by Duncan Gough that caught my attention. Duncan created an application named "GrokItBot" that synthesizes code from several Python modules to create an AOL Instant Messenger bot that can learn appropriate responses to conversation using some simple Bayesian algorithms. Why is this interesting? Read on...
File infos:
- L0T3K ID: docs-1204
- status: offline
- source: www.sharp-ideas.net
What is nmap and what can it do?
Published on 2003, by John Green, ©SANS Institute.
Nmap was the source of strange new scan patterns that started being detected by the SHADOW ID Systems located throughout the Internet.
File infos:
- L0T3K ID: docs-674
- status: online
- source: www.sans.org
Created: 2004-12-08 03:09 | Modified: 2007-03-26 00:16 | Size: 57801 octets