How to portscan a Class B effectively

From: RT (roelof@sensepost.com)
Date: Mon Jun 03 2002 - 16:35:32 EDT


Yeah...

It's no fun nmapping a class B network. Here is how I do it:

1) Let's assume you find your class B network from a whois query, and let's
assume the net is located on the Internet. It might be that only a few class C
networks within the large block are actually routed. I include a simple but
effective PERL script that is fed an IP number and responds if it's routed, and
what block is routed - see at the end. Obviously you are only interested in
the routed blocks - makes no sense hitting your head against an unrouted
network. Please don't use this script for every IP in the block - do it once
only..(or once per class C)..:)

2a) If ICMP is allowed in you're in luck. Use nmap with -sP (ping only) and -PI
(only ICMP - else it will probe on port 80 as well and it takes time). If not:

2b) Superscan (windoze) does a very good job of quickly looking for open ports.
Limit your port list to common ports - e.g. 21,22,23,25,53,80,443,1080.
Superscan is nice and fast, but it does not give additional information such as
if the port is closed, open, or filtered. Nmap is the better scanner for more
detailed information, or when you want to use more advanced scanning
techniques - for now we just want open common ports.

4) Sometimes you will see that the admin screwed up and for instance port 53
is open to all machines (an old FW1 config error). If so, limit the ports only
to 53 (why scan the rest at this stage?) and see which responds as closed
(you'll need Nmap for this). Another config error regularly found in stateless
firewalls is source port 20 allowed to high ports. Use nmap with the -g and -sS
(SYN scan) option here; set the source port to 20 and hit a high (>1024) port.
You can easily test with hping for such errors (or use nc -n -p 20 -v target
2000).

5) Once you know which machines are alive you want to use a proper nmap scan
on these. Use the -iL option to import the list of IPs found alive in the
previous steps, and let rip.

'later,
Roelof.

Here's the PERL script:

------cut here------
#!/usr/bin/perl
# Usage : blah.pl <IP number>
# Typically:
#
# > routedornot 196.30.67.100
# Network is routed. Block is [196.30.0.0/16]
#
# > routedornot 10.0.0.1
# Network appears to be non-routed
#
# Roelof Temmingh (roelof@sensepost.com)
# SensePost (http://www.sensepost.com)
# 2001.09

use strict;
use warnings;
use Socket;

my $range = $ARGV[0] or die("Usage: $0 <IP number>\n");

# Public BGP looking glass, queried over plain HTTP. Only the
# "BGP routing table entry for" line of the reply is parsed.
my $host       = "nitrous.digex.net";
my $port       = 80;
my $target     = inet_aton($host) || die("Cannot resolve $host\n");
my $urlthingy  = "/cgi-bin/looking_glass.pl";
my $poststring = "GLASS_ID=1&query=bgp&addr=$range";
my $plength    = length($poststring);

my $tosend = <<"EOT";
POST $urlthingy HTTP/1.0
Content-Length: $plength
Connection: Keep-Alive
User-Agent: SensePostData
Referer: http://nitrous.digex.net/mae/mae-lg.html
Content-Type: application/x-www-form-urlencoded

$poststring

EOT

$tosend =~ s/\n/\r\n/g;

# The looking glass answers with "VTY" when its router session is busy;
# retry (with a short pause) until a real answer comes back.
my $flag = 0;
while (1) {
    my @results = sendraw($tosend);
    my $busy = 0;
    foreach my $line (@results) {
        if ($line =~ /BGP routing table entry for/) {
            my ($duh, $yeah) = split(/BGP routing table entry for/, $line);
            my ($real, $poef) = split(/\,/, $yeah);
            $real =~ s/ //g;
            print "Network is routed. Block is [$real]\n";
            $flag = 1;
        }
        if ($line =~ /VTY/) { print "Busy\n"; $busy = 1; last; }
    }
    last unless $busy;
    sleep 1;
}
if ($flag == 0) { print "Network appears to be non-routed\n"; }

# Open a TCP connection to the looking glass, send the raw request and
# return every line of the reply (headers and body). The answer we need is
# in the body, so the whole response is read rather than stopping at the
# blank line that ends the headers.
sub sendraw {
    my ($pstr) = @_;
    socket(my $s, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    connect($s, sockaddr_in($port, $target)) || die("connect problems\n");
    my $old = select($s); $| = 1; select($old);   # unbuffered writes on the socket
    print $s $pstr;
    my @in;
    while (<$s>) { push @in, $_; }
    close($s);
    return @in;
}

------------------------------------------------------
Roelof W Temmingh SensePost IT security
roelof@sensepost.com +27 83 448 6996
http://www.sensepost.com http://www.hackrack.com
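The other side of the picture: this is what steps 2b and 4 of the post look like in the logs of the network being scanned. The script below is an added example for this archive page, not Roelof's code. It assumes iptables-style LOG lines (SRC=, DST=, PROTO=, SPT=, DPT= fields followed by TCP flag tokens such as SYN and ACK) and uses the common-port list quoted in the post; the sample log lines are constructed, as are the addresses in them. It flags one source SYN-probing several hosts on the common ports (the Superscan/nmap sweep) and SYNs from source port 20 to high ports (the stateless-firewall hole), and it handles the obvious false positive: an active-mode FTP data connection is exactly that packet, so the alert is suppressed when the same client is seen opening a control connection to port 21 on that server.

```python
"""Flag the sweep and source-port-20 patterns from the post in firewall logs.

Added example, not part of the original post. Assumes iptables LOG line
format and constructed sample data.
"""
import re
from collections import defaultdict

# Common ports the post suggests limiting a first pass to.
COMMON_PORTS = {21, 22, 23, 25, 53, 80, 443, 1080}

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one iptables LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")),
        "dpt": int(m.group("dpt")),
        # A bare SYN (no ACK) is a fresh connection attempt, i.e. a probe.
        "syn_only": bool(re.search(r"\bSYN\b", rest))
        and not re.search(r"\bACK\b", rest),
    }


def detect_sweeps(events, min_hosts=3):
    """Sources that SYN-probe >= min_hosts distinct hosts on the common ports."""
    hosts = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["syn_only"] and e["dpt"] in COMMON_PORTS:
            hosts[e["src"]].add(e["dst"])
    return {src: sorted(d) for src, d in hosts.items() if len(d) >= min_hosts}


def detect_source_port_20(events):
    """SYNs from source port 20 to ports above 1024 (the stateless FW hole).

    Active-mode FTP legitimately produces the same packet: the server opens
    the data connection from port 20 back to a high port on the client. So
    the alert is suppressed when the log also shows that client opening a
    control connection (DPT=21) to that server.
    """
    ftp_control = {(e["src"], e["dst"]) for e in events
                   if e["proto"] == "TCP" and e["syn_only"] and e["dpt"] == 21}
    hits = []
    for e in events:
        if e["proto"] == "TCP" and e["syn_only"] and e["spt"] == 20 and e["dpt"] > 1024:
            if (e["dst"], e["src"]) in ftp_control:
                continue  # (client, server) control session seen: active FTP
            hits.append((e["src"], e["dst"], e["dpt"]))
    return hits


def analyze(lines):
    """Run both detectors over raw log lines; non-LOG lines are skipped."""
    events = [e for e in map(parse_line, lines) if e]
    return {"sweeps": detect_sweeps(events),
            "spt20_probes": detect_source_port_20(events)}


# Constructed sample log: one host sweeping four machines on common ports,
# one bogus source-port-20 probe, one legitimate active-FTP data connection
# (preceded by its control connection), a non-SYN packet and a non-LOG line.
SAMPLE_LOG = [
    "Jun  3 16:35:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun  3 16:35:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=44 TTL=52 PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun  3 16:35:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=44 TTL=52 PROTO=TCP SPT=54323 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun  3 16:35:41 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 LEN=44 TTL=52 PROTO=TCP SPT=54324 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun  3 16:35:50 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=44 TTL=52 PROTO=TCP SPT=20 DPT=2000 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun  3 16:36:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  3 16:36:03 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=55 PROTO=TCP SPT=20 DPT=40002 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  3 16:36:04 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TTL=55 PROTO=TCP SPT=80 DPT=40003 WINDOW=29200 RES=0x00 ACK URGP=0",
    "Jun  3 16:36:10 fw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, targets in report["sweeps"].items():
        print(f"sweep from {src}: {len(targets)} hosts on common ports")
    for src, dst, dpt in report["spt20_probes"]:
        print(f"source-port-20 SYN from {src} to {dst}:{dpt}")
```

The suppression is deliberately narrow: it requires the control connection to appear in the same log window, so a long-lived FTP session whose login scrolled out of the file will still alert. That is the right failure direction for a detector of a firewall misconfiguration, and the alert itself is the cue to replace a stateless "source port 20 to high ports" rule with connection tracking.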

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT