Port Scan Analysis (1) Common Network Related Commands

Sender: Heway (Tao Tao), News District: Internet_Program Title: Port Scan Analysis (1) Common Network Related Command Send Station: Ethereal Water Cloud (Sun Mar 19 14:47:35 2000), transfer

Source / Author: Oliver is a port of a potential communication channel is a channel invasion. Port scans for target computers can get many useful information. There are many ways to scan, and can be manually scanned or in port scanning software. Be familiar with various commands when scanning is scanned manually. Analyze the output after the command is executed. Many scanner software have the function of analyzing data when scanning with scanning software. Through the port scan, many useful information can be obtained to discover security vulnerabilities in the system. Let's first introduce several common network commands to introduce port scanning principles, and then provide a simple scanner. Several common network related commands ping commands are often used to diagnose TCP / IP networks. Send a packet through the target computer, let it reverse this packet back, if the returned packet and the transmitted packet, that is, your ping command is successful. By this to analyze the returned data, it is possible to determine if the computer is driving, or how much time it takes from sending to returns from sending. One. Several common network related commands 1. The basic format of the command: ping hostname where Hostname is the address of the target computer. Ping has many advanced uses, below is an example.

C:> ping -f hostname This command sends a large amount of data to the target machine, so that the target computer is busy responding. On Windows 95's computer, use the following method: c: / windows / ping -l 65510 saddam_hussein's.computer.mil This is possible, or the target computer may hang up or start from new. Since the -L 65510 produces a huge packet. Since the same packet is required to return, the target computer does not react. On the Linux computer, a program can be written to implement the above method.

#include #include #include #include #include #include #include / ** if Your kernel doesn't Muck with raw packets, #define real_raw. * this is probably online @ this is probly online Fix (x) htons (x) # else # define fix (x) #ENDIFINTMAIN (int Argc, char ** argv) {int S; char buf [1500]; struct ip * ip = (struct IP *) BUF; struct ICMP * ICMP = (Struct ICMP *) (IP 1); struct hostent * hp; struct sockaddr_in dst; int offset; int = 1; Bzero (buf, sizeof buf); if ((s = socket) AF_INET, SOCK_RAW, IPPROTO_IP)) <0) {Perror ("socket"); exit (1);} if (setsockopt (s, ipproto_ip, ip_hdrincl, & on, sizeof (on)) <0) {PERROR ("ip_hdrincl" ); EXIT (1);} if (argc! = 2) {fprintf (stderr, "usage:% s hostname / n", argv [0]); exit (1);} if ((hp = gethostbyname (Argv [1])) == NULL) {IF ((ip-> ip_dst.s_addr = inet_addr (argv [1])) == -1) {FPRINTF (stderr, "% s: unknown host / n", argv [ 1]);}} else {bcopy (hp-> h_addr_list [0], & i P-> ip_dst.s_addr, hp-> h_length;} printf ("sending to% s / n", INET_NTOA (ip-> ip_dst)); IP-> ip_v = 4; ip-> ip_hl = sizeof * ip> > 2; ip-> ip_tos = 0; ip-> ip_len = fixed (sizeof buf); ip-> ip_id = HTONS (4321); IP-> ip_off = fixed (0); IP-> ip_ttl = 255; IP- > ip_p = 1; ip-> ip_sum = 0; / * kernel Fills in * / ip-> ip_src.s_addr = 0; / * kernel Fills in * / dst.sin_addr = ip-> ip_dst; dst.sin_family = af_Inet; ICMP-> ICMP_TYPE = ICMP_ECHO; ICMP-> ICMP_CODE = 0; ICMP-> ICMP_CKSUM = HTONS (~ (iCMP_echo << 8));

/ * The checksum of all 0's is easy to compute * / for (offset = 0; offset <65536; offset = (Sizeof BUF - SIZEOF * IP) {ip-> ip_off = fixed (Offset >> 3); if (Offset <65120) ip-> ip_off | = FIX (ip_mf); elseip-> ip_len = FIX (418); / * make Total 65538 * / if (SENDTO (S, BUF, SIZEOF BUF, 0, (Struct SockAddr * ) & DST, SIZEOF DST) <0) {fprintf (stderr, "offset% D:", OFFSET); PERROR ("Sendto");} if (Offset == 0) {ICMP-> ICMP_TYPE = 0; ICMP-> ICMP_CODE = 0; ICMP-> ICMP_CKSUM = 0;}}} 2.Tracert command is used to track the path walk from a computer to another computer, thanks, from your computer to Zhejiang information supermarket. Under the DOS window, the command is as follows: C: / windows> Tracert 202.96.102.4tracing route to 202.96.102.4 over a maximum of 30 hops1 84 ms 82 MS 95 MS 202.96.101.572 100 ms 100 ms 95 ms 0fa1.1-rtR1- A-HZ1.ZJ.CN.NET [202.96.101.33] 3 95 ms 90 ms 100 ms 202.101.165.14 90 ms 90 ms 90 ms 202.107.197.985 95 ms 90 ms 99 ms 202.96.102.46 90 ms 95 ms 100 ms 202.96. What does these outputs do 102.4trace completion? The number on the left is the number of computers passed by the route. "150 ms" is a round trip time to the computer sent message, and the unit is microseconds. Since each message is different, Tracert will display three times in turn. "*" Said that it is too long, and Tracert will "forget" this time. After the time information arrives, the name information of the computer is here. Starting is a format that is easy to read, followed by a digital format.

C: / Windows> Tracert 152.163.199.56tracing route to dns-aol.ans.net [198.83.210.28] Over a maximum of 30 hops: 1 124 ms 106 ms 105 ms 202.96.101.572 95 ms 95 ms 90 ms 0fa1.1 -rtr1-a-hz1.zj.cn.net [202.96.101.33] 3 100 ms 90 ms 100 ms 202.101.165.14 90 ms 95 ms 95 ms 202.97.18.2415 105 ms 105 ms 100 ms 202.97.18.936 100 ms 99 ms 100 MS 202.97.10.377 135 MS 98 MS 100 MS 202.97.9.788 760 MS 725 MS 768 MS GIP-FTWORTH-4-SERIAL8-3.GIP.NET [204.59.178.53] 9 730 MS 750 MS 715 MS GIP-FTWORTH-4- Serial8-3.gip.net [204.59.178.53] 10 750 MS 785 MS 772 MS 144.232.11.911 740 MS 800 MS 735 MS SL-BB11-PEN-2-0.SPrintlink.Net [144.232.8.158] 12 790 MS 800 MS 735 MS SL-NAP2-PEN-4-0.SPrintLink.Net [144.232.5.66] 13 770 MS 800 MS 800 MS P219.T3.NS.NET [192.157.69.13] 14 775 MS 820 MS 780 MS H14 -1.t60-6.Reston.t3.ns.net [140.223.17.18] 15 780 MS 800 MS 800 MS H11-1.T60-2.Reston.t3.ns.net [140.223.25.34] 16 790 MS 795 MS 800 MS H14-1.t104-0.atlanta.t3.ns.net [140.223.65.18] 17 * h14-1.t104-0.atlanta.t3.ns.net [140.2 23.65.18] Reports: Destination Host Unreachable.trace completion .3.2.RUsers and finger These two are unix commands. With these two commands, you can collect messages about users on the target computer. Using the rusers command, the result is as follows: Gajake Snark.wizard.com :ttyp1 Nov 13 15:42 7:30 (remote) root snark.wizard.com: TTYP2 NOV 13 14:57 7:21 (REMOTE) ROBO SNARK .wizard.com: TTYP3 NOV 15 01:04 01 (transote) Angel111 Snark.wizard.com: TTYP4 NOV14 23:09 (remote) Pippen Snark.wizard.com :ttyp6 Nov 14 15:05 (remote) root Snark.Wizard .com: TTYP5 NOV 13 16:03 7:52 (Remote) Gajake Snark.wizard.com: Ttyp7 Nov 14 20:20 2:59 (REMOTE) DAFR SNARK.WIZARD.com: TTYP15NOV 3 20:09 4:55 ( Remote) DAFR SNARK.WIZARD.COM: TTYP1 NOV 14 06:12 19:12 (remote) DAFR SNARK.WIZARD.COM: TTYP19NOV 14 06:12 19:02 (remote) The leftmost username is remotely logged in.

Also included, the last login time, the Shell type used, and the like. Using Finger can produce similar results: User S00 PPP PPP-122-PM1.Wiza THU NOV 14 21:29:30 - STILL Logged Inuser S15 PPP PPP-119-PM1.Wiza Thu Nov 14 22:16:35 - Still Logged Inuser S04 PPP PPP-121-PM1.Wiza Fri NOV 15 00:03:22 - STILL Logged Inuser S03 PPP PPP-112-PM1.Wiza THU NOV 14 22:20:23 - STILL Logged Inuser S26 PPP PPP-124- PM1.Wiza Fri Nov 15 01:26:49 - Still Logged Inuser S25 PPP PPP-102-PM1.Wiza Thu Nov 14 23:18:00 - STILL LOGGED InUser S17 PPP PPP-115-PM1.Wiza Thu NOV 14 07: 45:00 - Still Logged Inuser S-1 0.0.0.0 Sat Aug 10 15:50:03 - STILL Logged Inuser S23 PPP PPP-103-PM1.Wiza Fri Nov 15 00:13:53 - STILL Logged Inuser S12 PPP PPP- 111-PM1.Wiza WED NOV 13 16:58:12 - Still Logged in this command displays the status of the user. This command is based on the customer / service model. The user requests information to the server through the client software, then explains this information, and is provided to the user. A program called Fingerd is typically run on the server, and some information can be provided to the customer according to the configuration of the server. If you take into account these personal information, it is possible that many servers do not provide this service or only provide some unrelated information. 4.Host Command Host is a UNIX command, which is the same as the standard NSLookup query. The only difference is that the Host command is easier to understand. The hazard of the host command is quite large, and the following example will be used to demonstrate a host query for bu.edu. Host -l -v -t Any bu.edu's execution result of this command is more information, including many data for operating systems, machines, and networks. Look at the basic information: Found 1 addresses for BU.EDUFound 1 addresses for RS0.INTERNIC.NETFound 1 addresses for SOFTWARE.BU.EDUFound 5 addresses for RS.INTERNIC.NETFound 1 addresses for NSEGC.BU.EDUTrying 128.197.27.7bu. edu 86400 IN SOA bU.EDU HOSTMASTER.BU.EDU (961112121; serial (version) 900; refresh period900; retry refresh this often604800; expiration period86400; minimum TTL) bu.edu 86400 IN NS SOFTWARE.BU.EDUbu.edu 86400 IN Ns rs.internic.netbu.edu 86400 in nS NSEGC.BU.EDUBU.EDU 86400 in A 128.197.27.7 These itself is not dangerous, just some machines and their DNS servers. This information can be retrieved in WHOIS or in a registered domain name.

But look at the following line information: bu.edu 86400 in Hinfo Sun-SparcStation-10/41 Unixpp-77-25.bu.edu 86400 in A 128.197.7.237pp-77-25.bu.edu 86400 in Hinfo PPP- Host PPP-SWPPP-77-26.BU.EDU 86400 in A 128.197.7.238pp-77-26.bu.edu 86400 in Hinfo PPP-Host PPP-SWODIE.BU.EDU 86400 in A 128.197.10.52Odie.bu. EDU 86400 in MX 10 cs.bu.eduodie.bu.edu 86400 in Hinfo Dec-alpha-3000 / 300LX OSF1 From here, we immediately found an EDC Alpha running an OSF1 operating system. Taking a look: strauss.bu.edu 86400 in Hinfo Pc-Pentium Dos / WindowsBurullus.bu.edu 86400 in Hinfo Sun-3/50 Unix (OUCH) Georgetown.bu.edu 86400 in Hinfo Macintosh Mac-oscheezwiz.bu.edu 86400 in Hinfo Sgi-Indigo-2 Unixpollux.bu.edu 86400 in Hinfo Sun-4/20-SparcStation-SLC UNIXSFA109-PC201.BU.EDU 86400 in Hinfo PC MS-DOS / WINDUH-PC002-CT.BU.EDU 86400 In hinfo pc-clone ms-dossoftware.bu.edu 86400 in Hinfo Sun-SparcStation-10/30 Unixcabmac.bu.edu 86400 in Hinfo Macintosh Mac-osVidual.bu.edu 86400 in Hinfo SGI-IRIXKIOSK-GB.BU. EDU 86400 in Hinfo Gatorbox GatorwareClarinet.bu.edu 86400 in Hinfo Visual-X-19-Turbo XServerDuncan.bu.edu 86400 in Hinfo Dec-Alpha-3000/400 OSF1MILHOUSE.BU.EDU 86400 in Hinfo VaxStation-II / GPX Unixpsy81-pc150.bu.edu 86400 in Hinfo PC Windows-95buphyc.bu.edu 86400 in Hinfo VAX-4000/300 OpenVMS can be seen by typing a command in the command line, can be collected in a domain Important information for all computers. And only 3 seconds. We use the above useful network commands to collect many useful information, more than the address of the name server in one domain, user name on a computer, what services are running on a server, which software is provided by this service What operating system is running on a computer. If you know the operating system and service application running on the target computer, you can use their vulnerabilities that have been discovered to attack. If the network administrator of the target computer does not patch these vulnerabilities, intruders can easily break into the system, get administrator privileges, and leave the back door. If the intruder gets the username on the target computer, you can use the password crack software, and try to log in to the target computer multiple times. After trying, it is possible to enter the target computer. Get the username, it is equivalent to getting half of the entry permissions, and the remaining only uses software to attack. -

####################################### # 太 太,, ### ############# ※ ############ ※ source:. Ethereal Water Cloud Freecity.dhs.org. [From: heway]