Friday, November 7, 2008

Script To Blind Test Local Ports On Linux And Unix

Hey there,

It's been a while since we touched on network port-knocking, like we did back in December in our post on non-maliciously scanning for open network ports. And, in all that time, we've gotten sidetracked so many different ways we're just now getting around to addressing the complement to mass-querying network ports on other hosts in our network (hosts run by folks who, of course, don't mind if we query all of their machine's ports :) Today, we're going to take a look at simply and quickly getting as much dirty information about open ports on your own localhost as possible (By localhost, we mean, the server you're currently logged into and by dirty, we mean "not necessarily useful, but, probably, interesting and, maybe, useful" ;)

This intro-to-the-weekend script is pretty short and sweet. It doesn't require that you be able to do anything other than execute it (and run telnet) on your local system (from it, directly to it, which shouldn't be a security concern) and also doesn't accept any arguments (Technically, it will accept them. Then it will passively ignore them :) It can be run very simply from the command line as:

host # ./ <-- Or whatever you decide to rename it

We've elected to have our port scan start at 80 (the traditional http server port), pick up every higher listening port on the localhost as well, and query all of them as if they were http servers by sending a simple HTTP/1.0 GET request. As a blanket request to any number of known, and unknown, ports, it's not always the best way to interrogate, but it does get lots of useful information from any sort of web server and a few other sorts of servers as well. The only thing you have to settle down and be comfortable with is the fact that, a lot of the time, you can find out just as much about what's running on a particular port by reading the error message you receive from a bogus query as you can from reading the result of a successful one.

As a "for instance," here's one such error message we received on a trial run:

Testing on port 32848... HTTP/1.1 404 Not Found
server: BBC 05.20.050; com.hp.ov.ctrl.ovcd
Connection closed by foreign host.

Even though the HTTP/1.0 GET request failed, we got enough information from the service resident on that port to figure out that it is, in fact, HP OpenView!

Have fun with this one, but please quit using it if your boss, or a member of your security team, complains. It might be fun, but it's not that much fun ;)


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

#!/bin/bash
# - Test those ports. This is not a drill ;)
# 2008 - Mike Golvach -
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
netstat -an|awk '{ if ( $NF ~ /LISTEN/ ) print $4}'|awk -F":" '{ if ( NF == 2 ) print $1 " " $2}'|while read ip port
do
	# This branch's body is missing from the page; skipping an empty address is an assumption
	if [ "$ip" = "" ]; then
		continue
	fi
	if [ "$port" -gt 79 ]; then
		echo -n "Testing $ip on port $port... "
		# Send a bare HTTP/1.0 GET and keep only the status and Server lines
		(echo "GET / HTTP/1.0";echo;sleep 3)|telnet "$ip" "$port"|egrep -i 'server|http'
	else
		echo "skipping port $port"
	fi
done
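
The port-listing and reply-reading steps of the script, as an added example that is not part of the original post: it splits each netstat address on its last colon so IPv6 listeners are kept, and reduces a reply to its status code and Server header. The function names, the loopback mapping for wildcard binds and the netstat sample are assumptions constructed for illustration; the sample reply is the one quoted in the post.

```shell
#!/bin/sh
# Added example, not the original script. SAMPLE_NETSTAT is constructed;
# SAMPLE_REPLY repeats the HP OpenView reply quoted in the post.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:32848          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN'
SAMPLE_REPLY='HTTP/1.1 404 Not Found
server: BBC 05.20.050; com.hp.ov.ctrl.ovcd'

# listeners [min_port]: netstat -an text on stdin -> "ip port" per TCP LISTEN
# socket at or above min_port (default 80). Splitting on the LAST colon keeps
# IPv6 binds such as ":::8080" and "[::]:443".
listeners() {
    awk -v min="${1:-80}" '
        $1 ~ /^tcp/ && $NF == "LISTEN" && match($4, /:[0-9]+$/) {
            ip = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1) + 0
            gsub(/[][]/, "", ip)
            # Assumption: wildcard binds are probed through loopback
            if (ip == "0.0.0.0") ip = "127.0.0.1"
            if (ip == "::") ip = "::1"
            if (port >= min && !seen[ip " " port]++) print ip, port
        }'
}

# banner: raw reply on stdin -> "status<TAB>server", "-" for a missing field.
# Only header lines count, so a "Server:" string in the body is ignored.
banner() {
    tr -d '\r' | awk '
        status == "" && /^HTTP\/[0-9.]+ [0-9]+/ { status = $2; next }
        status != "" && /^$/ { body = 1 }
        status != "" && !body && server == "" && tolower($0) ~ /^server:/ {
            sub(/^[^:]*:[ \t]*/, ""); server = $0
        }
        END { printf "%s\t%s\n", (status != "" ? status : "-"), (server != "" ? server : "-") }'
}

# scan [min_port]: the live loop; needs netstat and telnet like the original.
scan() {
    netstat -an | listeners "$@" | while read -r ip port
    do
        printf 'Testing %s on port %s... ' "$ip" "$port"
        (printf 'GET / HTTP/1.0\r\n\r\n'; sleep 3) |
            telnet "$ip" "$port" 2>/dev/null | banner
    done
}
case "${1:-}" in scan) shift; scan "$@" ;; esac  # live run only when asked
```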

, Mike
