RE: Simple Scan

["Paris E. Stone" <pstone () alhurra com>]

ICMP operates at a higher level?

Your analogy is good, except that ICMP is a layer 3 protocol, TCP & UDP
are layer 4 protocols.



~~~~~
Paris E. Stone, "Linux Zealot"
CISSP, CCNP, CNE, MCSE
~~~~~
The only thing necessary for the triumph of evil,
is for good men to do nothing.
- Edmund Burke
 
-----Original Message-----
From: Burton Strauss [mailto:BStrauss3 () comcast net] 
Sent: Friday, February 18, 2005 8:11 AM
To: security-basics () securityfocus com
Subject: RE: Simple Scan

ping (icmp protocol) != information about a particular port.

The icmp protocol operates at a higher level than a specific tcp or udp
port.  Think of ICMP as a scooter, udp as a sports car and tcp as a SUV.
They all get information to/from places but payloads and overheads are
different.  Just because a scooter gets somewhere doesn't mean that
there is
a parking spot for an SUV.

To probe something that specific, you need to craft some code that
attempts
to connect - using the right protocol (tcp or udp) and the right parking
space (port).  Luckily there are many tools that already do this -
perhaps
the easiest to come by across a wide range of platforms is nmap
(http://www.insecure.org/nmap/)

Read the nmap man page - it has lots of choices, but these probably will
be
what you want:

       -PT [portlist]
              Use TCP "ping" to determine what hosts are up.  Instead of
sending ICMP echo request  packets  and  waiting  for  a
              response,  we  spew  out  TCP  ACK packets throughout the
target network (or to a single machine) and then wait for
              responses to trickle back.  Hosts that are up should
respond
with a RST.  This option preserves the  efficiency  of
              only  scanning  hosts that are up while still allowing you
to
scan networks/hosts that block ping packets.  For non
              root users, we use connect().  To set the destination
ports of
the probe packets use -PT<port1>[,port2][...].   The
              default  port is 80, since this port is often not filtered
out.  Note that this option now accepts multiple, comma-
              separated port numbers.

       -PS [portlist]
              This option uses SYN (connection request) packets instead
of
ACK packets for root users.  Hosts that are up  should
              respond with a RST (or, rarely, a SYN|ACK).  You can set
the
destination ports in the same manner as -PT above.

       -PU [portlist]
              This  option  sends UDP probes to the specified hosts,
expecting an ICMP port unreachable packet (or possibly a UDP
              response if the port is open) if the host is up.  Since
many
UDP services won't reply to an empty packet, your best
              bet might be to send this to expected-closed ports rather
than
open ones.


-----Burton

-----Original Message-----
From: Paul Selibas [mailto:gotiex () yahoo com] 
Sent: Wednesday, February 16, 2005 1:14 AM
To: security-basics () securityfocus com
Subject: Simple Scan

 Greetings all...
  
 I am looking for a way to check which hosts are up  and have port 3321
open
on my network. But i dont  want to ping, is there no way of just probing
port
 3321 and reporting back if it is open or not?
  
 Many Thanks
 



                
__________________________________
Do you Yahoo!? 
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250