Netcat 101: Port Scanning in Netcat!
Welcome to HakTip -- the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I'm Shannon Morse and today I'm checking out Netcat for port scanning.
First off, let's back it up a bit. I got a question at firstname.lastname@example.org that asked, "What defines the banner?" so I wanted to clarify it a bit. Last week, we discussed banner grabbing with Netcat, which gives you a bit of information about any server or port. In networking terms, banner grabbing gleans information about a system on a network and the services running on its open ports. Admins can use this to take inventory of the systems and services on their network. An intruder, on the other hand, can use banner grabbing to find network hosts that are running services with known exploits. Some service ports commonly used for banner grabbing are those for HTTP, FTP, and SMTP (ports 80, 21, and 25). To prevent exploits, network admins should restrict access to servers and shut down unused or unnecessary services running on network hosts. The banner itself is simply the text embedded in the message that the host sends back during a banner grab.
This week, we are checking out port scanning!
So what is a port? Ports are application-specific or process-specific software constructs that serve as communication endpoints in a host's operating system. A port is associated with the IP address of the host and the type of protocol used for communication. Ports let you uniquely identify the different applications or processes running on a single computer or server, which enables them to share a single physical connection to a packet-switched network like the Internet. Port numbers range from 0 to 65535, with 0 reserved, and typically anything below port 1024 requires root or admin privileges. So if you're running Apache on port 80, you have to have sudo to set it up. Many folks will use port 8080 to set up a server as a quick and dirty way to get around that rule. The protocols that use ports are the Transport Layer protocols, including TCP and UDP (both part of the Internet Protocol Suite).
Some widely used port numbers include 20 & 21 for FTP, 22 for SSH, 80 for HTTP, and 25 for SMTP.
When you think of port scanning, what programs come to mind? Angry IP Scanner, Nmap? Do you think of Netcat? While not as advanced as some dedicated port scanners, Netcat can perform a basic scan and can even obfuscate the source of a port scan. Today we'll go over a basic port scan and explain the command.
As opposed to file transfers, doing a port scan requires only one computer, your client. Use this syntax: nc -v -w 1 -z 10.73.31.9 1-1000. nc opens Netcat. -v is verbose (in this case, it reports the open ports that the scan uncovers). -w 1 tells Netcat to wait one second on each port to find out whether it is open or closed. The IP address is the target that you want to scan. -z tells Netcat to operate in Zero I/O mode. Zero I/O mode, in this case, speeds up the port scan by ignoring any latency baked in by the program to account for delays by the CPU. The last part, 1-1000, tells Netcat to scan the range of ports from 1 to 1000. This only targets TCP ports, not UDP ports; if you want to include UDP as well, add the -u switch. You can also include -n, which bypasses name resolution and reduces your footprint in logs. Netcat uses DNS to resolve a hostname to an IP address, so you can also give it a hostname instead of an IP.
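To make concrete what that nc command actually does on the wire, here is an added example (not from the HakTip episode) in Python: a connect scan that, like -z, completes the TCP handshake and sends nothing, with a per-port timeout playing the role of -w. It is written as an admin's self-inventory check against a constructed local listener, and flags any listening port that is not on an expected-services allowlist. The hostnames, ports and allowlist are assumptions for the demo.

```python
"""Zero-I/O TCP connect scan, the check `nc -v -w 1 -z host 1-1000` performs.
Added example for self-inventory of a host you administer; not the show's code."""
import socket
import threading


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Connect, send nothing (like nc -z), then close: a completed handshake
    means a service is listening. `timeout` plays the role of nc's -w."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, or unreachable
            return False


def scan_range(host: str, first: int, last: int, timeout: float = 1.0) -> list:
    """Scan ports first..last inclusive, like nc's '1-1000' argument."""
    return [p for p in range(first, last + 1) if port_is_open(host, p, timeout)]


def unexpected_services(open_ports, allowlist) -> list:
    """Inventory check: listening ports an admin did not expect (candidates
    to shut down or firewall), sorted for stable reporting."""
    return sorted(set(open_ports) - set(allowlist))


def start_local_listener() -> socket.socket:
    """Constructed sample target: a throwaway server on 127.0.0.1, ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed, stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_local_listener()
    port = srv.getsockname()[1]
    found = scan_range("127.0.0.1", port - 1, port + 1, timeout=0.5)
    print("open:", found)
    print("unexpected:", unexpected_services(found, allowlist=[22, 80]))  # assumed allowlist
    srv.close()
```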
Now, try it yourself! Try adding the different options to your port scan, and attempt scans on several IP addresses to see what you come up with!
Do you use Netcat for port scanning? Send me a comment below or email us at email@example.com. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.