So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps the attacker wants to minimize the footprint.

In my case, the reason I had to come up with a solution to this problem is that I had to simulate an attack in which the attacker had gained access to an Internet-visible web server. From there, I needed to perform a portscan of the backend database server and make sure that only the required ports were visible (a customized MSSQL port in this case). For reasons that are irrelevant to this post, the customer could only give me restricted access (NOT root) to the web server via SSH.

I really didn’t want to download a tool such as nmap and then compile it. In theory, I wouldn’t be able to cause serious damage to the system since I was using a restricted user account. Even then, I always try to be as polite as possible with customers’ environments during security assessments, especially when it’s a production system.

Anyway, my solution to this problem was to write a simple TCP portscanner in bash which wraps the telnet command, present on most Unix/Linux distributions. Literally, all I'm doing is looking for the 'Connected to' message printed by telnet, which tells us that a TCP connection was successfully established (open port). Very vanilla and trivial stuff, as you can see! Nevertheless, I accomplished what I wanted, which is to perform a portscan without having to download any tools and without requiring root privileges.

The following is the short version of our agile hacking TCP portscanner, which you can literally copy and paste into your shell (just change the value of the HOST variable to the IP address of the system you want to scan):

HOST=127.0.0.1;for((port=1;port<=65535;++port));do echo -en "$port ";if echo -en "open $HOST $port\nlogout\nquit\n" | telnet 2>/dev/null | grep 'Connected to' > /dev/null;then echo -en "\n\nport $port/tcp is open\n\n";fi;done

The following is a more elaborate version of our portscanner, which supports scanning either the common ports or all ports. The list of common ports is read from the /etc/services file, which is present on most Unix/Linux systems:

#!/bin/bash

# telnet-based TCP portscanner
# By Adrian 'pagvac' Pastor | www.gnucitizen.org

# delay in seconds between consecutive probes
DELAY=0.001

if [[ $# -ne 2 ]]
then
	echo "usage: $0 <mode> <host>"
	echo -e "modes:\t1 - common TCP ports only"
	echo -e "\t2 - all TCP ports"
	exit 1
fi

if [[ $1 -eq 1 ]]
then
	echo "scanning for the following common TCP ports on $2 ..."
	# build the port list from /etc/services: skip comment lines, keep the
	# "<port>/tcp" entries and print only the port number, sorted numerically
	for port in $(grep -v '^#' /etc/services | awk '$2 ~ /\/tcp$/ { split($2, a, "/"); print a[1] }' | sort -nu)
	do
		echo -en "$port "
		# telnet prints "Connected to ..." once the TCP handshake succeeds;
		# that string is the only thing we look for
		if echo -en "open $2 $port\nlogout\nquit\n" | telnet 2>/dev/null | grep 'Connected to' > /dev/null
		then
			echo -en "\n\nport $port/tcp is open\n\n"
		fi
		sleep $DELAY
	done
	echo -en "\n"
elif [[ $1 -eq 2 ]]
then
	echo "scanning for all TCP ports on $2 ..."
	for((port=1;port<=65535;++port))
	do
		echo -en "$port "
		if echo -en "open $2 $port\nlogout\nquit\n" | telnet 2>/dev/null | grep 'Connected to' > /dev/null
		then
			echo -en "\n\nport $port/tcp is open\n\n"
		fi
		sleep $DELAY
	done
	echo -en "\n"
else
	echo "unknown mode: $1" >&2
	exit 1
fi

Syntax follows:

gnucitizen $ ./telnetps.sh
usage: ./telnetps.sh  <mode> <host>
modes:
        1 - common TCP ports only
        2 - all TCP ports
(Figure: Homegrown Telnet Portscanner)

I realize this is not a very elegant tool, but I hope you can see how it can be useful in certain scenarios!
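The point of the assessment above was to confirm that only the required port is reachable on the database host. As an added example that is not part of the original post, the POSIX shell snippet below takes the scanner's own "port N/tcp is open" lines and checks them against an allow list; the sample scan output and the MSSQL port number 14330 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: compare telnetps.sh output with the
# ports the backend is supposed to expose. The sample output and the MSSQL port
# number (14330) are constructed placeholders.

# Ports that are allowed to be reachable on the database host.
ALLOWED_PORTS="14330"

# Constructed scanner output in the format produced by the script above:
# probed ports separated by spaces, and a "port N/tcp is open" line per hit.
SAMPLE_SCAN_OUTPUT='1 2 3 21 22

port 22/tcp is open

23 24 25 14330

port 14330/tcp is open

14331 14332'

# extract_open_ports: read scanner output on stdin and print the open port
# numbers, one per line, numerically sorted and de-duplicated.
extract_open_ports() {
	sed -n 's#^port \([0-9]\{1,5\}\)/tcp is open$#\1#p' | sort -nu
}

# unexpected_ports ALLOWED: read scanner output on stdin and print every open
# port that is not in the space-separated ALLOWED list. Returns 0 when the
# exposure matches the allow list, 1 when something unexpected is reachable.
unexpected_ports() {
	allowed=$1
	status=0
	for p in $(extract_open_ports); do
		case " $allowed " in
			*" $p "*) ;;                 # expected, nothing to report
			*) echo "$p"; status=1 ;;    # not on the allow list
		esac
	done
	return $status
}

# Demo run on the constructed output: prints a verdict for the reader.
if extra=$(printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | unexpected_ports "$ALLOWED_PORTS"); then
	echo "exposure matches allow list ($ALLOWED_PORTS)"
else
	echo "unexpected open TCP ports:" $extra
fi
```

Feeding the real scanner's output through the same pipeline (`./telnetps.sh 1 <host> | unexpected_ports "$ALLOWED_PORTS"`) turns the scan into a pass/fail check of the firewall policy.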