Comments on: Agile Hacking: A Homegrown Telnet-based Portscanner

By: Bob

Bob — Mon, 06 Feb 2012 16:17:12 +0000

Would this be a correct three-liner to test single port connectivity (say to test for an install prerequisite with same restrictions)?

echo -en "open $HOST $PORT\nlogout\quit" | telnet 2>/dev/null | grep 'Connected to' > /dev/null
CONNECT_ERROR=$?
if[$CONNECT_ERROR]; then echo"no good"

By: Simon Stroh

Simon Stroh — Sat, 11 Jun 2011 21:39:00 +0000

Here's another one. This one is special, because it only uses bash builtins! No programs other than bash shells are called :-)

HOST=127.0.0.1;for p in {0..65535};do((bash -c "(>/dev/tcp/$HOST/$p)" 2> /dev/null && echo open: $p)&read -t0.1;kill $! 2>/dev/null)2>/dev/null;done

By: NOVA

NOVA — Sat, 26 Jul 2008 05:20:05 +0000

This is a script i wrote to demonstrate a sort of bounce technique i use :) its written in python which i am currently in love with :)

import socket
import getpass
import sys
import telnetlib

#Edit these
HOSTA = "78.32.236.185"
PasswordA = "Sch5636$\n"

HOSTB = "82.111.251.241"
PasswordB = "LLUcpe99\n"

HOSTC = "82.108.105.177"
PasswordC = "LLUcpe99\n"

PORT = "23"



#RAS Commands

jmp1 = "ip telnet "+HOSTB+" "+PORT+"\n"
jmp2 = "ip telnet "+HOSTC+" "+PORT+"\n" 

#Connect to 1st router.
tn = telnetlib.Telnet(HOSTA)
print tn.read_until("Password: ") 
tn.write(PasswordA)
print tn.read_until("ras>")
tn.write(jmp1)

#Connect to second router.
print tn.read_until("Password: ")
tn.write(PasswordB)
print tn.read_until("ras>")
tn.write(jmp2)

#Connect to target system.
print tn.read_until("Password: ")
tn.write(PasswordC)
print tn.read_until("ras>")
tn.write(jmp3)

print tn.read_until("Password: ")
tn.write(PasswordC)
print tn.read_until("ras>")

By: Broeisi

Broeisi — Wed, 09 Jul 2008 19:27:05 +0000

Simon Stroh… Your perl script isn’t working.

By: pdp

pdp — Tue, 01 Jul 2008 22:24:40 +0000

nice. this is quite neat actually.

By: Simon Stroh

Simon Stroh — Tue, 01 Jul 2008 18:44:45 +0000

Here's a perl solution I just threw together, thought the ones presented here might be a tad slow when scanning all the ports, so I made this one multithreaded: :-)

#!/usr/bin/perl
use IO::Socket;
@ARGV||die'usage: perl scanner.pl host [number of threads]';
($|,$h,$t)=(1,@ARGV,20);$p=65535/$t;
for$n(1..$t){
        pipe($r[$n],$w[$n]);next if fork;
        print IO::Socket::INET->new(PeerAddr=>$h,PeerPort=>$_)?"Port $_ open\n":''for($p*($n-1)...$p*$n-1);
        print{$w[$n]}'x';exit;
}
read($r[$_],$x,1)for(1..$t);

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Tue, 20 May 2008 00:25:18 +0000

It’s awesome to see so many solutions and implementations for on-the-fly portscanning. This is great guys, keep it coming!

By: maeh

maeh — Mon, 19 May 2008 06:17:49 +0000

Here's a one for windows using netsh that just prints out any open ports it finds.

@ECHO OFF & ECHO start & (FOR /L %p IN (1,1,65535) DO (FOR /F "tokens=*" %a IN ('netsh diag connect iphost 127.0.0.1 %p ^| find /C /I "[NONE]"') DO ( IF %a == 0 echo %p))) & ECHO stop & @ECHO ON

It's rather slow since netsh seems to take quite a while to load, so you might want to narrow down the port range a bit ;>. What I found interesting is the message the "netsh diag connect iphost" command outputs: "Server appears to be running on port(s) [NONE]" which seems to suggest you could enter more than one port to connect to, but I could'nt find out how to do so.

By: macubergeek

macubergeek — Fri, 16 May 2008 18:49:33 +0000

Venom23: nicely done! I particularly like the banner grabbing ;-)

By: Venom23

Venom23 — Fri, 16 May 2008 10:37:52 +0000

Or let's use the wget command to perform the scan ;)

HOST=192.168.178.88;for((port=1;port<=65535;++port));do echo -en "$port ";if wget -F -S -t 1 -T 1 -v -O banner.txt $HOST:$port 2>&1 | grep connected;then echo -en "\n\nport $port/tcp is open\n\n";cat banner.txt;fi;done

wget should also be available on most of the systems. And - the coolest - it does a "banner grabbing" as well. Nice, isn't it?

By: macubergeek

macubergeek — Thu, 15 May 2008 22:48:13 +0000

This is cool. I believe Ed Skoudis has done something similar to this on Windows.... Here is an alternative, though not as polished, using curl... Open ports return this response to our stimulous sorry if line is wrapped:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5242  100  5242    0     0  15489      0 --:--:-- --:--:-- --:--:--     0

close ports look like this:

scanning port 122...

curl: (7) couldn't connect to host

----------script-----------

## portscanner implimented with curl
#!/bin/bash

if [ $# -ne 1 ]; then
    echo 1>&2 "usage: $0  "
    echo 1>&2 "mode 1 = well known ports 1-1024"
    echo 1>&2 "mode 2 = all ports"
    exit 127
fi

case "$1" in
1)
LIMIT=1024
for ((a=1; a  /dev/null > out
  cat out | grep -v "curl: (7) couldn't connect to host"
done;                           
;;
2)
LIMIT=65535
for ((a=1; a  /dev/null > out
  cat out | grep -v "curl: (7) couldn't connect to host"
done;              
;;
esac

By: Shoaib Yousuf

Shoaib Yousuf — Wed, 14 May 2008 11:15:38 +0000

Adrian,

I totally agree. Another great piece of work from you guys. Keep it up!

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Wed, 14 May 2008 08:31:29 +0000

@Venom23: I’m on a Debian-based system now (Ubuntu) which does not support /dev/tcp. However, it looks like your script should work on any systems that support /dev/tcp. Thanks for your solution to this problem!

Any other ideas guys? Any default clients with TCP capabilities (i.e. ftp) is a good candidate for a homegrown port-scanner which doesn’t require root privileges to be run. Also, as Sandro mentioned, using any commonly-supported scripting environments such as Perl is another good candidate.

By: Wikipeando » Port Scanner con Perl

Wikipeando » Port Scanner con Perl — Tue, 13 May 2008 01:16:43 +0000

[...] el sitio http://www.gnucitizen.org/blog.....ortscanner me encontre con un script realizado en perl el cual tiene objetivo mediante el uso del modulo [...]

By: Venom23

Venom23 — Mon, 12 May 2008 22:55:07 +0000

Ok, again. Try this code. Does the same without telnet. It is still buggy but works.

HOST=127.0.0.1;for((port=1;port<=65535;++port));do echo -en "$port ";if exec 5<>/dev/tcp/$HOST/$port 2>/dev/null;then echo -en "\n\nport $port/tcp is open\n\n";fi;done

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Mon, 12 May 2008 20:52:13 +0000

I’ll repeat it again in case it wasn’t clear: my proposed homegrown port-scanner relies on the ‘telnet’ *CLIENT* (NOT server), which again is present on most Unix/Linux systems.

@Shoaib: I’ve never seen this specific implementation (telnet parser) of a portscanner in the public, but of course I’m not so naive to think this hasn’t been done before! ;) All in all, this is just another trick of the trade which fits the Agile Hacking book project quite nicely IMHO.

By: Information Security Bits for May 12th, 2008 « Infosec Ramblings

Information Security Bits for May 12th, 2008 « Infosec Ramblings — Mon, 12 May 2008 18:13:59 +0000

[...] great post by GNUCITIZEN on using plain old telnet and bash to perform portscans. Cool [...]

By: Shoaib Yousuf

Shoaib Yousuf — Mon, 12 May 2008 04:08:45 +0000

Its more then 5 years old….Good to see refresh version of it by Adrian.

This is really worth using it if you are performing audit in restrictive mode and you see telnet option is available…Bingo!!

By: Johann

Johann — Sun, 11 May 2008 22:16:40 +0000

@mindcorrosive: Yes, telnet as a service, but this is using the telnet client. Not all sysadmins remove the telnet client.

By: Sandro Gauci

Sandro Gauci — Sun, 11 May 2008 11:55:36 +0000

@pagvac: the more tricks the merrier :) re the book – that sounds great. looking forward to that

@mindcorrosive: the post refers to telnet the client rather than the daemon/server/service