Portscanning Fun
(A HowDoI*-document)

*I prefer HowDoI instead of Tutorial, because it isn’t a tutorial 😛

When I'm totally bored (which is often) I go take a walk in the park...

but in this case the park is the internet 🙂
Tired of Google, SQL injecting/XSS'ing sites, etc.,
I go looking for fun stuff on the IPs that are not crawled or indexed.
A lot to see, test, exploit, browse, or just people to irritate.

So, what do I use:

– Linux (or Cygwin, a Linux-like environment for Windows; great program, a must for Windows users)
– GeoIPGen (http://code.google.com/p/geoipgen/)
  Download the GeoLite country database (wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz)
  and unpack it in the same directory as GeoIPGen
– Angry IP Scanner (wget http://sourceforge.net/projects/ipscan/files/ipscan3-binary/3.0-beta6/ipscan_3.0-beta6_i386.deb)
  (or the Windows/other version at http://www.angryip.org/w/Download)
– any scan/pentest program you need.

OK then, let's go hunting.
I want IP addresses from the Netherlands only.
It can be any country you want (the database isn't 100% correct,
it's the Lite version, but good enough!)

Let's get a list of IP addresses (-n is the number of IPs):
$ ./geoipgen -n 10000 NL > iplist_10000_NL.lst

(It keeps track of the IP addresses it has already handed out in ~/.geoipgen/, so when you
run it again it won't give you the same ones.)
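The list geoipgen produces is just bare addresses, and a scan of it takes hours, so it pays to clean it first. The script below is an added example and not part of the original post or of geoipgen: it drops malformed lines, private and reserved ranges that end up in a list by accident, and addresses already scanned, which it tracks in its own plain "seen" file (a stand-in for the ~/.geoipgen/ bookkeeping above; the file names, the function names and the sample addresses are assumptions, and the sample uses documentation ranges so that no real host is named). It runs with POSIX sh and awk and needs no network.

```shell
#!/bin/sh
# Added example, not from the original post or from geoipgen.
# prep_iplist <candidates-file> <seen-file>
# Prints the addresses worth scanning, one per line, and appends them to
# <seen-file> so a later run will not emit them again.
prep_iplist() {
    cand="$1"; seen="$2"
    [ -f "$seen" ] || : > "$seen"
    awk -v seenfile="$seen" '
    # Ranges we never want to scan. Deliberately not exhaustive: the IANA
    # documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are left
    # in so the constructed sample below can use them as "public" addresses.
    function bogon(a, b, c) {
        if (a == 0 || a == 10 || a == 127) return 1        # this-net, RFC1918, loopback
        if (a == 169 && b == 254) return 1                 # link-local
        if (a == 172 && b >= 16 && b <= 31) return 1       # 172.16.0.0/12
        if (a == 192 && b == 168) return 1                 # 192.168.0.0/16
        if (a == 100 && b >= 64 && b <= 127) return 1      # CGNAT 100.64.0.0/10
        if (a >= 224) return 1                             # multicast and reserved
        return 0
    }
    BEGIN { while ((getline l < seenfile) > 0) seen[l] = 1; close(seenfile) }
    {
        sub(/#.*/, "")                       # strip comments
        gsub(/^[ \t]+|[ \t]+$/, "")          # trim whitespace
        if ($0 == "") next
        n = split($0, o, ".")
        if (n != 4) next
        ok = 1
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) next
        ip = sprintf("%d.%d.%d.%d", o[1], o[2], o[3], o[4])   # normalises leading zeros
        if (bogon(o[1] + 0, o[2] + 0, o[3] + 0)) next
        if (ip in seen) next                 # scanned earlier, or a duplicate in this list
        seen[ip] = 1
        print ip
        print ip >> seenfile
    }' "$cand"
}

# Constructed sample input (not real scan data): public-looking addresses
# mixed with private/reserved ones, a duplicate, an invalid octet and junk.
sample_candidates() {
    cat <<'EOF'
198.51.100.7
10.1.2.3
198.51.100.7
  203.0.113.42   # trailing comment
192.168.0.1
172.20.5.9
203.0.113.300
224.0.0.251
203.0.113.9
EOF
}

# Runs the filter over the sample, pretending 203.0.113.9 was scanned before.
demo_prep() {
    tmp=$(mktemp -d)
    sample_candidates > "$tmp/cand.lst"
    printf '203.0.113.9\n' > "$tmp/seen.lst"
    prep_iplist "$tmp/cand.lst" "$tmp/seen.lst"
    rm -rf "$tmp"
}

demo_prep
```

Of the nine sample lines only 198.51.100.7 and 203.0.113.42 survive: the private, multicast and invalid ones are dropped, the duplicate is printed once, and 203.0.113.9 is skipped because the seen file already has it. Keep the seen file between runs and the scanner never revisits an address.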

Now start Angry IP Scanner:
$ sudo java -jar ipscan-linux-3.0-git.jar

I change a few options to save some scanning time:

– Delay: 0
– Max number of threads: 200
– Pinging method: ICMP Echo (that's why I use sudo: sending an ICMP echo needs a raw socket.
  Alternatively give the capabilities to the java binary itself; setting them on the jar file
  does nothing, since the kernel only looks at the executable that actually runs, and note that
  this grants them to every Java program on the box:
  sudo setcap cap_net_raw,cap_net_admin=eip $(readlink -f $(which java)))
– Scan dead hosts: checked
– Skip likely broadcast IPs: unchecked
– Adapt timeout: 100 ms
– Port selection: 21,23,80,8080
  You can choose more or other ports, but these are the ones most often open.
  Because of the size of my scans I limit them to these 4;
  adding 110,137,139,443,3306, etc. gives more valuable info
  but takes much, much more time.
  Yesterday I scanned 100,000 IP addresses within a few hours.
– Display: hosts with open ports only
– Select fetchers: I use only Ports, Web detect and Filtered Ports (in this order)

Now I import the IP list,
press Start... and wait, wait, wait ;P
After the scan, export all.

and see a nice fun list to explore:
example (an actual list from my scans, IP addresses left out; don't misuse :P):

Ports   Filtered ports   Web detect
80      23               Boa/0.93.15 (with Intersil Extensions)
23,80   21,8080          Unknown/0.0 UPnP/1.0 GlobespanVirata-EmWeb/R6_1_0
21,80   23,8080          Apache/2.2.21 (Win32) PHP/5.3.6
80      [n/a]            Apache/1.3.33 (Unix) PHP/4.0.6 mod_ssl/2.8.24 OpenSSL/0.9.7g
21,80   [n/a]            thttpd
80      [n/a]            Oracle-Application-Server-10g/ Oracle-HTTP-Server
80      [n/a]            Virata-EmWeb/R6_2_1
21      [n/a]            [n/a]
80      21,23,8080       Microsoft-IIS/6.0
80      21,23,8080       Apache/2.2.16 (Unix) PHP/5.3.3
21,80   [n/a]            Apache/2.2.20 (Ubuntu)
80      [n/a]            Virata-EmWeb/R6_2_1
80      21,23,8080       Microsoft-IIS/6.0
23,80   [n/a]            [n/a]
80      21,23,8080       Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
80      21,23,8080       Apache/2.0.46 (CentOS)
80      [n/a]            Apache/2.0.63 (NETWARE) mod_jk/1.2.23
80      21,23,8080       Microsoft-IIS/6.0
80      21,23,8080       Citrix Web PN Server
80      21,23,8080       Microsoft-IIS/6.0
80      21,23,8080       Apache/2.2.14 (Ubuntu)
80      21,23,8080       Microsoft-IIS/7.5
80      21,23,8080       Microsoft-IIS/6.0
21,80   [n/a]            Apache/2
21      23,80            nginx
21,80   23,8080          Apache
80      21,23,8080       Lotus-Domino
21,80   23,8080          Microsoft-IIS/6.0
80      21,23,8080       Microsoft-IIS/5.0
80      21,23,8080       IBM_HTTP_Server
80      21,23,8080       Apache/2.0.55 (Unix) DAV/2 mod_jk/1.2.6
80      21,23,8080       Microsoft-IIS/6.0
80      21,23,8080       [n/a]
21      23,80,8080       [n/a]
80      21,23,8080       Microsoft-IIS/6.0
80      21,23,8080       Roxen
80      21,23,8080       [n/a]
80      21,23,8080       [n/a]
80      21,23,8080       [n/a]
80      [n/a]            [n/a]
23,80   [n/a]            ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0
23,80   [n/a]            ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0
21      8080             [n/a]
80      23,8080          ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0
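The same scan can be run from the command line with nmap instead of Angry IP Scanner, which matters once the list gets long or the scan has to run on a headless box. This is an added example, not from the original post: the nmap command in the comment mirrors the settings used above (ICMP echo ping, ports 21,23,80,8080, banner grabbing so the web-detect column gets filled), and the awk parser reduces nmap's grepable output to the same three columns as the export above, keeping only hosts with at least one open port. The -oG sample is constructed, the addresses are documentation ranges, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from nmap.
#
# Equivalent of the Angry IP Scanner settings used in the post: ICMP echo
# ping (-PE), ports 21,23,80,8080, no DNS lookups (-n), light service
# detection (-sV --version-light) so the HTTP Server banner shows up, and
# one grepable line per host (-oG). --open is left out on purpose: it would
# hide the filtered ports, and we drop hosts without open ports ourselves.
#
#   sudo nmap -n -PE -p 21,23,80,8080 -sV --version-light \
#        -iL iplist_10000_NL.lst -oG scan.gnmap

# gnmap_to_table <scan.gnmap>
# Prints: ip <TAB> open-ports <TAB> filtered-ports <TAB> web-detect
gnmap_to_table() {
    awk '
    /^Host: / && /Ports: / {
        ip = $2
        line = $0
        sub(/^.*Ports: /, "", line)
        sub(/[ \t]+Ignored State:.*$/, "", line)
        open = ""; filt = ""; web = "[n/a]"
        n = split(line, p, /, /)
        for (j = 1; j <= n; j++) {
            # each entry is port/state/proto/owner/service/rpcinfo/version
            split(p[j], f, "/")
            if (f[2] == "open") {
                open = open (open == "" ? "" : ",") f[1]
                # banner of the first open http-ish port; nmap writes "/"
                # inside version strings as "|" in grepable output
                if (web == "[n/a]" && f[5] ~ /^http/ && f[7] != "") {
                    web = f[7]; gsub(/\|/, "/", web)
                }
            } else if (f[2] == "filtered") {
                filt = filt (filt == "" ? "" : ",") f[1]
            }
        }
        if (open == "") next                 # "hosts with open ports only"
        if (filt == "") filt = "[n/a]"
        printf "%s\t%s\t%s\t%s\n", ip, open, filt, web
    }' "$1"
}

# Constructed sample of nmap -oG output (tab-separated fields), not real
# scan data. The last host has every port closed, so nmap lists no ports.
sample_gnmap() {
    printf '# Nmap scan initiated as: nmap -n -PE -p 21,23,80,8080 -sV -iL iplist_10000_NL.lst -oG scan.gnmap\n'
    printf 'Host: %s ()\tStatus: Up\n' 198.51.100.7
    printf 'Host: %s ()\tPorts: %s\tIgnored State: %s\n' \
        198.51.100.7 '21/filtered/tcp//ftp///, 23/filtered/tcp//telnet///, 80/open/tcp//http//Microsoft IIS httpd 6.0/, 8080/filtered/tcp//http-proxy///' 'closed (0)' \
        203.0.113.42 '21/open/tcp//ftp//vsftpd 2.3.4/, 80/open/tcp//http//Apache httpd 2.2.21 ((Win32) PHP|5.3.6)/' 'closed (2)' \
        203.0.113.77 '23/open/tcp//telnet///, 80/open/tcp//http//Boa HTTPd 0.93.15/' 'filtered (2)'
    printf 'Host: %s ()\tIgnored State: %s\n' 203.0.113.9 'closed (4)'
    printf '# Nmap done\n'
}

# Writes the sample to a temp file and runs the parser over it.
demo_table() {
    tmp=$(mktemp)
    sample_gnmap > "$tmp"
    gnmap_to_table "$tmp"
    rm -f "$tmp"
}

demo_table
```

One caveat when comparing this with the Angry IP Scanner export: nmap folds the most common port state per host into "Ignored State" and does not list those ports individually, so for a host where "filtered" is the ignored state (203.0.113.77 in the sample) the filtered column shows [n/a] even though two ports were filtered. Run with --reason or inspect the normal output if that distinction matters.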

So you see, a lot of neat things to explore:
routers, printers, old HTTP servers, NAS boxes, etc.
Today I even found a web-based climate control system without a password. Grin.
Routers are mostly unsecured: default passwords, simple exploits that bypass the login,
resetting to factory defaults, etc. (I'm actually busy at the moment writing
a router tool that lists all the vulns, advisories, PoCs and exploits per router,
with some scanning and exploit abilities.)
Check the FTP servers for anonymous logins with Metasploit or other scanners,
irritate people by nuking their printers (sending pages, DoSing them or whatever),
watch their security cameras, or try to root them...
Unlimited possibilities.

For a closer look at the systems use nmap, Metasploit, Nessus or Nexpose, or for Windows
users eEye Retina, N-Stalker or Acunetix (Acunetix is handy for exploring routers etc.).
