Scan From Inside A Firewalled Host

#1 User is offline   Fareway 

  • Private First Class
  • Group: Members
  • Posts: 47
  • Joined: 20-December 03

Posted 15 August 2004 - 01:32 PM

Hi guys,

I was just thinking about an opportunity to scan from inside a firewalled host for ports which are allowed to connect from the outside but are not occupied by a daemon. Sometimes firewalls are badly configured so that some ports are still allowed in both directions but the program which should use them is uninstalled or not active.

Mostly I used nmap to scan the host from outside, but I can only find those ports which are used by programs.
0

#2 User is offline   TRi 

  • Corporal
  • Group: Members
  • Posts: 155
  • Joined: 06-March 04

Posted 15 August 2004 - 02:05 PM

I know this problem, always wondered if there is something comfortable for this, but I was always too lazy to find something.

From the inside I'm not really sure how to do it, but from the outside:
Did you ever try to connect with any kind of client (browser, ftp, etc.) to a specific port? Usually when the port gives you a timeout it's filtered by a firewall; if it gets you refused, it means either it's an open port or you have to deal with a badly configured (or badly port-stealthing) firewall.

Hope that helps you a bit..
0

#3 User is offline   Fareway 

  • Private First Class
  • Group: Members
  • Posts: 47
  • Joined: 20-December 03

Posted 15 August 2004 - 02:23 PM

TRi, you're absolutely right, I always search for easy methods because that's what saves a lot of time. However, I heard of a tool which does the trick from inside. I was wondering if anybody knows a bit more about such a method.
0

#4 User is offline   brOmstar 

  • Sergeant First Class
  • Group: Members
  • Posts: 353
  • Joined: 12-January 04

Posted 15 August 2004 - 04:08 PM

Is it possible to bind a range of x ports in a little cmdline-program?

Because when this is possible we can create a proggie which binds every unused port, and when a connection is made it simply logs the connection. After a portscan we should have any open port on the box.

Is somebody interested in creating something like this, or can give me some info on how this can be done? I tried something, but I need the info on how I can open more than one port at one time.
0

#5 User is offline   Terminal 

  • Master Sergeant
  • Group: Specialist
  • Posts: 536
  • Joined: 21-February 04

Posted 16 August 2004 - 12:10 AM

Yeah man, this is a prob. I am not able to ping even any website. My ISP is blocking them so I can't scan outer ranges :( . In between, for some days I was getting replies when I pinged websites, but now it's blocked again :(
0

#6 User is offline   Fareway 

  • Private First Class
  • Group: Members
  • Posts: 47
  • Joined: 20-December 03

Posted 16 August 2004 - 03:08 AM

brOmstar, that would be worth a try, but the problem is to synchronize the client and the server side. The server side binds, for example, 100 ports and the client side tries to connect to each port. If a connection is made there is a mark in a log file.
0
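The bind-and-log firewall audit discussed in posts #4 and #6, as an added example (not code posted by anyone in this thread): the inside half binds every port that no daemon already holds and records which ones receive a connection, and the outside half is a plain TCP connect probe. The function names `bind_unused`, `log_hits` and `probe` are hypothetical, and the sketch assumes IPv4 TCP only.

```python
import selectors
import socket
import time

def bind_unused(host, ports):
    """Inside half: listen on every port that no daemon already holds."""
    sel, skipped = selectors.DefaultSelector(), []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))   # no SO_REUSEADDR, so busy ports fail
            s.listen(8)
        except OSError:            # held by a real daemon, or privileged
            s.close()
            skipped.append(port)
            continue
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, port)
    return sel, skipped

def log_hits(sel, seconds, hits):
    """Accept for `seconds`; record port -> first source IP that got in."""
    deadline = time.monotonic() + seconds
    while (left := deadline - time.monotonic()) > 0:
        for key, _ in sel.select(timeout=left):
            try:
                conn, peer = key.fileobj.accept()
            except OSError:        # peer vanished before accept()
                continue
            conn.close()
            hits.setdefault(key.data, peer[0])
    for key in list(sel.get_map().values()):
        key.fileobj.close()
    sel.close()

def probe(host, ports, timeout=1.0):
    """Outside half: one connect attempt per port, classified by outcome."""
    result = {}
    for port in ports:
        try:
            socket.create_connection((host, port), timeout).close()
            result[port] = "connected"   # handshake completed
        except ConnectionRefusedError:
            result[port] = "refused"     # a reset came back
        except OSError:                  # timeout or unreachable
            result[port] = "no-answer"
    return result
```

Ports that end up in `hits` are ones the firewall passes inbound even though nothing normally listens there; binding first and probing afterwards removes the synchronization problem, because early connections wait in the listen backlog until `log_hits` accepts them.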

#7 User is offline   brOmstar 

  • Sergeant First Class
  • Group: Members
  • Posts: 353
  • Joined: 12-January 04

Posted 16 August 2004 - 04:40 AM

I will try to find some info about it and code something like this..
0

#8 User is offline   ehsan_sfd 

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 02-December 03

Posted 17 August 2004 - 11:56 PM

If you can't get the right information by scanning a host, there are mostly 2 possibilities: ICMP is blocked in the router ACLs, either from where you get service or on the host you are scanning.
In this case Retina's Force Scan capability can really help you; it gathers more useful information. Look, if ICMP is blocked you can't ping or trace the host, so the scanner shows you that the host can't be found. Using Retina surely helps you. If you are interested I can give an article about the scanning structures; it will help you to have a wide view of the process.
0

#9 User is offline   Terminal 

  • Master Sergeant
  • Group: Specialist
  • Posts: 536
  • Joined: 21-February 04

Posted 18 August 2004 - 06:44 AM

ehsan_sfd, on Aug 18 2004, 01:26 PM, said:

If you can't get the right information by scanning a host, there are mostly 2 possibilities: ICMP is blocked in the router ACLs, either from where you get service or on the host you are scanning.
In this case Retina's Force Scan capability can really help you; it gathers more useful information. Look, if ICMP is blocked you can't ping or trace the host, so the scanner shows you that the host can't be found. Using Retina surely helps you. If you are interested I can give an article about the scanning structures; it will help you to have a wide view of the process.

Oh, good tip there, will try Retina :)
0
