Network Scanner - Port Scanner is a tool to scan large networks or a single host. This tool uses raw IP packets to determine available hosts, what ports they are offering , what operating systems they are running and other important characteristics.
You can specify the scan mode by selecting the appropriate mode.
Here are the supported scan mode types :
Connect – this is the basic mode of scanning. The connect() system call is used to open a connection to every listening port on the host . If the port is not listening the call of connect() will fail.
This scan type is easily detectable because of target host logs .
SYN Scan – this scan type doesn’t open a full TCP connection. Instead of opening a real connection you can send a SYN packet and wait for a response. An indicative of listening port is SYN/ACK and RST is an indicative of non-listener. In case of receiving SYN/ACK, RST is send to close the connection. Not all privileges you have allow you to build this packet. Note that fewer sites will log this scanning mode.
FIN Scan – in some cases SYN scan isn’t stealthy enough because some programs can detect this scans. The FIN scan uses an RST packet for the closed ports to reply to your probe( for the probe is used a FIN packet. ). This scan type doesn’t work against systems running Windows95/NT.
Ping Sweep – ping is used to know which hosts on the network are accessible. One of the ways to check the host availability is sending ICMP echo request packet to every specified IP address. Hosts that respond are available. This method will work only for sites that haven’t blocked the echo requests. In such cases TCP ACK packet is used.
UDP Scan – UDP scan is used to determine the opened UDP ports.To each port is sent a zero byte UDP packet . For the closed ports ICMP port unreachable message is received. Otherwise the port is marked as an open. Note that sometimes UDP scanning is slow, because the ICMP error message rate is limited. .
Null Scan – this type of scanning turns off all flags.
Xmas Tree – this scan type turns on only FIN, URG and PUSH flags. This types of packets can be used for a probe while the closed ports should reply with en RST.
IP Protocol Scan - this scan type is used to determine which IP protocols are supported on a specific host. To each specified protocol on the target host is send an IP packet. If the protocol is not in use the ICMP protocol unreachable message will be send as a reply. Note that some hosts may not send protocol unreachable message. So all the protocols will be assumed as “open”.
ACK Scan – this scan type sends an ACK packet to specified ports. The port is assumed as “unfiltered ” if an RST message is returned. If there is no reply than the port is assumed as “filtered”.
Here are the supported scan level types :
Aggressive Scan – aggressive mode adds a five minute timeout for each host and for each probe response waits not more than 1.25 seconds.
Normal Scan - this is the default scan type. It tries to run quickly without overloading the network and scanning all hosts.
Polite Scan – this scan type reduces the chances of crashing machine. It waits at least 0.4 seconds between the probes.
You can click on the browse button and select the Port Range in the scan options part.
Clicking on the Local Interface button the Available Network Interfaces dialog.
Clicking on the Target Host button opens the Host Range and Credentals Selection dialog.
You can set Port Scan Delay, Response Timeout, Port Scan Attempts, Parallel Scan Ports manually.The values of these fields depend on scan level . The scan results will be shown depending on the enabled/disabled state of each option ( Show Firewalled Ports , Show Closed Ports, Show Port Banners ).
If the option Ping Before Scan is enabled appropriate packets ( see Ping Sweep )will be sent before scanning .
Operating System Detection/ Fingerprinting part contains:
TCP Options ( prefix:length: description ):
W:3:Window Scale Option,
M:4:Maximum Segment Size,
O:2:Selective ACK Permitted,
S:10:Selective ACK Option,
C:6:Tcp Echo Option,
A:6:Tcp Echo ACK Option,
K:2:POC Permitted Option,
P:3:POC Service Option,
X:6:TCP CC Options,
Y:6:TCP CC New Options,
Z:6:TCP CC Echo Options,
U:3:TCP Alternate CheckSum.
You can select the options you want .The default option that is used by the program is WNMTE.
Detect Operating Systems - enabling this option allows to create a fingerprint and to compare it with its own database of known OS fingerprints and thus to decide what type of system you are scanning.The fingerprint is created automatically.
Enable TTL Fingerprint - To add a TTL field in the fingerprint you should enable the TTL fingerprint. In this case it uses TTL during OS detection.
Note that if the scanner can not find the appropriate OS fingerprint in the XML database ( the program will create new XML OS fingerprint entry in XML database and will set the system name , OS family and IP address. For the example bellow “Windows 192.168.0.2” will be set in case of operating system Windows or “Unknown 192.168.0.2” in case of uknown OS family ).
User can find the OS fingerprint in the XML Database and can set the valid OS name.
Later during scanning similar operating systems the tool can find the OS family using the fingerprint ( if for ex. the OS that is scanning is “WindowsXP” and in XML database there isn’t such name ,then the name “Windows 192.168.0.2” will be used instead of “WindowsXP”. This means that the OS of scanning host is similar to OS of the host 192.168.0.2 ).
Right-clicking on the reslts window brings up a menu with the following commands:
Save As – saves the data to the text file.
Copy All - copies all rows.
Close - closes the selected connection.
The most important privileges of Nsauditor are:
Automatic creation of OS fingerprint.
The XML based format of OS fingerprint.
The user interface that allows TCP options creation.