Tools hakin9 1/2007


Scanrand (part of Paketto Keiretsu)

Operating System: *NIX

License: BSD

Purpose: Network scanner

Homepage: http://www.doxpara.com/read.php/code/paketto.html

The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks.


Quick start. Let's say you want to make a quick network scan to check which hosts are available and which services run on them. You may say: Hey, I've got nmap! Nmap is surely the most popular tool for that. But where time is crucial, try out Scanrand. It is a very efficient network scanner.

Scanrand is a part of Paketto Keiretsu, which contains four other tools:

  • Minewt – user-space NAT/MAT gateway,
  • Linkcat – provides direct access to network layer 2,
  • Paratrace – traceroute-like tool that uses existing TCP connections,
  • Phentropy – plots a large data source onto a 3D matrix.

Useful features. For example, we can perform a standard scan of a small network in the range 192.168.1.0/24:

# scanrand -c -b100k -t 3000 -e 192.168.1.1-254

-c – verify that ICMP responses are not spoofed
-b100k – limit bandwidth to 100 kbytes
-t – how long to wait for any response
-e – report all results, even hosts that are down

The expected output looks like this:

UP: 192.168.1.1:80 [02] 0.009s
UP: 192.168.1.6:80 [01] 0.017s
UP: 192.168.1.20:80 [01] 0.105s
UP: 192.168.1.27:80 [01] 0.162s
UP: 192.168.1.30:80 [01] 0.183s
DOWN: 192.168.1.155:80 [01] 0.544s
DOWN: 192.168.1.229:80 [01] 0.744s

The first column is the status of the scanned host: UP – the specified port is listening, DOWN – an RST/ACK packet was received, UnXX – an ICMP unreachable packet was received (XX – the type of ICMP message), X= – an ICMP time exceeded message was received. The second column is the IP address of the host. The third column is the number of hops to the target machine (derived from the TTL of the returned IP packet). The last column shows the time between the start of the scan and the host's response.

So what is the difference between scanrand and nmap? Scanrand performs stateless TCP scanning. That sounds a bit strange for a stateful protocol such as TCP. Usually scanners send SYN packets and then either wait for a response or store connection state before moving on to the next host.

Scanrand achieves its fast scanning like this. There are two separate processes: one sends SYN packets, the other receives replies. The sending process only sends packets, each with a prepared sequence number (a hash of the source and destination addresses and ports), so it never has to wait for replies. The receiving process computes the same hash over the corresponding fields of every packet it receives; if the result matches the packet's acknowledgement number minus one, we know it is a response to our scan and not some other packet.

Thanks to this algorithm scanrand can make very fast scans of large networks.
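The matching scheme described above, as an added illustration that is not scanrand's own code: the probe's sequence number is a keyed hash of the 4-tuple, and the receiver recomputes it from the swapped 4-tuple of each reply and compares it with ack-1, so no per-host state is kept and stray or forged packets are rejected. The hash function (HMAC-SHA1), field order, key and sample addresses are assumptions chosen for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed illustration of the stateless scan the article describes:
# the probe's sequence number is a keyed hash of the 4-tuple, so replies
# can be matched without storing state. Hash choice, field order and the
# secret key are assumptions, not scanrand's actual implementation.
KEY = b"constructed-per-scan-secret"

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "RA" RST/ACK

def cookie(src, sport, dst, dport):
    """32-bit sequence number derived from the probe's 4-tuple and the key."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha1).digest()[:4], "big")

def make_probe(src, sport, dst, dport):
    """Sender process: emit a SYN whose seq is the cookie; keep no state."""
    return Segment(src, sport, dst, dport, cookie(src, sport, dst, dport), 0, "S")

def classify(reply):
    """Receiver process: recompute the cookie from the reply's swapped 4-tuple
    and compare it with ack-1; a mismatch means the packet is not ours."""
    expected = cookie(reply.dst, reply.dport, reply.src, reply.sport)
    if (reply.ack - 1) & 0xFFFFFFFF != expected:
        return None  # stray or forged traffic, ignored
    if reply.flags == "SA":
        return "UP"
    if "R" in reply.flags:
        return "DOWN"
    return "OTHER"

def demo():
    """Constructed replies: one open port, one closed port, one forged SYN/ACK."""
    scanner = "192.168.1.100"
    p_up = make_probe(scanner, 40000, "192.168.1.6", 80)
    p_down = make_probe(scanner, 40000, "192.168.1.155", 80)
    replies = [
        Segment("192.168.1.6", 80, scanner, 40000, 123456, p_up.seq + 1, "SA"),
        Segment("192.168.1.155", 80, scanner, 40000, 0, p_down.seq + 1, "RA"),
        Segment("192.168.1.155", 80, scanner, 40000, 0, 42, "SA"),  # wrong ack
    ]
    return [(r.src, classify(r)) for r in replies]
```

The third reply carries valid-looking flags but an acknowledgement number that does not verify, which is exactly what the -c check in the article guards against.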

Disadvantages. It does not have as many options as nmap (such as different scanning methods or operating system detection). It cannot be treated as a replacement for that tool, but rather as a complement and an alternative in some cases (scanning large networks).

One problem is that Paketto Keiretsu does not compile cleanly with gcc 4 (on Fedora 4 and 5 it fails with "invalid lvalue in assignment" errors).

Additional materials are on hakin9.live CD1, in the art directory.

Damian Szewczyk