Tuesday, April 26, 2016

My next scan

So starting next week, running for a week, I plan on scanning for ports 0-65535 (TCP). Each probe will be a completely random selection of IP+port. The purpose is to answer the question about the most common open ports.

This would take a couple years to scan for all ports, so I'm not going to do that. But, scanning for a week should give me a good statistical sampling of 1% of the total possible combinations.

Specifically, the scan will open a connection and wait a few seconds for a banner. Protocols like FTP, SSH, and VNC reply first with data, before you send requests. Doing this should find such things lurking at odd ports. We know that port 22 is the most common for SSH, but what is the second most common?

Then, if I get no banner in response, I'll send an SSL "Hello" message. We know that port 443 is the most common SSL port, but what is the second most common?

In other words, by waiting for SSH, then sending SSL, I'll find SSH even if it's on the (wrong) port of 443, and I'll find SSL even if it's on port 22. And all other ports, too.

Anyway, I point this out because people will start to see a lot of strange things in their logs. Also, I'm hoping that people will have suggestions before I start the scan for additional things to do during the scan.

Update: I'll be scanning from addresses between 209.126.230.70 and 209.126.230.78.



BTW, yes '0' is a valid port.

BTW, numbers larger than 65535 or smaller than 0 (negative numbers) aren't valid -- but they'll work in most applications because they simply use the lower 16 bits of any number that is given. Thus, port number -1 is just 65535, and port number 65536 is the same as 0.
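As an added example (not code from this post), here is one way an administrator could separate probes from the announced source range 209.126.230.70-78 from everything else in iptables-style connection logs, counting which destination ports each group hit. The log lines are constructed and the SRC/PROTO/DPT field layout is assumed; it also treats port 0 as valid, as the post notes, and shows the lower-16-bits behaviour described above.

```python
import ipaddress
import re
from collections import Counter

# Announced scanner range from the post: 209.126.230.70 to .78 inclusive.
SCANNER_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("209.126.230.70"),
    ipaddress.IPv4Address("209.126.230.78"),
))

# Assumed netfilter-style log layout; only TCP lines are of interest here.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=209.126.230.71 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: IN=eth0 SRC=209.126.230.78 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=0 SYN
kernel: IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=51515 DPT=22 SYN
kernel: IN=eth0 SRC=209.126.230.79 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=443 SYN
kernel: IN=eth0 SRC=209.126.230.70 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=2222 SYN
kernel: IN=eth0 SRC=209.126.230.70 DST=10.0.0.5 PROTO=UDP SPT=40004 DPT=53
garbage line that does not parse
"""


def from_announced_scanner(src: str) -> bool:
    """True if the source address falls inside the announced scanner range."""
    addr = ipaddress.IPv4Address(src)
    return any(addr in net for net in SCANNER_NETS)


def low16(port: int) -> int:
    """Mimic applications that keep only the lower 16 bits: -1 -> 65535, 65536 -> 0."""
    return port & 0xFFFF


def triage(log_text: str):
    """Return (scanner_ports, other_ports): Counters of destination port -> hits."""
    scanner_ports, other_ports = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # non-TCP or unparseable line; skip it
        port = int(m.group("dpt"))
        if not 0 <= port <= 65535:  # range check: port 0 is valid, so don't test truthiness
            continue
        bucket = scanner_ports if from_announced_scanner(m.group("src")) else other_ports
        bucket[port] += 1
    return scanner_ports, other_ports
```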


3 comments:

Anonymous said...

Please remind us the IP addresses from which you will be scanning.

Jonathan Bennett said...

I expect you'll find forgotten and legacy equipment, phone systems, and who knows what else. I'm also very interested in the second most common ssh port.

I've pretty much moved away from the non-standard ssh port, instead using fwknop to avoid the open port. I'm gonna guess 2222 will be the winner for non-standard ssh port.

onlineearningcenteringazipur said...

I like your post; hope you give us a lot more.
I am also making this type of blog; hope you visit my blog.
http://flag3force.com/