Weird ip or just me?

For beginners, flames not allowed...(just by the staff :P)
TheScottyTurner
On the way to fame!
Posts: 32
Joined: 18 Jan 2011, 18:31

Weird ip or just me?

Post by TheScottyTurner »

Alright, so I was "experimenting", to be honest, I was kinda bored so I decided to scan (Intensive Scan) a random ip address, it was 465.238.7.3, when I did though, Nmap said that it was illegal and it auto-quit the scan. I actually just downloaded Nmap today and did a few scans of ip addresses from my email (They were just random people from craigslist, I just used 'Full Headers' on Yahoo and it gave me an ip), but it worked fine on scanning the first couple I tried, but when I tried the ip above, it did all that. So I decided to take a closer look at the ip address and did a WhoIs search on it and it said the results couldn't be found. If there were no results then what did I do that was illegal? Also, I don't know if it makes a difference, but the first time I used Nmap today, I was up at the community college I go to and it worked fine, and all this took place at my home. I did search and I couldn't find anything really like what happened, so I decided to ask you knowledgeable bunch :mrgreen: I'm sure it was just me doing something, but it piqued my curiosity :-s

eppik
Fame ! Where are the chicks?!
Posts: 212
Joined: 26 Mar 2006, 16:00
Location: Infinite Loop

Re: Weird ip or just me?

Post by eppik »

TCP/IP only goes from 0 to 255, so that's out of bounds I think, so the max IPv4 IP is 255.255.255.255

(correct me if I'm wrong anyone)

The IP you might have wanted would be 65.xxx.xxx.xxx instead of 465.xxx.....

TheScottyTurner
On the way to fame!
Posts: 32
Joined: 18 Jan 2011, 18:31

Re: Weird ip or just me?

Post by TheScottyTurner »

Ahh, I understand. I just went too high with the number, makes sense. So when it said that it was illegal, was it just saying that the ip was illegal (or invalid) or was it saying that I was doing something "wrong"?

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: Weird ip or just me?

Post by lilrofl »

We see IPv4 addresses in dotted decimal format, but the decimal is a representation of 4 binary octets. So your range in IP addressing is 00000000.00000000.00000000.00000000 to 11111111.11111111.11111111.11111111 or
0.0.0.0 to 255.255.255.255 in decimal

So any address above that is not valid, or an illegal address... illegal in this case means it is not possible, rather than the cops will see you now :)

To complicate things further, there are classes of addresses that are not used outside of internal networks, so they cannot exist in the wild, these are 192.168.0.0, 10.0.0.0 and 127.0.0.0... I think that's all of them. These class addresses are not routable, and dropped by ISPs

There's a lot more to addressing, but this is a good start. Feel free to ask anything specific though :)
little hugs for my cuddly one
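
Added example (not code from any poster in this thread): the octet-range rule from the replies above, written as a pre-scan check that explains why 465.238.7.3 is rejected and whether a target is loopback or private space. The LAB_RANGES table (which also lists 172.16.0.0/12 from RFC 1918) and the function names are assumptions of this example; 203.0.113.7 is a constructed sample.

```python
import ipaddress

# Treating loopback (RFC 1122) and the RFC 1918 private blocks as the only
# "own lab" scope is an assumption of this example.
LAB_RANGES = {
    "loopback 127.0.0.0/8": ipaddress.ip_network("127.0.0.0/8"),
    "private 10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "private 172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "private 192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}


def parse_ipv4(text):
    """Return the four octets as ints, or raise ValueError saying why not."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected 4 octets, got %d" % len(parts))
    octets = []
    for pos, part in enumerate(parts, start=1):
        if not (part.isascii() and part.isdigit()):
            raise ValueError("octet %d (%r) is not a decimal number" % (pos, part))
        if len(part) > 1 and part.startswith("0"):
            # Some parsers read a leading zero as octal, so refuse to guess.
            raise ValueError("octet %d (%r) has a leading zero" % (pos, part))
        value = int(part)
        if value > 255:
            # One octet is 8 bits: 11111111 in binary is 255 in decimal.
            raise ValueError("octet %d is %d, above the 8-bit maximum 255" % (pos, value))
        octets.append(value)
    return octets


def to_binary(octets):
    """Dotted binary form of four octets, as in the 0s-and-1s range above."""
    return ".".join(format(o, "08b") for o in octets)


def classify(text):
    """Return (verdict, detail); verdict is invalid, lab or out-of-scope."""
    try:
        octets = parse_ipv4(text)
    except ValueError as err:
        return ("invalid", str(err))
    addr = ipaddress.IPv4Address(bytes(octets))
    for name, net in LAB_RANGES.items():
        if addr in net:
            return ("lab", name)
    return ("out-of-scope", "not loopback or RFC 1918; scan only with the owner's permission")


if __name__ == "__main__":
    # 203.0.113.7 is a constructed sample; the others appear in the thread.
    for target in ["465.238.7.3", "203.0.113.7", "127.0.0.1", "192.168.1.1"]:
        print(target, classify(target))
```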

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: Weird ip or just me?

Post by lilrofl »

After a night's sleep I thought I'd add that intensive scans cause heavy traffic that all points to you... so you should think about scanning yourself first and learning in a little more of a controlled environment. If you have a home network and multiple computers, use one to scan the other, and if you are working with just one machine, scan 127.0.0.1 because it is a loopback address that always points back at you.

Final note, it's been written before but I couldn't find it, never scan Suck-O... it's not the fastest way to get banned, but it's on the top 10 list :D

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Weird ip or just me?

Post by DNR »

I would certainly hope you are not scanning 0 - 65535, that's just newbie.

Identify the OS and expected ports, only target known ports and do it quietly.
It's very rare that one needs to scan for every possible port number assigned or not, and it's certainly weak to scan for ports not used on that OS or machine type.

Understand network topology - understand that networks need servers, routers, printers, and clients. Then there are servers that provide various services - mail, RAS, DB, IDS, and Web. Knowing for example that servers, routers, and printers can be assigned near the ends of the IP range - ie 0/1 or 255/254 and that clients are grouped on segments to control traffic on the LAN, you'll find that you can perform 'targeted scans' that give you all the info you need, without being a dick on someone's network - raising flags with massive port scans. (Your ISP can be contacted by a private network admin and you could lose your ISP account due to a violation of your ISP's TOS)

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

TheScottyTurner
On the way to fame!
Posts: 32
Joined: 18 Jan 2011, 18:31

Re: Weird ip or just me?

Post by TheScottyTurner »

Wow, yeah I kinda understand now. I guess that was pretty n00b to just scan some random ip, not even knowing what I'm doing.... :oops: I do have a home network with 3 computers on it, mine included, so I think that's what I'll do from now on. The two other computers I have are my stepmom's, her desktop and her personal laptop. Would it be safe to scan these without her knowing, because seeing as I'm experimenting I don't want to mess anything up or even let her know that I'm doing it, she would freak out if I was doing something that she doesn't understand. :| Anyway, thank you guys, for the info :mrgreen:

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Re: Weird ip or just me?

Post by maboroshi »

lilrofl wrote: illegal in this case means it is not possible, rather than the cops will see you now :)

There is something I would also like to bring up regarding this.

Most "Hacker" apps are designed with a minor or major flaw depending on how you look at it. Most applications will interpret for you. IMO it shouldn't be up to the machine to interpret output, it should be up to the person behind the computer :-)

To get a really good understanding of networks I recommend Scapy, you will also learn some coding :D

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: Weird ip or just me?

Post by lilrofl »

Scapy!! That's the one I was trying to remember... I put sully down in its place even though that's a driver fuzzer and has nothing to do with packets lol.

Scanning your own network is always a good way to learn because you can see both sides of the action, rather than just a single side. Also DNR makes a good point in saying that a blanket scan of all ports is not very efficient, and is very 'loud'. NMAP is powerful, and capable of all kinds of scans that are direct and quiet. I think there is a basic nmap tutorial around here, but too much can be overwhelming I think :)

When you are penetration testing a system, the first step is research. Find out what system you are attacking, whether through social engineering or perhaps passive OS fingerprinting (not as useful as it used to be, but not without merit) then learn what ports that OS uses by default, and for what services. Try a banner grab to attempt to discern a service version number. At that point you are in the enumeration phase of a penetration test. If you get useful information, it's back to research. What does that service do, is it exploitable by a known method, do you know the techniques needed to exploit it... if not... more research.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Weird ip or just me?

Post by DNR »

*punches lilrofl for accelerating the thread into a deep convo. Was hoping for a cheap, quick morning here..

Ok short tips for neos that want to sniff and scan-

Short How To:

Start 'attacking' a target from the outside in - the outside ring is the least intrusive, harder to detect, and uses information on other networks - you really haven't touched the target network yet.
1. gather information about your target from the internet - news, forums, other corporate sites - look for emails, documents, links - that point to machines in the target network. See http://www.robtex.com , more specifically, see http://www.robtex.com/dns/ncsc.mil.html#shared as an example.
Learn to visualize networks in your head - many times you don't need to scan to know the machines are there. You also do the WHOIS to determine the size and location of the network. I call this technique "Footprinting" - this is where you determine the general 'footprint' of your target - it is a profile of your target you create without touching the target - ie - looking at trails left behind in the public domain.

2. Next step is the "Fingerprint" of the target. This requires contact with the network, the actual physical location even. A fingerprint is more detailed, and more specific to a target - no fingerprint is alike. A fingerprint has all the details like the actual IP/machine name gathered, OS type and version/build, third party gear, CIS/IT assessment (their skill level), and of course - scanning for ports open, IDS checking, and some intrusion attempts. This is where you have to be discreet, and even cover your tracks depending on what your endgame plan is. If you are just snooping and practicing creating a profile on a network, I don't hide very much. I do remain very professional - like not doing the 'blanket scans' like we mentioned above. A skilled admin can appreciate the skill of a good intruder - as long as they are not messy and do not cross a certain line. Here you will scan for specific ports - after you determine the OS by a simple HTTP request - as misdirected requests can happen, and can be overlooked in logs. You can also use telnet and attempt to connect, and observe the port response. Like Mabo said - don't learn hacking or scanning from a tool - they are frequently wrong in their assessment of a port.
Example :
220 ProFTPD 1.3.1 Server (serverX.rustytub.com) [85.25.150.xxx]

This is a simple grab using telnet to access a port, in this case 21 FTP. If you disconnect after grabbing the banner, it may not be logged or if it is, buried in the logs as a simple misdirected packet or comm that was dropped.
The port banner reveals the OS, builds, and a machine name.

Again - hide in the regular traffic - view source on their public webpages -
You can find links to other servers in their network, determine skill level of the admins, determine OS, builds and third party gear.

script src="/scripts/jquery.biglinks.js
src="/assets/images/btn-search.png
/departments/admissions/international.cfm
/assets-public/cache/assets-public/images/home_slideshow/jan_2011/1-Jan2011-Centennial-514x252.jpg
https://carina.baker.edu/appdlv

--
little side note:
Webbug detected

<!--Adtegrity Baker OnCampus Retargeting Pixel -->
src="http://ad.adtegrity.net/pixel?id=990585&t=1" type="text/javascript"
<img height="1" width="1"

**1x1 pixel is a webbug they are invisible - like a clear .jpg image or 1x1 like this > .

---

Obviously you want to have the basic understanding of HTML and scripting used in webpages so you can read them for the useful information.
Certain OS use certain framework for their web software, and with practise you'll quickly know what OS you are dealing with. Of course, just because they use IIS 5.5 for their web portal, it can still be other OS inside the network. Links to emails - are links to the email servers, links to images and documents can be servers inside the network.

Again, view source of their webpages is not detectable.

---

Next you look at the OS and build versions to determine if it is patched with the latest or if it has exploits or vulns. Just because a port gives you a banner, with a OS and build number - it could be fake. Banners can be modified by an admin or even left blank. A smart admin would create a fake banner so exploits for the real server are harder to find.
Once you know the OS and build, you search the internet for forums, blogs, and tech support for exploits related to that OS and build. Find a simple one, - you are just testing the patch - directory traversal, revealing error messages or improper reveals of important data or directories, access escalation, or bugs activated - those tell you again, the OS, build, patch, and skill level of the admins.
Since many patches are almost automated, free of charge, etc - it's not like the old days where you could find many servers with outdated software and unpatched. More hardware and software are compatible and COTS - so patches and rollouts don't have to have intensive testing on a test server before being used.
You look for 0day exploits, you look for small to medium networks that might not have skilled admins or current OS licences. Overseas.

Always have a plan, you should hack with a goal - in the case of scanning IPs and Networks - you are learning network topology - or its layout. You are trying to build a skill set to quickly map out networks, footprinting, down to fingerprinting.

-
EOF OOT

DNR
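
Added example (not DNR's code): the greeting line from the post above seen from the admin's side, listing which details a service banner gives away so it can be trimmed or replaced, as the post notes an admin can do. The regular expressions, the function name and every greeting except the first are constructed for this example.

```python
import re

# First line is the banner quoted in the post; the rest are constructed samples.
SAMPLE_GREETINGS = [
    "220 ProFTPD 1.3.1 Server (serverX.rustytub.com) [85.25.150.xxx]",
    "220 (vsFTPd 2.3.4)",
    "220 ftp.example.test FTP service",
    "220 FTP server ready",
]

# Dotted quad; the last octet may be masked with x, as it is in the post.
ADDRESS = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.(?:\d{1,3}|x{1,3})\b")
# A product name followed by a dotted version number.
SOFTWARE = re.compile(r"([A-Za-z][\w-]*)[ /]v?(\d+(?:\.\d+)+\w*)")
# Two or more labels ending in an alphabetic top-level label.
HOSTNAME = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


def disclosed_fields(greeting):
    """Return a dict of the details a single greeting line reveals."""
    found = {}
    match = ADDRESS.search(greeting)
    if match:
        found["address"] = match.group(0)
    # Drop the address first so its digits are not mistaken for a version.
    rest = ADDRESS.sub(" ", greeting)
    match = SOFTWARE.search(rest)
    if match:
        found["software"], found["version"] = match.groups()
    match = HOSTNAME.search(rest)
    if match:
        found["hostname"] = match.group(0)
    return found


def audit(greetings):
    """Map each greeting to the sorted names of the fields it discloses."""
    return {g: sorted(disclosed_fields(g)) for g in greetings}


if __name__ == "__main__":
    for greeting, fields in audit(SAMPLE_GREETINGS).items():
        print("%-70s -> %s" % (greeting, ", ".join(fields) or "nothing"))
```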

TheScottyTurner
On the way to fame!
Posts: 32
Joined: 18 Jan 2011, 18:31

Re: Weird ip or just me?

Post by TheScottyTurner »

Alright, looks like I bit off a little more than I can handle right now. :-88 lol, but seriously I think I need to do some more reading, and maybe search for that Nmap tut lilrofl mentioned. Oh and I did try scanning myself using 127.0.0.1, so I could get in some practice, and all I got was this

Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-21 17:44 Central Standard Time
Skipping SYN Stealth Scan against localhost.localdomain (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way.
Skipping OS Scan against localhost.localdomain (127.0.0.1) because it doesn't work against your own machine (localhost)
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up.
PORT      STATE   SERVICE          VERSION
7/tcp     unknown echo
9/tcp     unknown discard
13/tcp    unknown daytime
21/tcp    unknown ftp
22/tcp    unknown ssh
23/tcp    unknown telnet
25/tcp    unknown smtp
26/tcp    unknown rsftp
37/tcp    unknown time
53/tcp    unknown domain
79/tcp    unknown finger
80/tcp    unknown http
81/tcp    unknown hosts2-ns
88/tcp    unknown kerberos-sec
106/tcp   unknown pop3pw
110/tcp   unknown pop3
111/tcp   unknown rpcbind
113/tcp   unknown auth
119/tcp   unknown nntp
135/tcp   unknown msrpc
139/tcp   unknown netbios-ssn
143/tcp   unknown imap
144/tcp   unknown news
179/tcp   unknown bgp
199/tcp   unknown smux
389/tcp   unknown ldap
427/tcp   unknown svrloc
443/tcp   unknown https
444/tcp   unknown snpp
445/tcp   unknown microsoft-ds
465/tcp   unknown smtps
513/tcp   unknown login
514/tcp   unknown shell
515/tcp   unknown printer
543/tcp   unknown klogin
544/tcp   unknown kshell
548/tcp   unknown afp
554/tcp   unknown rtsp
587/tcp   unknown submission
631/tcp   unknown ipp
646/tcp   unknown ldp
873/tcp   unknown rsync
990/tcp   unknown ftps
993/tcp   unknown imaps
995/tcp   unknown pop3s
1025/tcp  unknown NFS-or-IIS
1026/tcp  unknown LSA-or-nterm
1027/tcp  unknown IIS
1028/tcp  unknown unknown
1029/tcp  unknown ms-lsa
1110/tcp  unknown nfsd-status
1433/tcp  unknown ms-sql-s
1720/tcp  unknown H.323/Q.931
1723/tcp  unknown pptp
1755/tcp  unknown wms
1900/tcp  unknown upnp
2000/tcp  unknown cisco-sccp
2001/tcp  unknown dc
2049/tcp  unknown nfs
2121/tcp  unknown ccproxy-ftp
2717/tcp  unknown unknown
3000/tcp  unknown ppp
3128/tcp  unknown squid-http
3306/tcp  unknown mysql
3389/tcp  unknown ms-term-serv
3986/tcp  unknown mapper-ws_ethd
4899/tcp  unknown radmin
5000/tcp  unknown upnp
5009/tcp  unknown airport-admin
5051/tcp  unknown ida-agent
5060/tcp  unknown sip
5101/tcp  unknown admdog
5190/tcp  unknown aol
5357/tcp  unknown unknown
5432/tcp  unknown postgresql
5631/tcp  unknown pcanywheredata
5666/tcp  unknown nrpe
5800/tcp  unknown vnc-http
5900/tcp  unknown vnc
6000/tcp  unknown X11
6001/tcp  unknown X11:1
6646/tcp  unknown unknown
7070/tcp  unknown realserver
8000/tcp  unknown http-alt
8008/tcp  unknown http
8009/tcp  unknown ajp13
8080/tcp  unknown http-proxy
8081/tcp  unknown blackice-icecap
8443/tcp  unknown https-alt
8888/tcp  unknown sun-answerbook
9100/tcp  unknown jetdirect
9999/tcp  unknown abyss
10000/tcp unknown snet-sensor-mgmt
32768/tcp unknown unknown
49152/tcp unknown unknown
49153/tcp unknown unknown
49154/tcp unknown unknown
49155/tcp unknown unknown
49156/tcp unknown unknown
49157/tcp unknown unknown

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

That was a quick scan plus.

And I have no idea what to do with it....

I really am trying to learn all this, but it's quite overwhelming. I hope you guys can bear with me. I'm going to try to do some reading over the next couple of days and see what I can come up with, along with some html tutorials from W3 (heard that html was a good place to start :P). Oh and is that weird that I'm doing more learning and researching about computers here and on my free time, than I am in class lol
And one last thing, the computer I use is an Acer Aspire One netbook with windoze 7 starter, idk if that matters, but I just thought I'd mention it.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Weird ip or just me?

Post by DNR »

your scan is garbage.

find the nmap tutorial, find angry scanner, find wireshark.

Don't worry, your next scan will be better.

DNR

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

Re: Weird ip or just me?

Post by lilrofl »

Check out the pending submissions, there are a few in there. In addition there is a book on NMAP that I believe is still available digitally for free from insecure.org... if not lemme know I'll see if I can't dig a copy up for you

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Re: Weird ip or just me?

Post by maboroshi »

Yes it does matter what OS you're using and your results from your Nmap scan show it. On Windows you cannot scan a local IP, by this I mean 127.0.0.1. I am unsure if network addresses you can scan, I don't remember offhand. But I think so... addresses using 192.168.1.1 etc or addresses connected to a router is what I am referring to.

Anyway good to see you're learning :-)

TheScottyTurner
On the way to fame!
Posts: 32
Joined: 18 Jan 2011, 18:31

Re: Weird ip or just me?

Post by TheScottyTurner »

I ran a scan on 192.168.1.1 just to see what would happen and this is what I got:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-22 11:43 Central Standard Time
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 11:43
Scanning 192.168.1.1 [8 ports]
Completed Ping Scan at 11:43, 1.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.71s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 11:44, 31.56s elapsed (1000 total ports)
Initiating Service scan at 11:44
Scanning 1 service on 192.168.1.1
Completed Service scan at 11:46, 116.29s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.1.1
Initiating Traceroute at 11:46
Completed Traceroute at 11:46, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:46
Completed Parallel DNS resolution of 2 hosts. at 11:46, 0.56s elapsed
NSE: Script scanning 192.168.1.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:46
NSE Timing: About 50.00% done; ETC: 11:47 (0:00:31 remaining)
Completed NSE at 11:46, 32.30s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.1.1
Host is up (0.0080s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: bridge|switch|WAP|broadband router|firewall
Running: Airaya embedded, Enterasys embedded, Netgear embedded, OneAccess embedded, SonicWALL SonicOS 3.X
OS details: Airaya AI108-4958-O-300 wireless Ethernet bridge, Enterasys Matrix E1 switch, Netgear WGR614v7 WAP, OneAccess ONE20 ADSL router, SonicWALL TZ 180 Standard firewall (SonicOS 3.8)
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   2.00 ms router.belkin (192.168.2.1)
2   6.00 ms 192.168.1.1

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.20 seconds
           Raw packets sent: 3077 (137.876KB) | Rcvd: 261 (11.048KB)

I'm assuming this is my isp... because all of the os details are not what I have.

@lilrofl, Are you referring to the reference manual at insecure.org? I'm reading over that as we speak. I did see a book by the name of Nmap Network Scanning written by Gordon "Fyodor" Lyon, but it's not free. And I'll check the Pending Submissions, I've already found a couple on here :mrgreen:
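
Added example (not code from any poster in this thread): a small reader for the two Nmap reports posted above, pulling out the port states, the "Not shown" count, the traceroute hops and the caveats Nmap itself printed. The embedded reports are abridged from the thread; the regular expressions and the summarise function are constructed for this example and cover only the line shapes seen in these two reports.

```python
import re

# Abridged from the two reports posted in this thread.
LOCALHOST_REPORT = """\
Skipping SYN Stealth Scan against localhost.localdomain (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way.
Skipping OS Scan against localhost.localdomain (127.0.0.1) because it doesn't work against your own machine (localhost)
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up.
PORT      STATE   SERVICE          VERSION
7/tcp     unknown echo
80/tcp    unknown http
"""
ROUTER_REPORT = """\
Nmap scan report for 192.168.1.1
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   2.00 ms router.belkin (192.168.2.1)
2   6.00 ms 192.168.1.1
"""

SKIPPED = re.compile(r"^Skipping (.+?) against ")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")
HOP = re.compile(r"^(\d+)\s+[\d.]+ ms\s+(.+)$")


def summarise(report):
    """Collect port states, hidden-port counts, hops and caveats from a report."""
    out = {"ports": {}, "hidden": {}, "hops": [], "caveats": []}
    for line in report.splitlines():
        line = line.strip()
        if (m := SKIPPED.match(line)):
            out["caveats"].append("skipped: " + m.group(1))
        elif (m := PORT.match(line)):
            number, _proto, state, _service = m.groups()
            out["ports"].setdefault(state, []).append(int(number))
        elif (m := NOT_SHOWN.match(line)):
            out["hidden"][m.group(2)] = int(m.group(1))
        elif (m := HOP.match(line)):
            out["hops"].append(m.group(2))
        elif line.startswith("Warning: OSScan results may be unreliable"):
            out["caveats"].append("OS guess flagged unreliable by Nmap")
    if set(out["ports"]) == {"unknown"}:
        out["caveats"].append("every listed port is 'unknown': no state was determined")
    if len(out["hops"]) > 1:
        out["caveats"].append(
            "target is %d hops away, behind %s" % (len(out["hops"]), out["hops"][0]))
    return out


if __name__ == "__main__":
    for name, report in [("localhost", LOCALHOST_REPORT), ("router", ROUTER_REPORT)]:
        print(name, summarise(report))
```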
