Countermeasures: Uninstall/disable fix unnecessary services, Intrusion
Detection Systems (IDS) Log and Event Log review
Description: The netcat application has many uses; one is the ability to
scan a target for open ports and services. Another utility, cryptcat, is
almost identical except that it operates with encryption.
Procedure: From a DOS prompt, type the following with the syntax of:
nc <options > <Hostname or IP Address> <Port Range>
_ The –v option instructs netcat to run in verbose mode, allowing you
to see the progress of the scan.
_ The –r option instructs netcat to randomize local and remote ports in
an attempt to elude any intrusion detection systems.
_ The –w2 option instructs netcat to wait 2 seconds between each port
scanned to help elude any intrusion detection systems.
_ The –z option instructs netcat to operate in a zero-I/O (Input/Output)
mode. It is best to use the –z when scanning with netcat.
_ The 1-1024 instructs netcat to scan port 1-1024.
In this example, the target has the following ports open:
_ 80 (Web)
_ 7 (Echo)
_ 13 (daytime)
_ 21 (FTP)
_ 17 (Quote of the Day)
_ 445 (Windows Share)
_ 9 (discard)
_ 139 (Windows Share)
_ 19 (Character Generator)
_ 135 (epmap)
_ 443 (HTTPS)
_ 25 (Simple Mail Transfer Protocol [SMTP])
Note: From the results of this example the “low hanging fruit” ports are:
_ 7, 13, 17, 9, and 19 as these ports can easily be used to create a Denial of Service (DoS). These ports should not be open to the Internet.