1. NODE FINDING AND PORT SCANNING UTILITY FOR ANDROID
VARUN VARSHNEY 9910103491
PRABHAT GOYAL 9910103582
Node Finder
2. Contents
1. Problem Statement
2. Introduction: What is Node Finder
3. Node Finding Steps
4. ICMP ECHO Diagram
5. ARP Operation Diagram
6. Port Scanning Steps
7. TCP Connect()
8. Port Open
9. Port Closed
10. Implementation Screenshots
11. Future Work
3. Problem Statement
One of the very first steps in any network reconnaissance mission is to reduce a
(sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning
every port of every single IP address is slow and usually unnecessary. Of course what
makes a host interesting depends greatly on the scan purposes.
Network administrators may only be interested in hosts running a certain service, while
security auditors may care about every single device with an IP address. An
administrator may be comfortable using just an ICMP ping to locate hosts on his
internal network, while an external penetration tester may use a diverse set of dozens of
probes in an attempt to evade firewall restrictions.
4. Introduction: What is Node Finder?
Node Finder automatically detects the type of network and uses the most appropriate
technique to find the devices on it. All devices are identified, with network
addresses, name and manufacturer. You may customize them with your own labels and
have a complete picture in no time.
Node Finder also provides a port scanning feature, which can be used by administrators
and home users to verify the security policies of their networks, and by attackers to identify
the services running on a host with a view to compromising it.
Node Finder also gives the user the option to save and export the current results as an
XML file on the device's file system, which can be used by other applications for
further analysis.
Other options, such as updating the Network Interface Card manufacturer list, vibrating on scan
completion, and controlling the rate at which nodes are probed, are also provided to the user.
5. Node Finding Steps
The method used does not need root privileges.
Here is how it works:
1. Calculate the sub-network range
2. Iterate through the IP addresses and query each of them
3. First it sends an ICMP echo request, or, when the process may not open raw sockets (the normal case on an unrooted phone), a TCP connect to the echo port TCP/7; this is exactly what InetAddress.isReachable() does
4. If that does not work, it tries connect() on well-known TCP ports such as 135, 139, 22, 111 and 80
5. If none of the above succeeds, the host is not discovered
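The five steps above written out as plain Java, as an added example that is not the Node Finder source. The class name HostDiscovery, the 300 ms probe timeout and the default address 192.168.1.20/24 are assumptions. It goes slightly beyond the slide in one respect: a refused connection (an RST from the target) is treated as proof that the host is up, so only a silent timeout on every probe leaves a host undiscovered.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added example, not the Node Finder code. Unprivileged host discovery:
// ICMP/TCP-7 echo via isReachable(), then connect() to a few well-known ports.
public class HostDiscovery {
    static final int[] FALLBACK_PORTS = {135, 139, 22, 111, 80}; // ports named on the slide
    static final int TIMEOUT_MS = 300;                          // assumed per-probe timeout

    // Step 1: enumerate the usable host addresses of an IPv4 network given address + prefix length.
    static List<InetAddress> subnetRange(String ip, int prefix) throws UnknownHostException {
        byte[] b = InetAddress.getByName(ip).getAddress();
        if (b.length != 4 || prefix < 0 || prefix > 30) {
            throw new IllegalArgumentException("IPv4 address with prefix 0..30 expected");
        }
        long addr = ((b[0] & 0xFFL) << 24) | ((b[1] & 0xFFL) << 16) | ((b[2] & 0xFFL) << 8) | (b[3] & 0xFFL);
        long mask = (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
        long network = addr & mask;
        long broadcast = network | (~mask & 0xFFFFFFFFL);
        List<InetAddress> hosts = new ArrayList<>();
        for (long a = network + 1; a < broadcast; a++) {          // skip network and broadcast addresses
            byte[] o = {(byte) (a >>> 24), (byte) (a >>> 16), (byte) (a >>> 8), (byte) a};
            hosts.add(InetAddress.getByAddress(o));
        }
        return hosts;
    }

    // Step 3: isReachable() sends an ICMP echo request if the JVM may open raw sockets,
    // otherwise it tries a TCP connection to port 7 (echo). Unrooted Android gets the TCP/7 path.
    static boolean icmpOrEcho(InetAddress host) {
        try {
            return host.isReachable(TIMEOUT_MS);
        } catch (IOException e) {
            return false;
        }
    }

    // Step 4: plain blocking connect() with a timeout to each fallback port.
    // A completed handshake means "open", a ConnectException means an RST came back ("closed"):
    // both prove the host is alive. Only a timeout or "no route" gives no evidence.
    static boolean tcpProbe(InetAddress host) {
        for (int port : FALLBACK_PORTS) {
            try (Socket s = new Socket()) {
                s.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
                return true;
            } catch (ConnectException e) {
                return true;
            } catch (IOException e) {
                // SocketTimeoutException / NoRouteToHostException: try the next port
            }
        }
        return false;
    }

    // Steps 2 and 5: iterate the range; hosts that answer neither probe are not discovered.
    static List<InetAddress> discover(String ip, int prefix) throws UnknownHostException {
        List<InetAddress> alive = new ArrayList<>();
        for (InetAddress h : subnetRange(ip, prefix)) {
            if (icmpOrEcho(h) || tcpProbe(h)) {
                alive.add(h);
            }
        }
        return alive;
    }

    public static void main(String[] args) throws Exception {
        String ip = args.length > 0 ? args[0] : "192.168.1.20";     // assumed: the phone's own address
        int prefix = args.length > 1 ? Integer.parseInt(args[1]) : 24;
        for (InetAddress h : discover(ip, prefix)) {
            System.out.println("up: " + h.getHostAddress());
        }
    }
}
```

The probes are sequential here, so a /24 takes a few minutes in the worst case; the app's "rate of finding nodes" setting corresponds to running several of these probes in parallel. Inside an Android app this code must run off the UI thread, since network I/O on the main thread is rejected by the platform.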
8. Port Scanning Steps
The port scan is event driven, using Java's Selector and SocketChannel.
Non-blocking NIO has no per-connection timeout, so a "fake" time out is emulated by recording the
time in milliseconds at each socket's creation and checking this value regularly.
The port scan method, like the discovery, uses a full TCP connection check.
A maximum of 127 sockets are opened at a time, so this is not always accurate, but
quite fast.
A port is considered open when TCP connect() fully succeeds, closed when the connection is
refused because no service is listening on the other end, and filtered when the time out is
reached without any reply.
9. TCP Connect()
TCP connect() port scanning is the simplest type of probe to launch. There is no
stealth whatsoever involved in this form of scanning, because a full TCP/IP connection
is established with TCP port one of the target host, then incrementally with ports
two, three, four, and so on.
Because of TCP's reliability as a protocol, vanilla connect() scanning is a very accurate way to
determine which TCP services are accessible on a given target host. The following diagrams
show the TCP packets and their flags as they are sent and received by the attacker and the host
being scanned.
10. Port Open
• The attacker first sends a SYN probe packet to the port he wishes to test. Upon
receiving a packet from the port with the SYN and ACK flags set, he knows that the
port is open. The attacker completes the three-way handshake by sending an ACK
packet back.
11. Port Closed
If, however, the target port is closed, the attacker receives an RST/ACK packet directly
back.
As before, the attacker sends a SYN probe packet, but the target server responds with
an RST/ACK. Standard connect() scanning in this way is a reliable way to identify
accessible TCP network services. The downside is that this scanning type is extremely
simple and hence easily identified and logged: the completed handshake is visible to the
listening service itself, not only to a firewall in between.
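The scanner described in slides 8 to 11 (event-driven NIO, a cap of 127 sockets, the emulated timeout, and the open/closed/filtered decision taken from the outcome of connect()) as one added example, written for this page and not taken from the Node Finder source. The class name ConnectScanner, the 1000 ms timeout, the 100 ms select interval and the default target 127.0.0.1 are assumptions.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.channels.SocketChannel;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;
import java.util.Map;
import java.util.TreeMap;

// Added example, not the Node Finder code: non-blocking connect() scan with a Selector.
public class ConnectScanner {
    enum State { OPEN, CLOSED, FILTERED }

    static final int MAX_SOCKETS = 127;    // concurrent-socket cap from the slide
    static final long TIMEOUT_MS = 1000;   // assumed per-socket "fake" timeout
    static final long SELECT_MS = 100;     // assumed: how often the timeout sweep runs

    // Attached to each SelectionKey: which port, and when the socket was created.
    static final class Probe {
        final int port;
        final long started;
        Probe(int port, long started) { this.port = port; this.started = started; }
    }

    static Map<Integer, State> scan(String host, int firstPort, int lastPort) throws IOException {
        Map<Integer, State> results = new TreeMap<>();
        Deque<Integer> pending = new ArrayDeque<>();
        for (int p = firstPort; p <= lastPort; p++) pending.add(p);

        try (Selector selector = Selector.open()) {
            while (!pending.isEmpty() || !selector.keys().isEmpty()) {
                // Top up to the cap. A non-blocking connect() returns at once; the SYN is now in flight.
                while (!pending.isEmpty() && selector.keys().size() < MAX_SOCKETS) {
                    int port = pending.poll();
                    SocketChannel ch = SocketChannel.open();
                    ch.configureBlocking(false);
                    if (ch.connect(new InetSocketAddress(host, port))) {
                        results.put(port, State.OPEN);   // handshake completed immediately (e.g. loopback)
                        ch.close();
                        continue;
                    }
                    ch.register(selector, SelectionKey.OP_CONNECT, new Probe(port, System.currentTimeMillis()));
                }

                selector.select(SELECT_MS);   // wake at least every SELECT_MS so timeouts get checked
                Iterator<SelectionKey> it = selector.selectedKeys().iterator();
                while (it.hasNext()) {
                    SelectionKey key = it.next();
                    it.remove();
                    Probe probe = (Probe) key.attachment();
                    SocketChannel ch = (SocketChannel) key.channel();
                    try {
                        if (!ch.finishConnect()) continue;          // still pending: keep waiting
                        results.put(probe.port, State.OPEN);        // SYN/ACK received, ACK sent: open
                    } catch (ConnectException e) {
                        results.put(probe.port, State.CLOSED);      // RST/ACK came back: closed
                    } catch (IOException e) {
                        results.put(probe.port, State.FILTERED);    // e.g. ICMP unreachable: treat as filtered
                    }
                    key.cancel();
                    ch.close();
                }

                // The "fake" timeout: sweep every registered socket and expire the ones that are too old.
                // Neither SYN/ACK nor RST within TIMEOUT_MS usually means a firewall dropped the SYN.
                long now = System.currentTimeMillis();
                for (SelectionKey key : selector.keys()) {
                    if (!key.isValid()) continue;
                    Probe probe = (Probe) key.attachment();
                    if (now - probe.started >= TIMEOUT_MS) {
                        results.put(probe.port, State.FILTERED);
                        key.cancel();
                        key.channel().close();
                    }
                }
            }
        }
        return results;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "127.0.0.1";   // assumed target
        Map<Integer, State> r = scan(host, 1, 1024);
        r.forEach((port, state) -> {
            if (state != State.CLOSED) System.out.println(port + "/tcp " + state);
        });
    }
}
```

Cancelled keys are only dropped from selector.keys() during the next select(), which is why the loop condition also waits for the key set to drain. Because every probe completes the handshake, each open port sees a real accepted connection that is immediately closed, which is the "easily identified and logged" behaviour the slide warns about.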
15. Future Work
There is broad scope for improvement and further work to make it better. A few such
items are listed below:
Save all scans in a database, open previous scans, export previous scans, etc.
Settings: prevent the phone from sleeping
Nmap build script
Add new information such as hop count
Support for other protocols: UDP, SCTP
Send custom packets (shell codes, exploits)
NAT traversal
Proxy (auto) support