JP Vossen on 29 Jun 2009 21:25:15 -0700


Re: [PLUG] Find Open Ports

 > Date: Mon, 29 Jun 2009 21:07:17 -0400
 > From: Casey Bralla <>
 > My employer is very aggressive in closing off ports.  This makes it
 > hard for me to access my home network from work.  Luckily, port 23 is
 > open so I can ssh in, and of course, port 80 is left alone.

As others have pointed out, SSH is 22, not 23.  But it doesn't really 
matter if you have your SSHd listen on 23 or your firewall does port 
address translation (PAT) for 23 --> 22.

 > However, I've got several special web pages that run on computers
 > behind my firewall.  I access them through port forwarding to
 > non-standard ports (such as 81 & 82).

What does the port-forwarding, your firewall?  How do you access these 
when you are *inside* your home LAN?  (See why I'm asking at bottom.)

 > So....  if I knew which ports were NOT blocked, I could use those.
 > BUT...  How do I check to see what ports are available?
 > So far, I've been able to come up with 2 ideas:  1) scan every port,
 > and 2) try ports manually one at a time.
 > I could run a portscan on my portable, but that would undoubtedly
 > raise all kinds of alarms.  Also, I'd have to be sure I was connecting
 > to something that had those ports active.

Now that's an interesting point that people often forget.  A TCP 3-way 
handshake won't complete if there is nothing on the other side.  There 
is a great little tool called "Tiny Honeypot" that will "listen" on any 
ports not already in use and provide configurable "answers."  (How cool 
is that?)
	"[...] thp appears to listen on all ports otherwise not in legitimate 
use, providing a series of phony responses to attacker commands. [...] 
thp allows nearly every connection attempt to complete[...]"

The first problem with it is that it's old and says it only works with 
2.4 kernels.  I haven't looked into it, but I bet you could do the same 
sort of thing with the newer tools.  'iptables' does have the "REDIRECT" 
command thp talks about, so...

The second problem with this is that I only mention this because it's so 
cool, but you don't actually want to do it.  Keep reading.

 > Does anybody have any suggestions on how to test to see if a series of
 > ports is not filtered, or have a suggestion of ports that I could test
 > manually through trial and error?

As other folks have pointed out, a) this is what 'nmap' lives for and b) 
using nmap in this context is a Very Bad Idea, at least without written 
authorization.  And if you could get that, you could just ask, and 
wouldn't be in this situation to begin with.

Fortunately, there is a MUCH better and easier way to do what you want. 
Since you said you can ssh, just use that.  SSH has this really cool 
ability to create tunnels.  See my preso on the topic, which has 
examples for exactly what you want!

My examples are for IMAP, but it's the same thing for your web servers. 
Let's assume that you have 3 web servers at home, like so:
	INSIDE			OUTSIDE, from work
				<< FW PAT 81
				<< FW PAT 82
				<< FW PAT 83

So at work, use PuTTY, SecureCRT (on Win) or OpenSSH (on anything else) 
and set up your port forwards.  See my PDF, but it would be something 
like this for OpenSSH, just use the GUI on the other clients:

	Host home
		Port 23
		User root
		Compression yes
		ServerAliveInterval 100
		# LocalForward needs both ends: the local listener and the
		# inside host:port to relay to.  The inside addresses did not
		# survive in the archive; INSIDE_HOST_n:PORT are placeholders.
		LocalForward localhost:81 INSIDE_HOST_1:PORT
		LocalForward localhost:82 INSIDE_HOST_2:PORT
		LocalForward localhost:83 INSIDE_HOST_3:PORT

Now, on your local machine at work, browse to http://localhost:81, or 
whatever.  All done.

Good luck,
JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.