Saturday, November 19, 2011

Solaris: simple port scanning


It may be useful to know which ports are open and running services on a target machine. The -z flag can be used to tell nc to report open ports, rather than initiate a connection. For example:

$ nc -z 20-30
Connection to 22 port [tcp/ssh] succeeded!
Connection to 25 port [tcp/smtp] succeeded!

The port range was specified to limit the search to ports 20 - 30.

Alternatively, it might be useful to know which server software is running, and which versions. This information is often contained within the greeting banners. In order to retrieve these, it is necessary to first make a connection, and then break the connection when the banner has been retrieved. This can be accomplished by specifying a small timeout with the -w flag, or perhaps by issuing a "QUIT" command to the server:

$ echo "QUIT" | nc 20-30
Protocol mismatch.
220 IMS SMTP Receiver Version 0.84 Ready