Networking Forums


tool to discover some non-firewalled TCP ports?

 
 
Benjamin Rutt

 
      06-07-2005, 01:15 PM
I'm trying to make an application work across several sites; the
application must listen on ports accessible to the internet. As an
input to the application, I will need to specify the ports each site
should listen on, to be contacted by the outside. Since I do not want
to bug the administrators at every site, asking for their firewall
policy, are there any existing tools that can take a set of hosts as
input (these are all hosts I can ssh into), and discover at least one
listen TCP port on each host that is reachable from the others? I do
not need to know all non-firewalled ports at every site; just knowing
a few ports that work per site is sufficient.

I was thinking of rolling something together on my own, using e.g. ssh
and netcat and some random probes, but perhaps something exists
already?

Thanks,
--
Benjamin Rutt
 
Davide Bianchi

 
      06-07-2005, 01:40 PM
On 2005-06-07, Benjamin Rutt <(E-Mail Removed)> wrote:
<zap>
> should listen on, to be contacted by the outside. Since I do not want
> to bug the administrators at every site, asking for their firewall
> policy, are there any existing tools that can take a set of hosts as

<zap>

The administrators will be way more bugged by a random portscan than
they would be if you ask them politely. Moreover, they could just
complain to your ISP and you could find yourself cut off.

Davide

--
Buy a Pentium III so you can reboot faster.
 
Jeroen Geilman

 
      06-07-2005, 04:28 PM
Benjamin Rutt wrote:
> I'm trying to make an application work across several sites; the
> application must listen on ports accessible to the internet. As an
> input to the application, I will need to specify the ports each site
> should listen on, to be contacted by the outside. Since I do not want
> to bug the administrators at every site, asking for their firewall
> policy, are there any existing tools that can take a set of hosts as
> input (these are all hosts I can ssh into), and discover at least one
> listen TCP port on each host that is reachable from the others? I do
> not need to know all non-firewalled ports at every site; just knowing
> a few ports that work per site is sufficient.


Ask the respective network administrators.
Seriously.
Unless you want to see your access revoked on these sites, of course.

> I was thinking of rolling something together on my own, using e.g. ssh
> and netcat and some random probes, but perhaps something exists
> already?


Yes, something exists already.


--
J

www.gentoo.org - not just for geeks anymore.
 
Benjamin Rutt

 
      06-07-2005, 05:19 PM
Jeroen Geilman <(E-Mail Removed)> writes:

> Ask the respective network administrators.
> Seriously.
> Unless you want to see your access revoked on these sites, of course.


I'm a Big Kid now, I'll take the risk. Besides, I might want to run
such a tool on my own network as a sanity check. I'm not talking
about a comprehensive port scan, something more like "try out 500
candidate ports over an hour or so".

>> I was thinking of rolling something together on my own, using e.g. ssh
>> and netcat and some random probes, but perhaps something exists
>> already?

>
> Yes, something exists already.


What?
--
Benjamin Rutt
 
Andrew Schulman

 
      06-07-2005, 06:20 PM
>> Ask the respective network administrators.
>> Seriously.
>> Unless you want to see your access revoked on these sites, of course.

>
> I'm a Big Kid now, I'll take the risk.


In that case, nmap will almost certainly do what you want.

--
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
 
Benjamin Rutt

 
      06-07-2005, 07:31 PM
Andrew Schulman <(E-Mail Removed)> writes:

>>> Ask the respective network administrators.
>>> Seriously.
>>> Unless you want to see your access revoked on these sites, of course.

>>
>> I'm a Big Kid now, I'll take the risk.

>
> In that case, nmap will almost certainly do what you want.


I would love to be proven wrong, but I don't think it will. AFAIK,
nmap is good for scanning for already running services, but that is
not what I'm looking for. I'm looking for which ports *could* be used
by my application. What I am getting at is, a tool that takes as input
hosts [A,B,C], would log in to host A, listen on 500 or so random
ports spread evenly throughout the 16-bit port range (>1024), hoping
to find that it can receive traffic from the outside on one or more of
those ports from B or C. And then repeat, with B listening for A and
B, and then C listening for A and B. The idea is, if there are large
port ranges open (e.g. >=1000 ports in a row), then this tool would
find them.

The number 500 above could be tunable. If it is <= 500, probably no
admins will notice or care, particularly if I did it slowly, running
overnight, etc.
--
Benjamin Rutt
 
Andrew Schulman

 
      06-07-2005, 08:48 PM

> Andrew Schulman <(E-Mail Removed)> writes:
>
>>>> Ask the respective network administrators.
>>>> Seriously.
>>>> Unless you want to see your access revoked on these sites, of course.
>>>
>>> I'm a Big Kid now, I'll take the risk.

>>
>> In that case, nmap will almost certainly do what you want.

>
> I would love to be proven wrong, but I don't think it will. AFAIK,
> nmap is good for scanning for already running services, but that is
> not what I'm looking for. I'm looking for which ports *could* be used
> by my application. What I am getting at is, a tool that takes as input
> hosts [A,B,C], would log in to host A, listen on 500 or so random
> ports spread evenly throughout the 16-bit port range (>1024), hoping
> to find that it can receive traffic from the outside on one or more of
> those ports from B or C. And then repeat, with B listening for A and
> B, and then C listening for A and B. The idea is, if there are large
> port ranges open (e.g. >=1000 ports in a row), then this tool would
> find them.


Okay. I don't know anything that will do this OOTB, but it seems easy
enough to do with the tools you already have. On A you could run e.g.

nc -l -p 1024-2047 localhost

then use nmap on B to look for open ports in the 1024-2047 range on A.
Lather, rinse, repeat, with a little scripting to hit all the ports on
all the hosts. I wouldn't want to do it with 100 hosts, but for just 3
it doesn't sound bad.

--
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
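
The listen-on-A, connect-from-B check discussed above, as an added example that is not part of any post in this thread. It is a sketch for hosts you administer: the function names and the shared-token reply are assumptions introduced here, and the token is what lets a port count only when the answer came from your own listener rather than from some other service or middlebox.

```python
import secrets, selectors, socket, threading

def candidate_ports(count, low=1025, high=65535):
    """One random port per equal-width stripe, so picks are spread over [low, high]."""
    width = (high - low + 1) / count
    return [low + int(i * width) + secrets.randbelow(max(1, int(width))) for i in range(count)]

def listen(host, ports, token, stop):
    """Bind each free candidate port on `host`; answer every connection with `token`."""
    sel, bound = selectors.DefaultSelector(), []
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            srv.bind((host, port))
            srv.listen()
        except OSError:              # port already used by a real service: skip it
            srv.close()
            continue
        sel.register(srv, selectors.EVENT_READ)
        bound.append(port)
    def serve():
        while not stop.is_set():
            for key, _ in sel.select(timeout=0.2):
                try:
                    with key.fileobj.accept()[0] as conn:
                        conn.sendall(token)
                except OSError:      # peer went away before the reply
                    pass
        for key in list(sel.get_map().values()):
            key.fileobj.close()
        sel.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread, bound

def probe(host, ports, token, timeout=2.0):
    """Ports where the connect succeeded AND the listener's token came back."""
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as conn:
                if conn.makefile("rb").read(len(token)) == token:
                    reachable.append(port)
        except OSError:              # refused, filtered (timed out) or reset
            pass
    return reachable

if __name__ == "__main__":           # constructed loopback run
    _, bound = listen("127.0.0.1", candidate_ports(20), b"constructed-token", threading.Event())
    print(probe("127.0.0.1", bound, b"constructed-token"))
```

Between real hosts, listen() would bind 0.0.0.0 on A and probe() would run on B against A's address, with the same token handed to both sides over the existing ssh sessions.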
 
James Knott

 
      06-07-2005, 11:45 PM
Benjamin Rutt wrote:

> I'm trying to make an application work across several sites; the
> application must listen on ports accessible to the internet. As an
> input to the application, I will need to specify the ports each site
> should listen on, to be contacted by the outside. Since I do not want
> to bug the administrators at every site, asking for their firewall
> policy, are there any existing tools that can take a set of hosts as
> input (these are all hosts I can ssh into), and discover at least one
> listen TCP port on each host that is reachable from the others? I do
> not need to know all non-firewalled ports at every site; just knowing
> a few ports that work per site is sufficient.
>
> I was thinking of rolling something together on my own, using e.g. ssh
> and netcat and some random probes, but perhaps something exists
> already?


Your ISP's EUA may prohibit such activity, as without permission, it may be
considered hostile.

 
Grant Coady

 
      06-08-2005, 01:44 AM
On Tue, 07 Jun 2005 19:45:37 -0400, James Knott <(E-Mail Removed)> wrote:
> >
> > I was thinking of rolling something together on my own, using e.g. ssh
> > and netcat and some random probes, but perhaps something exists
> > already?

>
> Your ISP's EUA may prohibit such activity, as without permission, it may be
> considered hostile.


And yes, some sys-admins out there will see to it OP is blacklisted
for such activity, it _looks_ hostile, and will likely be treated
as such. By sys-admin of OP's site or upstream, as well as targeted
sites.

--Grant.

 
ynotssor

 
      06-08-2005, 02:09 AM
"Benjamin Rutt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> > Ask the respective network administrators.
> > Seriously.
> > Unless you want to see your access revoked on these sites, of course.

>
> I'm a Big Kid now, I'll take the risk.


NNTP-Posting-Host: akron.bmi.ohio-state.edu

"Big Kid" but still in school, though?

 