node finder presentation

NODE FINDING AND PORT SCANNING UTILITY FOR ANDROID VARUN VARSHNEY 9910103491 PRABHAT GOYAL 9910103582 Node Finder

Upload: varun-varshney

Post on 06-Aug-2015


Page 1: Node finder presentation

NODE FINDING AND PORT SCANNING UTILITY FOR ANDROID

VARUN VARSHNEY 9910103491

PRABHAT GOYAL 9910103582

Node Finder

Page 2: Node finder presentation

Contents

1. Problem Statement

2. Introduction : What is NodeFinder

3. Node Finding Steps

4. ICMP ECHO Diagram

5. ARP Operation Diagram

6. Port Scanning Steps

7. TCP Connect()

8. Port Open

9. Port Closed

10. Implementation Screenshots

11. Future Work

Page 3: Node finder presentation

Problem Statement

One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course, what makes a host interesting depends greatly on the purpose of the scan.

Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions.

Page 4: Node finder presentation

Introduction : What is Node Finder ?

Node Finder automatically detects the type of network and uses the most appropriate technique to discover your devices. All devices are identified, with network addresses, name and manufacturer. You may customize them with your own labels, and have a complete picture in no time.

Node Finder also provides a port scanning feature, which can be used by administrators and home users to verify the security policies of their networks, and by attackers to identify the running services on a host with a view to compromising it.

Node Finder also gives the user the option to save and export the current results in an XML file on the device’s file system, which can be used by other applications for further analysis.

Other options, such as updating the Network Interface Card manufacturer list, vibrating when a scan completes, and controlling the rate of finding nodes, are also provided to the user.

Page 5: Node finder presentation

Node Finding Steps

The method used does not require root privileges.

Here is how it works:

1. Calculate the subnetwork range.

2. Iterate through the IP addresses in the range and query each one.

3. First, it sends an ICMP ping or an Echo on TCP/7 (with InetAddress.isReachable()).

4. If that does not work, it tries to connect() on well-known open TCP ports such as: 135, 139, 22, 111, 80.

5. If none of the above is successful, the host is not discovered.

Page 6: Node finder presentation

ICMP ECHO

Page 7: Node finder presentation

Address Resolution Protocol Operation

Page 8: Node finder presentation

Port Scanning Steps

Port scan is event driven, using Java's Selector and Socket Channel.

A timeout is simulated by recording the time in milliseconds at each socket's creation and checking this value regularly.

The port scan, like discovery, uses a full TCP connection check.

A maximum of 127 sockets are opened at a time, so this is not always accurate, but quite fast.

A port is considered open when TCP connect() is fully successful, closed when no service is listening on the other end, or filtered when the time out is reached.
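The scheme on this slide, written out as an added example (not the app's own code): a Python analogue of the Java Selector/SocketChannel loop, with the 127-socket cap and the timestamp-based timeout. The names `scan_ports` and `classify`, the 500 ms default and the rule that only an explicit refusal counts as closed are assumptions of this sketch.

```python
import errno
import selectors
import socket
import time

MAX_SOCKETS = 127  # concurrency cap stated on the slide


def classify(err):
    # Assumption: only an explicit refusal (RST) is "closed"; other errors are "filtered".
    return "open" if err == 0 else "closed" if err == errno.ECONNREFUSED else "filtered"


def scan_ports(host, ports, timeout_ms=500, max_sockets=MAX_SOCKETS):
    """Return {port: 'open' | 'closed' | 'filtered'} using full TCP connects."""
    sel = selectors.DefaultSelector()
    pending, started, result = list(ports), {}, {}  # started: socket -> (port, created_ms)

    def finish(sock, state):
        result[started.pop(sock)[0]] = state
        try:
            sel.unregister(sock)
        except (KeyError, ValueError):
            pass  # finished before it was ever registered
        sock.close()

    while pending or started:
        # Open new non-blocking sockets up to the cap.
        while pending and len(started) < max_sockets:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setblocking(False)
            started[sock] = (pending.pop(0), time.monotonic() * 1000)
            err = sock.connect_ex((host, started[sock][0]))
            if err in (errno.EINPROGRESS, errno.EWOULDBLOCK):
                sel.register(sock, selectors.EVENT_WRITE)
            else:
                finish(sock, classify(err))  # result known immediately
        # Writable means the connect attempt ended; SO_ERROR says how.
        for key, _ in sel.select(timeout=0.05):
            sock = key.fileobj
            finish(sock, classify(sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)))
        # Simulated timeout: compare each socket's age with the limit.
        now = time.monotonic() * 1000
        for sock, (_, created) in list(started.items()):
            if now - created >= timeout_ms:
                finish(sock, "filtered")
    sel.close()
    return result
```

A port reported as filtered only means no answer arrived within the timeout, so a slow host and a firewalled port look the same, which is one reason the result is not always accurate.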

Page 9: Node finder presentation

TCP Connect()

TCP connect( ) port scanning is the simplest type of probe to launch. There is no stealth whatsoever involved in this form of scanning because a full TCP/IP connection is established with TCP port one of the target host, then incrementally through ports two, three, four, and so on.

Because of TCP/IP's reliability as a protocol, vanilla port scanning is a very accurate way to determine which TCP services are accessible on a given target host. The slides that follow show the various TCP packets and their flags, as they are sent and received by the attacker and the host he is scanning.

Page 10: Node finder presentation

Port Open

• The attacker first sends a SYN probe packet to the port he wishes to test. Upon receiving a packet from the port with the SYN and ACK flags set, he knows that the port is open. The attacker completes the three-way handshake by sending an ACK packet back.

Page 11: Node finder presentation

Port Closed

If, however, the target port is closed, the attacker receives an RST/ACK packet directly back.

As before, the attacker sends a SYN probe packet, but the target server responds with an RST/ACK. Standard connect( ) scanning in this way is a reliable way to identify accessible TCP network services. The downside is that the scanning type is extremely simple and hence easily identified and logged.
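Why such a scan is easily identified and logged, as an added example (not from the presentation): a sliding-window check over a connection log that flags a source touching many distinct ports on one host while mostly receiving RST. The log format, addresses, thresholds and the name `detect_connect_scans` are constructed for this sketch.

```python
from collections import defaultdict, deque

# Constructed sample log: "<epoch-seconds> <src> <dst> <dst-port> <reply>"
# reply is the server's answer to the SYN: SYNACK (port open) or RST (port closed).
SAMPLE_LOG = "\n".join(
    [f"{100 + p * 0.01:.2f} 10.0.0.66 10.0.0.9 {p} "
     f"{'SYNACK' if p in (22, 80) else 'RST'}" for p in range(1, 101)]
    + ["130.00 10.0.0.20 10.0.0.9 80 SYNACK",
       "131.50 10.0.0.20 10.0.0.9 443 SYNACK",
       "140.00 10.0.0.21 10.0.0.9 22 SYNACK"]
)


def detect_connect_scans(log_text, window_s=5.0, min_ports=20, min_rst_ratio=0.5):
    """Flag (src, dst) pairs that hit many distinct ports inside a short window
    and are mostly answered with RST, the footprint of a connect() sweep."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port, reply)
    alerts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, port = float(fields[0]), int(fields[3])
        src, dst, reply = fields[1], fields[2], fields[4]
        events = recent[(src, dst)]
        events.append((ts, port, reply))
        # Drop events that have aged out of the window.
        while events and ts - events[0][0] > window_s:
            events.popleft()
        ports = {p for _, p, _ in events}
        rst_ratio = sum(r == "RST" for _, _, r in events) / len(events)
        if len(ports) >= min_ports and rst_ratio >= min_rst_ratio:
            best = alerts.get((src, dst), {"ports": 0})
            if len(ports) > best["ports"]:  # keep the widest sweep seen
                alerts[(src, dst)] = {"ports": len(ports),
                                      "rst_ratio": round(rst_ratio, 2),
                                      "first_seen": events[0][0]}
    return alerts
```

On the sample, the two ordinary clients stay below the port threshold and only the 100-port sweep from 10.0.0.66 is reported.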

Page 12: Node finder presentation

Implementation Screenshots

Page 13: Node finder presentation
Page 14: Node finder presentation
Page 15: Node finder presentation

Future Work

There is broad scope for improvement and further work to make the application better. A few of the possibilities are listed below:

• Save all scans in a database, open previous scans, export previous scans, etc.

• Settings: prevent phone from sleeping

• NMAP build script

• Add new information such as Hops

• Support of other protocols: UDP, SCTP

• Send custom packets (shell codes, exploits)

• Nat Traversal

• Proxy (auto) support

Page 16: Node finder presentation

THANK YOU