NetScanTools consist of many network function. Most of functions are designed to run in separate thread so several tabs can be used simultaneously. The communication is primarily based on TCP/IP protocol at the Winsock level. NetScanTools does not rely on remote agents to gather information. Instead, it use active probing and passive listening for gathering information.
Active probing means that NetScanTools initiate packet of information called datagram and listens for response to those packets. The response are normally formatted into specific response which are on a level above that of the transport level, such as a TCP or UDP. An excample would be a name server response containing the IP address of a host.
NetScanTools Pro has a scanner tab called Port Prober. Port Prober is an essential tool in determining the services or daemons running on a target machine. This prober is multithreaded, configurable and it allows running four different types of probing patterns. The user can build lists of target IP addresses and list of ports to probe, specifying timeout and the protocol to connect with. Besides, any data that is received from the target port upon connection is saved for viewing. The results are presented in a treeview and are colorcoded with different types of images for easy location of information at a glance.
The type of port connection supported are:
- TCP Full Connection. This mode take full connection to the target, it is the most accurate way to determine TCP services, but it is also easily detected by IDS.
- UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of the message imply either the port is used or the target does not return the ICMP message which can lead to false postive. This mode is easily recognized by IDS.
- TCP Full/UDP ICMP Combined. This mode combine the previous two modes into one operation.
- TCP SYN Half Open. For Windows XP/2000 only. This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with SYN|ACK and closed ports respond ACK|RST or RST. This mode is less likely to be noted by IDS, but since the connection is never fully completed, it cannot gather data or banner information. However, the attacker has full control over TTL, Source Port, MTU, Sequence number and Window parameters in the SYN packet.
- TCP Other. Windows XP/2000 only. This mode sends out a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH, URG flags set to the target port and listens for the response. The attacker can have full control over TTL, Source Port, MTU, Sequence number and Window parameters in the custom TCP packet. Each operating system response differently to these special combination. The tool includes presets for XMAS, NULL, FIN and ACK flag setting.
Type of probe patterns are:
- Sequential Probe. This method scan a linear set of ports as defined by the start/end port numbers over a linear set of IP addresses as defined by the IP address range settings
- Probe Port List. This mode probes only the ports listed in the Port List. This mode probes either a signle host or a range of IP addresses based on the selection made in the Probe Single Host/Probe IP Rage radio button group. It probes each host sequentially, that is the first, then the second etc., using the list of port numbers show in the Port List.
- Sequential Port Probe Using the Target List. This mode probes every port using the Starting through ending port range on every computer in the target list.
- Probe a List of Ports on a List of Targets. This mode is the most stealthy mode and uses the least amount of CPU time and bandwidth because scanning is restricted to only the target ports on the target machines.