08 September 2011

Network device discovery and profiling with Angry IP Scanner

Finding active machines on your network is an essential part of network security. No security administrator wants unauthorized machines connected to their network spreading malware, sniffing packets, and so on.

There are a number of ways to do this. This is probably the simplest and quickest way to go about it.

You will need Angry IP Scanner (http://www.angryip.org/w/Download). This great little utility lets you do a great deal of discovery and profiling.

In this tutorial I will cover scanning for Windows machines only and setting up an easy RDP connection opener.

You will need to know which IP ranges you want to scan. Scanning a large number of subnets will result in very long scan times and bulky results.

Launch Angry IP Scanner and follow these steps.

Setting Preferences
From the File menu select Tools - Preferences.
Set your scanning preferences as follows:

On the scanning tab

  • Delay between starting threads: 20ms
  • Maximum number of threads: 50
  • Ping method: Windows ICMP
  • Number of ping probes: 1
  • Ping timeout: 2000
  • Check - Scan dead hosts, which don't reply to pings
  • Check - Skip likely broadcast IP addresses

The reason for scanning dead hosts is to also scan machines that may be dropping ICMP ping requests because they have a firewall enabled and configured to do so. Enabling this setting will also run the port scan on those hosts.

On the Ports tab
By being specific about what we scan for we can expect certain machines to return certain results.

  • Default port connection timeout: 2000
  • Ports 135,3389
  • Check - For each host, add requested specific ports

Port 135 is the RPC endpoint mapper port and is virtually guaranteed to be open on a Windows machine.
Port 3389 is for RDP; this is a further indicator, and it also lets you know whether you could RDP to that host.

This process is what is referred to as profiling. Include other ports if you are looking for other services. As an example, scanning for port 80 and getting a result without 135 probably indicates a Linux-based web server. Take this a step further and you have OS fingerprinting.

On the display tab

  • Select Hosts with open ports only
  • Uncheck - Ask for confirmation before starting new scan
  • Uncheck - Show Info dialog after each scan

These settings will streamline your results and only show the Windows hosts you are looking for.

Define Custom Opener
I include this because in my environment most machines are managed with remote desktop and this simplifies connection to them.

  • From the File Menu select Commands - Open - Edit Openers
  • Click Add
  • Opener Name:  Remote Desktop
  • Execution string: mstsc.exe /v:${fetcher.ip}
  • Working directory: c:\windows\system32

Start the Scan

  • Specify the IP range start address and end address
  • Click the => Start button

As the results come up, we can see the effect of the settings specified earlier.

You should only see Windows hosts that are alive.
You should also see which machines you can Remote Desktop to (3389 shows up).
You can then use your custom opener to easily connect to the machine.

There are many different ways of doing this. This is a relatively simple way to go about it, as the tool is easy to use and understand. The results are easily exported to a CSV file, from where they can be further manipulated.
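To show what "further manipulated" can look like, here is an added example (not from the original post or the Angry IP Scanner project) that applies the profiling rules above (135 means Windows, 135 plus 3389 means RDP reachable, web ports without 135 means a likely non-Windows web server) to an exported CSV. It assumes the export has the columns IP, Ping, Hostname and Ports, with "[n/a]" for hosts that did not answer ping and the Ports column quoted when it holds several ports; the sample rows are constructed, not real scan data.

```python
"""Profile hosts from an Angry IP Scanner CSV export by open-port pattern."""
import csv
import io

# Constructed sample in the assumed export layout (IP, Ping, Hostname, Ports).
# Hosts with Ping "[n/a]" were only found because "Scan dead hosts" was enabled.
SAMPLE_CSV = """IP,Ping,Hostname,Ports
10.0.0.5,1 ms,dc01.corp.local,"135,3389"
10.0.0.7,[n/a],ws-lab-02,135
10.0.0.9,0 ms,web01,"80,443"
10.0.0.10,[n/a],,n/a
"""

RPC_PORT = 135    # RPC endpoint mapper, virtually always open on Windows
RDP_PORT = 3389   # Remote Desktop
WEB_PORTS = {80, 443}


def parse_ports(field: str) -> set:
    """Turn the Ports column into a set of ints; 'n/a' and '[n/a]' give an empty set."""
    cleaned = field.replace("[", "").replace("]", "")
    return {int(tok) for tok in cleaned.split(",") if tok.strip().isdigit()}


def profile(ports: set) -> str:
    """Apply the post's profiling rules to one host's open ports."""
    if RPC_PORT in ports:
        return "windows-rdp" if RDP_PORT in ports else "windows"
    if ports & WEB_PORTS:
        return "non-windows-web"   # web ports but no 135: probably not Windows
    if ports:
        return "unknown-open-ports"
    return "no-open-ports"


def classify_export(text: str) -> dict:
    """Map each IP to (profile label, answered_ping).

    answered_ping is False for hosts that dropped ICMP; a False value together
    with open ports points at a firewalled host worth a closer look.
    """
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        answered = row["Ping"].strip() not in ("[n/a]", "n/a", "")
        result[row["IP"]] = (profile(parse_ports(row.get("Ports", ""))), answered)
    return result


if __name__ == "__main__":
    for ip, (label, answered) in classify_export(SAMPLE_CSV).items():
        print(f"{ip:<12} {label:<18} ping={'yes' if answered else 'no'}")
```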

For more info check out the full Angry IP Scanner site.

For more advanced network probing look at something like NMAP - http://nmap.org/
