Checking which ports are open

[imported_Deathray]

Today I found out by a coincidence that my gateway firewall (not in my control) is not as strict as I thought it was.
I tried hosting a game of DoTa and weirdly enough, people could connect. So I got my friend to do a port scan on my external IP - and sure enough it said that port 6112 was open. I was chocked because I thought everything was closed. Now I can SSH my computer from school Yay

Now I haven't realized that you actually have to have a daemon listening before you are able to find out if the firewall will open that port.

What is the method of testing a NAT gateway firewall for configured port forwarding?
I could imagine some script that runs netcat on every single port and then
perform a port scan on the external ip. Are there any other methods? What do you do?

[compaq]

Today I found out by a coincidence that my gateway firewall (not in my control) is not as strict as I thought it was.
I tried hosting a game of DoTa and weirdly enough, people could connect. So I got my friend to do a port scan on my external IP - and sure enough it said that port 6112 was open. I was chocked because I thought everything was closed. Now I can SSH my computer from school Yay

Now I haven't realized that you actually have to have a daemon listening before you are able to find out if the firewall will open that port.

What is the method of testing a NAT gateway firewall for configured port forwarding?
I could imagine some script that runs netcat on every single port and then
perform a port scan on the external ip. Are there any other methods? What do you do?

If the firewall are set to drop at the gateway, but the firewall on the host behind it uses reject, you should get a rst packet if that port is forwarded

[imported_Deathray]

I don't quite understand what you mean.

Lets say you put your laptop on a network which is behind a NAT router.
You have absolutely no control of the router.
Now, you know that you can configure a router to forward 192.168.1.10's port 8000 to the internet? Also known as "Port Forwarding".
This will also mean any computer on the network which has the ip 192.168.1.10 and has a daemon listening on port 8000, that that daemon will be available on the internet.
If you don't make that configuration, people trying to connect to port 8000 on the external IP will not be able to. Only people in the same network, behind the router.
So a person with administration, would configure the router to forward port 8000 of 192.168.1.10's internal IP.

But what if you don't know which IP the router is configured to port forward? Or what port?
Or don't even know if any port forwarding configurations have even been made.
Is there some sort of script that will start by listening on all ports locally at 192.168.1.2 and then do an nmap on the external IP.
After that move up to 192.168.1.3, listen on all ports and then perform an external ip port scan. And continue all the way up to 192.168.1.254 like this. Or maybe there is another way?

[purehate]

Thats not exactly true. you can open dynamic ports on a machine and create listeners which bypass firewalls. When you start a game dameon its most likely configured to open a a port on the net for return traffic. This is the same behavior as torrent clients use.

[PeppersGhost]

This is what nmap does if memory serves me well. If you scan a port on the wall and get a RST packet, then you may or may not conclude that something behind the wall is using that port but the wall drops inbound traffic. Its a guess, and a step in you're overall method.

[compaq]

Just reading hackexposed5 and they use "firewalk".
If the firewall portforwards it, it will have to add a extra hop to tcp(ttl), no mater what it answers like rst/fin etc if it has another hop to get to the host, it must get through.

internet-------firewall------host
0---------------1----------2

Packet send with ttl of 2
-----------------1 drop, icmp don't read
----------------------------2 it has got throught read port info from wireshark

[imported_Deathray]

Offtopic:
pureh@te, I read your signature but had no idea what "Jenkem" was.
After a bit of googling.., YUCK :P . That is disgusting to think that my faeces may be used by some sick person out there to get high.. haha.

Ontopic:
PepperGhost, I don't quite believe that is what nMap does. Because if I perform a scan on the external ip I get all ports closed except port 6112 which I am listening on internally with the ip of 192.168.1.44. If I stop listening on that port than a scan on the external ip shows "port 6112 closed" just like any of the other ports.
ICMP is blocked and filtered by the router, so I can't even ping google.dk. Although I can ping the default gateway. I say this because I believe a tool like Firewalk which is based on ICMP would achieve my goal.
How would I proceed to find out which ports I can listen on which will be forwarded to the external IP?

[radioraiders]

I'm not an expert on ports, but I did write/modify a PHP script that checks for open portson all 65,000 ports of anyone who goes to my "System Check" link:

http://radioraiders.com/system-check.php

Can you go to that link on the computer you found the open port on, and see if it recognizes the port as open? I'm also asking because I'm interested to see if my script works or not (it takes 10-20 seconds to do the pings and traceroute)...it's always sown all ports closed from everywhere I tried it, and I'm assuming most routers keep all their ports closed..

I'll post the script below, if anyone can see a better way to do it, or give any other feedback, please let me know (I'm just teaching myself PHP and HTML)

<p>
<?php
error_reporting(0);
$address = $_SERVER[‘REMOTE_ADDR’];

$port = $_SERVER['REMOTE_PORT'];

$checkport = fsockopen($address, $port, $errnum, $errstr, 2);

if($checkport) {
echo "Connected on port: " . $port . " (Port Open) " . $address . "\n";
fclose($fp);
} else {
echo "Connected on port: " . $port . " (Port Closed) " . $address . "\n";
fclose($fp);
}
?>
</p>


<p>
<?php
$fw="Firewall not active";
$openport="(No Open Ports)";
$host = $_SERVER[‘REMOTE_ADDR’];
echo $_SERVER['REMOTE_ADDR'] ;
echo " has open ports on: ";
for($i=0;$i<65535;$i++) {
$fp = fsockopen($host,$i,$errno,$errstr,1);
if($fp)
{
echo " " . $i . " , \n"; $openport="";
fclose($fp);
}
else
{
echo "";
}
flush();
} //end for
echo $openport;
?>
<?php if (strpos($openport, 'Open') !== FALSE) {$fw= '-> User behind firewall';} ?>
<?echo $fw ?>

[purehate]

I tried the check. It seems to work. Its easily fooled by the user agent switcher though.

[compaq]

ICMP is blocked and filtered by the router, so I can't even ping google.dk. Although I can ping the default gateway. I say this because I believe a tool like Firewalk which is based on ICMP would achieve my goal.

I think tcp has a ttl field, and a sniffer that reports different ttls on return to you, might help.

Edit
If it is 20 hops to the router/firewall, put in 30.