Scanning FTPs


Note: It is recommended to read Downloading With FTP First.

Introduction

Don't even know what scanning is? Well, without scanners all these FTPs loaded with goodies would never exist. Scanning is simply using a special program to ping tons of FTPs all at once and try to find active FTPs with anonymous access and upload/download permissions. This tutorial is designed for people who have never scanned before and want to see what it is all about. It doesn't go into how to read the results or what to do with them after a scan; it will simply give you the basic setup and knowledge to perform a public FTP scan that generates some results. What to do with the results when you're done will be discussed in other tutorials.

Necessary Tools

Installation & Setup

Ok, if you have not downloaded the required program yet, do it now. I suggest making a special folder wherever you download stuff, called "Scanning" or something similar, so you can easily locate all the tools you may collect. Anyway, installing Ping is pretty simple: extract the zip somewhere, run the installer and let it do its business. When it's done you will have some brand new icons to play with in your start menu.

Start up Ping; you'll see the little splash screen and then it will load the program. This program can be used to scan for pubs or to scan ports. I don't know how to use the port scanning functions, so I will only be talking about pub scanning. The first thing to do is open up the options by going to Options -> Preferences or simply pressing F8. The first tab (Ping) you can leave alone because those settings are kind of advanced; I don't even touch them. The second tab (List View) is just visual preferences. I suggest leaving them alone, but you can mess with them if you want.

The Pub Find Tab

Here is where the main settings for scanning for pubs are. On the General tab in this section you can have Threads set to 130 and the timeout at 10, although it is recommended to use something like 52 threads for starters. Why 52, you ask? Well, the more threads, the faster a scan gets completed, but before you go entering 500, more threads also require more bandwidth and more CPU power. The threads variable is actually how many pubs it checks at one time, so you can see how the default of 5 does not work very quickly when you're scanning thousands of IPs. The reason for 52 specifically is that if it's set at 50 there end up being 4 left over, and it is just much faster to use 52. If you have a decent computer and a normal connection, 52 is the recommended setting for starting off; using something like 130 would probably work also and get it done in about half the time. The timeout is best left at 10 unless you know your response time is really awful for FTPs, in which case you should set it a little higher; the higher the value, the longer a scan will take.

[Screenshot: Grim's Ping Logging tab]

The Logging Tab

This tab has a bunch of options, so here is a screenshot and an explanation of them all. With the top two check boxes you can either log only the anonymous FTPs that Ping comes across, all FTPs that it scans (which would make a huge log file), or not log any FTPs. This is just a basic log; the actual results of the scan get put into a different file. The next box you want checked: this will log all Wingate engines that it comes across while looking for FTPs. They are useful to help FXP files, which is not a topic for here. These settings will create a log of JUST Wingates, which may be useful later. The next option is where these results are kept... you can make this any location you would like, but it is suggested to just leave it alone and it will store them in the main Ping directory. The last two options should be left unchecked... the first one is self explanatory, and the second is recommended to be left alone.

The General Tab

These are mainly personal preferences. You can have it auto save your queue in case you quit Ping by accident or something. Also, if you've been disconnected it will try to figure out when you get reconnected and start scanning again. Just set all these to your liking, or leave them alone to get on with the scanning.

[Screenshots: Permissions tab, General and Logging sub-tabs]

The Permissions Tab

Here you will find all the options for logging the found pubs with good permissions. On the General Tab you want to have the box checked and there should already be some directories entered here, but they are fine the way they are defaulted. If you would like to add some more directories to check the easiest way is to edit the ping.ini file manually.

The Logging Tab

You can again change the location of the file but I suggest leaving it where it is. The rest of the options should be set up as in the picture above. This will generate the most useful perms.log. The first 4 boxes should be checked and the last 2 unchecked.
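From the other side of the fence: the directories the Permissions tab checks are exactly the ones an FTP admin should make sure anonymous users cannot write to. The following Python script is an added example, not part of this tutorial and not Grim's Ping code; it audits a vsftpd.conf for the combination of directives that gives anonymous users write access and rewrites the offending ones to NO. The directive names and defaults are vsftpd's (anonymous_enable defaults to YES in vsftpd itself, which is the trap the audit catches when the directive is simply missing); the config text below is constructed for the example.

```python
# Audit a vsftpd.conf for anonymous write access and produce a hardened copy.
# Added example; the WEAK_CONF text is constructed, not taken from a real server.

# vsftpd's compiled-in defaults for the directives that matter here.
DEFAULTS = {
    "anonymous_enable": "YES",   # vsftpd's own default is YES; distro files often set NO
    "write_enable": "NO",        # master switch for any write command
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

# Directives that, together with anonymous_enable and write_enable, let
# anonymous users upload, create directories, or delete/rename files.
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")

# Constructed example of a configuration a permissions scan would be happy with.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_root=/srv/ftp
"""


def parse_conf(text):
    """Return a dict of directive -> value, starting from vsftpd's defaults.

    Blank lines and '#' comments are skipped; values are compared case-insensitively.
    """
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit(text):
    """Return a list of findings describing how anonymous users could write."""
    s = parse_conf(text)
    findings = []
    # Without both of these, none of the anon_* write directives has any effect.
    if s["anonymous_enable"] != "YES" or s["write_enable"] != "YES":
        return findings
    for key in ANON_WRITE_KEYS:
        if s[key] == "YES":
            findings.append(f"{key}=YES lets anonymous users write under anon_root")
    return findings


def harden(text):
    """Return the config with every anonymous write directive forced to NO.

    Directives that were merely absent are appended so the safe value is explicit
    rather than relying on a default.
    """
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key in ANON_WRITE_KEYS:
            out.append(f"{key}=NO")
            seen.add(key)
        else:
            out.append(raw)
    for key in ANON_WRITE_KEYS:
        if key not in seen:
            out.append(f"{key}=NO")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WEAK:", finding)
    print("--- hardened ---")
    print(harden(WEAK_CONF), end="")
    print("findings after hardening:", audit(harden(WEAK_CONF)))
```

Note that the script deliberately leaves `anonymous_enable` and `write_enable` alone, since local users may legitimately need to upload; it only closes the anonymous write paths. Run it against a copy of the real file before deploying the rewritten one.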

OK that's it for setting up Grim's Ping... all ready to find some ranges to scan. But don't quit Grim's because we will need it again soon.

Picking an IP Range

OK... there are many ways to go about doing this... This tutorial will cover a few. The worst thing you can do is just punch in random IPs; this will in general give you no results. I suggest reading through the first method before reading any others because it has some basic skills that may be needed elsewhere. Also, in the other methods you may be referred back to the first method for things that are already explained.

First Method

[Screenshot: Single Host Lookup dialog]

The first method involves searching for web hosts and then scanning their ranges. Usually this gets results, but sometimes they are all being used already. First go to HostSpot, which is a web host search engine. Now click "View all hosts", which is next to the navigation bar on the main page. From here go to random pages until you find a web host that looks nice and big and fast. Really there is no way to tell, but usually look for hosts offering unlimited bandwidth and lots of space. Once you find one, click on its name and you will go to a page with more info about them. Then right click on the link right under the host's name and select "Copy Shortcut", which puts their webpage on the clipboard. Now switch over to Ping and select Tools -> Single Host Lookup (or simply press F9). Paste the URL in here by either pressing CTRL-V or right clicking and selecting Paste, then press Lookup. A dialog box will pop up which shows the IP and the hostname. When you click on OK your pasted URL is replaced by the IP it found. Select this and copy it by pressing CTRL-C or right clicking and hitting Copy. Now press Close and go to the next section to scan the IP you found.

Second Method

The second method is along the lines of random IPs but more controlled. When you get good at it this is a great method for finding unclaimed pubs. First go to the IP Address Index and just check out the main page for a minute. Most pubs are going to be found in the Class C range (click Class C), specifically in 204, 205, 206, 207, 208, 209, 216. These are listed as various US/Canadian networks, and if you click on the link it gives you more details about each range. Pubs are also commonly found in the Class A range (go to Class A), mostly in 63-66, which is InterNIC Registration. OK, go back to the Class C section and click on one of the ranges that were just talked about above. Here you can just scroll and look for a company that looks like it might have a lot of FTPs, and that's it. Just copy their start range to the clipboard and move on to the next section.

Third Method

My third method is just a combination of methods one and two. First you find an IP using method one, then go to the IP Address Index and find it. From there you can see who owns that range and who owns everything around it. If it looks good you can scan that IP and all its surroundings. Once you find something suitable, copy the IP to the clipboard and move to the next section.

Scan Away

[Screenshot: Paste IP dialog]

First we have to get our IP into the queue, so hit the "Paste IP" button on the top toolbar. Paste your newfound IP in here and hit OK. To do a good scan you usually want to scan the whole range, so edit the third box and make it a "0" like in the picture above. You can also use wildcards to paste an IP, so you can replace the third box with a * and skip the "Add Multiple Ranges" step. Now make sure that "PubFind" is selected and then press "Add to Queue", which will add that small IP range to the queue. Now press "Add Multiple Ranges", enter 255 and press OK. This will take a minute to complete and it will add that full range to the queue. OK, this should be enough to work with for now, so close that box, get ready, and hit the Go button on the toolbar (stoplight picture). Watch Ping scan away; it shows various information on the bottom like how many servers it found and everything like that. You can view your perms.log and results.log while scanning; the options to do so are located in the File menu. Here you can also minimize Ping to the system tray and then come back a few hours later to find it done.
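What a scan like this looks like from the server owner's end: each scanner thread logs in anonymously, immediately tries to write into a handful of directories, and drops the connection well inside the timeout. The following Python script is an added example, not part of this tutorial and not Grim's Ping code. It parses log lines modelled on vsftpd's native log format (the lines below are constructed for the example, not real traffic) and reports any client whose anonymous login is followed within a short window by upload, mkdir, delete or rename attempts, successful or not, which is the footprint of a permissions probe rather than of someone browsing the archive.

```python
# Detect anonymous-FTP write probes in vsftpd-style log lines.
# Added example; SAMPLE_LOG is constructed and only modelled on vsftpd's native log format.
import re
from datetime import datetime

# Constructed sample: one client probing write access right after an anonymous
# login, one anonymous client just downloading, and one authenticated user uploading.
SAMPLE_LOG = """\
Sat Mar  7 20:01:02 2026 [pid 4101] CONNECT: Client "198.51.100.23"
Sat Mar  7 20:01:03 2026 [pid 4100] [anonymous] OK LOGIN: Client "198.51.100.23"
Sat Mar  7 20:01:03 2026 [pid 4102] [anonymous] FAIL UPLOAD: Client "198.51.100.23", "/pub/1", 0.00Kbyte/sec
Sat Mar  7 20:01:04 2026 [pid 4102] [anonymous] FAIL MKDIR: Client "198.51.100.23", "/incoming/1"
Sat Mar  7 20:01:04 2026 [pid 4102] [anonymous] OK UPLOAD: Client "198.51.100.23", "/upload/1", 0 bytes, 0.00Kbyte/sec
Sat Mar  7 20:01:05 2026 [pid 4102] [anonymous] OK DELETE: Client "198.51.100.23", "/upload/1"
Sat Mar  7 20:05:10 2026 [pid 4110] CONNECT: Client "203.0.113.77"
Sat Mar  7 20:05:11 2026 [pid 4109] [anonymous] OK LOGIN: Client "203.0.113.77"
Sat Mar  7 20:07:40 2026 [pid 4111] [anonymous] OK DOWNLOAD: Client "203.0.113.77", "/pub/README", 2048 bytes, 10.00Kbyte/sec
Sat Mar  7 20:09:00 2026 [pid 4120] CONNECT: Client "192.0.2.8"
Sat Mar  7 20:09:01 2026 [pid 4119] [alice] OK LOGIN: Client "192.0.2.8"
Sat Mar  7 20:09:05 2026 [pid 4121] [alice] OK UPLOAD: Client "192.0.2.8", "/home/alice/report.pdf", 51200 bytes, 400.00Kbyte/sec
"""

# Timestamp, pid, optional [user], optional OK/FAIL, event name, client IP, optional path.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?:(?P<status>OK|FAIL) )?(?P<event>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]*)")?'
)
WRITE_EVENTS = {"UPLOAD", "MKDIR", "DELETE", "RENAME", "RMDIR"}
ANON_USERS = {"anonymous", "ftp"}   # both spellings vsftpd accepts for anonymous logins


def parse(log_text):
    """Turn log lines into event dicts; lines in an unknown format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def analyze(log_text, window_seconds=30):
    """Return {client_ip: finding} for anonymous sessions that attempt writes
    within window_seconds of logging in. Failed attempts count too: a FAIL UPLOAD
    into /pub right after login is the probe itself, whether or not it worked."""
    findings = {}
    last_anon_login = {}
    for ev in parse(log_text):
        ip = ev["ip"]
        if ev["event"] == "LOGIN" and ev["status"] == "OK" and ev["user"] in ANON_USERS:
            last_anon_login[ip] = ev["ts"]
            continue
        if ev["event"] in WRITE_EVENTS and ev["user"] in ANON_USERS and ip in last_anon_login:
            elapsed = (ev["ts"] - last_anon_login[ip]).total_seconds()
            if elapsed <= window_seconds:
                f = findings.setdefault(ip, {
                    "login_at": last_anon_login[ip],
                    "write_attempts": 0,
                    "successful_writes": 0,
                    "paths": [],
                })
                f["write_attempts"] += 1
                if ev["status"] == "OK":
                    f["successful_writes"] += 1
                f["paths"].append(f'{ev["event"]} {ev["path"]}')
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: anonymous write probe at {f['login_at']}, "
              f"{f['write_attempts']} attempts, {f['successful_writes']} succeeded")
        for p in f["paths"]:
            print("   ", p)
```

The window is the tuning knob: a scanner with a 10-second timeout has to do everything in a few seconds, so a short window separates probes from a human who logs in anonymously and uploads to an incoming directory ten minutes later. Any client with `successful_writes` above zero is the one to act on first, since that is a directory a scanner would have logged in its perms file.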

Continue to Tagging FTPs
