Tuesday, April 18, 2006


Simple port scanning using Monad

Working from the C# example by William Stacey in the newsgroup (Monitoring Ports on Remote System), I made this very simple MSH example.

I removed the threading (so if you have a lot of ports, yes, it's slow), but I did add some basic banner grabbing.

The script looks like this:

# Scan-Ports.msh

# Scans computer for a list of ports and tries to get Banners on open ports
# /\/\o\/\/ 2006
# http://mow001.blogspot.com

# check needed aliases

if (!(get-command -ea SilentlyContinue new)) {set-alias new New-Object}

# Load Function

Function Scan-Ports {
  param ($server = "localhost",[int[]]$ports)
  trap{"Server $Server not Found";continue}
  $ping = new Net.NetworkInformation.Ping
  $script:result = $null
  $script:result = $ping.send($server)
  # Ping.Send returns a reply object even on a timeout, so check the status, not just for $null
  if ($result -and $result.Status -eq "Success") {
    foreach ($port in $ports) {
      Trap {"$port Not Open";continue}
      "Checking $server $port :"
      $client = new net.sockets.tcpclient
      $client.Connect($server, $port) # throws (and hits the trap above) when the port is closed
      if ($client.connected) {
        "$port is Open, Trying to get banner"
        $stream = $client.GetStream()
        $chars = @()
        sleep -m 1000 # Give server some time to react
        while ($stream.DataAvailable) {$chars += [char]$stream.readByte()}
        [string]::Join("", $chars) # output the collected banner as one string
        $stream.Close()
      }
      $client.Close()
    }
  }
}

You can use the script like this:

# Usage :

MSH>Scan-Ports mail 110

Checking mail 110 :
110 is Open, Trying to get banner
+OK InterMail POP3 server ready.

# or, for more flexibility:

$server = "mail"
$ports = 21,25,23,80,110,8080,4444 + 130..140
#$ports = @(110)

Scan-Ports $server $ports
<snap> ... <snap>
Checking mail 80 :
80 Not Open
Checking mail 110 :
110 is Open, Trying to get banner
+OK InterMail POP3 server ready.

Checking mail 8080 :
8080 Not Open
Checking mail 8080 :
8080 Not Open
Checking mail 4444 :
4444 Not Open
Checking mail 130 :
130 Not Open
Checking mail 131 :
131 Not Open

<snap> ... <snap>

# or make flexible ranges like this:

scan-ports 'mail' @(21,25,23,80,110,8080,4444 + 130..140)

# I had some problems with the MS telnet server:

MSH>Scan-Ports localhost 23
Checking localhost 23 :
23 is Open, Trying to get banner
ÿû☺ÿû♥ÿy'ÿy▼ÿy ÿû

# should be UTF-8 I think, but all this did not work:


Note that I first ping the computer, and only if I get a reply do I do the port scan, to speed it up a bit; if ICMP is disabled, you should remove this.
Also, you can get some speed using Karl Prosser's (very cool) start backgroundpipeline snapin: http://www.karlprosser.com/coder/?p=39

And as you can see in the last example, the MS telnet banner is unreadable.


Greetings /\/\o\/\/

Anonymous
Hey MoW,

Telnet is not quite like any other port, since there are many different terminal types that may connect (vt220, vt100, 3270 etc) so the first phase of the connection involves something called telnet "option negotiation." as described in RFC 854. A good overview is at http://www.freesoft.org/CIE/Topics/110.htm

So, to summarise, you ain't doing anything wrong!

- Oisin
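An added example, not from the post or from Oisin's comment, that applies his explanation to what Scan-Ports reads from port 23: it walks the raw bytes and separates the RFC 854 IAC negotiation commands from the printable text, so a banner like the telnet line above becomes readable. The function name Decode-TelnetBanner is made up here; of the sample bytes, only the first six (FF FB 01 FF FB 03, which is what the post's "ÿû☺ÿû♥" is) come from the post, the rest are constructed.

```powershell
# Decode-TelnetBanner (added example; hypothetical name, not part of Scan-Ports.msh)
# Splits bytes read from a telnet port into RFC 854 option negotiation and plain text.

$TelnetCommands = @{ 240 = "SE"; 241 = "NOP"; 249 = "GA"; 250 = "SB";
                     251 = "WILL"; 252 = "WONT"; 253 = "DO"; 254 = "DONT" }
$TelnetOptions  = @{ 0 = "BINARY"; 1 = "ECHO"; 3 = "SUPPRESS-GO-AHEAD"; 24 = "TERMINAL-TYPE";
                     31 = "NAWS"; 32 = "TERMINAL-SPEED"; 39 = "NEW-ENVIRON" }

function Decode-TelnetBanner {
    param ([byte[]]$Bytes)
    $text = New-Object System.Text.StringBuilder
    $negotiations = @()
    $i = 0
    while ($i -lt $Bytes.Length) {
        if ($Bytes[$i] -ne 255) {                  # ordinary data byte: keep as text
            [void]$text.Append([char]$Bytes[$i]); $i++; continue
        }
        if ($i + 1 -ge $Bytes.Length) { break }    # IAC with nothing after it: truncated read
        $cmd = [int]$Bytes[$i + 1]
        if ($cmd -eq 255) {                        # IAC IAC is an escaped literal 0xFF
            [void]$text.Append([char]255); $i += 2; continue
        }
        if ($cmd -ge 251 -and $cmd -le 254) {      # WILL / WONT / DO / DONT <option>
            if ($i + 2 -ge $Bytes.Length) { break }
            $opt = [int]$Bytes[$i + 2]
            $optName = $TelnetOptions[$opt]; if (-not $optName) { $optName = "OPTION-$opt" }
            $negotiations += "IAC $($TelnetCommands[$cmd]) $optName"
            $i += 3; continue
        }
        if ($cmd -eq 250) {                        # SB ... IAC SE: skip the subnegotiation body
            $j = $i + 2
            while ($j + 1 -lt $Bytes.Length -and -not ($Bytes[$j] -eq 255 -and $Bytes[$j + 1] -eq 240)) { $j++ }
            $negotiations += "IAC SB ... IAC SE"
            $i = $j + 2; continue
        }
        $cmdName = $TelnetCommands[$cmd]; if (-not $cmdName) { $cmdName = "CMD-$cmd" }
        $negotiations += "IAC $cmdName"            # two-byte commands such as NOP or GA
        $i += 2
    }
    New-Object PSObject -Property @{ Text = $text.ToString(); Negotiations = $negotiations }
}

# Constructed sample: the first six bytes are the post's "ÿû☺ÿû♥"; everything after is made up.
$sample = [byte[]](255,251,1, 255,251,3, 255,253,39, 255,253,31, 255,253,24) +
          [System.Text.Encoding]::ASCII.GetBytes("Welcome to the telnet service`r`n")
$decoded = Decode-TelnetBanner $sample
$decoded.Negotiations   # IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD, IAC DO NEW-ENVIRON, ...
$decoded.Text           # the readable part of the banner
```

Feeding the `$chars` collected by Scan-Ports through this (as bytes rather than chars) turns the unreadable telnet line into a list of the options the server asked for, which is usually more useful for fingerprinting than the raw bytes.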
