Don't get me wrong, I think this is some great coding, but I'm just wondering... what might be a legal/ethical use of this? I'm thinking that most companies own at most a couple thousand machines, so something more traditional like nmap might do just fine.
Vulnerable devices are vulnerable. It doesn't matter if this tool exists; they are eventually going to be found out. Just look at shodan.io to get an idea.
What this does is allow security researchers to better assess the vulnerability of the Internet as a whole. We need a better understanding of what's going on.
You could be a white knight and patch vulnerable devices using that very same security hole. In fact I would really enjoy having our governments offering this as a service instead of spending so much energy on attacking the others (or at least notify the owner).
I agree with you, although many years ago I got an official warning from the head of IT security at the university I was attending (and working at the computer labs) for allowing a friend of mine to run a port scanning script across a large portion of the allocated IPv4 address space. Apparently they'd had complaints... They saw the ethics of port scanning as a grey area, tending towards black.
I don't really see that. An open port is a door on your house. I'm free to walk down the street and look at your door as I please. I may also knock on it as long as I'm not banging on it for 10 minutes or something. However if I then try to pick the lock and enter your house, well then...
EDIT: It's not a perfect analogy, but if you have a system that can be publicly accessed, just seeing that it's publicly available isn't a grey area to me, that's all.
To be fair, if you come to my house, and turn my door knob to see if it's open or locked, and then start checking all my windows to see if they open or are locked, then we're going to have trouble...
Why the need every time this comes up to compare it to looking at doors from the sidewalk while walking our dogs? We're geeks, we understand what portscanning is well enough to form our own conclusions as to whether it is more right than wrong.
Conversely, we don't need a pedestrian ethicist to conceptualize looking at doors by asking us to think about walking around and observing houses innocently as being somehow congruent to portscanning. Analogies offer similarities, not equations.
The ports = doors analogy fails: For doors you are supposed to enter, like shops, there are signs to let you know that it’s OK to enter them. There are no such things for ports. There was, once upon a time, such a thing: an enumerated list, in a DNS “WKS” record, of ports you were expected to use. As part of the deprecation of the WKS record, RFC 1123 states “To confirm that a service is present, simply attempt to use it.”
I feel close is a better word. Not only is it far more concise, the port may still have a listener that can be accessed over a VPN or internal network; you might just prevent access at the edge firewall, for example.
I think (hope) attitudes are changing on this. 15 to 20 years ago it was assumed in management circles that scanning for open ports was nefarious. These were the people who believed in security by obscurity.
These days I hope people realize that the equivalent of "lock the front door, but leave the back door open" isn't viable.
Also, the door analogy is (as other commenters have pointed out) flawed. Should an open port be translated as a door you can knock at or ring the bell, a door you can open, or just a door you can see? I personally agree that "An open port is a door on your house" but others see it as one you've just knocked on, and others see it as one you've willfully tried to break into.
The informedness of the port owner will define how they interpret the port scan.
How about an art gallery analogy? Consider the internet a giant art gallery, where open ports are doorways that one may walk through. Closed ports are closed doors, perhaps only open to certain patrons. Still others are closed to everyone.
If knowing that a certain port is open at a certain IP address compromises your security, you have already lost in my opinion. Anything that deobfuscates security through obscurity is a good thing.
The last time I was involved in anything like this I used zmap to scan for open rsync shares. Without wanting to be click-baity the results shocked me!
I don't understand why anyone bothers to send abuse emails for port scans. Just block the scanning source and move on, they are far too frequent to be concerned about.
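The "just block the scanning source and move on" approach from the comment above, as an added example that is not part of the thread: a small detector that reads iptables/UFW-style LOG lines, flags any source that touches many distinct destination ports within a short window, and emits the corresponding drop rule. The log lines are constructed for the example (TEST-NET addresses, fictional hostname `gw`), the window and threshold are arbitrary choices, and the parsing assumes the `SRC=`/`DST=`/`PROTO=`/`SPT=`/`DPT=` field order that the kernel LOG target produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Field layout of an iptables LOG / UFW BLOCK line (syslog timestamp, host, then key=value fields).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one LOG line, or None if the line is not in the expected format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; strptime fills in 1900, which is fine for ordering
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def detect_scanners(lines, window=timedelta(seconds=60), threshold=8):
    """Flag sources that hit >= threshold distinct (dst, port) targets inside a sliding window.

    Returns {source_ip: timestamp_of_first_detection}. Repeated hits on the same
    target (a client retrying HTTPS) do not count as additional targets.
    """
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dpt)) inside the window
    flagged = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dpt"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop hits older than the window
        if len({target for _, target in q}) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def block_rules(flagged):
    """Render one iptables drop rule per flagged source (the 'block and move on' step)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(flagged)]


def _fmt(ts, src, dst, spt, dpt):
    # Builds a constructed UFW BLOCK line; not captured from a real system.
    return f"{ts} gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt}"


# Constructed sample log: one scanner, one normal client, one slow source below threshold.
SAMPLE_LOG = [
    # 198.51.100.7 probes ten different ports in ten seconds
    *[_fmt(f"Jun 10 12:00:{i:02d}", "198.51.100.7", "203.0.113.10", 40000 + i, p)
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389], start=1)],
    # 192.0.2.5 is a normal client: five HTTPS hits and one HTTP hit
    *[_fmt(f"Jun 10 12:01:{i:02d}", "192.0.2.5", "203.0.113.10", 50000 + i, 443) for i in range(5)],
    _fmt("Jun 10 12:01:30", "192.0.2.5", "203.0.113.10", 50010, 80),
    # 192.0.2.200 touches four ports spread over thirty minutes: never eight in one window
    *[_fmt(f"Jun 10 12:{10 * i:02d}:00", "192.0.2.200", "203.0.113.10", 51000 + i, p)
      for i, p in enumerate([22, 80, 443, 8080])],
]

if __name__ == "__main__":
    hits = detect_scanners(SAMPLE_LOG)
    for src, ts in hits.items():
        print(f"{src} flagged at {ts:%H:%M:%S}")
    print("\n".join(block_rules(hits)))
```

The threshold counts distinct targets rather than raw packets, which is what separates a scan from a chatty legitimate client; the slow source shows the obvious blind spot of any fixed window, which is why a real deployment would also keep a longer-lived per-source counter.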
Although I think it's practically infeasible to scan the entire IPv6 range, it is possible to see who's on v6 through other methods, like when Shodan added a bunch of its servers to the NTP pool to find v6 users.
Since IPv6 addresses are allocated in large blocks, and organizations tend to assign IP addresses sequentially, you could probably scan a decent portion of the IPv6 space by doing a binary search on the addresses within each block of a certain size to identify the max active address in each block.
On its face I believe not, but (I'm not positive on the specifics) I believe there are IPv4 to IPv6 bridges that index IPv6 addresses and allow you to only scan active addresses.
It is great. My mobile carrier exposed a huge /8 network and we could even scan it to find some lonely IoT devices with default root passwords with masscan in minutes.
It's probably been submitted again now on the heels of DefCon and Blackhat, where Robert Graham usually gives cool talks and presentations about his security research and work, e.g. MASSCAN.