
News & Announcements

2nd May 2002 - On hold at the moment, as I'm busy with Brutus (again). I made some big changes to Mingsweeper and one of them screwed up; I'd rather fix the problems than back out the changes. I blew my mind trying to fix it, so I'll wait a few months before attempting to pick it up again.

16th August 2001 - Doubled the number of OS fingerprints in tcpfp.txt and added some new applications too. These files are available from the download section below and may be copied into your MingSweeper directory or imported if you have custom fingerprints/applications that you wish to retain.

14th August 2001 - A mailing-list is up if you want to keep updated about MingSweeper developments, send an email to mingmailer@hoobie.net with the word 'subscribe' in the mail subject and you will be added to the list.

13th August 2001 - MingSweeper 1.0 alpha release 5 is available for testing.

10th August 2001 - MingSweeper 1.0 alpha release 5 will be available on Sunday night. This includes many bug-fixes (thanks to all those who submitted bugs) and some additional functionality which is now enabled. Again, thanks to those who have offered feedback - I appreciate the effort.

4th August 2001 - I have added a small guide introducing the MingSweeper tool and the interface. Take a look at that right here.

Status

MingSweeper is nearly ready for beta. Feedback on any issues encountered, and suggestions, are appreciated. The current alpha build may be downloaded right here: MingSweeper 1.00 alpha 5 (build 130) [518 kb]

Introduction

MingSweeper is a network reconnaissance tool designed to facilitate large address space, high speed node discovery and identification. MingSweeper is capable of performing ping sweeps, reverse DNS sweeps, TCP and UDP port scans, OS identification and application identification.

Features

Reverse DNS Sweeps
Ping Sweeps (currently ICMP only)
TCP Port Scan (full connect)
TCP Port Scan (SYN scan)
TCP Port Scan (NULL scan)
TCP Port Scan (FIN scan)
TCP Port Scan (XMAS scan)
TCP Port Filter Scan (ACK scan)
UDP Port Scan
Operating System Identification (utilises IP stack fingerprinting)
Application Identification (utilises banner grabbing)
Lazy DNS resolution
Comprehensive results presentation views with filtering/searching
Loading & Saving of scan results
Flexible target range specification

Some Technical Details

Non-connect TCP port scans (SYN, NULL, FIN, XMAS and ACK) and OS identification utilise Winsock 2.x raw sockets, which are only available on Windows 2000 and Windows XP. Windows NT 4.0 and Windows 9x/ME support raw sockets but ONLY for ICMP, which is enough for ping sweeps but not for crafting TCP probes.

OS Identification currently utilises two IP stack fingerprinting techniques. Firstly an NMAP (by Fyodor) style fingerprint is 'taken'; this involves the standard NMAP TSeq, T1-T7 and PU tests. This is followed by an ICMP fingerprinting technique based on the whitepaper produced by Ofir Arkin detailing ICMP usage in scanning. The ICMP tests include target TTL measurement and 4 ICMP query types (Echo, Timestamp, Information Request and Address Mask), each of which is sent 4 times with different IP/ICMP fields set: a plain query, one with the IP DF bit set, one with a non-zero ICMP code and one with a non-standard IP TOS value. Which of these the target echoes back in its reply varies between IP stacks and so contributes to the fingerprint. At some point I will include information gathered from the application identification results, but not just yet.

MingSweeper will perform OS identification in the following sequence:
1 - If open TCP ports are present on the target then perform NMAP tests TSeq, T1, T2, T3 and T4.
2 - If closed TCP ports are present on the target then perform NMAP tests T5, T6 and T7.
3 - Always perform the NMAP PU test with a UDP packet to an assumed closed UDP port.
4 - Always perform the MingSweeper IClass, I1, I2, I3 and I4 ICMP tests.

The results from all of these tests are used to create an OS fingerprint that can be used to match against the fingerprint database.
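The sequence above and the NMAP fingerprint import described under Installation can be shown end to end in a short script. This is an added example, not MingSweeper's own code: it plans which tests to send from the open/closed TCP port state exactly as steps 1-4 state, then parses fingerprint entries in the Nmap 2.x nmap-os-fingerprints text layout (the `Fingerprint <name>` line followed by `TEST(attr=expr%attr=expr)` lines, with `|` alternatives and `<HEX`/`>HEX` bounds joined by `&`) and scores an observed result against them. The two database entries and the observation are constructed for illustration and are not real fingerprints; the 85% match threshold is an arbitrary choice for the example, and the ICMP tests (IClass, I1-I4) have no Nmap equivalent so they are planned but not matched.

```python
"""Added example (not MingSweeper's code): plan OS-identification probes per
this page's sequence, then match an observed result against fingerprints in
the Nmap 2.x nmap-os-fingerprints text layout that MingSweeper imports.
A test line is TEST(attr=expr%attr=expr...); an expr is '|'-separated
alternatives, each an exact token or '&'-joined '<HEX' / '>HEX' bounds.
ICMP tests (IClass, I1-I4) have no Nmap form and are only planned."""
import re


def plan_probes(open_tcp_ports, closed_tcp_ports):
    """Tests to run: steps 1-2 depend on port state, PU and ICMP always run."""
    tests = []
    if open_tcp_ports:
        tests += ["TSeq", "T1", "T2", "T3", "T4"]
    if closed_tcp_ports:
        tests += ["T5", "T6", "T7"]
    tests.append("PU")
    tests += ["IClass", "I1", "I2", "I3", "I4"]
    return tests


def parse_fingerprint_db(text):
    """Parse fingerprint text into {name: {test: {attr: expr}}}."""
    db, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):].strip()
            db[name] = {}
            continue
        m = re.fullmatch(r"(\w+)\((.*)\)", line)
        if m is None or name is None:
            raise ValueError(f"malformed fingerprint line: {line!r}")
        test, body = m.groups()
        attrs = {}
        for pair in body.split("%"):
            if pair:
                key, _, expr = pair.partition("=")
                attrs[key] = expr  # an empty expr (e.g. Ops=) is a valid exact match
        db[name][test] = attrs
    return db


def _alternative_ok(alt, observed):
    """One alternative: exact token, or '&'-joined hex bounds."""
    for part in alt.split("&"):
        if part[:1] in ("<", ">"):
            try:
                limit, value = int(part[1:], 16), int(observed, 16)
            except ValueError:
                return False  # a non-numeric observation never satisfies a bound
            if (part[0] == "<" and value >= limit) or (part[0] == ">" and value <= limit):
                return False
        elif part != observed:
            return False
    return True


def attr_matches(expr, observed):
    return any(_alternative_ok(alt, observed) for alt in expr.split("|"))


def score(entry, observed):
    """(matched, compared) over attributes present in both entry and observation.
    Tests the scan skipped (no closed port => no T5-T7, step 2) are not compared."""
    matched = compared = 0
    for test, attrs in entry.items():
        for key, expr in attrs.items():
            if test in observed and key in observed[test]:
                compared += 1
                matched += attr_matches(expr, observed[test][key])
    return matched, compared


def best_matches(db, observed, min_ratio=0.85):
    """Entries whose match ratio reaches min_ratio (illustrative cut-off), best first."""
    hits = []
    for name, entry in db.items():
        m, c = score(entry, observed)
        if c and m / c >= min_ratio:
            hits.append((name, m, c))
    hits.sort(key=lambda h: (-h[1] / h[2], h[0]))
    return hits


# Constructed entries in the Nmap 2.x layout; values are illustrative only.
SAMPLE_DB = """\
Fingerprint Example OS A (constructed)
TSeq(Class=RI%gcd=<6%SI=<C5CE2E&>64E)
T1(DF=Y%W=7F53|7D78%ACK=S++%Flags=AS%Ops=MENNTNW)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Fingerprint Example OS B (constructed)
TSeq(Class=TD%gcd=1%SI=0)
T1(DF=N%W=2017%ACK=S++%Flags=AS%Ops=M)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

# Constructed observation: target had an open TCP port but no closed one,
# so T5-T7 were never sent (step 2 skipped).
OBSERVED = {
    "TSeq": {"Class": "RI", "gcd": "1", "SI": "12345"},
    "T1": {"DF": "Y", "W": "7D78", "ACK": "S++", "Flags": "AS", "Ops": "MENNTNW"},
    "PU": {"DF": "N", "TOS": "C0", "IPLEN": "164", "RIPTL": "148", "RID": "E",
           "RIPCK": "E", "UCK": "E", "ULEN": "134", "DAT": "E"},
}

if __name__ == "__main__":
    print(plan_probes(open_tcp_ports=[80], closed_tcp_ports=[]))
    for name, m, c in best_matches(parse_fingerprint_db(SAMPLE_DB), OBSERVED):
        print(f"{name}: {m}/{c} attributes matched")
```

Because skipped tests are excluded from the comparison rather than counted as misses, a target with no closed TCP port (steps 1 and 3-4 only) still matches cleanly; the price is that fewer attributes are compared, so two entries that differ only in T5-T7 become indistinguishable, which is one reason the page's ICMP tests are always run.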

Requirements

Windows NT, Windows 2000, Windows XP
(Windows 2000 and Windows XP required for OS Identification and non-connect TCP port scans)
(Windows 95, 98 and ME are currently not supported, although they will be shortly for the masochists who continue to use them.)

Download

MingSweeper 1.00 alpha 5 - UK Site
MingSweeper 1.00 alpha 5 - US Site (www.securityfocus.com)

The latest application & OS identification files are also available:
applications.txt - 16/8/2001
tcpfp.txt - 16/8/2001

Installation

Simply extract the contents of the MingSweeper zip archive to the desired installation directory and Bob's your uncle. Windows 2000 and Windows XP users should install the supplied registry file 'enable-user-TOS.reg' by simply double-clicking the file. By default these systems ignore the TOS value that a user-mode application sets on its sockets (the TCP/IP DisableUserTOSSetting parameter); this registry change permits user applications (namely MingSweeper) to modify the TOS value in the IP header of sent datagrams, which is essential for accurate IP stack fingerprinting since the non-standard TOS probe described above cannot be sent otherwise.

New OS fingerprints and application descriptions can be imported using the import commands under the File menu. New entries will be merged into the respective working databases. MingSweeper can currently read and use NMAP fingerprints with no problem, so entries from nmap-os-fingerprints can be imported directly.

Screenshots

Mingsweeper Log Display


Credits

Francois Piette - creator of ICS for Delphi
Andrey Sorokin - creator of TRegExpr for Delphi
Mike Lischke - creator of Virtual Treeview for Delphi
Fyodor - creator of NMAP and all-round TCP stack fingerprinting ninja
Ofir Arkin - author of ICMP usage in scanning
Doug E Fresh - the original human beatbox - nuff said

Send mail to ming@hoobie.net with questions or comments etc.
Copyright 1997,1998,1999,2000,2001 HooBie Inc.
Last modified: 16th August, 2001