Please add basic portScan tool ( port scanner scan )

jo2jo · Sun Mar 18, 2018 5:57 pm

Hi, I’ve been using routerOS since v 2.x (and LOVE IT), and have hundreds of mt s deployed, a feature I’m constantly in need of is even a bare-bones/basic built in port scanner:
/tool portscan (or /tool portScanner)

It doesn’t have to be powerful or advanced like nmap, nor fast, just a tool that can help admins identify/recall private IPs or other internal network uses ( ie, which ip is running the Web server on this office network? Or which ip is running the SQL Server on this network?) - this could be very helpful versus having to keep a Linux VM attached to a VPN, strictly for port scanning my internal networks when I can’t remember the private IP of a customers VNC server , and when I need to remote-in support their PC) - or which private subnet, DHCP-server provided ip (192.168..) is running XYZ service, so I can quickly set up this Dst-nat rule for them)

I’m not sure how tools like a built-in SMB server (or built in tftp/ftp server) made it into routerOS before a useful, network-centric tool like portscan ( but I’m happy to have both/all three).

Please strongly consider adding a basic (even if only TCP only, 1 port per second limit, if needed) port scan tool toROS 7ROS 6.X.

Thanks

honzam · Sun Mar 18, 2018 7:42 pm

+ 1

MayestroPW · Mon Mar 19, 2018 3:56 am

+ 1

emikrotik · Mon Mar 26, 2018 3:59 am

+ 1

Steveocee · Wed Mar 28, 2018 12:47 pm

+1 to this as well.

soulflyhigh · Wed Mar 28, 2018 1:13 pm

Yes, please.
+1

jspool · Wed Mar 28, 2018 7:19 pm

+1 Please

boxpik · Wed Mar 28, 2018 10:36 pm

+1 for such a useful tool

poizzon · Sun Apr 01, 2018 5:22 pm

Will TheDude not save the situation?

jo2jo · Mon Apr 02, 2018 1:24 am

Will TheDude not save the situation?

Not sure how theDude is relevant to this ( or thedude is just as relevant/irrelevant as manually running nmap outside ros ) , we are looking for a port scan utility to be added to routerOS, this way it is accessible directly from/on our various routerboards/rOSdevices directly.
Tks

vipe · Tue May 01, 2018 6:51 pm

+1 xpon

Cal5582 · Tue May 01, 2018 7:44 pm

+1 on this

thobias · Wed May 02, 2018 10:05 am

Yes, this would be great to be able to identify what is a printer or a web server in a network.
Combined with a MAC-address vendor list (in winbox) to show the manufacturer of all devices.

jo2jo · Fri Jul 06, 2018 5:01 pm

while i know it is wrong to " bump" your own thread, but on a weekly basis ( weekly is a bare minimum, sometimes daily basis) i need a portscan tool on ros. Its ridiculous having to look up mac-address OIDs and/or use /sys telnet port=x as a rough port scan tool to ID devices.
Often when i come into a new , existing network to begin managing (or clean up / improve) there will be a managed switch somewhere on the network (but the prior admin either has not ID'd / noted it or it has grabbed a dhcp IP like the 100s of other random client devices , wo a readable dhcp client id. Ofcourse a ros built-in portscan tool would help in this scenario tremendously ( even slowed/restricted ps tool). But incase it helps others, here is a rough work around i use. ( you will need to change the mac addresses to which ever vendor's device you are trying to locate, i usually grab the OIDs from a website like "Wireshark · OUI Lookup Tool" (google search) and type into that site the vendor (netgear / ruckus in this case). then use linux cli tools, or an app like notepad +++ (w regex find/replace) to modify this command to paste in the list of macs.

(也请注意,您可能需要搜索/ ip arp如果你are not using ros bridges, or this may not work at all depending upon your network layout):

(ex. to find IP of a netgear managed switch)

/主机打印mac地址~”00:09:5B int桥" || mac-address~"00:0F:B5" || mac-address~"00:14:6C" || mac-address~"00:18:4D" || mac-address~"00:1B:2F" || mac-address~"00:1E:2A" || mac-address~"00:1F:33" || mac-address~"00:22:3F" || mac-address~"00:24:B2" || mac-address~"00:26:F2" || mac-address~"00:8E:F2" || mac-address~"04:A1:51" || mac-address~"08:02:8E" || mac-address~"08:BD:43" || mac-address~"10:0D:7F" || mac-address~"10:DA:43" || mac-address~"20:0C:C8" || mac-address~"20:4E:7F" || mac-address~"20:E5:2A" || mac-address~"28:C6:8E" || mac-address~"2C:30:33" || mac-address~"2C:B0:5D" || mac-address~"30:46:9A" || mac-address~"40:5D:82" || mac-address~"44:94:FC" || mac-address~"4C:60:DE" || mac-address~"50:4A:6E" || mac-address~"50:6A:03" || mac-address~"6C:B0:CE" || mac-address~"74:44:01" || mac-address~"78:D2:94" || mac-address~"80:37:73" || mac-address~"84:1B:5E" || mac-address~"8C:3B:AD" || mac-address~"9C:3D:CF" || mac-address~"9C:D3:6D" || mac-address~"A0:04:60" || mac-address~"A0:21:B7" || mac-address~"A0:40:A0" || mac-address~"A0:63:91" || mac-address~"A4:2B:8C" || mac-address~"B0:39:56" || mac-address~"B0:7F:B9" || mac-address~"B0:B9:8A" || mac-address~"C0:3F:0E" || mac-address~"C0:FF:D4" || mac-address~"C4:04:15" || mac-address~"C4:3D:C7" || mac-address~"CC:40:D0" || mac-address~"DC:EF:09" || mac-address~"E0:46:9A" || mac-address~"E0:91:F5" || mac-address~"E4:F4:C6" || mac-address~"E8:FC:AF" || mac-address~"F8:73:94"

(find IPs of ruckus APs - i use /ip arp here just to show 2nd command option, /int bridge host print where , may work better depending upon your network layout ) :

/ip arp print where mac-address~"00:13:92" || mac-address~"00:1D:2E" || mac-address~"00:1F:41" || mac-address~"00:22:7F" || mac-address~"00:24:82" || mac-address~"00:25:C4" || mac-address~"04:4F:AA" || mac-address~"0C:F4:D5" || mac-address~"1C:B9:C4" || mac-address~"24:79:2A" || mac-address~"24:C9:A1" || mac-address~"2C:5D:93" || mac-address~"2C:C5:D3" || mac-address~"2C:E6:CC" || mac-address~"30:87:D9" || mac-address~"34:8F:27" || mac-address~"34:FA:9F" || mac-address~"38:FF:36" || mac-address~"44:1E:98" || mac-address~"50:A7:33" || mac-address~"54:3D:37" || mac-address~"58:93:96" || mac-address~"58:B6:33" || mac-address~"60:D0:2C" || mac-address~"68:92:34" || mac-address~"6C:AA:B3" || mac-address~"74:3E:2B" || mac-address~"74:91:1A" || mac-address~"84:18:3A" || mac-address~"8C:0C:90" || mac-address~"90:3A:72" || mac-address~"94:F6:65" || mac-address~"AC:67:06" || mac-address~"C0:8A:DE" || mac-address~"C0:C5:20" || mac-address~"C4:01:7C" || mac-address~"C4:10:8A" || mac-address~"D4:68:4D" || mac-address~"D4:C1:9E" || mac-address~"D8:38:FC" || mac-address~"E0:10:7F" || mac-address~"E8:1D:A8" || mac-address~"EC:58:EA" || mac-address~"EC:8C:A2" || mac-address~"F0:3E:90" || mac-address~"F0:B0:52" || mac-address~"F8:E7:1E"

(also it may help to run an /tool ip-scan of your entire subnet, before running these commands, if device you are trying to find has not pushed any traffic for awhile, and thus is not in the arp/hosts tables)

DotTest37 · Thu Sep 06, 2018 3:52 am

+1 from me

dagelf · Thu Nov 01, 2018 10:19 pm

Until then, here you go: (This conforms to your "it doesn't have to be advanced" request

:for p from=1 to=65535 do={put $p;/sys telnet 192.168.1.1 port=$p}

vecernik87 · Thu Nov 01, 2018 10:39 pm

@dagelf
Originally I thought you just came with miracle, but it does not really work. Firstly, it would take huge amount of time as it does not work in parallel and you have to interrupt each connection which gets established, secondly, it actually crashed my winbox and produced autosupout.rif ... Not really sure what happened in there and i was unable to replicate it.

mitzone · Mon Nov 26, 2018 12:47 pm

+1 .

kc7aad · Tue Feb 12, 2019 5:03 pm

+1 +1 +1 +1 +1 +1!!

vitich · Sun Feb 17, 2019 9:09 pm

+1 pls!

Kamaz · Mon Feb 18, 2019 9:36 am

+++1

jo2jo · Sat Mar 02, 2019 3:35 am

@dagelf
Originally I thought you just came with miracle, but it does not really work. Firstly, it would take huge amount of time as it does not work in parallel and you have to interrupt each connection which gets established, secondly, it actually crashed my winbox and produced autosupout.rif ... Not really sure what happened in there and i was unable to replicate it.

(note; quote above is refering to a reply above, where a cleaver user suggests a script with a loop across all ports using /telnet port=i )

I could see this causing problems, as telnet in winbox def. was not made to work like this. (however we often use telnet on the cli as a rough, poor mans tool for a single port, port scan).

i would say the script/loop using telnet across all ports should not be used, as i have often seen some issues with telnet in winbox. (ie i often see a RB will show 100% cpu usage, only to find that profile shows either mgmt or telnet as the 100% reason. The cause/fix is that a disconnected telnet window was left open in winbox, once you close that telnet window, the cpu immediately goes back down). (i have seen this on RBs of all types and cpu power). not a big deal, but possibly the source of your RB crash/supout when running that 1 to 65555 telnet loop.

+1 - please add port scan to ros / winbox! thanks!

vili11 · Thu Mar 28, 2019 7:42 pm

+1000

excession · Tue Apr 16, 2019 5:02 pm

yep + another 1

jo2jo · Fri May 10, 2019 1:13 am

+1 (for own post), 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each time).

MT- we REALLY need even a single port at a time, port scanner. pls! (i say single port at a time, as there was a menton of abuse of a portscan tool, while i disagree with this concern, even a single port at a time would address that concern, and still be very useful)

thanks!

EvgeniyV · Sun May 19, 2019 10:52 pm

+1 it would be very useful

vecernik87 · Mon May 20, 2019 6:36 am

... 2x times this week different customers needed us to find a cctv DVR on their system (which is behind our mikrotik). would have been so quick via port scan x/24 for port 80 via a ROS ps tool . but instead had to setup a MT + a VPN setup on both sides and a laptop with nmap (about 20-30min, each time). ...

You could just make scan in TheDude and have results in no time. If you do this more than once per year, it is definitely worth it.

jo2jo · Tue May 21, 2019 7:32 am

You could just make scan in TheDude and have results in no time. If you do this more than once per year, it is definitely worth it.

That is interesting idea, but when we often need to do this, its on random customers/routers , so using dude as a "port scan" tool, would take a fair amount of setup (and a router reboot/downtime - ie install dude pkg + configure it) just to do a portscan, one time.

tks

gotsprings · Thu Jul 11, 2019 1:46 pm

Bump.

This sounds like what I am trying to do.

I want to know if a device service is still running. Like checking a printer if 9100 is responding.

In my case I have a device that responds to pings.
Webserver works.
But a service on 51510 stops responding as confirmed by Digital Loggers autoping against a TCP Port or Domotz Eyes.

ziegenberg · Thu Jul 11, 2019 10:01 pm

Hi!

I want to know if a device service is still running. Like checking a printer if 9100 is responding.

In my case I have a device that responds to pings.
Webserver works.
But a service on 51510 stops responding as confirmed by Digital Loggers autoping against a TCP Port or Domotz Eyes.

If you know the port, use

/system telnet host port

.

ziegenberg · Thu Jul 11, 2019 10:10 pm

Hi!

while i know it is wrong to " bump" your own thread, but on a weekly basis (weekly is a bare minimum, sometimes daily basis) i need a portscan tool on ROs. It's ridiculous having to look up mac-address OIDs and/or use /sys telnet port=x as a rough port scan tool to ID devices.
...

For mac vendor look-up have a look at the scripts of eworm. He has a function called GetMacVendor in his global-functions file. I guess, you need to go through the setup of his scripts for it to work, but the are really great anyway:https://gitlab.com/eworm-de/routeros-scripts
Maybe you can come up with some new scripts for your port and network scanning. Use his repository of scripts as a source of inspiration.

JAza · Sun Jul 21, 2019 9:32 pm

+100

Basic need for networks we don't have a VPN into but need to troubleshoot/scan if a particular service is up or identify services running on the network.

It doesn't have to be nmap. Just some basic port open/closed/filtered logic in a loop.

PLEASE.

zeek01 · Sun Nov 10, 2019 4:50 pm

+1

It would be a useful tool for remote network testing

RackKing · Thu Dec 05, 2019 7:33 pm

+1

It would be a useful tool for remote network testing

agree - my +1

kapi2454 · Fri Jan 10, 2020 9:10 pm

+1 please

r00t · Fri Jan 10, 2020 9:26 pm

This should have been implemented long time ago, before adding stuff like Kid Control...

amouses · Sat Jan 11, 2020 12:43 am

+1 please. I can't believe this is not there! Oh the shame of it all

sudmal · Sat Feb 01, 2020 3:06 pm

+99999

inteq · Sat Feb 01, 2020 6:07 pm

(2+0)/2

jo2jo · Mon Feb 17, 2020 7:17 pm

哇,我还不断为即使是最需要的basic portscan tools nearly on a daily basis of managing 300+ mikrotiks.

( i constantly need to scan a private /24 or /23 for one or two ports to find IP of a service)

PLS mt! pls! add this tool. even a very muted version of nmap or a portscan tool (muted so that abuse can not be done if that is yall concern/hold up).

thanks!!

vortex · Mon Feb 17, 2020 7:26 pm

I don't know how to identify the hosts in my network.

anv · Fri Mar 06, 2020 10:07 am

+1 (please)

pe1chl · Sat Mar 07, 2020 11:25 am

There already is "/tool ip-scan" which scans using ping, arp, snmp and netbios and does IP lookup in DNS.
Maybe you can specify what other features you would want it to have?
(like other services it should scan for, or to have a list of ports)

d3m0 · Fri Apr 10, 2020 2:11 pm

+1 plz

k6ccc · Sat Apr 11, 2020 1:51 am

There already is "/tool ip-scan" which scans using ping, arp, snmp and netbios and does IP lookup in DNS.
Maybe you can specify what other features you would want it to have?
(like other services it should scan for, or to have a list of ports)

There have been a bunch of various posts, but the original poster was asking for a port scanner. /tool ip-scan gives a list of IPs in use, but not the ports that each will respond to - I just tried it it to make sure.

pe1chl · Sat Apr 11, 2020 9:54 am

People are asking for a tool to identify hosts on their network and to troubleshoot a VPN, and /tool ip-scan can be used for that.
Of course there is always one more thing that one can request, but I think the debugging tools available on MikroTik already are way better than industry standard.
As I mentioned several times before, I think MikroTik should create some way to run user binaries in a very restricted setting (non-privileged user, chrooted to a user-created directory, etc) so niche requests like this can be catered for by independent developers and the programmers at MikroTik would not have to be bothered by all those whining +1 posters in several topics.

vortex · 2020年坐4月11日,4:44 pm

How does ip-scan identify devices if it does not do a portscan?

pe1chl · 2020年坐4月11日,4:49 pm

It DOES do a portscan. But it is a bit limited, it tries SNMP and SMBv1 ports only (after it has received a PING reply).
It also does a reverse-lookup in DNS.

yoklmn · Fri Jun 12, 2020 10:39 am

+1
for VPN troubleshooting we need scan udp ports, for example

AlfaGulf · Mon Jun 15, 2020 9:14 am

YES +1

vili11 · Mon Sep 28, 2020 8:20 pm

+1 especially for UDP

Kamaz · Tue Sep 29, 2020 1:30 am

+1 for TCP/UDP scanner

neutronlaser · Tue Sep 29, 2020 1:31 am

+1 for this

santyx32 · Tue Sep 29, 2020 3:32 am

+1 :D

jstump · Fri Oct 09, 2020 5:57 pm

+11111111111111111111111111111111111

prghix · Mon Nov 30, 2020 10:42 am

+11111

ShayanPAL · Thu Dec 03, 2020 12:17 pm

+111

PraiM · Wed Jan 20, 2021 2:12 pm

Until then, here you go: (This conforms to your "it doesn't have to be advanced" request :-)
Code:Select all
:for p from=1 to=65535 do={put $p;/sys telnet 192.168.1.1 port=$p}

It will be more stable if you put a delay defore every iteration, the cycle will not use all available CPU. For example:

:for p from=1 to=65535 do={:delay 0.25;put $p;/sys telnet 192.168.1.1 port=$p}

this will add a 0.25 sec. delay

kehrlein · Sun Aug 01, 2021 12:29 pm

+1
Thx!

pe1chl · Sun Aug 01, 2021 1:36 pm

+1
Thx!

Do you now think you have added any value to this topic?

YourWordIsTruth · Thu Nov 11, 2021 11:39 pm

+1 - this is a diagnostic tool that can be very useful when verify firewall and general host probing on local LAN.

boredwitless · Mon Nov 15, 2021 3:38 pm

+1, Bump in the hopes this is a popular enough feature request to warrant attention from Mikrotik devs.

JJT211 · Mon Dec 27, 2021 8:40 pm

Bump +1

dbelliveau · Sat Jan 08, 2022 9:36 am

++1

nichky · Sat Jan 08, 2022 11:36 am

++1

eddieb · Sat Jan 08, 2022 11:55 am

--1
please DON'T add all kind of stuff into ROS that should be run from a seperate machine.

pe1chl · Sat Jan 08, 2022 12:44 pm

--1
please DON'T add all kind of stuff into ROS that should be run from a seperate machine.

In general I can agree with that. Stuff like SMB Server or Web Proxy has nothing to do in a router and should be removed, or certainly to a different package.
Tools like IP scanning, Port scanning, etc could have some utility in niche situations but probably are also best moved into a separate package, if only to reduce the attack surface of networks and routers.

But unfortunately the policy appears to be to get rid of optional packages...

Chupaka · Sat Jan 08, 2022 4:59 pm

The optional package that should allow running all this stuff is called "container"

pe1chl · Sat Jan 08, 2022 5:12 pm

The optional package that should allow running all this stuff is called "container"

Yes, it would be useful when a repository was made with some container-ready packages for RouterOS, and then things like Web Proxy and SMB Server can be removed from the main package (always nice to make some room in tiny devices).

aon · Mon May 02, 2022 2:16 pm

++1

dlynes · Sun Sep 11, 2022 10:12 am

--1
please DON'T add all kind of stuff into ROS that should be run from a seperate machine.

I agree. If it's a one off thing for a new customer, just get access to one of their local machines and run nmap.

If it's on an existing customer's network, you can run nmap from an existing machine on the network, or from a VPN connected device. If you're just running an nmap -sP, it's not likely to work so well because you don't have layer 2 access, but everyone seems to be indicating they want more than a device scanner.

psztoch · Fri Mar 17, 2023 1:28 pm

+10

The need for inventory of devices in the network is very high. /tool ip-scan is great, but it doesn't give very important information about running services.

A scan performed directly from the router is much better, because the remote nmap can be cut down along the way for various reasons (e.g. firewall).

It would be great if ip-scan would show related information from LLDP (/ip/neighbor/print) in separated column.

berisz · Fri May 05, 2023 6:49 pm

+ 1

YaroslavFadeev · Fri May 05, 2023 7:40 pm

+1!!

PackElend · Sun Jun 18, 2023 6:53 pm

look here
viewtopic.php?t=163642
https://rickfreyconsulting.com/rfc-port ... ion-chain/

anav · Sun Jun 18, 2023 6:57 pm

The optional package that should allow running all this stuff is called "container"

You must hate my tile device LOL.

rextended · Sun Jun 18, 2023 7:00 pm

look here
viewtopic.php?t=163642
https://rickfreyconsulting.com/rfc-port ... ion-chain/

I use another approach...
I have honeypot IPs scattered among my clients' real IPs.
As one is scanned, automatically all of that address's BGP range ends up on a permanent ban list.
So far, since 2007, the only error is during the pandemic: Microsoft Teams scan internal networks (for what reason???) and Teams end up on the ban list...

anav · Sun Jun 18, 2023 10:11 pm

How did you rectify the MS teams issue??

rextended · Sun Jun 18, 2023 10:20 pm

How did you rectify the MS teams issue??

Whitelist the pool...

pe1chl · Mon Jun 19, 2023 10:46 am

Well, I have seen that with public DNS server IPs. It likely is not the service itself but spoofed addresses.
E.g. I have seen a lot of TCP SYN -> port 23 from addresses like 8.8.8.8 and 1.1.1.1 to our external addresses.

rextended · Mon Jun 19, 2023 12:31 pm

Well, I have seen that with public DNS server IPs. It likely is not the service itself but spoofed addresses.
E.g. I have seen a lot of TCP SYN -> port 23 from addresses like 8.8.8.8 and 1.1.1.1 to our external addresses.

True, is why i do not accept any packet not required from 1.1.1.1, 8.8.8.8 & Co. and already are on whitelist.

Etc.

Who is online