Hardscan - A brute-force local netstat replacement
Hardscan is a local netstat replacement that scans for open ports the hard way: by binding to each of them and attempting to handshake with itself. It is meant to be useful in a situation where you may have been rooted, rendering the output of netstat and other security tools untrustworthy.
If the program is unable to handshake with itself, for whatever reason (perhaps something intercepted the handshake, perhaps something was already bound to that port, and so on), it takes that as an indicator that the TCP or UDP port being checked is already in use. Whatever holds the port could be a virus, a trojan or an attacker's connection, but it may just as well be a legitimate service or connection. Because the high-numbered "ephemeral" ports are scanned as well, any outgoing activity while the scan is running (browsing the web, for instance) is likely to be picked up too.
Of particular note is "--fast" mode. In this mode the scanner only tries to bind each port and does not attempt to handshake with itself, so its detection is less rigorous: in theory the OS could lie to the scanner and simply report that the socket was opened successfully, although in practice most trojans are not that sophisticated. Fast mode trades away this verification in order to run much, much faster. Bear in mind that the full handshake also passes through the same kernel, so it raises the bar for a rootkit that fakes socket results rather than removing the possibility altogether.
Usage: hardscan [OPTION]

Scan the local machine for any open ports without trusting the accuracy of 'netstat' or similar tools.

  -f, --fast           Don't do the full validation, just try to open a listening socket on each port. (default is Off)
  -h, --help           Display this documentation.
  -i, --interval       Display a progress update every specified interval. (default is 100)
                       Example Usage: -i 500
  -l, --length         Specify the length of the key to exchange during validation. (default is 4)
                       Example Usage: -l 5
  -m, --max-threads    Specify the max number of client/server pairs to use. Note that the real number of threads the program uses will be something along the lines of (max-threads*3)+1 due to the subthreading involved.
                       Example Usage: --max-threads 10
                                      -m 10
  -p, --port           Specify the ports to check.
                       Example Usage: --port=40,50,60
                                      --port 1-1024
                                      -p 1-500,400,500,1000-2000
  -s, --sockettype     Specify "tcp" or "udp".
                       Example Usage: --sockettype tcp
                                      -s udp
  -t, --timeout        Specify how long server threads should wait for their connection. (default is 5 seconds)
                       Example Usage: --timeout 10
  -v, --verbose        Show verbose output. This will show, for instance, every port discovered as it happens. (default is Off)
  -w, --very-verbose   Show very verbose output. You almost certainly don't want to use this option. (default is Off)

Hardscan operates on the premise that your system has been compromised, and that netstat and any other kernel reporting tools cannot be trusted. Rather than trusting what the OS reports, it manually attempts to open every port you specify (by default every TCP port on the system) and pass data to itself. If this communication succeeds, the port is assumed not to be in use. This differs from 'netstat', which only reports what the OS claims is happening. It also differs from 'nmap', in that it is capable of detecting servers or outgoing connections even if they are configured to lurk in stealth mode.
As outgoing TCP connections use ephemeral ports, you are quite likely to get "false positives" from whatever the machine happens to be doing: ports that really are in use, but by something harmless. These can be checked against netstat or the like to determine whether they are legitimate; a port that hardscan reports in use but netstat does not list at all is the discrepancy worth investigating. This has the side benefit of identifying outgoing connections even when nothing is in a 'listening' state.
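The following is an added illustration of the check described above, written for this page and not taken from Hardscan's own source. It binds the port itself, and in full mode connects back to that listener over loopback and requires a random key to be echoed unchanged; any failure is reported as "in use". It assumes IPv4, a working loopback, and a listener bound on 0.0.0.0 so that a daemon bound to any single address of the host collides with it. The function names, the parse_ports helper for the -p syntax, and the decoy listener in demo() are all my own; the decoy stands in for whatever unknown process holds a port.

```python
"""Core of a Hardscan-style port check (added example, not Hardscan's code)."""
import os
import socket
import threading

BIND_ADDR = "0.0.0.0"  # assumed: bind every interface so any existing listener on the port collides


def parse_ports(spec):
    """Turn a -p style spec such as '1-500,400,500,1000-2000' into a sorted, de-duplicated list."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)


def _bind_listener(port, proto):
    """Try to own the port ourselves. Returns the bound socket, or None if bind is refused.
    Deliberately no SO_REUSEADDR: a port lingering in TIME_WAIT must still count as in use.
    PermissionError (ports < 1024 as non-root) propagates, since that is not 'in use'."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    try:
        s.bind((BIND_ADDR, port))
        if proto == "tcp":
            s.listen(1)
        return s
    except PermissionError:
        s.close()
        raise
    except OSError:
        s.close()
        return None


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def _serve_once(srv, key_len, timeout, seen):
    """Server half of the self-handshake: accept one peer, echo its key, then wait for the
    peer's FIN so the client side (not the scanned port) is the one left in TIME_WAIT."""
    srv.settimeout(timeout)
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            key = _recv_exact(conn, key_len)
            conn.sendall(key)
            conn.recv(1)  # returns b"" once the client has closed
            seen.append(key)
    except OSError:
        seen.append(None)


def check_port(port, proto="tcp", fast=False, key_len=4, timeout=5.0):
    """True if the port looks free, False if anything stops us from fully owning it.
    fast=True stops after a successful bind (the --fast behaviour); otherwise we connect to
    our own listener and require a random key to come back unchanged."""
    srv = _bind_listener(port, proto)
    if srv is None:
        return False
    with srv:
        if fast:
            return True
        key = os.urandom(key_len)
        if proto == "udp":
            srv.settimeout(timeout)
            try:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
                    c.sendto(key, ("127.0.0.1", port))
                data, _ = srv.recvfrom(key_len)
            except OSError:
                return False
            return data == key
        seen = []
        t = threading.Thread(target=_serve_once, args=(srv, key_len, timeout, seen))
        t.start()
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
                c.sendall(key)
                echo = _recv_exact(c, key_len)
        except OSError:
            echo = b""
        t.join()
        return echo == key and seen == [key]


def scan(ports, proto="tcp", fast=False, key_len=4, timeout=5.0):
    """Return the subset of `ports` that appear to be in use."""
    return [p for p in ports if not check_port(p, proto, fast, key_len, timeout)]


def demo():
    """Constructed scenario: a decoy TCP listener plays the unknown process, then the same
    port is rechecked once the decoy is gone. Results are (fast, full) pairs."""
    decoy = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    decoy.bind(("127.0.0.1", 0))  # kernel hands out a free ephemeral port
    decoy.listen(1)
    port = decoy.getsockname()[1]
    held = (check_port(port, fast=True), check_port(port, timeout=2.0))
    decoy.close()
    released = (check_port(port, fast=True), check_port(port, timeout=2.0))
    return {"port": port, "held": held, "released": released}


if __name__ == "__main__":
    print(demo())
```

Note the two places where this differs from a naive bind loop: SO_REUSEADDR is left off on purpose, so a port held only by a TIME_WAIT connection still shows up (one source of the benign hits the text warns about), and the server side waits for the client to close first, so that the scan's own handshake does not leave the scanned port in TIME_WAIT and trip a re-scan a few seconds later. Running a full scan of ports below 1024 needs root on Linux; without it the bind fails with EACCES, which is reported here as an exception rather than silently counted as "in use".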