Does this site look plain?

This site uses advanced css techniques

This program scans a remote network for open pcAnywhere clients. We query the pca "status" port on 5632/udp and do the best we can to parse the responses and identify what's open. An open pcAnywhere client might suggest an insecurity to be exploited by other tools.

pcAnywhere can perform these queries on its own as well if given a class C broadcast address as the target IP (X.X.X.255), but this requires Windows for the platform. It's not scriptable as far as we know, and it's not possible to run on networks other than class C.

When the program runs, it sends out pcAnywhere status queries, and it reports them in some detail when received. These are mainly for developer use to identify new responses, but in any case, when the full scan has finished, a summary of all remote hosts is displayed.

$ pcascan www.target-victim.com/24
 --> Name Response: 192.168.1.135 = MXXXXXXX                 [AHM]
 --> Name Response: 192.168.1.201 = TXXXXXXX                 [AHM]
 --> Name Response: 192.168.1.207 = JXXXXXXX                 [AHM]
 --> Name Response: 192.168.1.203 = KXXXXXXX                 [AHM]
 --> Name Response: 192.168.1.231 = LXXXXXXX                 [AHM]
 --> Name Response: 192.168.1.238 = KXXXXXXX                 [AHM]
 --> Status: 192.168.1.135 0 1 Available
 --> Status: 192.168.1.201 0 1 Available
 --> Status: 192.168.1.207 0 1 Busy
 --> Status: 192.168.1.203 0 1 Available
 --> Status: 192.168.1.231 0 1 Available
 --> Status: 192.168.1.238 0 1 Available
timeout......
192.168.1.135: MXXXXXXX                  [AHM]  Available
192.168.1.201: TXXXXXXX                  [AHM]  Available
192.168.1.203: KXXXXXXX                  [AHM]  Available
192.168.1.207: JXXXXXXX                  [AHM]  Busy
192.168.1.231: LXXXXXXX                  [AHM]  Available
192.168.1.238: KXXXXXXX                  [AHM]  Available

This shows size stations responding to pcAnywhere status queries, though one of them is currently "in session" and won't accept another.

This scanner test does not show whether the station is also listening on the pcAnywhere session port (it might be blocked by a firewall) or if any kind of password protection is applied to the Host. That's for another tool.

Target Ranges

pcascan can take a single IP or DNS name, or it can take a range of remote targets that include the /nbits notation for providing a netmask. The /nbits notation is by far the most common way to use this tool because it can scan up to an entire class B at once.

To scan a full class C, simply mention -- either by IP address or name -- one of the IP addresses within that range and append the /nbits notation. To scan a simple class C range:

$ pcascan   192.168.1.4/24

A DNS name can be used instead:

$ pcascan   mail.target-victim.com/24

and the IP address will be looked up via DNS.

Unlike the /nbits notation often used in routers and networking equipment, the "base" address need not be at the start of range being scanned. Instead, we apply the netmask to determine the proper starting and ending addresses, which makes it much easier when using a DNS name as the target.

The /nbits notation excludes the first and last IP addresses generated by the range expansion because these are typically broadcast addresses. So the scan of 10.1.1.0/24 scans 10.1.1.1 to 10.1.1.253. When the target netmask is not known and just a subset should be scanned, simply double the slashes. Hence, 10.1.1.0//24 scans the full 256 addresses. This is most useful when scanning small DSL blocks of unknown size.

Background on the Protocol

We'll first note that everything we know about this protocol was gained by use of a sniffer: we have not seen this documented anywhere else. A more detailed description of this is found in the source code.

A pcAnywhere session is carried out over the TCP 5631 port, but a client listens on UDP 5632 for status queries. We have observed two possible status query values: NQ (name query) and ST (status query}.

The NQ name query returns the remote station's name -- we presume from NETBIOS -- plus some capability letters that indicate what the remote is capable of. So far we've not decoded this much other than to know whether the machine is a "gateway" or not.

The ST status query returns a five-byte packet that indicates whether the pcAnywhere Host is busy or not. We suspect there is more information in the status response but have not decoded it yet.

Download

The program is written in perl, so should be portable to nearly any system with a modern perl environment. It's been tested under perl 5.005 on Linux, and under the outstanding ActivePerl from ActiveState. ActivePerl is a fantastic perl implementation. I expect it will work most anywhere.

Note that on our development system, we actually have multiple files that make up pcascan: the main scanner program itself, plus a few perl modules for standard utilities such as /nbits address expansion. But to make the program self contained, we run it through a processor that joins all the modules into a single file for easy porting elsewhere.

The Perl code can be found here ase pcascan.txt (as a text file so it won't self-execute upon download).

To do

We understand that older versions of pcAnywhere listen on 22/ucp for status instead of 5632/udp, but we don't know if the protocol is the same. We ought to find this out and build support into the program.

We'd love to have a session setup tester as well: it would connec to the pcAnywhere session port (5631/tcp) and make a brief query: it would show what kind of encryption is and whether a password is required or not. It's on the list.