/*****************************************************/
/**创建者:杨希 日期:2005/04/04 **/
/**文件名:config.h 版本:1.0.2 **/
/**描 述:FTP匿名服务扫描器的具体实现。其扫描特定 **/
/** IP段内那些主机开了匿名服务 **/
/**编译参数:gcc -o ftpscaner ftpscaner.c -lpthread **/
/*****************************************************/
#include"config.h"
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<time.h>
#include<strings.h>
#include<unistd.h>
#include<pthread.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
/* Global state and forward declarations */

/* Completion flag: set to 1 by a worker that finds current_ip past end_ip. */
int done = 0;

/* Scan range and cursor; main fills them from ntohl(inet_addr(...)). */
long start_ip;
long end_ip;
long current_ip;

/* One handle per worker thread started by main. */
pthread_t thread[THREAD_NUM];

/* Stream opened on OUTPUT_FILE by main and by the workers. */
FILE* fp;

/* mut_ip is held around current_ip, mut_done around done, mut_fp around fp. */
pthread_mutex_t mut_done = PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t mut_fp = PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t mut_ip = PTHREAD_MUTEX_INITIALIZER;

/* Worker routine that probes hosts for anonymous FTP access */
void scanFtpHost();
/* Writes the report banner */
void printHead(FILE* fp1);
/******************************/
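/*
 * Entry point: validates the configured range, truncates OUTPUT_FILE and
 * writes the banner, starts THREAD_NUM workers, then polls `done` every two
 * seconds and appends the completion line once it is set.
 *
 * Returns 0 when the scan is reported done. Exits with status 1 when
 * START_IP/END_IP are malformed or inverted, when OUTPUT_FILE cannot be
 * created, or when no worker thread could be started.
 */
int main()
{
    int i;
    int started = 0;
    in_addr_t first = inet_addr(START_IP);
    in_addr_t last = inet_addr(END_IP);

    /* inet_addr() signals a malformed address with INADDR_NONE. Stop here
       instead of probing a range nobody configured. (This also rejects
       255.255.255.255, which has the same encoding.) */
    if (first == INADDR_NONE || last == INADDR_NONE) {
        fprintf(stderr, "invalid START_IP or END_IP!\n");
        exit(1);
    }

    /* Initialise the scan range and the shared cursor */
    current_ip = start_ip = ntohl(first);
    end_ip = ntohl(last);

    /* An inverted range used to collapse to probing END_IP alone; fail
       closed so the configuration gets corrected explicitly. */
    if (start_ip > end_ip) {
        fprintf(stderr, "START_IP is greater than END_IP!\n");
        exit(1);
    }

    /* Make sure the output file starts empty, then write the banner */
    fp = fopen(OUTPUT_FILE, "w+");
    if (fp == NULL) {
        fprintf(stderr, "open output file error!\n");
        exit(1);
    }
    printHead(fp);
    fclose(fp);
    fp = NULL; /* the stream is closed; it must be reopened before reuse */

    /* Start the workers that probe for anonymous FTP access.
       NOTE(review): scanFtpHost is declared `void scanFtpHost()` while
       pthread_create expects `void *(*)(void *)`; compilers diagnose the
       mismatch. */
    for (i = 0; i < THREAD_NUM; i++) {
        if (pthread_create(&thread[i], NULL, scanFtpHost, NULL) != 0) {
            fprintf(stderr, "create thread %d error!\n", i);
            continue;
        }
        started++;
    }
    /* With no worker running, `done` would never be set and the poll loop
       below would spin forever. */
    if (started == 0) {
        fprintf(stderr, "no scanning thread could be started!\n");
        exit(1);
    }

    /* Poll the completion flag; mut_done is released on every path.
       NOTE(review): `done` is raised by the first worker that runs out of
       addresses, so probes still in flight on other workers are cut off
       when main returns. */
    for (;;) {
        int finished;

        pthread_mutex_lock(&mut_done);
        finished = done;
        pthread_mutex_unlock(&mut_done);
        if (finished)
            break;
        sleep(2);
    }

    /* The banner stream was closed above, so reopen the report for append
       before writing the completion line, and unlock mut_fp afterwards
       (the second call used to be another lock, which self-deadlocked). */
    pthread_mutex_lock(&mut_fp);
    fp = fopen(OUTPUT_FILE, "a+");
    if (fp == NULL) {
        fprintf(stderr, "open output file error!\n");
    } else {
        fprintf(fp, "scanning FTP host done!\n");
        fclose(fp);
        fp = NULL;
    }
    pthread_mutex_unlock(&mut_fp);
    return 0;
}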
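#define BUFF_SIZE 80

/* Send one command string. Returns 0 on success, -1 when send() fails.
   NOTE(review): send() on a connection the peer has reset can raise
   SIGPIPE, whose default action terminates the process; nothing here
   ignores or blocks that signal. */
static int sendCommand(int sockfd, const char *cmd)
{
    return send(sockfd, cmd, strlen(cmd), 0) == -1 ? -1 : 0;
}

/* Read one chunk of server output into buf (BUFF_SIZE bytes) and always
   NUL-terminate it, so later %s / sscanf use cannot run past the buffer.
   Returns the byte count from recv(), or -1 on error. */
static int recvReply(int sockfd, char *buf)
{
    int n = (int)recv(sockfd, buf, BUFF_SIZE - 1, 0);

    buf[n > 0 ? n : 0] = '\0';
    return n;
}

/* Cut buf at the first CR/LF and replace every other byte outside
   printable ASCII with '.', so bytes chosen by the remote server cannot
   inject control sequences into the terminal or a captured console log. */
static void sanitizeReply(char *buf)
{
    char *p;

    for (p = buf; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;

        if (c == '\r' || c == '\n') {
            *p = '\0';
            break;
        }
        if (c < 0x20 || c > 0x7e)
            *p = '.';
    }
}

/* Run the USER/PASS exchange on a connected socket and print the last
   chunk read. Returns the leading integer of that chunk, 0 when none could
   be parsed, or -1 after reporting a send/receive error.
   NOTE(review): the reads are not aligned to FTP reply lines; presumably
   the three recv() calls line up with the greeting, the USER reply and the
   PASS reply, but nothing here enforces that. */
static int tryAnonymousLogin(int sockfd, const char *host, char *buffer)
{
    static const char *const commands[] = {
        "USER anonymous \r\n",  /* send the user name */
        "PASS shit@163.com \r\n" /* send the password */
    };
    int code = 0;
    size_t k;

    for (k = 0; k < sizeof(commands) / sizeof(commands[0]); k++) {
        if (sendCommand(sockfd, commands[k]) < 0) {
            fprintf(stderr, "%s : send data error!\n", host);
            return -1;
        }
        if (recvReply(sockfd, buffer) == -1) {
            fprintf(stderr, "%s : receive data error!\n", host);
            return -1;
        }
    }

    /* Read once more and inspect this chunk */
    if (recvReply(sockfd, buffer) == -1) {
        fprintf(stderr, "%s : receive data error!\n", host);
        return -1;
    }

    /* Reply format:
         530 Not logged in.            ---> login rejected
         230 User logged in, proceed.  ---> login accepted
       so only the leading integer needs to be checked. */
    if (sscanf(buffer, "%d", &code) != 1)
        code = 0;

    sanitizeReply(buffer);
    printf("%s --> %s\n", host, buffer);
    return code;
}

/*
 * Worker thread body: repeatedly claims the next address from the shared
 * current_ip cursor, connects to FTP_PORT on it, attempts an anonymous login
 * and appends the address to OUTPUT_FILE when the reply read last starts
 * with 230. When the cursor has passed end_ip the worker sets `done` and
 * exits.
 *
 * Everything read from the socket is untrusted: it is length-bounded and
 * NUL-terminated before parsing, and sanitised before printing.
 */
void scanFtpHost()
{
    struct sockaddr_in addr;
    char host[INET_ADDRSTRLEN];
    char buffer[BUFF_SIZE];
    int sockfd;
    int code;

    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(FTP_PORT);

    while (1) {
        int exhausted;

        /* Claim the next address under mut_ip */
        pthread_mutex_lock(&mut_ip);
        exhausted = current_ip > end_ip;
        if (!exhausted)
            addr.sin_addr.s_addr = htonl(current_ip++);
        /* Always release mut_ip before leaving: exiting with it held
           blocked every other worker on the lock forever. */
        pthread_mutex_unlock(&mut_ip);

        if (exhausted) {
            pthread_mutex_lock(&mut_done);
            done = 1;
            pthread_mutex_unlock(&mut_done);
            pthread_exit(NULL);
        }

        /* inet_ntoa() returns a shared static buffer, which concurrent
           workers overwrite; format into a per-thread buffer instead so
           the address written to the report is the one that was probed. */
        if (inet_ntop(AF_INET, &addr.sin_addr, host, sizeof(host)) == NULL) {
            host[0] = '?';
            host[1] = '\0';
        }
        printf("trying %s!\n", host);

        /* A failing socket() is reported and the host skipped; retrying in
           a tight loop would spin forever on a persistent failure. */
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
            fprintf(stderr, "%s : socket error!\n", host);
            continue;
        }
        if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
            fprintf(stderr, "%s : connect error!\n", host);
            close(sockfd);
            continue;
        }

        code = tryAnonymousLogin(sockfd, host, buffer);
        /* Close on every path; the error paths used to leak the descriptor. */
        close(sockfd);

        if (code != 230)
            continue;

        /* Anonymous login accepted: record the address in the report */
        pthread_mutex_lock(&mut_fp);
        fp = fopen(OUTPUT_FILE, "a+");
        if (fp == NULL) {
            fprintf(stderr, "%s : open output file error!\n", host);
        } else {
            fprintf(fp, "%s \n", host);
            fclose(fp);
        }
        pthread_mutex_unlock(&mut_fp);
    }
}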
/* Write the report banner to fp1: tool name and version, the configured
   START_IP..END_IP range, and the current time converted with gmtime(). */
void printHead(FILE* fp1)
{
    time_t now;
    const char *stamp;

    time(&now);
    stamp = asctime(gmtime(&now));

    fputs("\n************************************************************\n", fp1);
    fputs("******** ftpscaner 1.0.2 by dayangxi (2005/04/04) *********\n", fp1);
    fputs("************************************************************\n", fp1);
    fprintf(fp1, "now scaning IP from %s to %s \n", START_IP, END_IP);
    fprintf(fp1, "time : %s\n", stamp);
    fputs("-------------------------------------------------------------\n", fp1);
}