发信人: biff (大可), 信区: Security
标 题: [转载] newscan
发信站: 武汉白云黄鹤站 (Wed Jun 2 17:24:01 1999), 站内信件
【 以下文字转载自 Winsock 讨论区 】
【 原文由 biff 所发表 】
/*
* Half open port scanner. Send SYNs, and look for a SYN-ACK. If you see one,
* the port is listening.
*
* The whole point is to evade TCP-wrapper software and other alarm systems
* which look for a fully established connection. Since this never establishes
* a connection, its existence isn't logged.
*
* Note, this can be detected by things like TCPdump, or other raw network
* monitors.
*
* Runs under SunOS 4.x with NIT. This is a proof-of-concept toy, not a
* production model. :-)
*
* Mike Neuman
* 12/7/93
*
* You can do whatever you want with this code as long as you leave this
* header intact.
*
* Contact information:
*
* Mike Neuman (mcn@EnGarde.com)
*/
#include <stdio.h>
#include <netdb.h>
#include <ctype.h>
#include <signal.h>
#include <errno.h>
#include <malloc.h>
#include <setjmp.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/timeb.h>
#include <sys/socket.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <net/nit.h>
#include <sys/fcntlcom.h>
#include <sys/param.h>
#include <sys/dir.h>
#include <net/nit_if.h>
#include <net/nit_pf.h>
#include <net/nit_buf.h>
#include <net/packetfilt.h>
#include <sys/stropts.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#include <sys/stream.h>
#include <sys/tihdr.h>
#include <rpc/rpc.h>
#include <rpc/pmap_prot.h>
#include <rpc/pmap_clnt.h>
/* RPC makes an rpcdump call, which may be logged by a secure portmapper.
* If you're paranoid and want to guess at rpc stuff, specify -r
*/
/*
 * Entry point.
 *
 * 1. Parses options and resolves the target host (name via gethostbyname(),
 *    else dotted-quad via inet_addr()).
 * 2. Unless -r was given, opens a real TCP connection to the target's
 *    portmapper and fetches its program list (PMAPPROC_DUMP) so that open
 *    ports can later be labelled with an RPC program name. This is the one
 *    fully established connection the program makes; it is what a logging
 *    portmapper will record (see the comment above).
 * 3. Probes every TCP port in [minport, maxport] with fakeconnect() (not in
 *    this listing) and prints each port for which fakeconnect() returned 0,
 *    labelled from /etc/services, a small built-in table, or the RPC dump.
 *
 * Options (see usage()): -r skip the portmapper dump, -m/-M set the port
 * range (defaults 1..6001), -h print usage.
 *
 * Exits 1 on a usage error or an unresolvable host, 0 after the scan.
 */
main(argc,argv)
int argc;
char *argv[];
{
    struct sockaddr_in server;
    struct servent *sp;
    struct hostent *hp;
    int c, s, count, userpc=1, sock=RPC_ANYSOCK, minport = 1, maxport = 6001;
    /* head: portmapper dump from step 2 (NULL if unavailable); headp: cursor */
    struct pmaplist *head = NULL, *headp=NULL;
    struct timeval timeout;
    register CLIENT *client;
    /* NOTE(review): rpc is never initialised and is not reset per port; the
     * `if (rpc==NULL)` in step 3 reads it even when no list entry matched. */
    struct rpcent *rpc;
    unsigned long addr;
    char *hostp;
    extern char *optarg;
    extern int optind;
    /* 1: Parse options, get host addr */
    while ((c = getopt(argc, argv, "rhm:M:")) != -1)
        switch(c) {
        case 'r':
            userpc = 0;
            break;
        case 'm':
            /* atoi(): a non-numeric argument becomes 0 and is rejected by the
             * range check below; an out-of-range one is not detected here. */
            minport = atoi(optarg);
            break;
        case 'M':
            maxport = atoi(optarg);
            break;
        case 'h':
            usage(argv[0]);
            exit(1);
        /* No default: getopt()'s '?' for an unknown option is ignored and
         * parsing simply continues. */
        }
    /* Exactly one non-option argument (the host) is required. */
    if (optind != argc-1) {
        usage(argv[0]);
        exit(1);
    }
    if (minport > maxport || minport <= 0) {
        fprintf(stderr, "ERROR: minport must be > 0 and <= maxport\n");
        usage(argv[0]);
        exit(1);
    }
    hostp = argv[optind];
    if ((hp=gethostbyname(hostp))==NULL) {
        /* Not a resolvable name: accept a dotted-quad address instead. */
        addr = inet_addr(hostp);
        if (addr == (u_long)-1) {
            fprintf(stderr, "Unknown host '%s'\n", hostp);
            usage(argv[0]);
            exit(1);
        }
        /* NOTE(review): bcopy() is (src, dst, n), so this copies the
         * still-uninitialised server.sin_addr into addr rather than the
         * reverse, and server is neither zeroed nor given a sin_family on
         * this path (the gethostbyname() branch below does both). Confirm
         * the intent before relying on the numeric-address form. */
        bcopy(&server.sin_addr, &addr, 4);
    } else {
        bzero((char *)&server, sizeof server);
        bcopy(hp->h_addr, (char *)&server.sin_addr, hp->h_length);
        server.sin_family=hp->h_addrtype;
    }
    printf("Connections established for host %s:\n",hostp);
    /* 2: Call rpc and get its ports */
    head=NULL;
    if (userpc) {
        /* Full TCP client to the portmapper; 10 s per-call timeout.
         * Any failure leaves head NULL and the scan proceeds without
         * RPC labels. */
        server.sin_port=htons(PMAPPORT);
        timeout.tv_sec=10;
        timeout.tv_usec=0;
        if ((client = clnttcp_create(&server, PMAPPROG,
                PMAPVERS, &sock, 50, 500))!=NULL) {
            if (clnt_call(client, PMAPPROC_DUMP, xdr_void, NULL,
                    xdr_pmaplist, &head, timeout) != RPC_SUCCESS)
                head=NULL;
        }
    }
    /* 3: Try each port from minport - maxport */
    for (count=minport;count<=maxport;count++) {
        /* Progress counter, overwritten in place with \r. */
        printf("\r%6d",count);
        fflush(stdout);
        /* NOTE(review): count is stored without htons(); whether
         * fakeconnect() (not in this listing) expects host order is
         * not visible here. */
        server.sin_port=count;
        /* fakeconnect() returning 0 is treated as "port answered". */
        if (!fakeconnect(&server, hostp)) {
            printf("\r %4d tcp ",count);
            /* NOTE(review): getservbyport() takes a network-byte-order port;
             * count is passed as-is. */
            sp=getservbyport(count,"tcp");
            if (sp==NULL) {
                switch(count) {
                /* Put in known services not in /etc/services here */
                case 2000: printf("(Xnews)");
                    break;
                case 6000: printf("(X)");
                    break;
                default:
                    if (userpc) {
                        /* Look for a TCP portmapper entry on this port and
                         * name it; the `break` inside the loop leaves the
                         * while, not the switch. */
                        headp=head;
                        while (headp!=NULL) {
                            if (headp->pml_map.pm_prot!=IPPROTO_TCP) {
                                headp=headp->pml_next;
                                continue;
                            }
                            if (count!=headp->pml_map.pm_port) {
                                headp=headp->pml_next;
                                continue;
                            }
                            rpc = getrpcbynumber(headp->pml_map.pm_prog);
                            if (rpc) {
                                printf("%-15s [rpc]", rpc->r_name);
                                break;
                            } else {
                                headp=headp->pml_next;
                                continue;
                            }
                        }
                        /* Reached both when getrpcbynumber() failed and when
                         * no entry matched at all (rpc then holds whatever
                         * the previous port left in it). */
                        if (rpc==NULL)
                            printf(" [rpc]");
                    } else
                        /* Unknown service; the "\n" here plus the one below
                         * leaves a blank line. */
                        printf("???\n");
                    break;
                }
            } else
                printf("%-15s",sp->s_name);
            printf("\n");
        }
    }
    printf("\n");
    exit(0);
}
/*
 * Print the command-line synopsis and option summary to stderr.
 * prog is the program name to show (the caller passes argv[0]).
 */
usage(prog)
char *prog;
{
    static const char *const option_lines[] = {
        "Options:\n",
        "-r Don't use RPC for port info\n",
        "-m port Specify port number to start at (default 1)\n",
        "-M port Specify port number to end at (default 6001)\n",
    };
    int i;
    fprintf(stderr,"Usage: %s [-r] [-m minport] [-M maxport] host\n", prog);
    for (i = 0; i < (int)(sizeof option_lines / sizeof option_lines[0]); i++)
        fputs(option_lines[i], stderr);
    return;
}
/*
 * Wait on a NIT descriptor for the reply to one probe.
 *
 * Reads buffered NIT snapshots from fd and discards everything until a TCP
 * segment is seen that goes from iph->ip_dst back to iph->ip_src and from
 * tcph->th_dport back to tcph->th_sport, i.e. the answer to the probe whose
 * IP/TCP headers the caller passes in.
 *
 * fd    - NIT descriptor; each read() is expected to return a run of
 *         snapshots framed as nit_bufhdr, nit_iftime, nit_ifdrops, nit_iflen,
 *         then the raw Ethernet frame (the NIT setup is not in this listing).
 * iph   - IP header of the probe that was sent; only the addresses are used.
 * tcph  - TCP header of the probe; only the ports are used.
 *
 * Returns 0 if the matching segment has both SYN and ACK set (the port is
 * listening), 1 for any other flag combination (e.g. a RST). There is no
 * internal timeout: if no matching segment ever arrives the function does
 * not return; presumably the caller bounds it with SIGALRM/handle_alarm()
 * (the setjmp() site is not in this listing).
 */
int scan_return(fd, iph, tcph)
int fd;
struct ip *iph;
struct tcphdr *tcph;
{
    char buf[8*1024], *bp, *bufstop, *cp, abuf[2048];
    int cc, done=0, retval=0;
    struct nit_bufhdr *hdrp;
    struct nit_iftime *ntp;
    struct nit_ifdrops *ndp;
    struct nit_iflen *nlp;
    struct ether_header *ep;
    u_short et;
    register struct ip *ip;
    struct tcphdr *tp;
    while (!done) {
        /* NOTE(review): a negative return (error, EINTR) is not handled;
         * done stays 0 and the read is simply retried. */
        if ((cc=read(fd, buf, 8*1024)) >= 0) {
            bp=buf;
            bufstop = buf+cc;
            /* One iteration per snapshot in this read(). */
            while (bp < bufstop) {
                cp = bp;
                /* Get past NIT buffer */
                hdrp = (struct nit_bufhdr *)cp;
                cp += sizeof(*hdrp);
                /* get past NIT timer */
                ntp = (struct nit_iftime *)cp;
                cp += sizeof(*ntp);
                /* get past the drops */
                ndp = (struct nit_ifdrops *)cp;
                cp += sizeof(*ndp);
                /* get past packet len */
                nlp = (struct nit_iflen *)cp;
                cp += sizeof(*nlp);
                /* next snapshot: bp is advanced now so every `continue`
                 * below lands on the following snapshot. No check that
                 * nhb_totlen keeps bp within buf. */
                bp += hdrp->nhb_totlen;
                /* Okay, got the packet, make sure it's a SYN-ACK reply */
                ep = (struct ether_header *)cp;
                et = ntohs(ep->ether_type);
                /* Skip trailer-encapsulated frames. */
                if ( et >= ETHERTYPE_TRAIL && et < ETHERTYPE_TRAIL+ETHERTYPE_NTRAILER)
                    continue;
                cp += sizeof(struct ether_header);
                /* pktlen now counts from the start of the IP header. */
                nlp->nh_pktlen -= sizeof(struct ether_header);
                if (et != ETHERTYPE_IP) continue;
                /* It's: ethernet + IP */
                ip=(struct ip *)cp;
                /* NOTE(review): nh_pktlen comes straight from the capture and
                 * is compared neither with sizeof abuf (2048) nor with the
                 * bytes left in buf before this copy, so an oversize
                 * snapshot overruns abuf on the stack. */
                bcopy((char *)ip, (char *)abuf, nlp->nh_pktlen); /* Align */
                ip = (struct ip *)abuf;
                if (ip->ip_p != IPPROTO_TCP)
                    continue;
                /* It's ethernet + IP + TCP */
                /* Reply must come from the probe's destination ... */
                if (ip->ip_src.s_addr != iph->ip_dst.s_addr)
                    continue;
                /* ... and be addressed to the probe's source. */
                if (ip->ip_dst.s_addr != iph->ip_src.s_addr)
                    continue;
                /* It's ethernet + IP + TCP + from target + to us */
                /* NOTE(review): tp is taken from cp, i.e. the unaligned read
                 * buffer rather than the aligned copy in abuf, and the
                 * fixed sizeof(struct ip) offset assumes a header with no
                 * IP options (ip_hl is not consulted). */
                cp+=sizeof(struct ip);
                tp = (struct tcphdr *)cp;
                /* Ports are compared as raw header fields; this assumes the
                 * caller stored tcph's ports in network order -- confirm. */
                if (tp->th_sport != tcph->th_dport)
                    continue;
                if (tp->th_dport != tcph->th_sport)
                    continue;
                /* It's ethernet + IP + TCP + from target + to us + ports right */
                if ((tp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {
                    retval=0;   /* SYN-ACK: listening */
                    done=1;
                } else {
                    retval=1;   /* anything else (typically RST): not listening */
                    done=1;
                }
                /* First matching segment decides; leave the snapshot loop. */
                break;
            } /* While (bp<bufstop) */
        } /* if read */
    } /* while !done */
    return(retval);
}
/* Jump target used by handle_alarm(). It must have been armed with setjmp()
 * before SIGALRM can fire; the setjmp() site is not in this listing. */
jmp_buf env_buf;
/* Signal handler for receive timeout */
handle_alarm()
{
    alarm(0); /* Clear the alarm */
    /* Abandon whatever the main flow was doing (presumably a blocking read in
     * scan_return()) and resume at the setjmp() that filled env_buf.
     * NOTE(review): longjmp() out of a signal handler is not async-signal-safe
     * in general, and is undefined if env_buf was never set by setjmp(). */
    longjmp(env_buf, 1);
}
/*
* Sends a packet, and waits for the reply
*/
int send_packet(fd, server, servername, localnet, netmask)
int fd;
struct sockaddr_in *server;
char *servername;
u_long localnet;
u_long netmask;
{
static struct sockaddr sa;
static struct strbuf ctl, datah;
static struct ip iph;
static char buf[2048], pbuf[2048], *oldbp;
static int computed=0;
struct ether_header eh;
struct tcphdr tcph;
char *bp, *pbp;
struct ether_addr myaddr, faddr;
FILE *fp;
struct hostent *he;
u_long x;
int retval;
if (!computed) {
/* ARP for the router/host, if possible */
int s;
struct arpreq arpreq;
struct sockaddr_in *s_arp;
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
perror("Socket");
exit(1);
}
arpreq.arp_pa.sa_family = AF_INET;
s_arp = (struct sockaddr_in *)&arpreq.arp_pa;
s_arp->sin_family = AF_INET;
s_arp->sin_addr.s_addr = server->sin_addr.s_addr;
/* First, send junk to it to get an ARP entry */
s_arp->sin_port = 9;
sendto(s, "blah", 4, 0, (struct sockaddr *)s_arp,
sizeof(struct sockaddr_in));
s_arp = (struct sockaddr_in *)&arpreq.arp_ha;
s_arp->sin_family = AF_UNSPEC;
if (ioctl(s, SIOCGARP, &arpreq) < 0) {
perror("ioctl");
close(s);
exit(1);
}
if (arpreq.arp_flags & ATF_COM) {
bcopy(arpreq.arp_ha.sa_data, &faddr, 6);
} else {
fprintf(stderr, "Can't find destination/router hardware address.\n");
exit(1);
}
/* faddr and myaddr are now computed, create the ether header */
bcopy(&faddr, &eh.ether_dhost, 6);
eh.ether_type = htons(ETHERTYPE_IP);
sa.sa_family = AF_UNSPEC;
bcopy((char *)&eh, (char *)sa.sa_data, sizeof(struct ether_header));
ctl.len = sizeof(struct sockaddr);
ctl.buf = (char *)&sa;
bp = buf;
iph.ip_v = IPVERSION;