tcpip a mammoth description, short and easy-everything u want to know.txt

Page 1 of 4
3.) This third phase is optional and involves the sending of an ACK message by the client.

As TCP connect() scanners were detectable, programmers around the world developed a new kind of port scanner,
the SYN scanner, which does not establish a complete TCP connection. These scanners avoided detection by sending
only the first TCP packet of the handshake, the one carrying the SYN flag, and so establishing only a half-open
TCP connection. To understand how a SYN (half-open) port scanner works, simply read through its steps:

1. The SYN port scanner sends the first TCP packet, containing the SYN flag, to the remote host.
2. The remote system replies with either a SYN/ACK or a RST.
3. When the SYN port scanner receives one of the above responses, it knows whether the respective port
is open or not, that is, whether a daemon is listening for connections on it.

SYN port scanners were undetectable by most ordinary port scan detectors of the time; however, newer port
scan detectors like netstat and also some firewalls can filter out such scans. Another downside of this kind of
scanning is that the way the scanner has to build the raw IP packet varies from system to system.

UDP Scanning

This is yet another port scanning technique, used to check whether a UDP port is listening. To detect an open
UDP port, simply send a single UDP packet to it. If the port is listening, you will get a response; if it is not,
ICMP takes over and returns the error message "Destination Port Unreachable".

FIN Port Scanners

FIN port scanners are my favorite type of port scanner. They send a single packet containing the FIN flag. If
the remote host returns a packet with the RST flag, the port is closed; if no RST is returned, the port is open and
listening.

Some port scanners also use the technique of sending an ACK packet: if the Time To Live (TTL) of the
returning packet is lower than that of the RST packets received earlier, or if its window size is greater than
zero, then the port is probably open and listening.
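The four probe types described above (lone SYN, lone FIN, lone ACK, bare UDP datagram) each leave a distinctive trace on the wire, so a defender can spot them from packet summaries. The following detector is an added example, not part of the original text or of scantcp.c; it assumes packets have already been reduced to (src, dst, proto, port, flag set) tuples, and the sample traffic is constructed.

```python
"""Heuristic detector for SYN half-open, FIN-only, ACK-only and UDP port
scans over simplified packet records (added example, constructed data)."""
from collections import defaultdict

# Record layout (an assumption, not a real capture format):
#   (src_ip, dst_ip, proto, dst_port, set_of_tcp_flag_names)
# UDP records carry an empty flag set.
SYN, ACK, FIN = "SYN", "ACK", "FIN"

def detect_scans(records, min_ports=5):
    """Return {(src, dst, kind): sorted distinct ports} for every source that
    sends one kind of probe to at least min_ports distinct ports on a host."""
    syn_sent = set()            # (src, dst, port) that have seen a lone SYN
    probes = defaultdict(set)   # (src, dst, kind) -> ports probed
    for src, dst, proto, port, flags in records:
        key = (src, dst, port)
        if proto == "udp":
            # UDP scan: many lone datagrams; closed ports answer with ICMP
            # "port unreachable", open ones often with nothing at all.
            probes[(src, dst, "udp-probe")].add(port)
        elif flags == {SYN}:
            syn_sent.add(key)
            probes[(src, dst, "syn-only")].add(port)
        elif flags == {ACK}:
            if key in syn_sent:
                # third step of a real handshake: a full connect, so this
                # port was not half-open scanned by this source
                probes[(src, dst, "syn-only")].discard(port)
            else:
                # bare ACK with no preceding SYN from this source: ACK probe
                probes[(src, dst, "ack-only")].add(port)
        elif flags == {FIN}:
            # a FIN without ACK never occurs on a legitimate connection
            probes[(src, dst, "fin-only")].add(port)
    return {k: sorted(v) for k, v in probes.items() if len(v) >= min_ports}

def sample_records():
    """Constructed traffic: a half-open scanner that also ACK-probes, a FIN
    scanner, a UDP scanner, and a legitimate client completing handshakes."""
    recs = []
    recs += [("10.0.0.5", "10.0.0.1", "tcp", p, {SYN}) for p in range(21, 31)]
    recs += [("10.0.0.9", "10.0.0.1", "tcp", p, {FIN}) for p in range(1, 7)]
    recs += [("10.0.0.5", "10.0.0.1", "tcp", p, {ACK}) for p in range(6000, 6006)]
    recs += [("10.0.0.11", "10.0.0.1", "udp", p, set()) for p in (53, 67, 69, 111, 161, 514)]
    for p in (22, 25, 80, 443, 8080, 8443):   # legitimate client: SYN then ACK
        recs += [("10.0.0.7", "10.0.0.1", "tcp", p, {SYN}),
                 ("10.0.0.7", "10.0.0.1", "tcp", p, {ACK})]
    return recs
```

Running `detect_scans(sample_records())` reports the three scanning hosts by probe kind and stays silent about 10.0.0.7, whose SYNs were all followed by handshake-completing ACKs.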

The following is the code of a so-called stealth port scanner which appeared in Phrack Magazine.

/*
* scantcp.c
*
* version 1.32
*  
* Scans for listening TCP ports by sending packets to them and waiting for
* replies. Relies upon the TCP specs and some TCP implementation bugs found
* when viewing tcpdump logs.
*
* As always, portions recycled (eventually, with some stops) from n00k.c
* (Wow, that little piece of code I wrote long ago still serves as the base
*  interface for newer tools)
*
* Technique:
* 1. Active scanning: not supported - why bother.
*
* 2. Half-open scanning:
*      a. send SYN
*      b. if reply is SYN|ACK send RST, port is listening
*      c. if reply is RST, port is not listening
*
* 3. Stealth scanning: (works on nearly all systems tested)
*      a. sends FIN
*      b. if RST is returned, not listening.
*      c. otherwise, port is probably listening.
*
* (This bug in many TCP implementations is not limited to FIN only; in fact
*  many other flag combinations will have similar effects. FIN alone was
*  selected because always returns a plain RST when not listening, and the
*  code here was fit to handle RSTs already so it took me like 2 minutes
*  to add this scanning method)
*
* 4. Stealth scanning: (may not work on all systems)
*      a. sends ACK
*      b. waits for RST
*      c. if TTL is low or window is not 0, port is probably listening.
*
* (stealth scanning was created after I watched some tcpdump logs with
*  these symptoms. The low-TTL implementation bug is currently believed
*  to appear on Linux only, the non-zero window on ACK seems to exists on
*  all BSDs.)
*
* CHANGES:
* --------
* 0. (v1.0)
*    - First code, worked but was put aside since I didn't have time nor
*      need to continue developing it.
* 1. (v1.1)
*    - BASE CODE MOSTLY REWRITTEN (the old code wasn't that maintainable)
*    - Added code to actually enforce the usecond-delay without usleep()
*      (replies might be lost if usleep()ing)
* 2. (v1.2)
*    - Added another stealth scanning method (FIN).
*      Tested and passed on:
*      AIX 3
*      AIX 4
*      IRIX 5.3
*      SunOS 4.1.3  
*      System V 4.0
*      Linux
*      FreeBSD  
*      Solaris
*    
*      Tested and failed on:
*      Cisco router with services on ( IOS 11.0)
*
* 3. (v1.21)
*    - Code commented since I intend on abandoning this for a while.
*
* 4. (v1.3)
*    - Resending for ports that weren't replied for.
*      (took some modifications in the internal structures. this also
*       makes it possible to use non-linear port ranges
*       (say 1-1024 and 6000))
*
* 5. (v1.31)
*    - Flood detection - will slow up the sending rate if no replies are
*      received for STCP_THRESHOLD consecutive sends. Saves a lot of resends
*      on easily-flooded networks.
*
* 6. (v1.32)
*      - Multiple port ranges support.
*        The format is: <start-end>|<num>[,<start-end>|<num>,...]
*
*        Examples: 20-26,113
*                  20-100,113-150,6000,6660-6669
*    
* PLANNED: (when I have time for this)
* ------------------------------------
* (v2.x) - Multiple flag combination selections, smart algorithm to point
*          out uncommon replies and cross-check them with another flag
*        
*/

#define RESOLVE_QUIET

#include <stdio.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_tcp.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <errno.h>
#include "resolve.c"
#include "tcppkt03.c"

#define STCP_VERSION "1.32"
#define STCP_PORT  1234         /* Our local port. */
#define STCP_SENDS 3            
#define STCP_THRESHOLD 8
#define STCP_SLOWFACTOR 10

/* GENERAL ROUTINES ------------------------------------------- */

void banner(void)
    {
printf("\nscantcp\n");
printf("version %s\n",STCP_VERSION);
    }
void usage(const char *progname)
    {
printf("\nusage: \n");
printf("%s <method> <source> <dest> <ports> <udelay> <delay> [sf]\n\n",progname);
printf("\t<method> : 0: half-open scanning (type 0, SYN)\n");
printf("\t           1: stealth scanning (type 1, FIN)\n");
printf("\t           2: stealth scanning (type 2, ACK)\n");
printf("\t<source> : source address (this host)\n");
printf("\t<dest>   : target to scan\n");
printf("\t<ports>  : ports/and or ranges to scan - eg: 21-30,113,6000\n");
printf("\t<udelay> : microseconds to wait between TCP sends\n");
printf("\t<delay>  : seconds to wait for TCP replies\n");
printf("\t[sf]     : slow-factor in case sends are detected to be too fast\n\n");
    }
/* OPTION PARSING etc ---------------------------------------- */
unsigned char *dest_name;
unsigned char *spoof_name;
struct sockaddr_in destaddr;
unsigned long dest_addr;
unsigned long spoof_addr;
unsigned long usecdelay;
unsigned      waitdelay;

int slowfactor = STCP_SLOWFACTOR;

struct portrec           /* the port-data structure */
{
  unsigned           n;
  int                state;
  unsigned char      ttl;
  unsigned short int window;
  unsigned long int  seq;
  char               sends;

} *ports;

char *portstr;

unsigned char scanflags;

int done;

int rawsock;          /* socket descriptors */
int tcpsock;

int lastidx = 0;         /* last sent index */
int maxports;                          /* total number of ports */

void timeout(int signum)        /* timeout handler           */
    {
