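/*
 * multiscan.c - command-line front end of mscan: gathers a list of addresses
 * into ipfile (or takes a single one with -o), forks a worker per address and
 * runs the checks selected on the command line against each.
 *
 * Everything named box, opts, portscan_, ipfile, checkos(), finger(), statd(),
 * checkXdisplay(), check_data(), showmount(), checknamed(), portscan() and the
 * _IRIX/_LINUX/... constants comes from mscan.h, which is not part of this file.
 */
#include "mscan.h"
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TRUE 1 // YOU CAN'T HANDLE THE TRUTH PLUMBER
#define FALSE 0

/* messy, memory hog struct to store command line opts..
 * convert to flags later. .
 * */
void jsbach_exit(int exitno);
void portsc(char *ip);
void getips(void);
void scan(char *ip);
void ctrlc(int signo);

/* SIGALRM handler: does nothing on purpose. A probe that is stuck inside a
 * blocking call presumably gets interrupted by the signal and returns. */
void ret(int signo)
{
    (void)signo;
    // printf("DEBUG: multiscan timed out.\n");
    return;
}

int count;
int currchilds = 0;       /* workers forked so far; never decremented (see main) */
char stringip[32];        /* one line of ipfile, newline included, as read by fgets */
char file[32];            /* log file name; nothing in this file ever sets it */
// char mybuf[512];
FILE *filedes;
int ostype = 0;           /* result of checkos() for the host being scanned */
char jsbach[256]; // worthless
int NUMCHILDREN;          /* upper bound on concurrently running workers (-c) */
char singleip[32];        /* the address given with -o */
/* things to scan for */
void usage(void);

/*
 * Copy src into the fixed-size buffer dst[cap]. An argument that does not
 * fit is refused with an error instead of being written past the buffer
 * (the original strcpy() calls had no bound at all).
 */
static void copy_arg(char *dst, size_t cap, const char *src, const char *what)
{
    size_t len = strlen(src);
    if (cap == 0 || len >= cap) {
        fprintf(stderr, "ERROR: %s is too long (max %zu chars).\n", what, cap ? cap - 1 : (size_t)0);
        exit(1);
    }
    memcpy(dst, src, len + 1);
}

/*
 * True when s is non-empty and made only of characters that are safe to
 * interpolate into a shell command line (letters, digits, '.', '-', '_', '/').
 * getips() hands opts.network and ipfile to system(), so anything else in
 * them would be interpreted by the shell.
 */
static int shell_safe_arg(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != '/')
            return 0;
    }
    return 1;
}

/* Abort when an snprintf() result n did not fit into a buffer of cap bytes,
 * so a cut-off command line never reaches system(). */
static void check_fit(int n, size_t cap)
{
    if (n < 0 || (size_t)n >= cap) {
        fprintf(stderr, "ERROR: command line too long.\n");
        exit(1);
    }
}

/*
 * Entry point: parses options, gathers the address list, then either scans
 * the single -o address in this process or forks a reader that forks one
 * worker per line of ipfile. Exits 1 on usage or I/O errors, 0 otherwise.
 */
int main(int argc, char **argv)
{
    int ch;                 /* int, not char: getopt() returns -1 at the end */
    FILE *list = NULL;

    signal(SIGALRM, ret);
    memset(&box, 0, sizeof(box));
    memset(&opts, 0, sizeof(opts));
    // strcpy(argv[0], "init");
    /* NOTE(review): ipfile and opts.network are assumed to be char arrays
     * declared in mscan.h (the original strcpy()s into them suggest so) —
     * confirm; sizeof on a pointer would make these bounds wrong. */
    copy_arg(ipfile, sizeof ipfile, ".ipdb", "default ip file"); // default IP logging file.
    if (argc < 2) {
        usage();
        exit(1);
    }
    NUMCHILDREN = 9;
    // setvbuf(stdout, mybuf, _IOFBF, sizeof(mybuf));
    /* 'n' is documented in usage() but was missing from the option string,
     * so case 'n' below was unreachable. */
    while ((ch = getopt(argc, argv, "c:f:r:z:h:o:FSECXWIPNVtabn")) != -1) {
        switch (ch) {
        case 'F':
            opts.finger = TRUE;
            break;
        case 'c': {
            /* strtol instead of atoi: reject junk, overflow and non-positive counts */
            char *end = NULL;
            errno = 0;
            long nchild = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE || nchild < 1 || nchild > INT_MAX) {
                fprintf(stderr, "ERROR: -c needs a positive number of children.\n");
                exit(1);
            }
            NUMCHILDREN = (int)nchild;
            fprintf(stderr, "scanning with %d children\n", NUMCHILDREN);
            break;
        }
        case 'f':
            copy_arg(ipfile, sizeof ipfile, optarg, "-f file"); // bounded now; was "buf. overflow me"
            break;
        case 'r':
#ifdef ARGDEBUG
            printf("DEBUG: scanning %s with rdns\n", optarg);
#endif
            opts.rdns = TRUE;
            opts.zone = FALSE;
            opts.host = FALSE;
            opts.nogetips = FALSE;
            copy_arg(opts.network, sizeof opts.network, optarg, "-r network");
            break;
        case 'z':
#ifdef ARGDEBUG
            printf("DEBUG: scanning %s with z0ne\n", optarg);
#endif
            opts.zone = TRUE;
            opts.rdns = FALSE;
            opts.host = FALSE;
            opts.nogetips = FALSE;
            copy_arg(opts.network, sizeof opts.network, optarg, "-z network");
            break;
        case 'h':
#ifdef ARGDEBUG
            printf("DEBUG: scanning %s with host\n", optarg);
#endif
            opts.host = TRUE;
            opts.rdns = FALSE;
            opts.zone = FALSE;
            opts.nogetips = FALSE;
            copy_arg(opts.network, sizeof opts.network, optarg, "-h network");
            break;
        case 'o':
            copy_arg(singleip, sizeof singleip, optarg, "-o ip");
            opts.singleip = TRUE;
            opts.host = FALSE;
            opts.zone = FALSE;
            opts.nogetips = FALSE;
            break;
        case 'P':
            opts.pop = TRUE;
            break;
        case 'n':
            opts.host = FALSE;
            opts.rdns = FALSE;
            opts.zone = FALSE;
            opts.nogetips = TRUE;
            break;
        case 'S':
            opts.statd = TRUE;
            break;
        case 'E':
            opts.exports = TRUE;
            break;
        case 'C':
            opts.cgi = TRUE;
            break;
        case 'X':
            opts.xwin = TRUE;
            break;
        case 'W':
            opts.wingate = TRUE;
            break;
        case 't':
            opts.truncate = TRUE;
            break;
        case 'V':
            opts.verbose = TRUE;
            break;
        case 'a':
            /* preset: everything except X servers and exports, non-verbose */
            opts.verbose = FALSE;
            opts.router = TRUE;
            opts.wingate = TRUE;
            opts.xwin = FALSE;
            opts.cgi = TRUE;
            opts.statd = TRUE;
            opts.finger = TRUE;
            opts.exports = FALSE;
            opts.named = TRUE;
            opts.pop = FALSE;
            break;
        case 'b':
            /* preset: everything except exports, verbose */
            opts.verbose = TRUE;
            opts.router = TRUE;
            opts.wingate = TRUE;
            opts.xwin = TRUE;
            opts.cgi = TRUE;
            opts.statd = TRUE;
            opts.exports = FALSE;
            opts.named = TRUE;
            opts.pop = TRUE;
            opts.imapd = TRUE;
            break;
        case 'N':
            opts.named = TRUE;
            break;
        case 'I':
            opts.imapd = TRUE;
            break;
        default:
            /* unknown option or missing argument: getopt already complained */
            usage();
            break;
        }
    }

    /* was `||`, which called getips() even with -n; getips() only acts when
     * rdns/zone/host is set, so this is the intended and equivalent condition */
    if (!opts.nogetips && !opts.singleip)
        getips();

    if (opts.file) {
        if ((filedes = fopen(file, "a+")) == NULL) {
            printf("ERROR: fatal error, couldn't open log file.\n");
            exit(1);
        }
    }

    if (!opts.singleip) {
        if ((list = fopen(ipfile, "r")) == NULL) {
            printf("ERROR: fatal error, couldn't open ip database.\n");
            exit(1);
        }
        switch (fork()) {
        case 0:
            /* reader: one worker per line of ipfile; the line is passed
             * with its trailing newline, scan() strips it for printing */
            while (fgets(stringip, sizeof(stringip), list) != NULL) {
                switch (fork()) {
                case 0:
                    fclose(stderr);
                    scan(stringip);
                    fflush(stdout);
                    exit(0);
                case -1:
                    printf("cannot fork so many timez@!@^&\n");
                    exit(0); /* exit status kept from the original */
                default:
                    /* currchilds is never decremented: once it passes
                     * NUMCHILDREN every new fork reaps one finished worker,
                     * which keeps about NUMCHILDREN workers alive */
                    currchilds++;
                    if (currchilds > NUMCHILDREN)
                        wait(NULL);
                    break;
                }
            }
            break;
        case -1:
            /* previously fell through into the banner and wait(NULL) below */
            printf("cannot do initial fork#^*&!@&*#$\n");
            exit(1);
        default:
            fprintf(stderr, "\n-\n.\n.\n.\nmscan by jsbach --june/1998.\n\n");
            fprintf(stderr, "\nthanks to #kode for keeping me sane this year,\n");
            fprintf(stderr, "being my friends, and inspiring me to write\n");
            fprintf(stderr, "this prog. \n");
            wait(NULL);
            break;
        }
        exit(0);
    }

    scan(singleip);
    fclose(stderr);
    return 0;
}

/*
 * Build the address list in ipfile from opts.network, using the external
 * rdns / z0ne / host tools through system(). Does nothing unless one of
 * opts.rdns, opts.zone or opts.host is set. Exits 1 on a malformed -r
 * argument or on an argument that is not safe to put on a shell command line.
 */
void getips(void)
{
    char temp[128];
    int a, b, c, d;

    if (!opts.rdns && !opts.zone && !opts.host)
        return;

    /* both values are interpolated into a shell command below */
    if (!shell_safe_arg(opts.network) || !shell_safe_arg(ipfile)) {
        fprintf(stderr, "ERROR: network and ip file may only contain letters, digits, '.', '-', '_' or '/'.\n");
        exit(1);
    }

    if (opts.rdns) {
        /* the number of dotted components selects the rdns mode */
        const char *mode = NULL;
        int result = sscanf(opts.network, "%d.%d.%d.%d", &a, &b, &c, &d);
        switch (result) {
        case 1:
            mode = "-a";
            break;
        case 2:
            mode = "-b";
            break;
        case 3:
            mode = "-c";
            break;
        case 4:
            printf("Wrong IP format for rdns. Read README-NOW.\n");
            exit(1);
        default: /* 0, or EOF on an empty string */
            printf("Wrong format for rdns, exiting, read README-NOW.\n");
            exit(1);
        }
        check_fit(snprintf(temp, sizeof temp, "./rdns %s %s > %s 2> /dev/null", mode, opts.network, ipfile),
                  sizeof temp);
        system(temp);
        return;
    }

    if (opts.zone) {
        check_fit(snprintf(temp, sizeof temp, "./z0ne -o %s > %s", opts.network, ipfile), sizeof temp);
        fprintf(stderr, "Be patient, compiling IP list.\n");
        system(temp);
        fprintf(stderr, "Done getting ip's.\n");
        return;
    }

    if (opts.host) {
        check_fit(snprintf(temp, sizeof temp,
                           "host -l %s | grep \"has address\" | awk '{print $4}' > %s",
                           opts.network, ipfile),
                  sizeof temp);
        fprintf(stderr, "Be patient, compiling IP list.\n");
        system(temp);
        fprintf(stderr, "Done getting ip's.\n");
        return;
    }
}

/*
 * Run the selected checks against one host and print what was found.
 * ip is a line from ipfile (trailing newline included) or the -o argument.
 * The alarm()/signal() calls are kept in their original order: each arms a
 * timeout around the following helper and ret() swallows the SIGALRM.
 */
void scan(char *ip)
{
    char printip[16];
    char *nl;

    memset(&box, 0, sizeof(box));
    alarm(9);
    portsc(ip);
    alarm(0);
    signal(SIGALRM, ret);
    alarm(10);
    if (portscan_.telnet)
        ostype = checkos(ip, 23);
    if (portscan_.finger && (ostype == _IRIX))
        finger(ip, "lp", IRIX_LP_CHECK);
    signal(SIGALRM, ret);

    /* Copy the address for printing and drop the newline fgets() left on it.
     * A 15-char dotted quad plus '\n' plus NUL is 17 bytes, one more than
     * printip holds, so this is a bounded copy rather than strcpy(). */
    snprintf(printip, sizeof printip, "%s", ip);
    if ((nl = strrchr(printip, '\n')) != NULL)
        *nl = '\0';
    // strcat(printip, '\0');
    memset(&box, 0, sizeof(box)); // this line is IMPORTANT :)

    // portscanning shit
    if (!opts.truncate)
        printf("-**-' scanning %s `-**-\n", printip);
    signal(SIGALRM, ret);
    alarm(0);
    alarm(5);
    if (portscan_.finger && opts.finger && (!opts.truncate)) {
        finger(printip, "\n", ALL_USERS);
    }
    alarm(9);
    if (opts.statd && portscan_.rpc)
        box.statd = statd(ip);
    if (box.statd) {
        if (!opts.truncate)
            printf("%s: VULN: runs statd.\n", printip);
    }
    if (opts.xwin && portscan_.xwin)
        box.xwin = checkXdisplay(printip);
    if (box.xwin) {
        /* same line either way; kept as in the original */
        if (!opts.truncate)
            printf("%s: VULN: open X server.\n", printip);
        else
            printf("%s: VULN: open X server.\n", printip);
    }
    signal(SIGALRM, ret);
    alarm(0);
    signal(SIGALRM, ret);
    alarm(4);
    if (opts.cgi && portscan_.httpd) {
        box.cgi.phf = check_data(ip, "/cgi-bin/phf", "<TITLE>Form for CSO PH", 80);
        alarm(0);
        alarm(3);
        if (box.cgi.phf) {
            if (!opts.truncate)
                printf("%s: VULN: runs /cgi-bin/phf. haha!\n", printip);
            else
                printf("%s: VULN: runs /cgi-bin/phf. haha!\n", printip);
        }
        alarm(0);
        alarm(3);
        box.cgi.test = check_data(ip, "/cgi-bin/test-cgi", "CGI/1.0 test script", 80);
        if (box.cgi.test) {
            if (!opts.truncate)
                printf("%s: VULN: runs /cgi-bin/test-cgi.\n", printip);
            else
                printf("%s: VULN: runs /cgi-bin/test-cgi\n", printip);
        }
        alarm(0);
        alarm(3);
        /*hmm lateron test for checking for \n's in handler! h0h0 */
        alarm(0);
        signal(SIGALRM, ret);
        alarm(4);
        box.cgi.handler = check_data(ip, "/cgi-bin/handler", "<HTML>\n", 80);
        if (box.cgi.handler) {
            if (!opts.truncate)
                printf("%s: VULN: runs /cgi-bin/handler\n", printip);
            else
                printf("%s: VULN: runs /cgi-bin/handler\n", printip);
        }
        alarm(0);
        signal(SIGALRM, ret);
        alarm(3);
    }
    alarm(0);
    signal(SIGALRM, ret);
    alarm(5);
    if (box.wingate) { /* nothing in this file sets box.wingate */
        printf("%s: VULN: runs wingate!\n", printip);
    }
    /* this gives annoying output and must be fixed SOON */
    if (opts.exports && portscan_.rpc) {
        showmount(printip);
    }
    if (opts.verbose && portscan_.httpd)
        printf("PORTSCAN: runs httpd.\n");
    if (opts.verbose && portscan_.finger)
        printf("PORTSCAN: runs finger. \n");
    /* was conditioned on portscan_.finger, which reported telnet for every
     * finger host (the original comment called it "sorta useless") */
    if (opts.verbose && portscan_.telnet)
        printf("PORTSCAN: runs telnet.\n ");
    if (opts.verbose && portscan_.imapd)
        printf("PORTSCAN: runs imapd. \n");
    if (opts.verbose && portscan_.xwin)
        printf("PORTSCAN: runs X windows\n");
    if (portscan_.named && opts.verbose)
        printf("%s: SCAN: this box is a nameserver.\n", printip);
    if ((ostype == _LINUX) && portscan_.named) {
        checknamed(printip);
    }
    if ((ostype == _REDHAT) && portscan_.named) {
        checknamed(printip);
    }
    if ((ostype == _FREEBSD) && portscan_.named)
        printf("%s: VULN: freebsd running named. try named overflow^@!\n", printip);
    signal(SIGALRM, ret);
    alarm(0);
    if ((ostype == _REDHAT) && portscan_.imapd)
        printf("%s: VULN: redhat linux box running imapd.\n", printip);
    if ((ostype == _SOLARIS) && box.statd)
        printf("%s: VULN: solaris box running statd $@ h0h0\n", printip);
    if (((opts.pop) && (portscan_.pop)) && (box.cgi.test || portscan_.finger || box.cgi.phf || box.cgi.handler))
        printf("%s: VULN: pop open and other holes\n", printip);
    if (!opts.truncate) {
        printf("\n\n\n'*********************`\n");
        printf("'*********************`\n");
    }
}

/* Print the option summary to stdout and exit with status 1. */
void usage(void)
{
    /* fputs: none of these lines are format strings */
    static const char *const lines[] = {
        "Usage: ./mscan [-r ip of net] [-z network] [-h network] [scan options]\n",
        "\n",
        " -r [ip of net] : reverse DNS lookup the network (use when\n",
        " nameservers don't allow host -l type queries)\n",
        " refer to README-NOW for more info.\n",
        " -z [network] : use z0ne to gather IP's; you should\n",
        " use this if the nameserver allows host -l queries.\n\n",
        " -h [network] : use 'host -l | grep \"has address\" | awk\n",
        " '{print $4}' to gather ip addresses. This only\n",
        " gathers IP's from the top level so z0ne is\n",
        " preferred.\n",
        " -c number : How many children to spawn. (i.e. if\n",
        " you do -c 50, mscan will be scanning 50 hosts\n",
        " at any given time.) Default is 9 (rather slow).\n",
        " -n : don't gather ip's, read from .ipdb.\n",
        " -f file : use \"file\" as IP database. When this opt isn't\n",
        " provided mscan logs to .ipdb.\n",
        " -S : check for boxes running statd.\n",
        " -E : check for boxes that export filesystems to everyone.\n",
        " -C : check for boxes running vulnerable cgi programs.\n",
        " -X : check for open X servers. \n",
        " -W : check for wingate servers and open routers.\n",
        " -I : check for redhat boxes running IMAP.\n",
        " -N : report linux and freebsd servers running vulnerable\n",
        " named versions.\n",
        " -F : attempt to get info via finger.\n",
        " -P : check for pop3d when the server is vulnerable to another\n",
        " exploit which allows us to get account names (test.cgi,\n",
        " finger, phf, handler.)\n",
        " -V : print OS type (if identified), open ports, and misc\n",
        " old vulnerabilities (AIX running rlogind, rex,\n",
        " sendmail 8.6.9, etc)\n",
        " -t : truncate output, only report boxes that you can immediately hax0r\n",
        " and don't print pop banners, telnet banners and portscan info.\n",
        " -a : report everything except X servers and exports.\n",
        " -b : report everything. (this is significantly slower\n",
        " than -a.) hint: pick only the options you need@&@\n",
        "\nExample : ./mscan -c 60 -h ac.kr -at > ac.kr.log &\n",
        "\n *-* by jsbach, june/1998 *-* \n",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        fputs(lines[i], stdout);
    exit(1);
}

/*
 * Fill portscan_ for ip by probing the ports the selected options need.
 * Which probes run depends on opts; the imapd probe always runs.
 */
void portsc(char *ip)
{
    // printf("\n - portscanning %s - \n\n", ip);
    memset(&portscan_, 0, sizeof(portscan_));
    if (opts.verbose) {
        portscan_.smtp = portscan(ip, 25);
        portscan_.finger = portscan(ip, 79);
        portscan_.pop = portscan(ip, 110);
    }
    if (opts.pop && (!opts.verbose))
        portscan_.pop = portscan(ip, 110);
    if (opts.finger && (!opts.verbose))
        portscan_.finger = portscan(ip, 79);
    if (portscan_.pop && (box.cgi.phf || box.cgi.test || box.cgi.nphtest))
        checkos(ip, 110);
    if (opts.wingate || opts.router || opts.verbose || opts.named || opts.imapd || opts.statd)
        portscan_.telnet = portscan(ip, 23);
    if (opts.verbose || opts.cgi)
        portscan_.httpd = portscan(ip, 80);
    portscan_.imapd = portscan(ip, 143); /* was `if (1)` */
    if (opts.named)
        portscan_.named = portscan(ip, 53);
    if (opts.pop)
        portscan_.pop = portscan(ip, 110);
    /* NOTE(review): the rpc probe uses port 110, the same port as the pop
     * probe above — confirm that is intended; kept as in the original */
    if (opts.statd || opts.exports)
        portscan_.rpc = portscan(ip, 110);
    if (opts.xwin)
        portscan_.xwin = portscan(ip, 6000);
}

/*
 * Interactive SIGINT handler: asks whether to quit and exits 0 on "yes".
 * Not installed anywhere in this file. The reads are bounded to the size of
 * check (11 chars + NUL); a failed read counts as "no".
 * NOTE(review): stdio and exit() inside a signal handler are not
 * async-signal-safe; kept as in the original.
 */
void ctrlc(int signo)
{
    char check[12];

    (void)signo;
    printf("quit mscan? (yes / no) : ");
    if (scanf("%11s", check) != 1)
        check[0] = '\0';
    if (strcmp(check, "yes") == 0) {
        printf("heh, you wanna quit eh.. should i save yer position in the ipfile? (yes / no) :");
        if (scanf("%11s", check) != 1)
            check[0] = '\0';
        if (strcmp(check, "yes") == 0)
            printf("sorry, not implemented yet.\n");
        sleep(1);
        exit(0);
    }
    printf("returning where we left of then @$& make up yer fucking mind before you ctrl-c @&($\n");
    return;
}

/* Print a farewell line and exit with exitno. */
void jsbach_exit(int exitno)
{
    printf("exiting mscan 1.0 by jsbach @&*@\n");
    exit(exitno);
}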