It's a full port scanner... it works for all types of scanning. Here we use libpcap.
============================================================
               Dynamic Port Scanner [DPS] v1.1
  A port scanner based on ARP poisoning/spoofing technique
                      (c) 2006 - 2008
                 AR Samhuri <ar@securebits.org>
                  (http://www.securebits.org)
============================================================

 0x00  Introduction
 0x01  Features of DPS Tool
 0x02  Installation
 0x03  Running DPS Tool
 0x04  Copyright
 0x05  Disclaimer


0x00 Introduction
-----------------
     Dynamic Port Scanner [DPS] is a port scanner with a 
functionality that allows for dynamic spoofing of source IP 
addresses of scanning packets. The whole idea is based on 
integrating ARP poisoning technique into the scanning 
process. That is, for each TCP/UDP scan packet with a spoofed 
source IP address, the program will poison the ARP cache of 
the remote host/gateway in such a way that the scan reply 
packet (TCP, UDP, or ICMP) will be delivered to the scanning 
machine. Obviously, the spoofed IP must fall within the local 
network IP range of the scanning machine.

When starting to scan a host, DPS will first identify 
whether the target host is within the local network or not. 
If it is within the local network, that host will be the 
target of ARP poisoning as well as the scanning process. If 
it is NOT within the local network, DPS will identify the 
gateway as the ARP poisoning target. In the second case, the 
ARP cache of the gateway is poisoned so that scan replies 
coming from the target host will arrive at the local scanning 
machine.

     DPS supports 11 scanning methods: 10 methods for TCP scan 
and 1 method for UDP scan. The 10 TCP scan methods are: SYN, FIN, 
NULL, ACK, URG, PSH, XMAS, XMAS1, XMAS2, and XMAS3.

     The home page of DPS tool is:
     (http://www.securebits.org/dps.html)  

0x01  Features of DPS Tool
--------------------------
    0x00   DPS features 10 different TCP stealth scanning
           techniques. These are: SYN, FIN, NULL, ACK, URG, PSH,
           XMAS, XMAS1, XMAS2, XMAS3. (check sec. 0x03 for more
           information). Those 10 techniques can be grouped into
           three categories. The first category includes only the
           SYN scan. It is the most reliable among the others. It
           can identify the port as open or closed. The second
           group contains the ACK scan. This scan has one
           functionality, which is to determine if the port is
           filtered or not. The third group contains all the
           other 8 techniques. These techniques will identify
           if the port is closed or either open or filtered.
           One should note that scanning a Windows system with
           one of these techniques always shows a result of
           closed port.

    0x01   DPS differentiates between a scanned host within the
           local net and a host outside the local net. If the
           scanned host is within the local net, it is the target
           of ARP poisoning. If not, the gateway/router will be
           the target of ARP poisoning.

    0x02   Generation of spoofed source IPs is random and based
           on PRNG functions of Libnet. However, those spoofed
           IPs are always adjusted to fall in the subnet IP range
           of the scanning machine. For instance, if the scanning
           machine is in class B subnet, the spoofed IPs range
           from x.x.0.1 to x.x.255.254.

    0x03   The spoofed source IP will never match the IP of the
           scanned machine if it is within the local net. The
           reason is that one cannot ARP-poison a host with fake
           info about the machine itself.

    0x04   With the use of -w option, the port status output will
           have two different values. One for systems that follow
           TCP/IP standards (i.e. Linux and UNIX-like) and one
           for systems that violate TCP/IP standards (i.e.
           Windows and Cisco devices). One should note that the
           differences occur only when scanning using group III
           techniques (PSH, URG, FIN, NULL, XMAS, XMAS1, XMAS2,
           and XMAS3.)

    0x05   When generating the scan output, DPS shows the spoofed
           IP used when scanning each port, and this IP will be
           resolved to a hostname as well. One should note that
           even if the spoofed IP is not used in the local net,
           it can be used without affecting the scan process at
           all.

0x02  Installation
------------------
NOTE: before installing DPS, make sure to have libpcap and libnet
      installed on your machine.
      get libnet from:  http://www.packetfactory.net/libnet
      get libpcap from: http://www.tcpdump.org

To install:

     # tar xzf dps-xxx.tar.gz
     # cd dps-xxx
     # make && make install

To uninstall:

     # make uninstall

0x03  Running DPS Tool
----------------------
#./dps [options] host|ip
     [options]
     -t <type>   This will define the scan type.
                 S     SYN Scan (Default). Only the SYN bit is 
                       set in the TCP scan packet. If SYN/ACK 
                       is received, the port is open. If RST/ACK
                       is received, the port is closed.
                 N     NULL Scan. All flags are not set in the 
                       TCP scan packet. If RST/ACK is received, 
                       the port is closed. If no reply is 
                       received, the port is either open or 
                       filtered.
                 F     FIN Scan. Only the FIN bit is set in the 
                       TCP scan packet. If RST/ACK is received, 
                       the port is closed. If no reply is 
                       received, the port is either open or 
                       filtered.
                 P     PSH Scan. Only the PSH bit is set in the 
                       TCP scan packet. If RST/ACK is received, 
                       the port is closed. If no reply is 
                       received, the port is either open or 
                       filtered.
                 A     ACK Scan. Only the ACK bit is set in the 
                       TCP scan packet. If RST is received, the 
                       port is unfiltered. If no reply is 
                       received, the port is filtered.
                 U     URG Scan. Only the URG bit is set in the 
                       TCP scan packet. If RST/ACK is received, 
                       the port is closed. If no reply is 
                       received, the port is either open or 
                       filtered.
                 X     XMAS Scan. Bits PSH, URG, and FIN are set
                       in the TCP scan packet. If RST/ACK is 
                       received, the port is closed. If no 
                       reply is received, the port is either 
                       open or filtered.
                 X1    XMAS1 Scan. Bits PSH and FIN are set in
                       the TCP scan packet. If RST/ACK is 
                       received, the port is closed. If no 
                       reply is received, the port is either 
                       open or filtered.
                 X2    XMAS2 Scan. Bits URG and FIN are set in
                       the TCP scan packet. If RST/ACK is 
                       received, the port is closed. If no 
                       reply is received, the port is either 
                       open or filtered.
                 X3    XMAS3 Scan. Bits URG and PSH are set in
                       the TCP scan packet. If RST/ACK is 
                       received, the port is closed. If no 
                       reply is received, the port is either 
                       open or filtered.
                 UDP   UDP scan. A UDP packet is sent. If an ICMP
                       port unreachable packet is received, the
                       port is closed. If no reply is received,
                       the port is filtered or open. If a UDP
                       packet is received, the port is open.

     -p <ports>  Ports to scan (Default: 1-1024)
                 port list should be in the format:
                 x-y,z (e.g. 1-100,5000 or 1-200,900-1024)

     -i <if>     Interface to use (Optional) (e.g. eth0)

     -T <secs>   Scan time-out in seconds. Waiting for scan
                 response will timeout after <secs> seconds.

     -P <no>     PING option (Default: 1)
                  0   DONT PING
                  1   PING
                 If the PING option is on and the target host does
                 not respond to PING, the program will terminate.
     -d          Do NOT resolve hostnames or look up IP addresses
     -w          Show port status if the scanned host is Windows
     -h          Display the help menu.
     -v[v]       Output verbosity.
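The flag combinations and reply rules listed above, written out as a small decoder. This is an added illustration, not DPS code: given the TCP flag byte of a probe and of its reply (or no reply), it names the DPS technique and the port state DPS would report under the rules of sections 0x01 and 0x03, which is also how a defender can label such probes in a capture.

```c
#include <string.h>

/* TCP flag bits, RFC 793 bit order */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define NO_REPLY (-1)   /* the -T time-out expired with no packet */

/* Name the DPS technique whose probe carries these TCP flags. */
const char *dps_scan_type(unsigned char flags)
{
    switch (flags & 0x3f) {               /* only the six classic flag bits */
    case TH_SYN:               return "SYN";
    case 0:                    return "NULL";
    case TH_FIN:               return "FIN";
    case TH_PSH:               return "PSH";
    case TH_ACK:               return "ACK";
    case TH_URG:               return "URG";
    case TH_PSH|TH_URG|TH_FIN: return "XMAS";
    case TH_PSH|TH_FIN:        return "XMAS1";
    case TH_URG|TH_FIN:        return "XMAS2";
    case TH_URG|TH_PSH:        return "XMAS3";
    default:                   return "unknown";
    }
}

/* Port state DPS reports for a probe/reply pair; reply is the reply's flag
 * byte or NO_REPLY. Follows the three groups of section 0x01. */
const char *dps_port_state(unsigned char probe, int reply)
{
    const char *t = dps_scan_type(probe);
    if (!strcmp(t, "unknown")) return "unknown";
    if (!strcmp(t, "SYN")) {              /* group I: open vs closed */
        if (reply == (TH_SYN|TH_ACK)) return "open";
        if (reply == (TH_RST|TH_ACK)) return "closed";
        return "no reply";
    }
    if (!strcmp(t, "ACK")) {              /* group II: filtered vs unfiltered */
        if (reply == NO_REPLY) return "filtered";
        return (reply & TH_RST) ? "unfiltered" : "unexpected";
    }
    /* group III: a Windows target answers RST to all of these, hence "closed" */
    if (reply == NO_REPLY) return "open|filtered";
    return (reply & TH_RST) ? "closed" : "unexpected";
}
```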

0x04  Copyright
---------------
This tool is distributed under the GNU General Public License.
Check the COPYING file for more details on the license.

0x05  Disclaimer
----------------
This tool was developed for legal uses only. These include, but
are not limited to, penetration testing, vulnerability 
assessment, security auditing, educational experiments, and
ethical hacking. The author hereby disclaims himself of any 
damage caused by any illegal or lame usage of such tool.

EOF
