📄 dps.c
字号:
/*
* Dynamic Port Scanner (DPS)
* dps.c -- DPS core functions implementation
*
* Copyright (c) 2006 - 2008 AR Samhuri <ar@securebits.org>
* ALL RIGHTS RESERVED.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
* My Include
*/
#include "./dps.h"
/*
* DPS Function Implementations
*/
void dps_init()
{
int i;
struct libnet_ether_addr *mac_addr;
printf(
"============================================================\n"
BANNER "\n"
COPYRIGHT "\n"
"============================================================\n" );
if( cfg.verbosity )
printf("Initializing DPS...\n");
/*
* Catch the interrupt signal so the prgram can print
* the results before exiting
*/
if( dps_catch_signal( SIGINT, dps_signal_handler ) == -1 )
{
printf("Cannot catch SIGINT signal.\n");
exit( EXIT_FAILURE );
}
/* Initialize Libpcap, Libnet, and other DPS variables */
/* Finding the device if the user didn't specify one */
if( cfg.device == NULL )
{
cfg.device = pcap_lookupdev( pcap_cfg.p_errbuf );
if( cfg.device == NULL )
{
printf("Error while looking for an interface: %s\n", pcap_cfg.p_errbuf );
exit( EXIT_FAILURE );
}
}
/* Opening the device */
pcap_cfg.p = pcap_open_live( cfg.device, SNAPLEN, PROMISC, TIMEOUT, pcap_cfg.p_errbuf );
if( pcap_cfg.p == NULL )
{
printf("Cannot open the device: %s\n", pcap_cfg.p_errbuf );
exit( EXIT_FAILURE );
}
/* Checking the Data Link of the device */
if( pcap_datalink( pcap_cfg.p ) != DLT_EN10MB )
{
printf("This program works only on Ethernet networks\n");
pcap_close( pcap_cfg.p );
exit( EXIT_FAILURE );
}
/* Setting up the Subnet Mask and Local Network Address */
if( pcap_lookupnet( cfg.device, &pcap_cfg.local_net, &pcap_cfg.netmask, pcap_cfg.p_errbuf ) == -1 )
{
printf("Cannot set up the subnet mask and network address: %s\n", pcap_cfg.p_errbuf );
pcap_close( pcap_cfg.p );
exit( EXIT_FAILURE );
}
/* set the nonblock mode on the sniffin interface */
pcap_setnonblock( pcap_cfg.p, 1, pcap_cfg.p_errbuf );
/* Initialize the Libnet Context */
libnet_cfg.l = libnet_init( LIBNET_LINK, cfg.device, libnet_cfg.l_errbuf );
if( libnet_cfg.l == NULL )
{
printf("Cannot initialize Libnet context: %s\n", libnet_cfg.l_errbuf );
exit( EXIT_FAILURE );
}
/* Get the Local IP Address */
local_ip_addr = libnet_get_ipaddr4( libnet_cfg.l );
/* Get the Local MAC Address */
mac_addr = libnet_get_hwaddr( libnet_cfg.l );
if( mac_addr == NULL )
{
printf("Cannot probe for local MAC: %s\n", libnet_geterror( libnet_cfg.l ) );
exit( EXIT_FAILURE );
}
local_eth_addr = ( u_int8_t * ) malloc( HRD_ADDR_LENGTH );
for( i = 0; i < HRD_ADDR_LENGTH; i++ )
local_eth_addr[ i ] = mac_addr->ether_addr_octet[ i ];
/* Set the Target IP Address */
if( cfg.resolve )
target_ip = libnet_name2addr4( NULL, cfg.target_ips, LIBNET_RESOLVE );
else
target_ip = libnet_name2addr4( NULL, cfg.target_ips, LIBNET_DONT_RESOLVE );
if( target_ip == -1 )
{
printf("Incorrect IP Address: %s\n", cfg.target_ips );
exit( EXIT_FAILURE );
}
/*
* If the target IP is NOT within the local net,
* We need to get the IP of the default gateway.
*
* The remote MAC is the MAC of target IP if it's
* within the local net, and it is the MAC of the
* default gateway if the target IP is NOT within
* the local net.
*/
if( ( target_ip & pcap_cfg.netmask ) != pcap_cfg.local_net )
{
default_gateway = get_default_gateway();
if( default_gateway == 0 )
{
printf("The target IP is unreachable. Default gateway couldn't be found\n");
exit( EXIT_FAILURE );
}
remote_eth = get_macOfip( default_gateway );
if( remote_eth == NULL )
{
printf("Couldn't ARP %s\n", libnet_addr2name4( default_gateway, LIBNET_DONT_RESOLVE ) );
exit( EXIT_FAILURE );
}
}
else
{
remote_eth = get_macOfip( target_ip );
if( remote_eth == NULL )
{
printf("Couldn't ARP %s\n", libnet_addr2name4( target_ip, LIBNET_DONT_RESOLVE ) );
exit( EXIT_FAILURE );
}
default_gateway = 0; /* unneeded */
}
/* Up-to-now, we have the following in our hands:
* local_ip_addr Local IP Address
* local_eth_adddr Local MAC Address
* remote_eth Remote MAC Address
* target_ip Target IP Address
* pcap_cfg.netmask Local Subnet Mask
* pcap_cfg.local_net Local Network Address
* default_gateway Gateway IP Address [?!]
*/
/* Initialize the port list */
if( !cfg.port_list )
{
cfg.port_list = ( char * ) malloc( 10 );
strcpy( cfg.port_list, "1-1024" );
}
if( libnet_plist_chain_new( libnet_cfg.l, &libnet_cfg.plist, cfg.port_list ) == -1 )
{
printf("libnet_plist_chain_new(): %s\n", libnet_geterror( libnet_cfg.l ) );
exit( EXIT_FAILURE );
}
}
void dps_scan()
{
int received, i;
u_int16_t bport,
eport,
src_port,
dst_port;
u_int32_t spoofed_src_ip,
poisoned_ip;
u_int8_t *rcv_packet;
time_t start_time;
time_t scan_begin;
time_t scan_end;
struct pcap_pkthdr header;
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
struct libnet_udp_hdr *udp;
struct libnet_icmpv4_hdr *icmp;
struct port_data *current_port;
if( cfg.verbosity )
printf("Starting Scanning...\n");
/*
* if the user specified the Ping option,
* we need to ping the target before scanning.
* the target won't be scanned if it's unpingable
*/
if( cfg.ping != 0 )
if( dps_ping() == 0 )
{
printf("The target host is not PINGable. try -P0 to disable PINGing\n");
exit( EXIT_FAILURE );
}
result.data = ( struct port_data * ) malloc( sizeof( struct port_data ) );
result.counter = 0;
result.open = 0;
result.closed = 0;
result.filtered = 0;
result.unfiltered = 0;
result.open_filtered = 0;
current_port = result.data;
current_port->next = NULL;
scan_begin = time( NULL );
/*
* Here, we need to go through the list of ports,
* send ARP poisoning packets (2 packets),
* send the scan packet (TCP or UDP),
* and listen for the response (timeout)
*/
while( libnet_plist_chain_next_pair( libnet_cfg.plist, &bport, &eport ) >= 1 )
{
for( dst_port = bport; dst_port <= eport; dst_port++ )
{
src_port = generate_random_port( 2 ); /* PORT: 1025 <-> 65535 */
if( default_gateway ) poisoned_ip = default_gateway;
else poisoned_ip = target_ip;
do
{
spoofed_src_ip = generate_random_ip( pcap_cfg.local_net, pcap_cfg.netmask );
}while( spoofed_src_ip == poisoned_ip || spoofed_src_ip == pcap_cfg.local_net );
current_port->spoofed_ip = spoofed_src_ip;
current_port->port = dst_port;
result.counter ++;
if( cfg.verbosity == 2 )
printf("PORT [%d] SPOOFED IP [%s] ", current_port->port,
libnet_addr2name4( spoofed_src_ip, LIBNET_DONT_RESOLVE ) );
/*
* Poison the remote end with the following:
* spoofed_src_ip Source IP Address
* poisoned_ip Destination IP Address
* local_eth_addr Source MAC Address
* remote_eth Destination MAC Address
*/
/*
* QUICK ARP POISONING LESSON:
* To effectively poison a host, send two ARP packets.
* The first is a fake ARP request.
* The second is a fake ARP reply.
* That works on:
* Linux systems
* All windows systems: WIN9X, WINNT, WIN2k, WINXP,...
* Cisco systems: Router IOS, L3 Switch, PIX FW,...
*/
dps_build_arp( ARPOP_REQUEST, spoofed_src_ip, poisoned_ip, local_eth_addr, remote_eth );
dps_write_packet();
usleep( 50000 );
dps_build_arp( ARPOP_REPLY, spoofed_src_ip, poisoned_ip, local_eth_addr, remote_eth );
dps_write_packet();
usleep( 50000 );
/*
* For the scan packet, we have now:
* src_port Source Port Address
* dst_port Destination Port Address
* spoofed_src_ip Source IP Address
* target_ip Destination IP Address
*/
/* Build the scan packet */
if( strcmp( cfg.scan_type, "UDP" ) != 0 )
{
dps_build_tcp( tcp_control, src_port, dst_port, spoofed_src_ip, target_ip,
local_eth_addr, remote_eth );
current_port->sent_control = tcp_control;
/* set the filter:
* src host target_ip and dst host spoofed_src_ip
* and tcp src port dst_port and dst port src_port
*/
pcap_cfg.f_code = ( char * ) malloc( 100 );
sprintf(pcap_cfg.f_code,
"src host %s and dst host %s and tcp src port %d and dst port %d\0",
libnet_addr2name4( target_ip, LIBNET_DONT_RESOLVE ),
libnet_addr2name4( spoofed_src_ip, LIBNET_DONT_RESOLVE),
dst_port, src_port );
}
else
{
dps_build_udp( src_port, dst_port, spoofed_src_ip, target_ip,
local_eth_addr, remote_eth );
pcap_cfg.f_code = ( char * ) malloc( 200 );
sprintf( pcap_cfg.f_code,
"src host %s and dst host %s and icmp or "
"src host %s and dst host %s and udp src port %d and dst port %d\n",
libnet_addr2name4( target_ip, LIBNET_DONT_RESOLVE ),
libnet_addr2name4( spoofed_src_ip, LIBNET_DONT_RESOLVE ),
libnet_addr2name4( target_ip, LIBNET_DONT_RESOLVE ),
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -