Translation Works 4: Coding a TCP Connect Port Scanner: Using Input Files Rev 1.0 - Nightcat

xiaoxiao 2021-03-06

This article assumes that readers have read Truncode.org's article Coding a TCP Connect Port Scanner: Step by Step, or already have basic TCP/IP socket programming skills. This article builds on Coding a TCP Connect Port Scanner: Step by Step.

] Introduction

The Internet offers an almost endless number of security scanners for system administrators, network penetration testers, firewall analysts, and hackers. Try a few searches on a site like http://packetstormsecurity.com and the sheer volume of good C code will soon overwhelm you.

Most of the smaller port and vulnerability scanners scan only one target at a time. This leaves you with two options: loop the program from a shell script, or modify the source code yourself.

If you are not yet comfortable writing your own routines, study the more complete programs that already have the functionality you want and borrow from them to enrich your own. That is the approach I take in this article.

For this article's file input/output example, I chose to extract the read_hosts() function from onesixtyone, the excellent SNMP brute-force scanner written by solareclipse@phreedom.org. After some time modifying and tweaking code you come across, you will naturally begin developing your own routines without even thinking about it. While you are still inexperienced, using existing code builds confidence; in fact, it is the best way to learn. Just make sure you understand every line of code you use.

] File input function:

Let us first get reacquainted with the process of opening files.

---------------------------------------------------------------------------
fopen()
---------------------------------------------------------------------------

To use a file we first need to open it, which is done with fopen(). The prototype of this function is as follows:

FILE *fopen(const char *path, const char *mode);

fopen() takes two parameters: the path of the target file and the open mode, which decides how the file is opened. If the open succeeds, a FILE pointer is returned.

---------------------------------------------------------------------------
fclose()
---------------------------------------------------------------------------

This function does what you would expect: it closes a file. It expects to be passed a FILE pointer.

---------------------------------------------------------------------------
fgetc()
---------------------------------------------------------------------------

This function reads one character at a time. It is the magic function that lets us read in a list of IP addresses or hostnames: each time fgetc() returns, we simply move on to the next character until the end of the file is reached.

The following simple program opens a file and prints each line using the previous functions.

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch;      /* int rather than char so the EOF comparison is reliable */
    int c;

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    /* read one character at a time; newline, space or tab ends an entry */
    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                printf("%s\n", buf);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        /* bail out before an over-long entry can overrun buf */
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

First, we define the FILE pointer *fd. fopen() then opens the file by associating a stream with that FILE pointer. As we loop through each character with fgetc(), the program checks for a newline, space, or tab, which marks the end of an entry. When one is encountered, the string is printed and the loop starts again. This program is not exactly interesting, but it serves as the basis for a small port or vulnerability scanner.

Let us modify this program by replacing the printf() statement with a gethostbyaddr() routine. With only a few adjustments the program becomes useful: it can now do speedy reverse DNS lookups on a large list of IP addresses.

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* reverse lookup; the length passed is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr),
                                        AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("%s\n", he->h_name);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

At first glance this program looks more complex than its predecessor, but the logic is the same. With this simple template we can develop many useful programs. This time we swap the gethostbyaddr() routine for a simple TCP connect port scanning function, and the program is transformed into a port scanner capable of scanning whole subnets.

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define TRUE  1
#define FALSE 0
#define SSH   22

/*
 * Simple TCP port scanner
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    /* a completed three-way handshake means the port is open */
    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = TRUE;
    } else {
        state = FALSE;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c, i;

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                if ((i = portscan(buf, SSH)) == 0)
                    printf("%s has port %d closed.\n", buf, SSH);
                else
                    printf("%s has port %d open.\n", buf, SSH);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

There seem to be unlimited possibilities with fopen(), fclose(), and fgetc(). As an exercise, pick a scanner you like that accepts only one host on the command line and hack its code into something new. At present this port scanner scans only one port. That is easily fixed: we need a simple loop around portscan() and a few new variables, shown below:

---------------------------------------------------------------------------
int start, end, counter;

start = atoi(argv[2]);
end = atoi(argv[3]);
---------------------------------------------------------------------------

Add a simple loop around the portscan () function:

---------------------------------------------------------------------------
if (c > 0) {
    for (counter = start; counter <= end; counter++) {
        if ((i = portscan(buf, counter)) == 0)
            printf("%s has port %d closed.\n", buf, counter);
        else
            printf("%s has port %d open.\n", buf, counter);
    }
}
---------------------------------------------------------------------------

The output is as follows:

modular@truncode$ ./portscan hostips.txt 1 25
192.168.1.100 has port 1 closed.
192.168.1.100 has port 2 closed.
192.168.1.100 has port 3 closed.
192.168.1.100 has port 4 closed.
192.168.1.100 has port 5 closed.
...

That looks rather ugly. It makes sense to modify the program so that it outputs one IP address together with its hostname, open ports, and services. The following example may be child's play, but the point is to show how each new modification builds on the last:

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define TRUE  1
#define FALSE 0

/*
 * Simple TCP port scanner function
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = TRUE;
    } else {
        state = FALSE;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct servent *srvc;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c, i;
    int start, end, counter;

    start = atoi(argv[2]);
    end = atoi(argv[3]);

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* reverse lookup; the length passed is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr),
                                        AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("\n");
                printf("Interesting ports on %s (%s)\n\n", he->h_name, buf);
                printf("Port\tState\tService\n");
                for (counter = start; counter <= end; counter++) {
                    if ((i = portscan(buf, counter)) == 0)
                        continue;
                    /* map the open port to its well-known service name, if any */
                    srvc = getservbyport(htons(counter), "tcp");
                    printf("%d/tcp\topen\t%s\n", counter,
                           (srvc == NULL) ? "unknown" : srvc->s_name);
                }
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

Three new structure definitions were added:

struct hostent *he;
struct servent *srvc;
struct in_addr t_addr;

The current version of the program has re-incorporated the gethostbyaddr() routine from the earlier example, so DNS hostnames are printed as well. The getservbyport() function was also added so that each port can be matched to a standard service. Refer back to the first article, Coding a TCP Connect Port Scanner: Step by Step, if you need a refresher on how these functions are implemented.

The next article in this series will demonstrate how to incorporate variable-length subnet masking (VLSM) into a port scanner.

] Appendix:

Coding a TCP Connect Port Scanner: Using Input Files Rev 1.0 - C Hacker's Handbook Series #2

* truncode security development * http://truncode.org
modular

This paper assumes the reader has read truncode.org's paper, Coding a TCP Connect Port Scanner: Step by Step, or already has basic TCP/IP socket programming skills. This paper is intended to build upon the paper Coding a TCP Connect Port Scanner: Step by Step.

] Introduction

The Internet offers an almost endless amount of security scanners to the System Administrator, Network Penetration Tester, Firewall Analyst, and Hacker. Try a few searches on a web site like http://packetstormsecurity.com and it will not take long until the massive volume of C code available overwhelms you.

A majority of the smaller port and vulnerability scanners, for example, will scan only one target at a time. This leaves you with two choices. You can either loop the program in a shell script or modify the source code itself.

If you do not yet feel comfortable with writing your own routines, look at some of the more robust scanners out there with the existing functionality you would like to see in your own tools. This is the approach I take in this paper.

For this paper's file input/output example I chose to rip the read_hosts() function from the excellent SNMP brute-force scanner onesixtyone written by solareclipse@phreedom.org. After some time modifying and tweaking existing code you come across, you'll naturally begin to develop your own routines without even thinking about it. It is a common belief that if you use existing code, you are not "elite". This is actually the best way to learn. Just make sure you understand every line you use!

] File Input function:

Let us first get reacquainted with the process of opening files.



---------------------------------------------------------------------------
fopen()
---------------------------------------------------------------------------

In order to use a file, we first need to open it. This is accomplished with the fopen() function. This function's prototype is as follows:

FILE *fopen(const char *path, const char *mode);

The fopen() function takes two parameters: the path of the target file and the mode in which to open it. On success a FILE pointer is returned.

---------------------------------------------------------------------------
fclose()
---------------------------------------------------------------------------

This function does what you would expect: it closes a file. It expects to be passed a FILE pointer.

---------------------------------------------------------------------------
fgetc()
---------------------------------------------------------------------------

This function reads in one character at a time. This is the magic function that will allow us to read in a list of IP addresses or hostnames, for example. Each time fgetc() returns, we simply increment to the next character until we reach the end of the line.

The following simple program opens a file and prints each line using the previous functions:

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch;      /* int rather than char so the EOF comparison is reliable */
    int c;

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    /* read one character at a time; newline, space or tab ends an entry */
    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                printf("%s\n", buf);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        /* bail out before an over-long entry can overrun buf */
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

First, we define the FILE pointer *fd. The fopen() function then opens a file by associating a stream with the FILE pointer. As we loop through each character using fgetc(), the program checks for a newline, space, or tab indicating the end of an entry. When a newline, space, or tab is encountered, a string is printed and the loop starts again. This program is not exactly interesting, but it serves as a basis from which to begin writing a small port or vulnerability scanner.

Let's modify this program by replacing the printf() statement with a gethostbyaddr() routine. Now this program has become useful with only a few adjustments. It can now do speedy reverse DNS lookups on a large list of IP addresses.

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* reverse lookup; the length passed is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr),
                                        AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("%s\n", he->h_name);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

At first glance, this program looks much more complex than its predecessor, but the logic is in fact the same. By using this simple template, we can develop many useful programs. This time we can swap out the gethostbyaddr() routine with a simple TCP connect port scanning function. Suddenly this program is transformed into a port scanner capable of scanning whole subnets!

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define TRUE  1
#define FALSE 0
#define SSH   22

/*
 * Simple TCP port scanner
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    /* a completed three-way handshake means the port is open */
    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = TRUE;
    } else {
        state = FALSE;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c, i;

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                if ((i = portscan(buf, SSH)) == 0)
                    printf("%s has port %d closed.\n", buf, SSH);
                else
                    printf("%s has port %d open.\n", buf, SSH);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

There seem to be unlimited possibilities with fopen(), fclose(), and fgetc(). As an exercise, pick some of your favorite scanners that are limited to only one host on the command line and hack the code into something new!
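The same fgetc() loop drives every program on this page, and it has three rough edges worth knowing about before a host list of unknown origin is fed to it: ch is declared as char, so the EOF comparison is unreliable; a final entry with no trailing newline is never processed; and an over-long entry aborts the whole run with exit(1). The block below is an added example, not code from the paper or from onesixtyone: next_host(), text_stream(), count_hosts() and last_host_matches() are names chosen here, and the sample host list is constructed.

```c
#include <stdio.h>
#include <string.h>

enum { HOST_OK = 1, HOST_EOF = 0, HOST_TOO_LONG = -1 };

/* Read the next entry from fp into buf (len bytes). Separators are newline,
 * space and tab as in the paper's loop, plus '\r' so CRLF lists work.
 * Returns HOST_OK (buf NUL-terminated), HOST_EOF when nothing is left, or
 * HOST_TOO_LONG; an oversized entry is drained so the caller can carry on. */
int next_host(FILE *fp, char *buf, size_t len)
{
    size_t c = 0;
    int ch;            /* int, not char: EOF must be distinguishable from 0xFF */
    int overflow = 0;

    if (len == 0)
        return HOST_TOO_LONG;
    while ((ch = fgetc(fp)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t' || ch == '\r') {
            if (c == 0 && !overflow)
                continue;  /* leading or repeated separators */
            break;         /* end of the current entry */
        }
        if (c + 1 >= len) {
            overflow = 1;  /* keep consuming, stop storing */
            continue;
        }
        buf[c++] = (char)ch;
    }
    buf[c] = '\0';         /* an entry that ends at EOF is still returned */
    if (overflow)
        return HOST_TOO_LONG;
    return c > 0 ? HOST_OK : HOST_EOF;
}

/* Wrap constructed text in a FILE* via tmpfile() so no file on disk is needed. */
static FILE *text_stream(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

/* Walk text with a deliberately small 16-byte buffer. Returns the number of
 * valid entries, or the number of rejected ones when want_rejected is set. */
int count_hosts(const char *text, int want_rejected)
{
    char buf[16];
    int valid = 0, rejected = 0, rc;
    FILE *fp = text_stream(text);

    if (fp == NULL)
        return -1;
    while ((rc = next_host(fp, buf, sizeof(buf))) != HOST_EOF) {
        if (rc == HOST_TOO_LONG)
            rejected++;
        else
            valid++;
    }
    fclose(fp);
    return want_rejected ? rejected : valid;
}

/* 1 if the last valid entry in text equals expected: the paper's loop silently
 * drops a final entry that is not followed by a newline. */
int last_host_matches(const char *text, const char *expected)
{
    char buf[16], last[16] = "";
    int rc;
    FILE *fp = text_stream(text);
    if (fp == NULL)
        return 0;
    while ((rc = next_host(fp, buf, sizeof(buf))) != HOST_EOF)
        if (rc == HOST_OK)
            strcpy(last, buf);
    fclose(fp);
    return strcmp(last, expected) == 0;
}

/* Constructed sample: CRLF line, two entries on one line, blank line,
 * over-long entry, final entry with no trailing newline. */
static const char SAMPLE_INPUT[] =
    "192.168.1.100\r\n10.0.0.5 \t10.0.0.6\n\n0123456789abcdef0123\n10.0.0.7";

int main(void)
{
    char buf[16];
    int rc;
    FILE *fp = text_stream(SAMPLE_INPUT);
    if (fp == NULL)
        return 1;
    while ((rc = next_host(fp, buf, sizeof(buf))) != HOST_EOF)
        printf("%s\n", rc == HOST_OK ? buf : "(entry too long, skipped)");
    return fclose(fp);
}
```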

So far this port scanner only scans one port. No problem; at this point we need a simple loop and a few new variables around portscan(), shown below:

---------------------------------------------------------------------------
int start, end, counter;

start = atoi(argv[2]);
end = atoi(argv[3]);
---------------------------------------------------------------------------

Add a simple for loop around the portscan() function:

---------------------------------------------------------------------------
if (c > 0) {
    for (counter = start; counter <= end; counter++) {
        if ((i = portscan(buf, counter)) == 0)
            printf("%s has port %d closed.\n", buf, counter);
        else
            printf("%s has port %d open.\n", buf, counter);
    }
}
---------------------------------------------------------------------------

The output is superfluous and is due for some tweaking:

modular@truncode$ ./portscan hostips.txt 1 25
192.168.1.100 has port 1 closed.
192.168.1.100 has port 2 closed.
192.168.1.100 has port 3 closed.
192.168.1.100 has port 4 closed.
192.168.1.100 has port 5 closed.
...

That looks rather ugly. It makes sense to modify the program so it outputs one IP address and a list of hostnames, open ports, and services. The following example may be child's play, but the point is to show how each new modification builds on the last:

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define TRUE  1
#define FALSE 0

/*
 * Simple TCP port scanner function
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = TRUE;
    } else {
        state = FALSE;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct servent *srvc;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c, i;
    int start, end, counter;

    start = atoi(argv[2]);
    end = atoi(argv[3]);

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* reverse lookup; the length passed is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr),
                                        AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("\n");
                printf("Interesting ports on %s (%s)\n\n", he->h_name, buf);
                printf("Port\tState\tService\n");
                for (counter = start; counter <= end; counter++) {
                    if ((i = portscan(buf, counter)) == 0)
                        continue;
                    /* map the open port to its well-known service name, if any */
                    srvc = getservbyport(htons(counter), "tcp");
                    printf("%d/tcp\topen\t%s\n", counter,
                           (srvc == NULL) ? "unknown" : srvc->s_name);
                }
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

Three new structure definitions were added:

struct hostent *he;
struct servent *srvc;
struct in_addr t_addr;

The current version of this program has reincorporated the gethostbyaddr() routine from the first example so that DNS hostnames can be printed out as well. The getservbyport() function was also added so that each port could be matched with a standard service. Refer back to the first paper in this series, Coding a TCP Connect Port Scanner: Step by Step, if you need a refresher on how these functions are implemented.

The next paper in this series will demonstrate how to incorporate variable-length subnet masking (VLSM) into a port scanner.

--nightcat

This article assumes that readers have read Truncode.org's articles Coding a TCP Connect Port Scanner: Step by Step, or already have the basic skills of TCP / IP socket programming. This article is based on Coding a TCP Connect Port Scanner: Step by Step.

] Introduction

The Internet provides almost numerous safety scanners for system administrators, network penetration testors, set fire wall analysts, and hackers. Try to search on the site like http://packetstormsecurity.com, there is a lot of very good C code to overwhelmed you.

Most small-port and vulnerability scanners only scan a goal each time. Here you have two options. You can cycle this program with a shell script, you can also modify one original code yourself.

If you are not satisfied with your own program, you can learn from the function of writing the perfect program to enrich your own procedure. I have taken this method in this article.

Because this article is an Input / Output example, I chose a perfect SNMP violent cracking scanner written from SolareClipse@phreedom.org OneSixTyone to separate a read_hosts (). In the future, modify and extract you encounter. After the code, you will naturally start developing your own procedures without having to think about it. When you are not very powerful, use the existing code to bring confidence. In fact, this is also the best way to learn. It is only to understand each line of code to use.

] File input function:

Let us first familiarize with the way of opening documents

-------------------------------------------------- -------------------------! ---------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- ---

In order to use a file, we need to open it first, this can be done with fopen (). The prototype of this function is as follows: file * fopen (const char * path, const char * mode);

This fopen () function has two parameters: the path and open mode of the target file, the open mode decides how we will open it. If successful is open, a file pointer will be returned. -------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- ---

This function is as you think: Close a file. This function is expected to pass to a file pointer.

-------------------------------------------------- ------------------------- FGetc () ---------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------- ---

This function reads a character each time. This is a magical function allows us to read from an IP address or host list. For example: Each FGETC () returns, we simply add to the next character until the end of the file is reached.

The following simple programs open a file and print out each line with a previous function.

-------------------------------------------------- ------------------------- # include

INT main (int Argc, char * argv []) {file * fd; char buf [100]; char ch, * iPlist = argv [1]; int C;

IF ((fd = fopen (iPlist, "r")) == 0) {Printf ("Error Opening Input File% S / N", IPLIST); EXIT (1);} C = 0; CH = 0;

While ((CH = FGETC (FD))! = EOF) {if (CH == '/ n' || CH == '|| CH ==' / t ') {BUF [C] =' / 0 '; If (c> 0) {printf ("% s / n", buf);} c = 0;} else {BUF [C ] = CH;} if (c> sizeof (buf) -1) {EXIT (1);}} fclose (fd); return 0;} --------------------------------- ----------------------------------------

First, we define a file pointer * fd. This fopen () function is turned on when the file is turned on by association to the file pointer stream. But we use the FGetc () loop each character, this program checks the new row, spaces, or Tab keys to indicate the end of the input. When you encounter a new row, space, or tab, you will print a string and start cycling again. This program is not necessarily interested. But he is suitable for a small port or vulnerability scanner.

Let us modify this program to replace the Printf () declaration by using the gethostbyaddr () program. Now this program is only a small adjustment. He can quickly reverse DNS lookup in a large IP list.

-------------------------------------------------- -------------------------

#include #include #include #include #include #include #include

INT Main (int Argc, char * argv []) {struct hostent * he; struct in_addr t_addr; file * fd; char buf [100]; char ch, * iPlist = argv [1]; int C;

IF ((fd = fopen (iPlist, "r")) == 0) {Printf ("Error Opening Input File% S / N", IPLIST); EXIT (1);} C = 0; CH = 0;

While ((CH = FGETC (FD))! = EOF) {if (CH == '/ n' || CH == '|| CH ==' / t ') {BUF [C] =' / 0 '; If (c> 0) {

T_addr.s_addr = inet_addr (buf);

IF ((He = gethOstbyaddr ((Char *) & (t_addr.s_addr), sizeof (buf), AF_INET) == null) {Herror ("gethostByName"); exit (1);} printf ("% s / N ", he-> h_name);} c = 0;} else {buf [c ] = CH;} IF (c> sizeof (buf) -1) {exit (1);}} fclose (fd); return 0;} ------------------------------------------------------------------------------------------- ----------------------------

Look, this program looks more complicated than the front, but logically is the same. With this simple template, we can develop a lot of useful procedures. This time we can change out the gethostbyaddr () program with a simple TCP connection port scan function. This program is converted into a port scanner capable of scanning the entire subnet.

-------------------------------------------------- ------------------------- # cDE #include #include #include > #include #include #include #define true 1 # define false 0 # define ssh 22 / * * SIMPLE TCP port scanner * / int portscan (char * remote_ip, u_short port) {int Sock_fd; int state; struct sockaddr_in target;

SOCK_FD = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);

MEMSET (& Target); target.sin_family = af_inet; target.sin_addr.s_addr = inet_addr (transote_ip); target.sin_port = htons (port);

IF (Connect (Sock_fd, (Struct SockAddr *) & Target, SizeOf (Target)) == 0) {State = true;} else {state = false;} close (SOCK_FD); Return State;}

INT main (int Argc, char * argv []) {struct hostent * he; struct in_addr t_addr; file * fd; char buf [100]; char ch, * iPlist = argv [1]; int C, i;

IF ((fd = fopen (iPlist, "r")) == 0) {Printf ("Error Opening Input File% S / N", IPLIST); EXIT (1);

While ((CH = FGETC (FD))! = EOF) {if (CH == '/ n' || CH == '|| CH ==' / t ') {BUF [C] =' / 0 '; If (c> 0) {IF ((i = portscan (buf, ssh) == 0)) Printf ("% s Has Port% D Closed./N", BUF, SSH); Else Printf ("%) S Has Port% D Open./N ", BUF, SSH);} c = 0;} else {BUF [C ] = CH;} IF (c> sizeof (buf) -1) {EXIT (1);} } Fclose (fd); Return 0;} ------------------------------------------------------------------------------------------------------------------------------------------ -----------------------------------

It seems to be unlimited here for fopen (), fclose (), and FGETC (). As an exercise, choose some of you like only one command line with only one port scan and adding the code into new. At present, this port scanner only scans a port. It doesn't matter, here we need to do a simple loop and a new variable around portscan (), just below:

-------------------------------------------------- ------------------------- Int Start, end, counter;

START = ATOI (Argv [2]); end = atoi (argv [3]); ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------

Add a simple loop around the portscan () function:

-------------------------------------------------- ------------------------- IF (c> 0) {for (counter = start; counter <= end; counter ) {= ((i = portscan (buf, counter) == 0)) Printf ("% s Has Port% D Closed./N", BUF, Counter; Else Printf ("% s Has Port% D Open./N", BUF, Counter;}}

-------------------------------------------------- -------------------------

The operation output is as follows:

modular @ truncode $ ./portscan hostips.txt 1 25192.168.1.100 has port 1 closed.192.168.1.100 has port 2 closed.192.168.1.100 has port 3 closed.192.168.1.100 has port 4 closed.192.168.1.100 has port 5 closed ....

This looks quite ugly, meaningful to modify this program, so he outputs an IP address and a host name list, open port, and service. The following example may be processed by a child process. In addition to this, finally showed each new modified constructor:

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define true 1
#define false 0

/*
 * Simple TCP port scanner function
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    /* A completed three-way handshake means the port is open */
    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = true;
    } else {
        state = false;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct servent *srvc;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;                /* ch is an int so that EOF can be told apart from a byte */
    int start, end, counter;

    if (argc < 4) {
        printf("Usage: %s <ip list file> <start port> <end port>\n", argv[0]);
        exit(1);
    }
    start = atoi(argv[2]);
    end = atoi(argv[3]);

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* Reverse lookup; the length is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr.s_addr), AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("\n");
                printf("Interesting ports on %s (%s)\n\n", he->h_name, buf);
                printf("Port\tState\tService\n");
                for (counter = start; counter <= end; counter++) {
                    if (portscan(buf, counter) == 0)
                        continue;
                    /* Map the open port to its standard service name, if one is known */
                    srvc = getservbyport(htons(counter), "tcp");
                    printf("%d/tcp\topen\t%s\n", counter, (srvc == NULL) ? "unknown" : srvc->s_name);
                }
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {    /* entry too long for buf */
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

Three new structure declarations were added: struct hostent *he; struct servent *srvc; struct in_addr t_addr;

This version of the program reincorporates the gethostbyaddr() routine from the earlier example so that DNS hostnames are printed as well. The getservbyport() function was also added so that each open port can be matched with its standard service. Refer back to the first paper in this series, Coding a TCP Connect Port Scanner: Step by Step, if you need a refresher on how these functions are implemented.

The next paper in this series will demonstrate how to incorporate variable-length subnet masking (VLSM) into a port scanner.

3. Attached: the original English paper

Coding a TCP Connect Port Scanner: Using Input Files Rev 1.0 - C Hacker's Handbook Series #2

* Truncode Security Development * http://truncode.org
modular

This paper assumes the reader has read truncode.org's paper, Coding a TCP Connect Port Scanner: Step by Step, or already has basic TCP/IP socket programming skills. This paper is intended to build upon the paper Coding a TCP Connect Port Scanner: Step by Step.

] Introduction

The Internet offers an almost endless amount of security scanners to the system administrator, network penetration tester, firewall analyst, and hacker. Try a few searches on a web site like http://packetstormsecurity.com and it will not take long until the massive volume of C code available overwhelms you.

A majority of the smaller port and vulnerability scanners, for example, will scan only one target at a time. This leaves you with two choices: you can either loop the program in a shell script or modify the source code itself.

If you do not yet feel comfortable with writing your own routines, look at some of the more robust scanners out there with the existing functionality you would like to see in your own tools. This is the approach I take in this paper. For this paper's file input/output example I chose to rip the read_hosts() function from the excellent SNMP brute-force scanner onesixtyone written by solareclipse@phreedom.org. After some time modifying and tweaking existing code you come across, you'll naturally begin to develop your own routines without even thinking about it. It is a common belief that if you use existing code, you are not "elite". This is actually the best way to learn. Just make sure you understand every line you use!

] File Input Function:

Let us first get reacquainted with the process of opening files.

---------------------------------------------------------------------------
fopen()
---------------------------------------------------------------------------

In order to use a file, we first need to open it. This is accomplished with the fopen() function. This function's prototype is as follows:

FILE *fopen(const char *path, const char *mode);

The fopen() function takes two arguments: the path of the target file and the mode in which to open it. If successful, fopen() returns a FILE pointer.

---------------------------------------------------------------------------
fclose()
---------------------------------------------------------------------------

The fclose() function closes the stream once we are done with it.

---------------------------------------------------------------------------
fgetc()
---------------------------------------------------------------------------

This function reads in one character at a time. This is the magic function that will allow us to read in a list of IP addresses or hostnames, for example. Each time fgetc() returns, we simply increment to the next character until we reach the end of the line.

The following simple program opens a file and prints each line using the previous functions:

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;                /* ch is an int so that EOF can be told apart from a byte */

    if (argc < 2) {
        printf("Usage: %s <ip list file>\n", argv[0]);
        exit(1);
    }
    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                printf("%s\n", buf);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {    /* entry too long for buf */
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

First, we define the FILE pointer *fd. The fopen() function then opens a file by associating a stream with the FILE pointer. As we loop through each character using fgetc(), the program checks for a newline, space, or tab indicating the end of an entry. When a newline, space, or tab is encountered, the string collected so far is printed and the loop starts again. This program is not exactly interesting, but it serves as a basis from which to begin writing a small port or vulnerability scanner.

Let's modify this program by replacing the printf() statement with a gethostbyaddr() routine. Now this program has become useful with only a few adjustments: it can do speedy reverse DNS lookups on a large list of IP addresses.

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;                /* ch is an int so that EOF can be told apart from a byte */

    if (argc < 2) {
        printf("Usage: %s <ip list file>\n", argv[0]);
        exit(1);
    }
    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* Reverse lookup; the length is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr.s_addr), AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("%s\n", he->h_name);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {    /* entry too long for buf */
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

At first glance, this program looks much more complex than its predecessor, but the logic is in fact the same. By using this simple template, we can develop many useful programs. This time we swap out the gethostbyaddr() routine for a simple TCP connect port scanning function. Suddenly this program is transformed into a port scanner capable of scanning whole subnets!

---------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define true 1
#define false 0
#define SSH 22

/*
 * Simple TCP port scanner
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    /* A completed three-way handshake means the port is open */
    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = true;
    } else {
        state = false;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;                /* ch is an int so that EOF can be told apart from a byte */

    if (argc < 2) {
        printf("Usage: %s <ip list file>\n", argv[0]);
        exit(1);
    }
    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                if (portscan(buf, SSH) == 0)
                    printf("%s has port %d closed.\n", buf, SSH);
                else
                    printf("%s has port %d open.\n", buf, SSH);
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {    /* entry too long for buf */
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

There seem to be unlimited possibilities with fopen(), fclose(), and fgetc(). As an exercise, pick some of your favorite scanners that are limited to only one host on the command line and hack the code into something new!

So far this port scanner scans only one port. To scan a range of ports, add a start port, an end port, and a counter:

---------------------------------------------------------------------------
int start, end, counter;

start = atoi(argv[2]);
end = atoi(argv[3]);
---------------------------------------------------------------------------

and a simple for loop around the portscan() function:

---------------------------------------------------------------------------
if (c > 0) {
    for (counter = start; counter <= end; counter++) {
        if (portscan(buf, counter) == 0)
            printf("%s has port %d closed.\n", buf, counter);
        else
            printf("%s has port %d open.\n", buf, counter);
    }
}
---------------------------------------------------------------------------

The output is superfluous and is due for some tweaking:

modular@truncode$ ./portscan hostips.txt 1 25
192.168.1.100 has port 1 closed.
192.168.1.100 has port 2 closed.
192.168.1.100 has port 3 closed.
192.168.1.100 has port 4 closed.
192.168.1.100 has port 5 closed.
...

That looks rather ugly. It makes sense to modify the program so that it outputs one IP address together with its hostname, open ports, and services. The following example may be child's play, but the point is to show how each new modification builds on the last:

---------------------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define true 1
#define false 0

/*
 * Simple TCP port scanner function
 */
int portscan(char *remote_ip, u_short port)
{
    int sock_fd;
    int state;
    struct sockaddr_in target;

    sock_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(remote_ip);
    target.sin_port = htons(port);

    /* A completed three-way handshake means the port is open */
    if (connect(sock_fd, (struct sockaddr *)&target, sizeof(target)) == 0) {
        state = true;
    } else {
        state = false;
    }
    close(sock_fd);
    return state;
}

int main(int argc, char *argv[])
{
    struct hostent *he;
    struct servent *srvc;
    struct in_addr t_addr;
    FILE *fd;
    char buf[100];
    char *iplist = argv[1];
    int ch, c;                /* ch is an int so that EOF can be told apart from a byte */
    int start, end, counter;

    if (argc < 4) {
        printf("Usage: %s <ip list file> <start port> <end port>\n", argv[0]);
        exit(1);
    }
    start = atoi(argv[2]);
    end = atoi(argv[3]);

    if ((fd = fopen(iplist, "r")) == 0) {
        printf("Error opening input file %s\n", iplist);
        exit(1);
    }
    c = 0;
    ch = 0;

    while ((ch = fgetc(fd)) != EOF) {
        if (ch == '\n' || ch == ' ' || ch == '\t') {
            buf[c] = '\0';
            if (c > 0) {
                t_addr.s_addr = inet_addr(buf);

                /* Reverse lookup; the length is that of the address, not of buf */
                if ((he = gethostbyaddr((char *)&(t_addr.s_addr), sizeof(t_addr.s_addr), AF_INET)) == NULL) {
                    herror("gethostbyaddr");
                    exit(1);
                }
                printf("\n");
                printf("Interesting ports on %s (%s)\n\n", he->h_name, buf);
                printf("Port\tState\tService\n");
                for (counter = start; counter <= end; counter++) {
                    if (portscan(buf, counter) == 0)
                        continue;
                    /* Map the open port to its standard service name, if one is known */
                    srvc = getservbyport(htons(counter), "tcp");
                    printf("%d/tcp\topen\t%s\n", counter, (srvc == NULL) ? "unknown" : srvc->s_name);
                }
            }
            c = 0;
        } else {
            buf[c++] = ch;
        }
        if (c > sizeof(buf) - 1) {    /* entry too long for buf */
            exit(1);
        }
    }
    fclose(fd);
    return 0;
}
---------------------------------------------------------------------------

Three new structure declarations were added: struct hostent *he; struct servent *srvc; struct in_addr t_addr;

The current version of this program has reincorporated the gethostbyaddr() routine from the first example so that DNS hostnames can be printed out as well. The getservbyport() function was also added so that each port can be matched with a standard service. Refer back to the first paper in this series, Coding a TCP Connect Port Scanner: Step by Step, if you need a refresher on how these functions are implemented.
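Every version of the scanner above (in the translation and in the original paper) hands buf to inet_addr() and portscan() without checking it, so a hostname or a typo in the list silently becomes INADDR_NONE (255.255.255.255) and the reverse lookup fails on it. As an added example that is not the paper's code (and not onesixtyone's read_hosts()), here is a hypothetical read_hosts() over an in-memory list that keeps the paper's delimiter rules, refuses an over-long entry instead of truncating it, and keeps only entries that inet_pton() accepts as IPv4 literals; SAMPLE, count_hosts() and host_at() are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <string.h>
#define MAX_HOSTS 64
#define HOST_LEN 100

/* Hypothetical helper, not the paper's code: split a host list on the paper's delimiters
 * (newline, space, tab, plus CR for DOS-style files), keep only tokens that inet_pton()
 * accepts as IPv4 literals, and copy them into hosts[]. Returns the number stored, or -1
 * if a token would overflow HOST_LEN or hosts[] is full; other tokens are skipped. */
int read_hosts(const char *text, char hosts[][HOST_LEN], int max_hosts)
{
    char tok[HOST_LEN];
    struct in_addr tmp;
    int n = 0, c = 0;
    size_t i, len = strlen(text);
    for (i = 0; i <= len; i++) {          /* i == len: a list with no final newline */
        char ch = text[i];
        if (ch == '\n' || ch == '\r' || ch == ' ' || ch == '\t' || ch == '\0') {
            tok[c] = '\0';
            if (c > 0 && inet_pton(AF_INET, tok, &tmp) == 1) {   /* skip non-IPv4 tokens */
                if (n == max_hosts)
                    return -1;
                strcpy(hosts[n++], tok);
            }
            c = 0;
        } else {
            if (c >= HOST_LEN - 1)
                return -1;                /* over-long token: refuse rather than truncate */
            tok[c++] = ch;
        }
    }
    return n;
}

/* Constructed sample list: CRLF, tabs, a hostname, a bad octet and no trailing newline. */
static const char SAMPLE[] =
    "192.168.1.100\r\n10.0.0.1\t10.0.0.2\nwww.example.invalid\n999.1.1.1\n172.16.0.5";

/* Wrappers that hide the array so the results can be checked by return value. */
int count_hosts(const char *text)
{
    char hosts[MAX_HOSTS][HOST_LEN];
    return read_hosts(text, hosts, MAX_HOSTS);
}

int host_at(const char *text, int idx, const char *want)
{
    char hosts[MAX_HOSTS][HOST_LEN];
    int n = read_hosts(text, hosts, MAX_HOSTS);
    return idx < n && strcmp(hosts[idx], want) == 0;
}
```

With the list read this way, the paper's main() can loop over hosts[0..n-1] and call gethostbyaddr() and portscan() only on entries that are known to be well-formed addresses.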

---------------------------------------------------------------------------

The next paper in this series will demonstrate how to incorporate variable-length subnet masking (VLSM) into a port scanner.

Please credit the original URL when reposting: https://www.9cbs.com/read-119174.html
