Port and CGI scanning implementation
Writeby: liond8
Email: liond8@eyou.com
Website: http://liond8.126.com
I. DIY A Port Scanner - Advanced Technology
The scanning technology of the port is now roughly divided into two kinds, one is a low-level traditional scanner, and there is an advanced technology. Today we will talk about the principles of advanced technology and in its current basic code.
After testing, we know that the port is being taking, if it is received in a SYN package (that is, the first time of the TCP handshake), it will return a syn | ACK (0x12) package, if an off port is received, the SYN package will be returned One PSH | RST | SYN (0x14) package and the SYN serial number is 0. If the remote host does not exist, then no packet is returned.
According to the above analysis, we can construct a scanner.
If we send a SYN package to the target machine, if we receive a SYN | ACK (0x12) package we know that the remote port is survived. If you receive a PSH | RST | SYN (0x14), then determine that the port is not open.
Ok, then we need to establish a listening thread before you have a bag, and add an analysis.
1. Define the listening thread:
DWORD WINAPI LISTENINGFUNG (LPVOID LPVOID)
{
First, you need to create an original set.
Socket Rawsock = Socket (AF_INET, SOCK_RAW, IPPROTO_IP);
Then get the IP address of this unit to determine a port to bind Rawsock.
Struct hostent * phostent;
Char Name [100] = {0};
GethostName (Name, 100);
phostent = gethostByName (Name);
Copy the native IP address to Addr_in.sin_addr.s_un.s_addr.
Memcpy (& addr_in.sin_addr.s_un.s_addr, phostent-> h_addr_list [0], phostent-> h_length;
Bind.
Int ret = bind (Rawsock, (Struct SockAddr *) & addr_in, sizeof (addr_in));
Set SiO_RCVALL to receive all packets
DWORD LPVBUFFER = 1;
DWORD LPCBBYTESRETURNED = 0;
WSAIOCTL (Rawsock, SiO_RCVALL, & LPVBUFFER, SIZEOF (LPVBuffer), NULL, 0, & LPCBBYTESRETURNED, NULL, NULL;
Then the remaining is the capture analysis of the packet. Use a dead loop to constantly capture the received packet, and analyze if it is the package returned by the survival port, not, give up, do not do any processing, continue to capture the next packet.
While (True)
{
SockAddr_in from = {0};
INT size = sizeof (from);
Char recvbuf [256] = {0};
// receive the packet
RET = Recvfrom (Rawsock, Recvbuf, Sizeof (Recvbuf), 0, (Struct SockAddr *) & from, & size);
Char * sourceip = inet_ntoa (* (struct in_addr *) & from.sin_addr);
IF (RET! = Socket_ERROR)
{
// Analyze the data package
Ipheader * lpipheader;
Lpipheader = (ipheader *) Recvbuf; if (lpipheader-> proto == ipproto_tcp)
{
TCPHEADER * LPTCPHEADER = (TCPHEADER *) (Recvbuf SizeOf (IpHeader));
// Judgment is the packet returned by the remote open port
IF (LPTCPHEADER-> TH_SEQ! = 0 && lptcpheader-> th_flag == 0x12)
{
// If it is, the port source port information is proposed from the TCP header, print it out.
Printf ("===% S:% D / N", SourceIP, NTOHS (LPTCPHEADER-> TH_SPORT));
}
}
}
} // End while
} One is the listening analysis thread we have to build.
The definitions of Ipheter and TCPHeader are as follows.
Typedef struct ip_head // Defines IP headers
{
Unsigned char h_verlen; // 4 top length, 4-digit IP version number
Unsigned char TOS; // 8 service type TOS
Unsigned short total_len; // 16-bit total length (bytes)
UNSIGNED short ident; // 16 bit identity
Unsigned short frame_and_flags; // 3 bits (such as SYN, ACK, etc.)
Unsigned char TTL; // 8-bit survival time TTL
UNSIGNED Char proto; // 8-bit protocol (such as ICMP, TCP, etc.)
UNSIGNED Short Checksum; // 16-bit IP header checksum
Unsigned int sourceip; // 32 bitsource IP address
UNSIGNED INT Destip; // 32 bit IP address
} Ipheader;
Typedef struct tcp_head // Defines TCP header
{
Ushort th_sport; // 16 bond source port
USHORT TH_DPORT; / / 16-bit destination port
Unsigned int th_seq; // 32-bit serial number
UNSIGNED INT TH_ACK; / / 32 bit confirmation number
Unsigned char th_lenres; // 4 head length / 6 reserved words
Unsigned char th_flag; // 6 bit flag
Ushort TH_WIN; / / 16-bit window size
USHORT TH_SUM; / / 16-bit checksum
Ushort TH_URP; // 16-bit emergency data offset
} TCPHEADER;
Listening is done, the remaining problem is how to construct the SYN package. The transmission of the general SYN package is to construct an IP header and TCP header, and then use a TCP pseudo-head to calculate the functions and in general. This is also possible to make SYN, but our program efficiency will greatly decrease, we use another high efficiency method. How can I send a SYN bag and don't construct it myself? Do you know if you have a connect () API? Originally, it is used to establish a connection. It hides TCP three handshakes. If we turn off the clamps after sending a SYN package, can it be able to send a SYN package? So it is necessary to set the sleeve as non-blocking.
2. The implementation of the SYN package is as follows.
DWORD WINAPI SCAN (LPVOID LP)
{
// LP is an IP address and port information for the scan target for a structural address. // as follows:
// typedef struct // Define a structure that delivers IP and port, information
// {
// Ulong IP;
// ushort port;
//} infor;
Socket Sock = NULL;
SockAddr_in addr_in = {0};
TCHAR Sendbuf [256] = {0};
Infor * lpinfor = (infor *) lp;
Int Ierr;
Ulong ul = 1;
Ushort port = lpinfor-> port;
Addr_in.sin_family = af_INet;
Addr_in.sin_port = htons (port);
Addr_in.sin_addr.s_un.s_addr = lpinfor-> ip;
IF ((Sock = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == Invalid_socket
Printf ("socket setup error! / n");
Ierr = ioctlsocket (sock, fionbio, (unsigned long *) & ul); // Set SOCK is non-blocking
Connect (STRUCK, STRUCKADDR *) & addr_in, sizeof (addr_in)); // Send SYN package
CloseSocket (SOCK);
Return 0;
}
The most important listening and sending thread are all completed, and the rest is just how to extract the IP address and the port and then pass it to the send function.
Int main (int Argc, char * argv [])
{
Wsadata wsadata;
Infor INFOR = {0};
Ulong startip = 0, Endip = 0;
INT number = 0;
IF (WsaStartup (MakeWord (2, 2), & WSADATA)! = 0)
{
Printf ("INITWSASTARTUP ERROR! / N");
Return 0;
}
// Create a thread analysis of the ingredient to analyze the package.
CreateThread (NULL, 0, ListeningFunc, & Tempnum, Null, NULL);
Sleep (500); // Waiting for the initialization of the thread
Ulong startip = 0, Endip = 0;
Startip = NTOHL (INET_ADDR (Argv [1]));
Endip = NTOHL (INET_ADDR (Argv [2]));
For (; startip <= endip; startip ) // from the first IP to the last IP
{
Infor.ip = HTONL (STARTIP);
INT NUM = ListNum; // ListNum is the length of the defined port list
While (NUM -)
{
Infor.Port = portList [NUM]; // From the list, you get the port value, ready to pass to the package function
SCAN (& Infor); // Sends a SYN package for the target IP and port.
}
} // end for
SLEEP (2000); // Last Wait 2S, the last package of the last issued package is returned.
Printf ("Scan Completely.");
Return 1;
} // The main thread returns the end.
The above all code is basically a scanner. This scanning method according to the actual test is quite fast. Second. CGI scanner
CGI's scanning premise is that an open 80 (web service) can be utilized. First we must establish a connection with the remote 80 port. Then by submitting the GET request, then determine according to the returned information. For example, the 200 returned 200 represents success, everything is normal. 404 represents the resource that cannot be found in the specified location. 403 represents resource not available. Then we listen to the returned data is a substring such as "http / 1.1 200". There is a successful request, otherwise the request will fail.
The general implementation is as follows:
Int main (int Argc, char * argv [])
{
Wsadata wsadata;
File * fp = null;
FP = FOPEN ("CGI.LST", "R");
//cgi.lst is all in the list of CGI vulnerabilities. It is similar to "Get /_vti_bin/shtml.exe".
WSASTARTUP (Makeword (2, 2), & WSADATA);
Infor INFOR = {0};
// Infor structure is used to pass CGI information and IP information
// Defined as follows:
// typedef struct
// {
// Char Sendbuf [100];
// char ip [20];
//} infor;
IF (argc! = 2) Return 0;
Memcpy (INFOR.IP, Argv [1], Strlen (Argv [1]));
Printf ("Scan Start ....... / N");
/ / Read the CGI information scanned from the file
While (Fgets (Infor.sendbuf, 100, FP)! = null)
{
Handle h = 0;
H = Createthread (NULL, 0, SCAN, & Infor, Null, NULL); // Create a thread scan
IF (h == NULL)
Printf ("CreateThread False / N");
WaitforsingleObject (h, infinite); // Waiting for a scan to end
MEMSET (Infor.sendbuf, 0,100);
}
Printf ("Scan Completely./N");
} // end main
The SCAN thread is defined as follows:
DWORD WINAPI SCAN (LPVOID LP)
{
Socket Sock = NULL;
SockAddr_in Target = {0};
INT Error = 0;
Char BUF [256] = {0};
CHAR * P = NULL;
Infor * lpinfor = (infor *) lp;
IF ((Sock = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == Invalid_socket
{
Printf ("socket setup error! / n");
Return False;
}
Target.sin_family = AF_INET;
Target.sin_port = HTONS (80);
Target.sin_addr.s_un.s_addr = inet_addr (lpinfor-> ip);
Error = Connect (Sock, (Struct SockAddr *) & Target, Sizeof (Target)); // Connection
IF (error == Socket_ERROR)
{
Printf ("Connect False! / N"); Return 0;
}
Send (sock, lpinfor-> sendbuf, 100, 0); // Send GET request
RECV (SOCK, BUF, 256, 0); // Receive the return information
P = strstr (buf, "http / 1.1 200"); // There is an HTTP / 1.1 200 substring in the information returned.
IF (p! = null) // 200 means everything is normal, the answer document requesting GET and POST requests followed
{
Printf ("% s", lpinfor-> sendbuf); // play the scanned vulnerability
}
CloseSocket (SOCK);
Return 1;
}
If reproduced: Please explain the author information, indicating the starting publication.
