Detecting which ports a remote host's firewall allows through


Last time I got a WebShell on a host, but then I ran into trouble: the host had a hardware firewall installed. Although I found that the host's MSSQL had the Hello overflow vulnerability, the firewall kept me from getting a shell (a reverse connection would connect, but no data ever came through), and the N kinds of local privilege escalation I tried all ended in failure. Depressing! Later I thought: if I used SQLHELLO from the WebShell and had the shell bind to a port that the firewall allows through, wouldn't that work? Of course, that port must currently be closed.

Everyone knows that if you can connect to a port on a remote host, then that port is naturally allowed through by the firewall. The problem now is the ports that are closed: how do you tell which of those the firewall allows?

Here I remembered a veteran saying that if you telnet to a port on the remote host and the connection returns immediately, the port is closed; if you have to wait more than ten seconds before it returns, the other side most likely has a firewall. That method is right, but there are 65535 ports in total, which I am not going to telnet by hand, so I wrote a program to sweep them automatically.

Similar to a port scanner, this program also calls Winsock's connect function. If the port is closed, connect returns error code 10061 (connection refused: "No connection could be made because the target machine actively refused it"); but if the other side's firewall intercepts the connection request, the attempt eventually returns error 10060 (connection timed out). So we can use the type of error returned to determine whether a port is allowed through the remote host's firewall. One caveat: if the target IP does not exist, every port will time out as well.
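The same refused-versus-timeout distinction, seen from the defender's side, as an added example that is not part of the original post: a Python classifier for connect() outcomes (using portable errno values alongside Winsock's 10061, and socket timeouts in place of 10060) plus an audit of a probe result set against the port allow list of your own perimeter. Any port that answers with a RST is one the firewall passes, and a result where nothing answered at all is marked inconclusive, because an unreachable host looks exactly like "everything filtered". The probe() helper and the sample result set are assumptions of this example.

```python
import errno
import socket

# Outcome classes for one TCP connect() attempt, following the article's reasoning:
#   REFUSED -> the SYN reached the host and a RST came back: closed, but passed by the firewall
#   TIMEOUT -> no answer at all: dropped by a firewall, or the host simply is not there
#   OPEN    -> a service accepted the connection
REFUSED, TIMEOUT, OPEN, OTHER = "refused", "timeout", "open", "other"

# Winsock's numeric code from the article; on POSIX the same condition is errno.ECONNREFUSED.
WSAECONNREFUSED = 10061


def classify(exc):
    """Map a connect() outcome (None on success, otherwise the exception raised) to a class."""
    if exc is None:
        return OPEN
    if isinstance(exc, (socket.timeout, TimeoutError)):   # Winsock 10060 / ETIMEDOUT
        return TIMEOUT
    if isinstance(exc, OSError) and exc.errno in (errno.ECONNREFUSED, WSAECONNREFUSED):
        return REFUSED
    return OTHER                                          # no route, network unreachable, ...


def probe(host, port, timeout=3.0):
    """One TCP connect to host:port with a bounded wait; returns a class, never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:                                # socket.timeout is an OSError subclass
        return classify(exc)


def audit(results, allowed):
    """results: {port: class} from probing your own perimeter; allowed: ports policy permits.
    Ports answering (open or refused) are passed by the firewall; a RST outside the allow
    list is a policy gap. Nothing answering at all makes the scan inconclusive."""
    reachable = {p for p, c in results.items() if c in (OPEN, REFUSED)}
    unexpected = sorted(reachable - set(allowed))
    inconclusive = bool(results) and not reachable
    return {"reachable": sorted(reachable), "unexpected": unexpected, "inconclusive": inconclusive}


if __name__ == "__main__":
    # Constructed sample: a host whose policy should expose only port 80.
    sample = {22: REFUSED, 80: OPEN, 443: TIMEOUT, 1433: TIMEOUT, 3389: REFUSED}
    print(audit(sample, allowed=[80]))
```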

The principle is simple, so the code is easy to follow: it just calls Winsock's connect. For Winsock programming, refer to "Windows Network Programming Technology". Multithreading also has to be taken care of here; otherwise, heh, it would not finish in a whole day. The threads are created with the CreateThread API function; see MSDN for details. I just found some scanner code online for reference and wrote this program; the code is as follows:

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

#define MAXTHREADCOUNT 100     // maximum number of concurrent scan threads
#define SUMSCANCOUNT   65535   // total number of ports to scan

struct sockaddr_in server;
volatile LONG threadcount = 0; // number of scan threads still running (updated atomically)
int dwThrdParam = 1;           // port passed to CreateThread; advanced by the main loop

// Resolve a dotted IP or host name to a network-order IPv4 address.
unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if ((ip = inet_addr(name)) == INADDR_NONE) {
        if ((he = gethostbyname(name)) == 0) {
            printf("Error: can't resolve %s.\n", name);
            exit(0);
        }
        memcpy(&ip, he->h_addr, 4);
    }
    return ip;
}

// Thread body: one connect() to the given port, classified by the Winsock error code.
DWORD WINAPI scan(LPVOID lpParam)
{
    SOCKET mysock;
    int code, port = (int)(INT_PTR)lpParam;

    mysock = socket(AF_INET, SOCK_STREAM, 0);
    if (mysock == INVALID_SOCKET) {
        printf("Socket error!\n");
        InterlockedDecrement(&threadcount);
        return 1;
    }
    server.sin_port = htons(port);
    if (connect(mysock, (struct sockaddr *)&server, sizeof(server)) != 0) {
        code = WSAGetLastError();
        if (code == 10061)                      // WSAECONNREFUSED: closed, but reachable
            printf("Port %d allowed open\n", port);
        // 10060 (WSAETIMEDOUT): no answer, the firewall dropped the request
    } else {
        printf("Port %d open (service listening)\n", port);
    }
    closesocket(mysock);
    InterlockedDecrement(&threadcount);
    return 0;
}

// Start one scan thread for the given port and pace the thread creation.
void thread(int port)
{
    DWORD dwThreadId;
    HANDLE hThread;

    hThread = CreateThread(NULL,                // default security attributes
                           0,                   // use default stack size
                           scan,                // thread function
                           (LPVOID)(INT_PTR)port, // argument to thread function
                           0,                   // use default creation flags
                           &dwThreadId);        // returns the thread identifier
    if (hThread == NULL) {
        printf("CreateThread failed.\n");
        return;
    }
    dwThrdParam++;
    InterlockedIncrement(&threadcount);
    Sleep(200);                                 // delay, otherwise the CPU will be pegged...
    CloseHandle(hThread);
}

int main(int argc, char *argv[])
{
    WSADATA ws;

    if (argc != 2) {
        printf("\n- This program finds ports that the firewall allows open -\n");
        printf("- Only for test by Lake2 -\n");
        printf("Usage: %s ip\n", argv[0]);
        exit(0);
    }
    if (WSAStartup(MAKEWORD(2, 2), &ws) != 0) {
        printf("[-] WSAStartup() error\n");
        exit(0);
    }
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = resolve(argv[1]);
    printf("Starting and waiting..............\n");
    // The original listing is cut off inside this loop; the body is reconstructed
    // from the constants above: start a thread per port, never more than MAXTHREADCOUNT at once.
    while (dwThrdParam <= SUMSCANCOUNT) {
        if (threadcount < MAXTHREADCOUNT)
            thread(dwThrdParam);
        else
            Sleep(200);
    }
    while (threadcount > 0)                     // let the last threads report before exiting
        Sleep(200);
    WSACleanup();
    return 0;
}

Once the program was written, of course it had to be used. After a long 3-hour scan, the result: the target host's firewall only allows port 80 through. I nearly fainted on the spot! Oh well, "the road ahead is long and far; I shall seek high and low" ......

Lake2 2005-1-18

Please credit the original address when reposting: https://www.9cbs.com/read-67378.html
