├── CHANGELOG ├── COPYING.GPL ├── COPYING.YAPSCAN ├── INSTALL ├── Makefile ├── README ├── TODO ├── md5.c ├── md5.h ├── ports-tcp-all.txt ├── ports-tcp-common.txt ├── ports-tcp-database.txt ├── ports-tcp-known.txt ├── ports-udp-all.txt ├── ports-udp-common.txt ├── ports-udp-known.txt ├── scanner-icmp.cpp ├── scanner-icmp.h ├── scanner-port.cpp ├── scanner-port.h ├── scanner-tcp.cpp ├── scanner-tcp.h ├── scanner-udp.cpp ├── scanner-udp.h ├── scanner.cpp ├── scanner.h ├── utils.cpp ├── yapscan.cpp └── yapscan.h /CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2008-04-06 Yapscan v0.7.4-beta 3 | 4 | * Removed "STRANGE" messages from ICMP scanning. These 5 | messages are now only displayed in verbose mode. 6 | 7 | 2007-12-21 Yapscan v0.7.3-beta 8 | 9 | * Fixed crash during debugging with -d -d 10 | 11 | 2007-07-03 Yapscan v0.7.2-beta 12 | 13 | * Fixed crash during ICMP scanning 14 | 15 | 2007-06-19 Yapscan v0.7.1-beta 16 | 17 | * Estimated scan time completion bug fixed 18 | 19 | 2007-06-10 Yapscan v0.7.0-beta 20 | 21 | * Added -m option to specify maximum amount of memory to use 22 | * If scan can't be completed with the memory available 23 | the scan is split into chunks. 24 | * Changed the "Tries" scan info line to "Retries" 25 | * Fixed some off-by-one's. Oops. 26 | 27 | 2007-04-12 Yapscan v0.6.1-beta 28 | 29 | * Prints type of scan being performed in "Scan Information" 30 | * UDP port list files included 31 | 32 | 2007-03-07 Yapscan v0.6.0-beta 33 | 34 | * Source port is no longer static by default 35 | * "-l port" now works for UDP scans too 36 | 37 | 2007-01-16 Yapscan v0.5.9-beta 38 | 39 | * Included time.h for compilation on debian 40 | * -t also takes comma-separated list like -t echo,time,addr 41 | * Scan type defaults to -sS if -s option is omitted 42 | * Fixed some warnings caused by gcc-4.1.x 43 | 44 | 2006-12-13 Yapscan v0.5.8-beta 45 | 46 | * Can now specify a static source port with -l 47 | 48 | 2006-12-11 Yapscan v0.5.7-beta 49 | 50 | * Fixed double-free bug for ICMP scanning 51 | * Removed support for DoS attacks 52 | 53 | 2006-10-23 Yapscan v0.5.6-beta 54 | 55 | * Overhauled PDF documentation and included in distro tarball. 56 | 57 | 2006-10-22 Yapscan v0.5.5-beta 58 | 59 | * -P option now works for UDP scans 60 | * ICMP scans now default to ping scans if -t isn't specified 61 | * Warning message displayed if kernel drops packets 62 | 63 | 2006-10-07 Yapscan v0.5.4-beta 64 | 65 | * Added -n option to turn off name resultion 66 | * Added -N option to turn off service name resolution 67 | * -T option now sets TTL (help message wrongly stated -t before) 68 | * IP ranges can now be specified in 'slash' notation (e.g. 127.0.0.1/24) 69 | * Fixed crash during TCP scanning 70 | 71 | 2006-09-26 Yapscan v0.5.2-beta 72 | 73 | * Fixes some errors when compiling on gcc 4.1.x 74 | 75 | 2006-09-23 Yapscan v0.5.1-beta 76 | 77 | * Fixed crash during TCP scanning 78 | 79 | 2006-09-16 Yapscan v0.5.0-beta 80 | 81 | * Fixed some errors when compiling on gcc 3.3.x 82 | 83 | 2006-08-22 Yapscan v0.4.9-beta 84 | 85 | * Initial public release 86 | 87 | -------------------------------------------------------------------------------- /COPYING.GPL: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /COPYING.YAPSCAN: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 7 | -------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | make 2 | make install 3 | 4 | There are comments in the Makefile about compiling without OpenSSL libraries. 5 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | CC=g++ 2 | DATADIR=/usr/local/share/yapscan/ 3 | BINDIR=/usr/local/bin/ 4 | YAPSCAN_VERSION=yapscan-0.7.6-beta 5 | 6 | # Tip for optimising speed: Set march option in CFLAGS, e.g. -march=athlon-xp TODO detect this automatically 7 | 8 | # If debugging 9 | # CFLAGS=-g -Wall -Woverloaded-virtual -Wsign-promo -Wno-non-virtual-dtor -fno-inline # debugging flags 10 | # DEBUGDEFINES=-DDEBUG 11 | 12 | # If not debugging 13 | CFLAGS=-s -Wall -Woverloaded-virtual -Wsign-promo -Wno-non-virtual-dtor -O3 -fomit-frame-pointer # normal flags 14 | CFLAGS=-s -Wno-write-strings -O3 -fomit-frame-pointer # normal flags 15 | 16 | # OpenSSL's MD5 library speeds up scanning. If you have openssl installed, do this: 17 | DEFINES=-DHAVE_LIBCRYPTO ${DEBUGDEFINES} 18 | LDLIBS=-lpcap -lcrypto 19 | 20 | # Otherwise do this: 21 | # DEFINES=${DEBUGDEFINES} 22 | # LDLIBS=-lpcap 23 | 24 | # TODO Write good enough code to avoid these warning... 25 | # CFLAGSTODO=-Weffc++ -Wold-style-cast 26 | 27 | # TODO pass LDLIBS, LIBS through from configure. Only compile md5.o if we need to. 28 | OBJS=scanner.o scanner-port.o scanner-tcp.o scanner-udp.o scanner-icmp.o md5.o yapscan.o utils.o 29 | 30 | all: yapscan 31 | 32 | install: yapscan ports-tcp-all.txt ports-tcp-known.txt ports-tcp-common.txt ports-tcp-database.txt ports-udp-all.txt ports-udp-known.txt ports-udp-common.txt 33 | mkdir -p -m 0755 $(BINDIR) $(DATADIR) 34 | install -m 0755 -o root -g root yapscan $(BINDIR) 35 | install -m 0644 -o root -g root ports-tcp-all.txt $(DATADIR) 36 | install -m 0644 -o root -g root ports-tcp-known.txt $(DATADIR) 37 | install -m 0644 -o root -g root ports-tcp-common.txt $(DATADIR) 38 | install -m 0644 -o root -g root ports-udp-all.txt $(DATADIR) 39 | install -m 0644 -o root -g root ports-udp-known.txt $(DATADIR) 40 | install -m 0644 -o root -g root ports-udp-common.txt $(DATADIR) 41 | install -m 0644 -o root -g root ports-tcp-database.txt $(DATADIR) 42 | 43 | yapscan: $(OBJS) 44 | $(CC) $(CFLAGS) ${OBJS} $(OPTS) $(LDLIBS) $(DEFINES) -o $@ 45 | 46 | static: $(OBJS) 47 | $(CC) $(STATICCFLAGS) ${OBJS} $(OPTS) $(LDLIBS) $(DEFINES) -static -o yapscan 48 | 49 | efence: $(OBJS) 50 | $(CC) $(CFLAGS) ${OBJS} $(OPTS) $(LDLIBS) $(DEFINES) -lefence -o yapscan 51 | 52 | utils.o: utils.cpp yapscan.h 53 | $(CC) $(CFLAGS) $(DEFINES) -c utils.cpp -o utils.o 54 | 55 | yapscan.o: yapscan.cpp yapscan.h 56 | $(CC) $(CFLAGS) $(DEFINES) -c yapscan.cpp -o yapscan.o 57 | 58 | md5.o: md5.c md5.h 59 | $(CC) $(CFLAGS) $(DEFINES) -c md5.c -o md5.o 60 | 61 | scanner-tcp.o: scanner-tcp.cpp scanner-tcp.h 62 | $(CC) $(CFLAGS) $(DEFINES) -c scanner-tcp.cpp -o scanner-tcp.o 63 | 64 | scanner-port.o: scanner-port.cpp scanner-port.h 65 | $(CC) $(CFLAGS) $(DEFINES) -c scanner-port.cpp -o scanner-port.o 66 | 67 | scanner-udp.o: scanner-udp.cpp scanner-udp.h 68 | $(CC) $(CFLAGS) $(DEFINES) -c scanner-udp.cpp -o scanner-udp.o 69 | 70 | scanner-icmp.o: scanner-icmp.cpp scanner-icmp.h 71 | $(CC) $(CFLAGS) $(DEFINES) -c scanner-icmp.cpp -o scanner-icmp.o 72 | 73 | scanner.o: scanner.cpp scanner.h 74 | $(CC) $(CFLAGS) $(DEFINES) -c scanner.cpp -o scanner.o 75 | 76 | docs: 77 | pdflatex yapscan-user-docs.tex 78 | pdflatex yapscan-user-docs.tex 79 | pdflatex yapscan-user-docs.tex 80 | 81 | dist: 82 | rm -rf $(YAPSCAN_VERSION) 83 | mkdir $(YAPSCAN_VERSION) 84 | cat dist-files.txt | xargs -I FILES cp FILES $(YAPSCAN_VERSION) 85 | tar --owner root --group 0 -cz -f $(YAPSCAN_VERSION).tar.gz $(YAPSCAN_VERSION) 86 | 87 | clean: 88 | -rm -f *.o yapscan yapscan-user-docs.pdf 89 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | This documentation is a work in progress. Also see help message: yapscan -h 2 | 3 | Contents 4 | ======== 5 | 6 | Section# Title 7 | -------- ----- 8 | 9 | 1 Credit 10 | 11 | 2 Why write Yet Another Port Scanner? 12 | 13 | 3 Features 14 | 3.1 TCP SYN Scanning 15 | 3.2 (Limited) UDP Port Scanning 16 | 3.3 ICMP Scanning 17 | 3.4 SYN Flooding 18 | 3.5 TCP Connect Flooding 19 | 3.6 Scanning Speed 20 | 3.7 Retries 21 | 22 | 4 Limitations 23 | 4.1 Memory-hungry 24 | 4.2 Replies from different IPs 25 | 26 | 27 | (1) Credit 28 | ========== 29 | 30 | Much inspiration (and even small amounts of code) as been drawn from other 31 | tools. It's only right that I pay my dues... 32 | 33 | 34 | synscan (http://bindshell.net/tools/synscan) 35 | -------------------------------------------- 36 | 37 | The fastest half-open portscanner that I'm aware of. I borrowed the code 38 | for determining link-layer header lengths from synscan. 39 | 40 | 41 | nmap (http://insecure.org/nmap) 42 | ------------------------------- 43 | 44 | The most reliable portscanner I'm aware of. I use nmap during every pentest. 45 | Most of yapscan's options are designed to be intuitive for nmap users. 46 | 47 | 48 | ike-scan (http://www.nta-monitor.com/tools/ike-scan) 49 | ---------------------------------------------------- 50 | 51 | Hostlist structures and retries are heavily inspired by ike-scan. 52 | 53 | 54 | hping2 (http://www.hping.org) 55 | ----------------------------- 56 | 57 | The output format is loosly based on hping2's. 58 | 59 | 60 | scanrand (http://www.doxpara.com/paketto) 61 | ----------------------------------------- 62 | 63 | I love the Inverse SYN Cookies idea. Very simple method to determine if 64 | replies on the wire are meant for your scanner or some other app. 65 | 66 | 67 | netkill (http://www.security.nnov.ru/files/netkill.pl) 68 | ------------------------------------------------------ 69 | 70 | Simple little PERL script to do TCP connect floods and more. I thought it'd 71 | be useful to build some of this into yapscan. 72 | 73 | 74 | (2) Why write Yet Another Port Scanner? 75 | ======================================= 76 | 77 | When I started writing yapscan I wanted to: 78 | a: Learn some C++ 79 | b: Write some generic classes that handle all the mundane parts of port 80 | scanning (like hostlist traversal, retries, bandwidth usage). 81 | 82 | The idea being that next time I needed to write a scanner (whether it 83 | be ARP, IPv6, DNS server-finder, mass DoS payload deliverer, etc.) 84 | I'd be able to quickly code up the probe, define how to parse responses 85 | and the generic classes would take care of the rest. 86 | 87 | Alas, my eyes were too big for my belly and I've ended up with yet 88 | another IPv4 port scanner. 89 | 90 | Maybe I'll acheive my original goal someday, but as of today I'm still 91 | some way off. 92 | 93 | That said, I do find yapscan useful during most pentests, so I thought 94 | I'd submit it back to he community in hope that others would too. 95 | 96 | 97 | (3) Features 98 | ============ 99 | 100 | (3.1) TCP SYN Scanning 101 | ---------------------- 102 | 103 | Also known as half-open scanning. 104 | 105 | On an internal network you probably just want to see the open ports. Here 106 | are some example of how to specify hosts and ports: 107 | 108 | # yapscan -sS 192.168.0.1-254 -p 1-1024 109 | # yapscan -sS 10.0.0.1-10.0.255.255 -p 21,22,23,53,80,139,445,3389 110 | # yapscan -sS -f targets-ips.txt -p 4444 111 | 112 | From an external network, you might also want to see the closed ports (-c): 113 | 114 | # yapscan -sS www.example.com -p 1-65535 -c 115 | 116 | You can scan just the common ports (using a portlist derived from nmap): 117 | 118 | # yapscan -sS 127.0.0.1 -i lo -P common 119 | 120 | (supported keywords are based on filesnames what ship with yapscan. 121 | As of v0.4.9-beta there is: all, known, common, database) 122 | 123 | Note that we needed to specify the different interface to listen for 124 | replies on (default is eth0). 125 | 126 | Specify ports using names as well as numbers (from /etc/services): 127 | 128 | # yapscan -sS router -i eth1 -p telnet,80,443,ssh,6000-6063 129 | 130 | Or specify your own port list (1 port per line): 131 | 132 | # yapscan -sS -f mytargets.txt -P myports.txt 133 | 134 | You can do "-p -" like in nmap too if you want to scan 1-65535: 135 | 136 | # yapscan -sS -f mytargets.txt -p - 137 | 138 | I've also implemented the exotic type of scans like Xmas tree, null, etc. 139 | These aren't particularly well tested as of v0.4.9-beta. See the 140 | help message for more info: yapscan -h 141 | 142 | Also see "Scanning Speed" and "Retries" near the end of this section. In 143 | particular, make sure you specify a low speed for remote testing (e.g. -b 32k). 144 | 145 | (3.2) (Limited) UDP Port Scanning 146 | --------------------------------- 147 | 148 | This scan mode is designed to answer the question "Does host X have any closed 149 | UDP ports?" i.e. does it reply with an ICMP Port Unreachable for probes sent 150 | to one or more of its UDP ports. 151 | 152 | This type of scan will (unfortunately) not tell you all the upon UDP ports. 153 | 154 | I use this mainly for scanning Firewalled hosts which I'm pretty sure won't 155 | have any closed UDP ports. 156 | 157 | Yapscan sends empty UDP packets to a range of ports at a steady (usually 158 | quite fast) rate. It will report any ICMP port unreachable messages 159 | it receives. 160 | 161 | If you receive no replies then you know there are no closed UDP ports. 162 | 163 | # yapscan -su router -i eth1 -p 1-65535 164 | 165 | IMPORTANT NOTE: If you receive 1 or more ICMP port unreachable error 166 | messages, you cannot infer that these are the only close ports. 167 | Yapscan does not back-off intellegently like nmap, so a host which 168 | limits that rate at which it sends ICMP errors, will (falsly) 169 | appear to have less ports open. 170 | 171 | (3.3) ICMP Scanning 172 | ------------------- 173 | 174 | Yapscan can perform the following type of ICMP sweeps: 175 | - Echo Request 176 | - Timestamp Request 177 | - Addressmask Request 178 | - Information Request 179 | 180 | You can perform 1 or more types of scan at once: 181 | 182 | # yapscan -sI 10.0.0.0-10.10.255.255 -t echo 183 | # yapscan -sI 10.0.0.0-10.10.255.255 -t echo -t addr 184 | # yapscan -sI 10.0.0.0-10.10.255.255 -t info 185 | # yapscan -sI 10.0.0.0-10.10.255.255 -t time 186 | # yapscan -sI 10.0.0.0-10.10.255.255 -t - 187 | 188 | The last example will scan all supported ICMP types. 189 | 190 | As of v0.4.9-beta yapscan is also able to send Router Solicitations, but 191 | it won't report replies, so this 5th type isn't much use at present. 192 | 193 | (3.4) SYN Flooding 194 | ------------------ 195 | 196 | Bombard some TCP ports with SYN packets. The DoS attack is only effective 197 | if the source IP is spoofed to an address that doesn't respond. 198 | 199 | The following will send 100000 SYNs as fast as possible to port 445 on 200 | my.victim.intranet. The spoofed source IP is set to 10.0.0.1. 201 | 202 | ./yapscan -sS -F -b 99M -r 100000 -p 445 -S 10.0.0.1 my.victim.intranet 203 | 204 | (3.5) TCP Connect Flooding 205 | -------------------------- 206 | 207 | The basic method used here is: 208 | 1: Yapscan sends a SYN to an open port on the host 209 | 2: Yapscan see the SYN/ACK reply from the host 210 | 3: Yapscan crafts an ACK to open the connection 211 | 212 | To work properly we can't use the host's IP address. Otherwise the kernel 213 | will reply to the SYN/ACK with RST and tear down the connection. 214 | 215 | Find an unused IP address on your local network (i.e. the network from 216 | where you're running yapscan). We'll use 172.16.16.100 in this example. 217 | 218 | ARP for this address, but make sure your kernel doesn't process the packets. 219 | A simple way to do this is using arp-sk. 220 | 221 | # arp-sk -i vmnet1 -r -S 172.16.16.100 222 | + Initialization of the packet structure 223 | + Running mode "reply" 224 | + Ifname: vmnet1 225 | + Source MAC: 00:50:56:c0:00:01 226 | + Source ARP MAC: 00:50:56:c0:00:01 227 | + Source ARP IP : 172.16.16.100 228 | + Target MAC: ff:ff:ff:ff:ff:ff 229 | + Target ARP MAC: ff:ff:ff:ff:ff:ff 230 | + Target ARP IP : 255.255.255.255 231 | 232 | --- Start classical sending --- 233 | TS: 13:59:42.640305 234 | To: ff:ff:ff:ff:ff:ff From: 00:50:56:c0:00:01 0x0806 235 | ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff): 236 | 172.16.16.100 is at 00:50:56:c0:00:01 237 | 238 | TS: 13:59:47.646367 239 | To: ff:ff:ff:ff:ff:ff From: 00:50:56:c0:00:01 0x0806 240 | ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff): 241 | 172.16.16.100 is at 00:50:56:c0:00:01 242 | ... 243 | 244 | (An alternative approach would be to use your own IP address, but set up 245 | iptables rules to block RSTs from your kernel.) 246 | 247 | Now that we're arping for 172.16.16.100 we just need to tell yapscan to use 248 | this as the source address (with -S), and to reply to SYN/ACKs (with -A): 249 | 250 | # ./yapscan -sS -A -F -b 10k -r 100 -p 445 172.16.16.130 -S 172.16.16.100 -i vmnet1 251 | Starting Yapscan v0.4.9-beta ( http://pentestmonkey.net/tools/yapscan ) 252 | 253 | ---------------------------------------------------------- 254 | | Scan Information | 255 | ---------------------------------------------------------- 256 | Target count: ...... 1 257 | Interface: ......... vmnet1 258 | Bandwidth limit: ... 10000 bits/sec 259 | Source address: .... 172.16.16.100 260 | RTT: ............... 0.950000 secs 261 | Tries: ............. 101 262 | Port range: ........ 445 263 | Port count: ........ 1 264 | Show closed ports .. off 265 | *** Synflooding! Output supressed for speed... *** 266 | *** Replying to SYN/ACKs *** 267 | 268 | ######## Scan started at 2006-08-26 13:00:36 +0000 ######### 269 | 172.16.16.130:445 microsoft-ds Len=44 TTL=128 DF IPID=54268 FLAGS=SA______ SEQ=0x9bd5cc6e ACK=0xc7656191 WIN=64240 270 | Replying with ACK from 172.16.16.100:9033 to 172.16.16.100:445 SEQ=c7656192, ACK=9bd5cc6f 271 | 172.16.16.130:445 microsoft-ds Len=44 TTL=128 DF IPID=54269 FLAGS=SA______ SEQ=0x9bd69537 ACK=0xb028ca26 WIN=64240 272 | Replying with ACK from 172.16.16.100:9034 to 172.16.16.100:445 SEQ=b028ca27, ACK=9bd69538 273 | 172.16.16.130:445 microsoft-ds Len=44 TTL=128 DF IPID=54270 FLAGS=SA______ SEQ=0x9bd75e9b ACK=0x0b076828 WIN=64240 274 | Replying with ACK from 172.16.16.100:9035 to 172.16.16.100:445 SEQ=b076829, ACK=9bd75e9c 275 | 172.16.16.130:445 microsoft-ds Len=44 TTL=128 DF IPID=54271 FLAGS=SA______ SEQ=0x9bd81307 ACK=0x79b04d44 WIN=64240 276 | ... 277 | ####### Scan completed at 2006-08-26 13:00:40 +0000 ######### 278 | 70 positive results. 279 | 280 | 101 packets (4040 bytes) sent in 3.04 secs. 281 | Scan rate was: 10621 bits/sec | 1328 bytes/sec | 33 packets/sec. 282 | 283 | 3.6) Scanning Speed 284 | ------------------- 285 | 286 | Yapscan scans at a steady (and configurable) speed. You can get an ETA on 287 | you scan by pressing Enter during the scan. 288 | 289 | As of v0.4.9-beta yapscan will never underestimate the remaining scan time, 290 | though it can over estimate it under certain conditions. 291 | 292 | By default yapscan scans at 1000000 Bits / Second. Unless you have a fast 293 | link / understanding clients or both I suggest you only use the default for 294 | LAN testing. I wouldn't recommend going much about 2Mb/s for reliability / 295 | DoS reasons, but you can try it if you like: 296 | 297 | # yapscan -sS -p - 192.168.0.1-14 -b 4M 298 | 299 | WAN testing's probably better done at a more sociable speed like 64Kb/s: 300 | 301 | # yapscan -sS -p - www.example.com -b 64k 302 | 303 | Obviously, if the scan rate is set higher than either your upstream bandwidth 304 | or the client's downstream bandwidth, packets will be dropped and the 305 | reliability of the scan reduced. 306 | 307 | (3.7) Retries 308 | ------------- 309 | 310 | Reliability is obviously paramount during pentests, so the use of retries 311 | is encouraged. ICMP scans do 2 retries by default (a total of 3 tries in all). 312 | TCP and UDP only do 1. 313 | 314 | For an even more reliable ICMP scan you could do: 315 | 316 | # yapscan -sI -r 5 myhost -t - 317 | 318 | A TCP scan would be made more reliable by: 319 | 320 | # yapscan -sS -r 2 myhost -p - 321 | 322 | 323 | (4) Limitations 324 | =============== 325 | 326 | (4.1) Memory-hungry 327 | ------------------- 328 | 329 | Yapscan implements retries by keeping a list of hosts and ports to be scanned 330 | in memory. This has the side effect of using an awful lot of memory on large 331 | scans: 332 | 770MB for 65535 ports on 256 hosts 333 | 334 | This a pretty big problem. I really need to break the scan into chunks. 335 | 336 | (4.2) Replies from different IPs 337 | -------------------------------- 338 | 339 | If you send a packet to an addess which elicits a reply from a different IP 340 | address (e.g. you ping 192.168.0.255 and get a reply from 192.168.0.5) 341 | the reply will not be reported by yapscan. 342 | 343 | This is because all cookies carry a "cookie" of some description which 344 | is derived from the source and destination IP of the original probe. Yapscan 345 | will inspect the reply and ensure that cookie contained within it is 346 | derived from the source and destination IP. If an unexpcted IP replies 347 | yapscan will assume that the traffic is not a response to a probe. 348 | 349 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | Transfer README to a man page. 2 | Allow ICMP types to be separated with commas (like ports). 3 | Doesn't scan destination port 0. 4 | Does it scan n/w, b/c addresses? 5 | Crashes after the scan is complete sometimes (destructors broken) 6 | How to handle duplicate replies? 7 | -------------------------------------------------------------------------------- /md5.c: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved. 3 | 4 | This software is provided 'as-is', without any express or implied 5 | warranty. In no event will the authors be held liable for any damages 6 | arising from the use of this software. 7 | 8 | Permission is granted to anyone to use this software for any purpose, 9 | including commercial applications, and to alter it and redistribute it 10 | freely, subject to the following restrictions: 11 | 12 | 1. The origin of this software must not be misrepresented; you must not 13 | claim that you wrote the original software. If you use this software 14 | in a product, an acknowledgment in the product documentation would be 15 | appreciated but is not required. 16 | 2. Altered source versions must be plainly marked as such, and must not be 17 | misrepresented as being the original software. 18 | 3. This notice may not be removed or altered from any source distribution. 19 | 20 | L. Peter Deutsch 21 | ghost@aladdin.com 22 | 23 | */ 24 | /* 25 | Independent implementation of MD5 (RFC 1321). 26 | 27 | This code implements the MD5 Algorithm defined in RFC 1321, whose 28 | text is available at 29 | http://www.ietf.org/rfc/rfc1321.txt 30 | The code is derived from the text of the RFC, including the test suite 31 | (section A.5) but excluding the rest of Appendix A. It does not include 32 | any code or documentation that is identified in the RFC as being 33 | copyrighted. 34 | 35 | The original and principal author of md5.c is L. Peter Deutsch 36 | . Other authors are noted in the change history 37 | that follows (in reverse chronological order): 38 | 39 | 2002-04-13 lpd Clarified derivation from RFC 1321; now handles byte order 40 | either statically or dynamically; added missing #include 41 | in library. 42 | 2002-03-11 lpd Corrected argument list for main(), and added int return 43 | type, in test program and T value program. 44 | 2002-02-21 lpd Added missing #include in test program. 45 | 2000-07-03 lpd Patched to eliminate warnings about "constant is 46 | unsigned in ANSI C, signed in traditional"; made test program 47 | self-checking. 48 | 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. 49 | 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5). 50 | 1999-05-03 lpd Original version. 51 | */ 52 | 53 | #include "md5.h" 54 | #include 55 | 56 | #undef BYTE_ORDER /* 1 = big-endian, -1 = little-endian, 0 = unknown */ 57 | #ifdef ARCH_IS_BIG_ENDIAN 58 | # define BYTE_ORDER (ARCH_IS_BIG_ENDIAN ? 1 : -1) 59 | #else 60 | # define BYTE_ORDER 0 61 | #endif 62 | 63 | #define T_MASK ((md5_word_t)~0) 64 | #define T1 /* 0xd76aa478 */ (T_MASK ^ 0x28955b87) 65 | #define T2 /* 0xe8c7b756 */ (T_MASK ^ 0x173848a9) 66 | #define T3 0x242070db 67 | #define T4 /* 0xc1bdceee */ (T_MASK ^ 0x3e423111) 68 | #define T5 /* 0xf57c0faf */ (T_MASK ^ 0x0a83f050) 69 | #define T6 0x4787c62a 70 | #define T7 /* 0xa8304613 */ (T_MASK ^ 0x57cfb9ec) 71 | #define T8 /* 0xfd469501 */ (T_MASK ^ 0x02b96afe) 72 | #define T9 0x698098d8 73 | #define T10 /* 0x8b44f7af */ (T_MASK ^ 0x74bb0850) 74 | #define T11 /* 0xffff5bb1 */ (T_MASK ^ 0x0000a44e) 75 | #define T12 /* 0x895cd7be */ (T_MASK ^ 0x76a32841) 76 | #define T13 0x6b901122 77 | #define T14 /* 0xfd987193 */ (T_MASK ^ 0x02678e6c) 78 | #define T15 /* 0xa679438e */ (T_MASK ^ 0x5986bc71) 79 | #define T16 0x49b40821 80 | #define T17 /* 0xf61e2562 */ (T_MASK ^ 0x09e1da9d) 81 | #define T18 /* 0xc040b340 */ (T_MASK ^ 0x3fbf4cbf) 82 | #define T19 0x265e5a51 83 | #define T20 /* 0xe9b6c7aa */ (T_MASK ^ 0x16493855) 84 | #define T21 /* 0xd62f105d */ (T_MASK ^ 0x29d0efa2) 85 | #define T22 0x02441453 86 | #define T23 /* 0xd8a1e681 */ (T_MASK ^ 0x275e197e) 87 | #define T24 /* 0xe7d3fbc8 */ (T_MASK ^ 0x182c0437) 88 | #define T25 0x21e1cde6 89 | #define T26 /* 0xc33707d6 */ (T_MASK ^ 0x3cc8f829) 90 | #define T27 /* 0xf4d50d87 */ (T_MASK ^ 0x0b2af278) 91 | #define T28 0x455a14ed 92 | #define T29 /* 0xa9e3e905 */ (T_MASK ^ 0x561c16fa) 93 | #define T30 /* 0xfcefa3f8 */ (T_MASK ^ 0x03105c07) 94 | #define T31 0x676f02d9 95 | #define T32 /* 0x8d2a4c8a */ (T_MASK ^ 0x72d5b375) 96 | #define T33 /* 0xfffa3942 */ (T_MASK ^ 0x0005c6bd) 97 | #define T34 /* 0x8771f681 */ (T_MASK ^ 0x788e097e) 98 | #define T35 0x6d9d6122 99 | #define T36 /* 0xfde5380c */ (T_MASK ^ 0x021ac7f3) 100 | #define T37 /* 0xa4beea44 */ (T_MASK ^ 0x5b4115bb) 101 | #define T38 0x4bdecfa9 102 | #define T39 /* 0xf6bb4b60 */ (T_MASK ^ 0x0944b49f) 103 | #define T40 /* 0xbebfbc70 */ (T_MASK ^ 0x4140438f) 104 | #define T41 0x289b7ec6 105 | #define T42 /* 0xeaa127fa */ (T_MASK ^ 0x155ed805) 106 | #define T43 /* 0xd4ef3085 */ (T_MASK ^ 0x2b10cf7a) 107 | #define T44 0x04881d05 108 | #define T45 /* 0xd9d4d039 */ (T_MASK ^ 0x262b2fc6) 109 | #define T46 /* 0xe6db99e5 */ (T_MASK ^ 0x1924661a) 110 | #define T47 0x1fa27cf8 111 | #define T48 /* 0xc4ac5665 */ (T_MASK ^ 0x3b53a99a) 112 | #define T49 /* 0xf4292244 */ (T_MASK ^ 0x0bd6ddbb) 113 | #define T50 0x432aff97 114 | #define T51 /* 0xab9423a7 */ (T_MASK ^ 0x546bdc58) 115 | #define T52 /* 0xfc93a039 */ (T_MASK ^ 0x036c5fc6) 116 | #define T53 0x655b59c3 117 | #define T54 /* 0x8f0ccc92 */ (T_MASK ^ 0x70f3336d) 118 | #define T55 /* 0xffeff47d */ (T_MASK ^ 0x00100b82) 119 | #define T56 /* 0x85845dd1 */ (T_MASK ^ 0x7a7ba22e) 120 | #define T57 0x6fa87e4f 121 | #define T58 /* 0xfe2ce6e0 */ (T_MASK ^ 0x01d3191f) 122 | #define T59 /* 0xa3014314 */ (T_MASK ^ 0x5cfebceb) 123 | #define T60 0x4e0811a1 124 | #define T61 /* 0xf7537e82 */ (T_MASK ^ 0x08ac817d) 125 | #define T62 /* 0xbd3af235 */ (T_MASK ^ 0x42c50dca) 126 | #define T63 0x2ad7d2bb 127 | #define T64 /* 0xeb86d391 */ (T_MASK ^ 0x14792c6e) 128 | 129 | 130 | static void 131 | md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/) 132 | { 133 | md5_word_t 134 | a = pms->abcd[0], b = pms->abcd[1], 135 | c = pms->abcd[2], d = pms->abcd[3]; 136 | md5_word_t t; 137 | #if BYTE_ORDER > 0 138 | /* Define storage only for big-endian CPUs. */ 139 | md5_word_t X[16]; 140 | #else 141 | /* Define storage for little-endian or both types of CPUs. */ 142 | md5_word_t xbuf[16]; 143 | const md5_word_t *X; 144 | #endif 145 | 146 | { 147 | #if BYTE_ORDER == 0 148 | /* 149 | * Determine dynamically whether this is a big-endian or 150 | * little-endian machine, since we can use a more efficient 151 | * algorithm on the latter. 152 | */ 153 | static const int w = 1; 154 | 155 | if (*((const md5_byte_t *)&w)) /* dynamic little-endian */ 156 | #endif 157 | #if BYTE_ORDER <= 0 /* little-endian */ 158 | { 159 | /* 160 | * On little-endian machines, we can process properly aligned 161 | * data without copying it. 162 | */ 163 | if (!((data - (const md5_byte_t *)0) & 3)) { 164 | /* data are properly aligned */ 165 | X = (const md5_word_t *)data; 166 | } else { 167 | /* not aligned */ 168 | memcpy(xbuf, data, 64); 169 | X = xbuf; 170 | } 171 | } 172 | #endif 173 | #if BYTE_ORDER == 0 174 | else /* dynamic big-endian */ 175 | #endif 176 | #if BYTE_ORDER >= 0 /* big-endian */ 177 | { 178 | /* 179 | * On big-endian machines, we must arrange the bytes in the 180 | * right order. 181 | */ 182 | const md5_byte_t *xp = data; 183 | int i; 184 | 185 | # if BYTE_ORDER == 0 186 | X = xbuf; /* (dynamic only) */ 187 | # else 188 | # define xbuf X /* (static only) */ 189 | # endif 190 | for (i = 0; i < 16; ++i, xp += 4) 191 | xbuf[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24); 192 | } 193 | #endif 194 | } 195 | 196 | #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) 197 | 198 | /* Round 1. */ 199 | /* Let [abcd k s i] denote the operation 200 | a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ 201 | #define F(x, y, z) (((x) & (y)) | (~(x) & (z))) 202 | #define SET(a, b, c, d, k, s, Ti)\ 203 | t = a + F(b,c,d) + X[k] + Ti;\ 204 | a = ROTATE_LEFT(t, s) + b 205 | /* Do the following 16 operations. */ 206 | SET(a, b, c, d, 0, 7, T1); 207 | SET(d, a, b, c, 1, 12, T2); 208 | SET(c, d, a, b, 2, 17, T3); 209 | SET(b, c, d, a, 3, 22, T4); 210 | SET(a, b, c, d, 4, 7, T5); 211 | SET(d, a, b, c, 5, 12, T6); 212 | SET(c, d, a, b, 6, 17, T7); 213 | SET(b, c, d, a, 7, 22, T8); 214 | SET(a, b, c, d, 8, 7, T9); 215 | SET(d, a, b, c, 9, 12, T10); 216 | SET(c, d, a, b, 10, 17, T11); 217 | SET(b, c, d, a, 11, 22, T12); 218 | SET(a, b, c, d, 12, 7, T13); 219 | SET(d, a, b, c, 13, 12, T14); 220 | SET(c, d, a, b, 14, 17, T15); 221 | SET(b, c, d, a, 15, 22, T16); 222 | #undef SET 223 | 224 | /* Round 2. */ 225 | /* Let [abcd k s i] denote the operation 226 | a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ 227 | #define G(x, y, z) (((x) & (z)) | ((y) & ~(z))) 228 | #define SET(a, b, c, d, k, s, Ti)\ 229 | t = a + G(b,c,d) + X[k] + Ti;\ 230 | a = ROTATE_LEFT(t, s) + b 231 | /* Do the following 16 operations. */ 232 | SET(a, b, c, d, 1, 5, T17); 233 | SET(d, a, b, c, 6, 9, T18); 234 | SET(c, d, a, b, 11, 14, T19); 235 | SET(b, c, d, a, 0, 20, T20); 236 | SET(a, b, c, d, 5, 5, T21); 237 | SET(d, a, b, c, 10, 9, T22); 238 | SET(c, d, a, b, 15, 14, T23); 239 | SET(b, c, d, a, 4, 20, T24); 240 | SET(a, b, c, d, 9, 5, T25); 241 | SET(d, a, b, c, 14, 9, T26); 242 | SET(c, d, a, b, 3, 14, T27); 243 | SET(b, c, d, a, 8, 20, T28); 244 | SET(a, b, c, d, 13, 5, T29); 245 | SET(d, a, b, c, 2, 9, T30); 246 | SET(c, d, a, b, 7, 14, T31); 247 | SET(b, c, d, a, 12, 20, T32); 248 | #undef SET 249 | 250 | /* Round 3. */ 251 | /* Let [abcd k s t] denote the operation 252 | a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ 253 | #define H(x, y, z) ((x) ^ (y) ^ (z)) 254 | #define SET(a, b, c, d, k, s, Ti)\ 255 | t = a + H(b,c,d) + X[k] + Ti;\ 256 | a = ROTATE_LEFT(t, s) + b 257 | /* Do the following 16 operations. */ 258 | SET(a, b, c, d, 5, 4, T33); 259 | SET(d, a, b, c, 8, 11, T34); 260 | SET(c, d, a, b, 11, 16, T35); 261 | SET(b, c, d, a, 14, 23, T36); 262 | SET(a, b, c, d, 1, 4, T37); 263 | SET(d, a, b, c, 4, 11, T38); 264 | SET(c, d, a, b, 7, 16, T39); 265 | SET(b, c, d, a, 10, 23, T40); 266 | SET(a, b, c, d, 13, 4, T41); 267 | SET(d, a, b, c, 0, 11, T42); 268 | SET(c, d, a, b, 3, 16, T43); 269 | SET(b, c, d, a, 6, 23, T44); 270 | SET(a, b, c, d, 9, 4, T45); 271 | SET(d, a, b, c, 12, 11, T46); 272 | SET(c, d, a, b, 15, 16, T47); 273 | SET(b, c, d, a, 2, 23, T48); 274 | #undef SET 275 | 276 | /* Round 4. */ 277 | /* Let [abcd k s t] denote the operation 278 | a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ 279 | #define I(x, y, z) ((y) ^ ((x) | ~(z))) 280 | #define SET(a, b, c, d, k, s, Ti)\ 281 | t = a + I(b,c,d) + X[k] + Ti;\ 282 | a = ROTATE_LEFT(t, s) + b 283 | /* Do the following 16 operations. */ 284 | SET(a, b, c, d, 0, 6, T49); 285 | SET(d, a, b, c, 7, 10, T50); 286 | SET(c, d, a, b, 14, 15, T51); 287 | SET(b, c, d, a, 5, 21, T52); 288 | SET(a, b, c, d, 12, 6, T53); 289 | SET(d, a, b, c, 3, 10, T54); 290 | SET(c, d, a, b, 10, 15, T55); 291 | SET(b, c, d, a, 1, 21, T56); 292 | SET(a, b, c, d, 8, 6, T57); 293 | SET(d, a, b, c, 15, 10, T58); 294 | SET(c, d, a, b, 6, 15, T59); 295 | SET(b, c, d, a, 13, 21, T60); 296 | SET(a, b, c, d, 4, 6, T61); 297 | SET(d, a, b, c, 11, 10, T62); 298 | SET(c, d, a, b, 2, 15, T63); 299 | SET(b, c, d, a, 9, 21, T64); 300 | #undef SET 301 | 302 | /* Then perform the following additions. (That is increment each 303 | of the four registers by the value it had before this block 304 | was started.) */ 305 | pms->abcd[0] += a; 306 | pms->abcd[1] += b; 307 | pms->abcd[2] += c; 308 | pms->abcd[3] += d; 309 | } 310 | 311 | void 312 | md5_init(md5_state_t *pms) 313 | { 314 | pms->count[0] = pms->count[1] = 0; 315 | pms->abcd[0] = 0x67452301; 316 | pms->abcd[1] = /*0xefcdab89*/ T_MASK ^ 0x10325476; 317 | pms->abcd[2] = /*0x98badcfe*/ T_MASK ^ 0x67452301; 318 | pms->abcd[3] = 0x10325476; 319 | } 320 | 321 | void 322 | md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes) 323 | { 324 | const md5_byte_t *p = data; 325 | int left = nbytes; 326 | int offset = (pms->count[0] >> 3) & 63; 327 | md5_word_t nbits = (md5_word_t)(nbytes << 3); 328 | 329 | if (nbytes <= 0) 330 | return; 331 | 332 | /* Update the message length. */ 333 | pms->count[1] += nbytes >> 29; 334 | pms->count[0] += nbits; 335 | if (pms->count[0] < nbits) 336 | pms->count[1]++; 337 | 338 | /* Process an initial partial block. */ 339 | if (offset) { 340 | int copy = (offset + nbytes > 64 ? 64 - offset : nbytes); 341 | 342 | memcpy(pms->buf + offset, p, copy); 343 | if (offset + copy < 64) 344 | return; 345 | p += copy; 346 | left -= copy; 347 | md5_process(pms, pms->buf); 348 | } 349 | 350 | /* Process full blocks. */ 351 | for (; left >= 64; p += 64, left -= 64) 352 | md5_process(pms, p); 353 | 354 | /* Process a final partial block. */ 355 | if (left) 356 | memcpy(pms->buf, p, left); 357 | } 358 | 359 | void 360 | md5_finish(md5_state_t *pms, md5_byte_t digest[16]) 361 | { 362 | static const md5_byte_t pad[64] = { 363 | 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 364 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 365 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 366 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 367 | }; 368 | md5_byte_t data[8]; 369 | int i; 370 | 371 | /* Save the length before padding. */ 372 | for (i = 0; i < 8; ++i) 373 | data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3)); 374 | /* Pad to 56 bytes mod 64. */ 375 | md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1); 376 | /* Append the length. */ 377 | md5_append(pms, data, 8); 378 | for (i = 0; i < 16; ++i) 379 | digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3)); 380 | } 381 | -------------------------------------------------------------------------------- /md5.h: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 1999, 2002 Aladdin Enterprises. All rights reserved. 3 | 4 | This software is provided 'as-is', without any express or implied 5 | warranty. In no event will the authors be held liable for any damages 6 | arising from the use of this software. 7 | 8 | Permission is granted to anyone to use this software for any purpose, 9 | including commercial applications, and to alter it and redistribute it 10 | freely, subject to the following restrictions: 11 | 12 | 1. The origin of this software must not be misrepresented; you must not 13 | claim that you wrote the original software. If you use this software 14 | in a product, an acknowledgment in the product documentation would be 15 | appreciated but is not required. 16 | 2. Altered source versions must be plainly marked as such, and must not be 17 | misrepresented as being the original software. 18 | 3. This notice may not be removed or altered from any source distribution. 19 | 20 | L. Peter Deutsch 21 | ghost@aladdin.com 22 | 23 | */ 24 | /* 25 | Independent implementation of MD5 (RFC 1321). 26 | 27 | This code implements the MD5 Algorithm defined in RFC 1321, whose 28 | text is available at 29 | http://www.ietf.org/rfc/rfc1321.txt 30 | The code is derived from the text of the RFC, including the test suite 31 | (section A.5) but excluding the rest of Appendix A. It does not include 32 | any code or documentation that is identified in the RFC as being 33 | copyrighted. 34 | 35 | The original and principal author of md5.h is L. Peter Deutsch 36 | . Other authors are noted in the change history 37 | that follows (in reverse chronological order): 38 | 39 | 2002-04-13 lpd Removed support for non-ANSI compilers; removed 40 | references to Ghostscript; clarified derivation from RFC 1321; 41 | now handles byte order either statically or dynamically. 42 | 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. 43 | 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5); 44 | added conditionalization for C++ compilation from Martin 45 | Purschke . 46 | 1999-05-03 lpd Original version. 47 | */ 48 | 49 | #ifndef md5_INCLUDED 50 | # define md5_INCLUDED 51 | 52 | #ifdef HAVE_CONFIG_H 53 | #include "config.h" 54 | /* 55 | * Autoconf's AC_C_BIGENDIAN check defines WORDS_BIGENDIAN 56 | */ 57 | #ifdef WORDS_BIGENDIAN 58 | #define ARCH_IS_BIG_ENDIAN 1 59 | #else 60 | #define ARCH_IS_BIG_ENDIAN 0 61 | #endif 62 | #endif 63 | 64 | /* 65 | * This package supports both compile-time and run-time determination of CPU 66 | * byte order. If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be 67 | * compiled to run only on little-endian CPUs; if ARCH_IS_BIG_ENDIAN is 68 | * defined as non-zero, the code will be compiled to run only on big-endian 69 | * CPUs; if ARCH_IS_BIG_ENDIAN is not defined, the code will be compiled to 70 | * run on either big- or little-endian CPUs, but will run slightly less 71 | * efficiently on either one than if ARCH_IS_BIG_ENDIAN is defined. 72 | */ 73 | 74 | typedef unsigned char md5_byte_t; /* 8-bit byte */ 75 | typedef unsigned int md5_word_t; /* 32-bit word */ 76 | 77 | /* Define the state of the MD5 Algorithm. */ 78 | typedef struct md5_state_s { 79 | md5_word_t count[2]; /* message length in bits, lsw first */ 80 | md5_word_t abcd[4]; /* digest buffer */ 81 | md5_byte_t buf[64]; /* accumulate block */ 82 | } md5_state_t; 83 | 84 | #ifdef __cplusplus 85 | extern "C" 86 | { 87 | #endif 88 | 89 | /* Initialize the algorithm. */ 90 | void md5_init(md5_state_t *pms); 91 | 92 | /* Append a string to the message. */ 93 | void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes); 94 | 95 | /* Finish the message and return the digest. */ 96 | void md5_finish(md5_state_t *pms, md5_byte_t digest[16]); 97 | 98 | #ifdef __cplusplus 99 | } /* end extern "C" */ 100 | #endif 101 | 102 | #endif /* md5_INCLUDED */ 103 | -------------------------------------------------------------------------------- /ports-tcp-common.txt: -------------------------------------------------------------------------------- 1 | 21 2 | 22 3 | 23 4 | 25 5 | 53 6 | 79 7 | 80 8 | 88 9 | 110 10 | 111 11 | 113 12 | 119 13 | 139 14 | 256 15 | 257 16 | 264 17 | 389 18 | 443 19 | 445 20 | 512 21 | 513 22 | 514 23 | 515 24 | 540 25 | 593 26 | 631 27 | 1025 28 | 1433 29 | 1494 30 | 1521 31 | 1524 32 | 1526 33 | 1723 34 | 1812 35 | 1900 36 | 2001 37 | 2049 38 | 2301 39 | 2381 40 | 2433 41 | 3128 42 | 3268 43 | 3269 44 | 3306 45 | 3372 46 | 3389 47 | 4001 48 | 5000 49 | 5631 50 | 5800 51 | 5900 52 | 6000 53 | 6001 54 | 6112 55 | 7100 56 | 8000 57 | 8080 58 | 9001 59 | 13701 60 | 13702 61 | 13705 62 | 13706 63 | 13708 64 | 13709 65 | 13710 66 | 13711 67 | 13712 68 | 13713 69 | 13714 70 | 13715 71 | 13716 72 | 13717 73 | 13718 74 | 13720 75 | 13721 76 | 13722 77 | 13782 78 | 13783 79 | 18181 80 | 18182 81 | 18183 82 | 18184 83 | 18185 84 | 18187 85 | 32770 86 | 32771 87 | 32772 88 | 32773 89 | 32774 90 | 32775 91 | 32776 92 | 32777 93 | 32778 94 | 32779 95 | 32780 96 | 32786 97 | 32787 98 | 49400 99 | 60000 100 | 65301 101 | -------------------------------------------------------------------------------- /ports-tcp-database.txt: -------------------------------------------------------------------------------- 1 | 1433 2 | 1521 3 | 1526 4 | 2433 5 | 3306 6 | 5432 7 | 50000 8 | -------------------------------------------------------------------------------- /ports-tcp-known.txt: -------------------------------------------------------------------------------- 1 | 21 2 | 22 3 | 23 4 | 25 5 | 53 6 | 79 7 | 80 8 | 88 9 | 110 10 | 111 11 | 113 12 | 119 13 | 139 14 | 256 15 | 257 16 | 264 17 | 389 18 | 443 19 | 445 20 | 512 21 | 513 22 | 514 23 | 515 24 | 540 25 | 593 26 | 631 27 | 1025 28 | 1433 29 | 1494 30 | 1521 31 | 1524 32 | 1526 33 | 1723 34 | 1812 35 | 1900 36 | 2001 37 | 2049 38 | 2301 39 | 2381 40 | 3128 41 | 3268 42 | 3269 43 | 3306 44 | 3372 45 | 3389 46 | 4001 47 | 5000 48 | 5631 49 | 5800 50 | 5900 51 | 6000 52 | 6001 53 | 6112 54 | 7100 55 | 8000 56 | 8080 57 | 9001 58 | 13701 59 | 13702 60 | 13705 61 | 13706 62 | 13708 63 | 13709 64 | 13710 65 | 13711 66 | 13712 67 | 13713 68 | 13714 69 | 13715 70 | 13716 71 | 13717 72 | 13718 73 | 13720 74 | 13721 75 | 13722 76 | 13782 77 | 13783 78 | 18181 79 | 18182 80 | 18183 81 | 18184 82 | 18185 83 | 18187 84 | 32770 85 | 32771 86 | 32772 87 | 32773 88 | 32774 89 | 32775 90 | 32776 91 | 32777 92 | 32778 93 | 32779 94 | 32780 95 | 32786 96 | 32787 97 | 49400 98 | 65301 99 | 1 100 | 2 101 | 3 102 | 4 103 | 5 104 | 6 105 | 7 106 | 9 107 | 11 108 | 13 109 | 15 110 | 17 111 | 18 112 | 19 113 | 20 114 | 24 115 | 27 116 | 29 117 | 31 118 | 33 119 | 35 120 | 37 121 | 38 122 | 39 123 | 41 124 | 42 125 | 43 126 | 44 127 | 45 128 | 46 129 | 47 130 | 48 131 | 49 132 | 50 133 | 51 134 | 52 135 | 54 136 | 55 137 | 56 138 | 57 139 | 58 140 | 59 141 | 61 142 | 62 143 | 63 144 | 64 145 | 65 146 | 66 147 | 67 148 | 68 149 | 69 150 | 70 151 | 71 152 | 72 153 | 73 154 | 74 155 | 75 156 | 76 157 | 77 158 | 78 159 | 81 160 | 82 161 | 83 162 | 84 163 | 85 164 | 86 165 | 87 166 | 89 167 | 90 168 | 91 169 | 92 170 | 93 171 | 94 172 | 95 173 | 96 174 | 97 175 | 98 176 | 99 177 | 100 178 | 101 179 | 102 180 | 103 181 | 104 182 | 105 183 | 106 184 | 107 185 | 108 186 | 109 187 | 112 188 | 114 189 | 115 190 | 116 191 | 117 192 | 118 193 | 120 194 | 121 195 | 122 196 | 123 197 | 124 198 | 125 199 | 126 200 | 127 201 | 128 202 | 129 203 | 130 204 | 131 205 | 132 206 | 133 207 | 134 208 | 135 209 | 136 210 | 137 211 | 138 212 | 140 213 | 141 214 | 142 215 | 143 216 | 144 217 | 145 218 | 146 219 | 147 220 | 148 221 | 149 222 | 150 223 | 151 224 | 152 225 | 153 226 | 154 227 | 155 228 | 156 229 | 157 230 | 158 231 | 159 232 | 160 233 | 161 234 | 162 235 | 163 236 | 164 237 | 165 238 | 166 239 | 167 240 | 168 241 | 169 242 | 170 243 | 171 244 | 172 245 | 173 246 | 174 247 | 175 248 | 176 249 | 177 250 | 178 251 | 179 252 | 180 253 | 181 254 | 182 255 | 183 256 | 184 257 | 185 258 | 186 259 | 187 260 | 188 261 | 189 262 | 190 263 | 191 264 | 192 265 | 193 266 | 194 267 | 195 268 | 196 269 | 197 270 | 198 271 | 199 272 | 200 273 | 201 274 | 202 275 | 203 276 | 204 277 | 205 278 | 206 279 | 207 280 | 208 281 | 209 282 | 210 283 | 211 284 | 212 285 | 213 286 | 214 287 | 215 288 | 216 289 | 217 290 | 218 291 | 219 292 | 220 293 | 221 294 | 222 295 | 223 296 | 242 297 | 243 298 | 244 299 | 245 300 | 246 301 | 247 302 | 248 303 | 258 304 | 259 305 | 260 306 | 261 307 | 262 308 | 263 309 | 265 310 | 280 311 | 281 312 | 282 313 | 308 314 | 309 315 | 310 316 | 311 317 | 312 318 | 313 319 | 314 320 | 315 321 | 316 322 | 317 323 | 321 324 | 344 325 | 345 326 | 346 327 | 347 328 | 348 329 | 349 330 | 350 331 | 351 332 | 352 333 | 353 334 | 354 335 | 355 336 | 356 337 | 357 338 | 358 339 | 359 340 | 360 341 | 361 342 | 362 343 | 363 344 | 364 345 | 365 346 | 366 347 | 367 348 | 368 349 | 369 350 | 370 351 | 371 352 | 372 353 | 373 354 | 374 355 | 375 356 | 376 357 | 377 358 | 378 359 | 379 360 | 380 361 | 381 362 | 382 363 | 383 364 | 384 365 | 385 366 | 386 367 | 387 368 | 388 369 | 390 370 | 391 371 | 392 372 | 393 373 | 394 374 | 395 375 | 396 376 | 397 377 | 398 378 | 399 379 | 400 380 | 401 381 | 402 382 | 403 383 | 404 384 | 405 385 | 406 386 | 407 387 | 408 388 | 409 389 | 410 390 | 411 391 | 412 392 | 413 393 | 414 394 | 415 395 | 416 396 | 417 397 | 418 398 | 419 399 | 420 400 | 421 401 | 422 402 | 423 403 | 424 404 | 425 405 | 426 406 | 427 407 | 428 408 | 429 409 | 430 410 | 431 411 | 432 412 | 433 413 | 434 414 | 435 415 | 436 416 | 437 417 | 438 418 | 439 419 | 440 420 | 441 421 | 442 422 | 444 423 | 446 424 | 447 425 | 448 426 | 449 427 | 450 428 | 451 429 | 452 430 | 453 431 | 454 432 | 455 433 | 456 434 | 457 435 | 458 436 | 459 437 | 460 438 | 461 439 | 462 440 | 463 441 | 464 442 | 465 443 | 466 444 | 467 445 | 468 446 | 469 447 | 470 448 | 471 449 | 472 450 | 473 451 | 474 452 | 475 453 | 476 454 | 477 455 | 478 456 | 479 457 | 480 458 | 481 459 | 482 460 | 483 461 | 484 462 | 485 463 | 486 464 | 487 465 | 488 466 | 489 467 | 490 468 | 491 469 | 492 470 | 493 471 | 494 472 | 495 473 | 496 474 | 497 475 | 498 476 | 499 477 | 500 478 | 501 479 | 502 480 | 503 481 | 504 482 | 505 483 | 506 484 | 507 485 | 508 486 | 509 487 | 510 488 | 511 489 | 516 490 | 517 491 | 518 492 | 519 493 | 520 494 | 521 495 | 522 496 | 523 497 | 524 498 | 525 499 | 526 500 | 527 501 | 528 502 | 529 503 | 530 504 | 531 505 | 532 506 | 533 507 | 534 508 | 535 509 | 536 510 | 537 511 | 538 512 | 539 513 | 541 514 | 542 515 | 543 516 | 544 517 | 545 518 | 546 519 | 547 520 | 548 521 | 549 522 | 550 523 | 551 524 | 552 525 | 553 526 | 554 527 | 555 528 | 556 529 | 557 530 | 558 531 | 559 532 | 560 533 | 561 534 | 562 535 | 563 536 | 564 537 | 565 538 | 566 539 | 567 540 | 568 541 | 569 542 | 570 543 | 571 544 | 572 545 | 573 546 | 574 547 | 575 548 | 576 549 | 577 550 | 578 551 | 579 552 | 580 553 | 581 554 | 582 555 | 583 556 | 584 557 | 585 558 | 586 559 | 587 560 | 588 561 | 589 562 | 590 563 | 591 564 | 592 565 | 594 566 | 595 567 | 596 568 | 597 569 | 598 570 | 599 571 | 600 572 | 603 573 | 606 574 | 607 575 | 608 576 | 609 577 | 610 578 | 611 579 | 612 580 | 617 581 | 624 582 | 625 583 | 626 584 | 627 585 | 628 586 | 629 587 | 630 588 | 634 589 | 635 590 | 636 591 | 637 592 | 640 593 | 650 594 | 655 595 | 660 596 | 666 597 | 674 598 | 691 599 | 694 600 | 704 601 | 706 602 | 709 603 | 723 604 | 729 605 | 730 606 | 731 607 | 737 608 | 740 609 | 741 610 | 742 611 | 744 612 | 747 613 | 748 614 | 749 615 | 750 616 | 751 617 | 752 618 | 753 619 | 754 620 | 758 621 | 759 622 | 760 623 | 761 624 | 762 625 | 763 626 | 764 627 | 765 628 | 767 629 | 769 630 | 770 631 | 771 632 | 772 633 | 773 634 | 774 635 | 775 636 | 776 637 | 780 638 | 781 639 | 782 640 | 783 641 | 786 642 | 799 643 | 800 644 | 801 645 | 808 646 | 871 647 | 873 648 | 888 649 | 898 650 | 901 651 | 902 652 | 903 653 | 950 654 | 953 655 | 975 656 | 989 657 | 990 658 | 991 659 | 992 660 | 993 661 | 994 662 | 995 663 | 996 664 | 997 665 | 998 666 | 999 667 | 1000 668 | 1002 669 | 1008 670 | 1012 671 | 1023 672 | 1024 673 | 1026 674 | 1027 675 | 1028 676 | 1029 677 | 1030 678 | 1031 679 | 1032 680 | 1033 681 | 1040 682 | 1043 683 | 1050 684 | 1058 685 | 1059 686 | 1067 687 | 1068 688 | 1076 689 | 1080 690 | 1083 691 | 1084 692 | 1099 693 | 1103 694 | 1109 695 | 1110 696 | 1112 697 | 1127 698 | 1139 699 | 1155 700 | 1167 701 | 1178 702 | 1212 703 | 1214 704 | 1220 705 | 1222 706 | 1234 707 | 1236 708 | 1241 709 | 1248 710 | 1300 711 | 1313 712 | 1337 713 | 1346 714 | 1347 715 | 1348 716 | 1349 717 | 1350 718 | 1351 719 | 1352 720 | 1353 721 | 1354 722 | 1355 723 | 1356 724 | 1357 725 | 1358 726 | 1359 727 | 1360 728 | 1361 729 | 1362 730 | 1363 731 | 1364 732 | 1365 733 | 1366 734 | 1367 735 | 1368 736 | 1369 737 | 1370 738 | 1371 739 | 1372 740 | 1373 741 | 1374 742 | 1375 743 | 1376 744 | 1377 745 | 1378 746 | 1379 747 | 1380 748 | 1381 749 | 1383 750 | 1384 751 | 1385 752 | 1386 753 | 1387 754 | 1388 755 | 1389 756 | 1390 757 | 1391 758 | 1392 759 | 1393 760 | 1394 761 | 1395 762 | 1396 763 | 1397 764 | 1398 765 | 1399 766 | 1400 767 | 1401 768 | 1402 769 | 1403 770 | 1404 771 | 1405 772 | 1406 773 | 1407 774 | 1408 775 | 1409 776 | 1410 777 | 1411 778 | 1412 779 | 1413 780 | 1414 781 | 1415 782 | 1416 783 | 1417 784 | 1418 785 | 1419 786 | 1420 787 | 1421 788 | 1422 789 | 1423 790 | 1424 791 | 1425 792 | 1426 793 | 1427 794 | 1428 795 | 1429 796 | 1430 797 | 1431 798 | 1432 799 | 1434 800 | 1435 801 | 1436 802 | 1437 803 | 1438 804 | 1439 805 | 1440 806 | 1441 807 | 1442 808 | 1443 809 | 1444 810 | 1445 811 | 1446 812 | 1447 813 | 1448 814 | 1449 815 | 1450 816 | 1451 817 | 1452 818 | 1453 819 | 1454 820 | 1455 821 | 1456 822 | 1457 823 | 1458 824 | 1459 825 | 1460 826 | 1461 827 | 1462 828 | 1463 829 | 1464 830 | 1465 831 | 1466 832 | 1467 833 | 1468 834 | 1469 835 | 1470 836 | 1471 837 | 1472 838 | 1473 839 | 1474 840 | 1475 841 | 1476 842 | 1477 843 | 1478 844 | 1479 845 | 1480 846 | 1481 847 | 1482 848 | 1483 849 | 1484 850 | 1485 851 | 1486 852 | 1487 853 | 1488 854 | 1489 855 | 1490 856 | 1491 857 | 1492 858 | 1493 859 | 1495 860 | 1496 861 | 1497 862 | 1498 863 | 1499 864 | 1500 865 | 1501 866 | 1502 867 | 1503 868 | 1504 869 | 1505 870 | 1506 871 | 1507 872 | 1508 873 | 1509 874 | 1510 875 | 1511 876 | 1512 877 | 1513 878 | 1514 879 | 1515 880 | 1516 881 | 1517 882 | 1518 883 | 1519 884 | 1520 885 | 1522 886 | 1523 887 | 1525 888 | 1527 889 | 1528 890 | 1529 891 | 1530 892 | 1531 893 | 1532 894 | 1533 895 | 1534 896 | 1535 897 | 1536 898 | 1537 899 | 1538 900 | 1539 901 | 1540 902 | 1541 903 | 1542 904 | 1543 905 | 1544 906 | 1545 907 | 1546 908 | 1547 909 | 1548 910 | 1549 911 | 1550 912 | 1551 913 | 1552 914 | 1600 915 | 1645 916 | 1646 917 | 1647 918 | 1648 919 | 1649 920 | 1650 921 | 1651 922 | 1652 923 | 1661 924 | 1662 925 | 1663 926 | 1664 927 | 1665 928 | 1666 929 | 1667 930 | 1668 931 | 1669 932 | 1670 933 | 1671 934 | 1672 935 | 1680 936 | 1701 937 | 1718 938 | 1719 939 | 1720 940 | 1755 941 | 1758 942 | 1761 943 | 1762 944 | 1763 945 | 1764 946 | 1789 947 | 1813 948 | 1827 949 | 1911 950 | 1935 951 | 1957 952 | 1984 953 | 1985 954 | 1986 955 | 1987 956 | 1988 957 | 1989 958 | 1990 959 | 1991 960 | 1992 961 | 1993 962 | 1994 963 | 1995 964 | 1996 965 | 1997 966 | 1998 967 | 1999 968 | 2000 969 | 2002 970 | 2003 971 | 2004 972 | 2005 973 | 2006 974 | 2007 975 | 2008 976 | 2009 977 | 2010 978 | 2011 979 | 2012 980 | 2013 981 | 2014 982 | 2015 983 | 2016 984 | 2017 985 | 2018 986 | 2019 987 | 2020 988 | 2021 989 | 2022 990 | 2023 991 | 2024 992 | 2025 993 | 2026 994 | 2027 995 | 2028 996 | 2030 997 | 2032 998 | 2033 999 | 2034 1000 | 2035 1001 | 2038 1002 | 2040 1003 | 2041 1004 | 2042 1005 | 2043 1006 | 2044 1007 | 2045 1008 | 2046 1009 | 2047 1010 | 2048 1011 | 2053 1012 | 2064 1013 | 2065 1014 | 2067 1015 | 2068 1016 | 2101 1017 | 2102 1018 | 2103 1019 | 2104 1020 | 2105 1021 | 2106 1022 | 2108 1023 | 2111 1024 | 2112 1025 | 2120 1026 | 2121 1027 | 2150 1028 | 2201 1029 | 2232 1030 | 2241 1031 | 2307 1032 | 2401 1033 | 2430 1034 | 2431 1035 | 2432 1036 | 2433 1037 | 2500 1038 | 2501 1039 | 2564 1040 | 2583 1041 | 2600 1042 | 2601 1043 | 2602 1044 | 2603 1045 | 2604 1046 | 2605 1047 | 2606 1048 | 2607 1049 | 2608 1050 | 2627 1051 | 2628 1052 | 2638 1053 | 2766 1054 | 2784 1055 | 2809 1056 | 2882 1057 | 2903 1058 | 2967 1059 | 2988 1060 | 2998 1061 | 3000 1062 | 3001 1063 | 3005 1064 | 3006 1065 | 3049 1066 | 3050 1067 | 3052 1068 | 3064 1069 | 3086 1070 | 3130 1071 | 3141 1072 | 3264 1073 | 3292 1074 | 3333 1075 | 3346 1076 | 3401 1077 | 3421 1078 | 3455 1079 | 3456 1080 | 3457 1081 | 3462 1082 | 3493 1083 | 3531 1084 | 3632 1085 | 3689 1086 | 3690 1087 | 3900 1088 | 3928 1089 | 3929 1090 | 3984 1091 | 3985 1092 | 3986 1093 | 3996 1094 | 3997 1095 | 3998 1096 | 3999 1097 | 4000 1098 | 4002 1099 | 4003 1100 | 4004 1101 | 4005 1102 | 4006 1103 | 4007 1104 | 4008 1105 | 4045 1106 | 4125 1107 | 4132 1108 | 4133 1109 | 4144 1110 | 4224 1111 | 4321 1112 | 4333 1113 | 4343 1114 | 4444 1115 | 4480 1116 | 4500 1117 | 4557 1118 | 4559 1119 | 4600 1120 | 4660 1121 | 4672 1122 | 4827 1123 | 4899 1124 | 4987 1125 | 4998 1126 | 5001 1127 | 5002 1128 | 5003 1129 | 5010 1130 | 5011 1131 | 5050 1132 | 5051 1133 | 5060 1134 | 5100 1135 | 5101 1136 | 5102 1137 | 5145 1138 | 5190 1139 | 5191 1140 | 5192 1141 | 5193 1142 | 5222 1143 | 5232 1144 | 5236 1145 | 5269 1146 | 5300 1147 | 5301 1148 | 5302 1149 | 5303 1150 | 5304 1151 | 5305 1152 | 5308 1153 | 5354 1154 | 5355 1155 | 5400 1156 | 5405 1157 | 5428 1158 | 5432 1159 | 5490 1160 | 5500 1161 | 5510 1162 | 5520 1163 | 5530 1164 | 5540 1165 | 5550 1166 | 5553 1167 | 5554 1168 | 5555 1169 | 5632 1170 | 5679 1171 | 5680 1172 | 5713 1173 | 5714 1174 | 5715 1175 | 5716 1176 | 5717 1177 | 5801 1178 | 5802 1179 | 5803 1180 | 5901 1181 | 5902 1182 | 5903 1183 | 5977 1184 | 5978 1185 | 5979 1186 | 5997 1187 | 5998 1188 | 5999 1189 | 6002 1190 | 6003 1191 | 6004 1192 | 6005 1193 | 6006 1194 | 6007 1195 | 6008 1196 | 6009 1197 | 6010 1198 | 6017 1199 | 6050 1200 | 6101 1201 | 6103 1202 | 6105 1203 | 6106 1204 | 6110 1205 | 6111 1206 | 6141 1207 | 6142 1208 | 6143 1209 | 6144 1210 | 6145 1211 | 6146 1212 | 6147 1213 | 6148 1214 | 6346 1215 | 6347 1216 | 6400 1217 | 6401 1218 | 6502 1219 | 6543 1220 | 6544 1221 | 6547 1222 | 6548 1223 | 6549 1224 | 6558 1225 | 6566 1226 | 6588 1227 | 6666 1228 | 6667 1229 | 6668 1230 | 6699 1231 | 6969 1232 | 7000 1233 | 7001 1234 | 7002 1235 | 7003 1236 | 7004 1237 | 7005 1238 | 7006 1239 | 7007 1240 | 7008 1241 | 7009 1242 | 7010 1243 | 7070 1244 | 7200 1245 | 7201 1246 | 7273 1247 | 7326 1248 | 7464 1249 | 7597 1250 | 7648 1251 | 7649 1252 | 7650 1253 | 7651 1254 | 8007 1255 | 8008 1256 | 8009 1257 | 8021 1258 | 8081 1259 | 8082 1260 | 8443 1261 | 8888 1262 | 8892 1263 | 9090 1264 | 9100 1265 | 9101 1266 | 9102 1267 | 9103 1268 | 9111 1269 | 9152 1270 | 9359 1271 | 9535 1272 | 9876 1273 | 9888 1274 | 9898 1275 | 9991 1276 | 9992 1277 | 9999 1278 | 10000 1279 | 10005 1280 | 10080 1281 | 10081 1282 | 10082 1283 | 10083 1284 | 11201 1285 | 11371 1286 | 11720 1287 | 12000 1288 | 12345 1289 | 12346 1290 | 13724 1291 | 15126 1292 | 15345 1293 | 16959 1294 | 17007 1295 | 17185 1296 | 17300 1297 | 18000 1298 | 18264 1299 | 19150 1300 | 20005 1301 | 20011 1302 | 20012 1303 | 22273 1304 | 22289 1305 | 22305 1306 | 22321 1307 | 22370 1308 | 24554 1309 | 26000 1310 | 26208 1311 | 26900 1312 | 27000 1313 | 27001 1314 | 27002 1315 | 27003 1316 | 27004 1317 | 27005 1318 | 27006 1319 | 27007 1320 | 27008 1321 | 27009 1322 | 27010 1323 | 27015 1324 | 27374 1325 | 27444 1326 | 27500 1327 | 27665 1328 | 27910 1329 | 27960 1330 | 28910 1331 | 31335 1332 | 31337 1333 | 32768 1334 | 33434 1335 | 38037 1336 | 38292 1337 | 38293 1338 | 39213 1339 | 43188 1340 | 44334 1341 | 44442 1342 | 44443 1343 | 45000 1344 | 47557 1345 | 54320 1346 | 54321 1347 | 60177 1348 | 60179 1349 | 61439 1350 | 61440 1351 | 61441 1352 | -------------------------------------------------------------------------------- /ports-udp-common.txt: -------------------------------------------------------------------------------- 1 | 21 2 | 22 3 | 23 4 | 25 5 | 53 6 | 79 7 | 80 8 | 88 9 | 110 10 | 111 11 | 113 12 | 119 13 | 139 14 | 256 15 | 257 16 | 264 17 | 389 18 | 443 19 | 445 20 | 512 21 | 513 22 | 514 23 | 515 24 | 540 25 | 593 26 | 631 27 | 1025 28 | 1433 29 | 1494 30 | 1521 31 | 1524 32 | 1526 33 | 1723 34 | 1812 35 | 1900 36 | 2001 37 | 2049 38 | 2301 39 | 2381 40 | 2433 41 | 3128 42 | 3268 43 | 3269 44 | 3306 45 | 3372 46 | 3389 47 | 4001 48 | 5000 49 | 5631 50 | 5800 51 | 5900 52 | 6000 53 | 6001 54 | 6112 55 | 7100 56 | 8000 57 | 8080 58 | 9001 59 | 13701 60 | 13702 61 | 13705 62 | 13706 63 | 13708 64 | 13709 65 | 13710 66 | 13711 67 | 13712 68 | 13713 69 | 13714 70 | 13715 71 | 13716 72 | 13717 73 | 13718 74 | 13720 75 | 13721 76 | 13722 77 | 13782 78 | 13783 79 | 18181 80 | 18182 81 | 18183 82 | 18184 83 | 18185 84 | 18187 85 | 32770 86 | 32771 87 | 32772 88 | 32773 89 | 32774 90 | 32775 91 | 32776 92 | 32777 93 | 32778 94 | 32779 95 | 32780 96 | 32786 97 | 32787 98 | 49400 99 | 60000 100 | 65301 101 | -------------------------------------------------------------------------------- /ports-udp-known.txt: -------------------------------------------------------------------------------- 1 | 21 2 | 22 3 | 23 4 | 25 5 | 53 6 | 79 7 | 80 8 | 88 9 | 110 10 | 111 11 | 113 12 | 119 13 | 139 14 | 256 15 | 257 16 | 264 17 | 389 18 | 443 19 | 445 20 | 512 21 | 513 22 | 514 23 | 515 24 | 540 25 | 593 26 | 631 27 | 1025 28 | 1433 29 | 1494 30 | 1521 31 | 1524 32 | 1526 33 | 1723 34 | 1812 35 | 1900 36 | 2001 37 | 2049 38 | 2301 39 | 2381 40 | 3128 41 | 3268 42 | 3269 43 | 3306 44 | 3372 45 | 3389 46 | 4001 47 | 5000 48 | 5631 49 | 5800 50 | 5900 51 | 6000 52 | 6001 53 | 6112 54 | 7100 55 | 8000 56 | 8080 57 | 9001 58 | 13701 59 | 13702 60 | 13705 61 | 13706 62 | 13708 63 | 13709 64 | 13710 65 | 13711 66 | 13712 67 | 13713 68 | 13714 69 | 13715 70 | 13716 71 | 13717 72 | 13718 73 | 13720 74 | 13721 75 | 13722 76 | 13782 77 | 13783 78 | 18181 79 | 18182 80 | 18183 81 | 18184 82 | 18185 83 | 18187 84 | 32770 85 | 32771 86 | 32772 87 | 32773 88 | 32774 89 | 32775 90 | 32776 91 | 32777 92 | 32778 93 | 32779 94 | 32780 95 | 32786 96 | 32787 97 | 49400 98 | 65301 99 | 1 100 | 2 101 | 3 102 | 4 103 | 5 104 | 6 105 | 7 106 | 9 107 | 11 108 | 13 109 | 15 110 | 17 111 | 18 112 | 19 113 | 20 114 | 24 115 | 27 116 | 29 117 | 31 118 | 33 119 | 35 120 | 37 121 | 38 122 | 39 123 | 41 124 | 42 125 | 43 126 | 44 127 | 45 128 | 46 129 | 47 130 | 48 131 | 49 132 | 50 133 | 51 134 | 52 135 | 54 136 | 55 137 | 56 138 | 57 139 | 58 140 | 59 141 | 61 142 | 62 143 | 63 144 | 64 145 | 65 146 | 66 147 | 67 148 | 68 149 | 69 150 | 70 151 | 71 152 | 72 153 | 73 154 | 74 155 | 75 156 | 76 157 | 77 158 | 78 159 | 81 160 | 82 161 | 83 162 | 84 163 | 85 164 | 86 165 | 87 166 | 89 167 | 90 168 | 91 169 | 92 170 | 93 171 | 94 172 | 95 173 | 96 174 | 97 175 | 98 176 | 99 177 | 100 178 | 101 179 | 102 180 | 103 181 | 104 182 | 105 183 | 106 184 | 107 185 | 108 186 | 109 187 | 112 188 | 114 189 | 115 190 | 116 191 | 117 192 | 118 193 | 120 194 | 121 195 | 122 196 | 123 197 | 124 198 | 125 199 | 126 200 | 127 201 | 128 202 | 129 203 | 130 204 | 131 205 | 132 206 | 133 207 | 134 208 | 135 209 | 136 210 | 137 211 | 138 212 | 140 213 | 141 214 | 142 215 | 143 216 | 144 217 | 145 218 | 146 219 | 147 220 | 148 221 | 149 222 | 150 223 | 151 224 | 152 225 | 153 226 | 154 227 | 155 228 | 156 229 | 157 230 | 158 231 | 159 232 | 160 233 | 161 234 | 162 235 | 163 236 | 164 237 | 165 238 | 166 239 | 167 240 | 168 241 | 169 242 | 170 243 | 171 244 | 172 245 | 173 246 | 174 247 | 175 248 | 176 249 | 177 250 | 178 251 | 179 252 | 180 253 | 181 254 | 182 255 | 183 256 | 184 257 | 185 258 | 186 259 | 187 260 | 188 261 | 189 262 | 190 263 | 191 264 | 192 265 | 193 266 | 194 267 | 195 268 | 196 269 | 197 270 | 198 271 | 199 272 | 200 273 | 201 274 | 202 275 | 203 276 | 204 277 | 205 278 | 206 279 | 207 280 | 208 281 | 209 282 | 210 283 | 211 284 | 212 285 | 213 286 | 214 287 | 215 288 | 216 289 | 217 290 | 218 291 | 219 292 | 220 293 | 221 294 | 222 295 | 223 296 | 242 297 | 243 298 | 244 299 | 245 300 | 246 301 | 247 302 | 248 303 | 258 304 | 259 305 | 260 306 | 261 307 | 262 308 | 263 309 | 265 310 | 280 311 | 281 312 | 282 313 | 308 314 | 309 315 | 310 316 | 311 317 | 312 318 | 313 319 | 314 320 | 315 321 | 316 322 | 317 323 | 321 324 | 344 325 | 345 326 | 346 327 | 347 328 | 348 329 | 349 330 | 350 331 | 351 332 | 352 333 | 353 334 | 354 335 | 355 336 | 356 337 | 357 338 | 358 339 | 359 340 | 360 341 | 361 342 | 362 343 | 363 344 | 364 345 | 365 346 | 366 347 | 367 348 | 368 349 | 369 350 | 370 351 | 371 352 | 372 353 | 373 354 | 374 355 | 375 356 | 376 357 | 377 358 | 378 359 | 379 360 | 380 361 | 381 362 | 382 363 | 383 364 | 384 365 | 385 366 | 386 367 | 387 368 | 388 369 | 390 370 | 391 371 | 392 372 | 393 373 | 394 374 | 395 375 | 396 376 | 397 377 | 398 378 | 399 379 | 400 380 | 401 381 | 402 382 | 403 383 | 404 384 | 405 385 | 406 386 | 407 387 | 408 388 | 409 389 | 410 390 | 411 391 | 412 392 | 413 393 | 414 394 | 415 395 | 416 396 | 417 397 | 418 398 | 419 399 | 420 400 | 421 401 | 422 402 | 423 403 | 424 404 | 425 405 | 426 406 | 427 407 | 428 408 | 429 409 | 430 410 | 431 411 | 432 412 | 433 413 | 434 414 | 435 415 | 436 416 | 437 417 | 438 418 | 439 419 | 440 420 | 441 421 | 442 422 | 444 423 | 446 424 | 447 425 | 448 426 | 449 427 | 450 428 | 451 429 | 452 430 | 453 431 | 454 432 | 455 433 | 456 434 | 457 435 | 458 436 | 459 437 | 460 438 | 461 439 | 462 440 | 463 441 | 464 442 | 465 443 | 466 444 | 467 445 | 468 446 | 469 447 | 470 448 | 471 449 | 472 450 | 473 451 | 474 452 | 475 453 | 476 454 | 477 455 | 478 456 | 479 457 | 480 458 | 481 459 | 482 460 | 483 461 | 484 462 | 485 463 | 486 464 | 487 465 | 488 466 | 489 467 | 490 468 | 491 469 | 492 470 | 493 471 | 494 472 | 495 473 | 496 474 | 497 475 | 498 476 | 499 477 | 500 478 | 501 479 | 502 480 | 503 481 | 504 482 | 505 483 | 506 484 | 507 485 | 508 486 | 509 487 | 510 488 | 511 489 | 516 490 | 517 491 | 518 492 | 519 493 | 520 494 | 521 495 | 522 496 | 523 497 | 524 498 | 525 499 | 526 500 | 527 501 | 528 502 | 529 503 | 530 504 | 531 505 | 532 506 | 533 507 | 534 508 | 535 509 | 536 510 | 537 511 | 538 512 | 539 513 | 541 514 | 542 515 | 543 516 | 544 517 | 545 518 | 546 519 | 547 520 | 548 521 | 549 522 | 550 523 | 551 524 | 552 525 | 553 526 | 554 527 | 555 528 | 556 529 | 557 530 | 558 531 | 559 532 | 560 533 | 561 534 | 562 535 | 563 536 | 564 537 | 565 538 | 566 539 | 567 540 | 568 541 | 569 542 | 570 543 | 571 544 | 572 545 | 573 546 | 574 547 | 575 548 | 576 549 | 577 550 | 578 551 | 579 552 | 580 553 | 581 554 | 582 555 | 583 556 | 584 557 | 585 558 | 586 559 | 587 560 | 588 561 | 589 562 | 590 563 | 591 564 | 592 565 | 594 566 | 595 567 | 596 568 | 597 569 | 598 570 | 599 571 | 600 572 | 603 573 | 606 574 | 607 575 | 608 576 | 609 577 | 610 578 | 611 579 | 612 580 | 617 581 | 624 582 | 625 583 | 626 584 | 627 585 | 628 586 | 629 587 | 630 588 | 634 589 | 635 590 | 636 591 | 637 592 | 640 593 | 650 594 | 655 595 | 660 596 | 666 597 | 674 598 | 691 599 | 694 600 | 704 601 | 706 602 | 709 603 | 723 604 | 729 605 | 730 606 | 731 607 | 737 608 | 740 609 | 741 610 | 742 611 | 744 612 | 747 613 | 748 614 | 749 615 | 750 616 | 751 617 | 752 618 | 753 619 | 754 620 | 758 621 | 759 622 | 760 623 | 761 624 | 762 625 | 763 626 | 764 627 | 765 628 | 767 629 | 769 630 | 770 631 | 771 632 | 772 633 | 773 634 | 774 635 | 775 636 | 776 637 | 780 638 | 781 639 | 782 640 | 783 641 | 786 642 | 799 643 | 800 644 | 801 645 | 808 646 | 871 647 | 873 648 | 888 649 | 898 650 | 901 651 | 902 652 | 903 653 | 950 654 | 953 655 | 975 656 | 989 657 | 990 658 | 991 659 | 992 660 | 993 661 | 994 662 | 995 663 | 996 664 | 997 665 | 998 666 | 999 667 | 1000 668 | 1002 669 | 1008 670 | 1012 671 | 1023 672 | 1024 673 | 1026 674 | 1027 675 | 1028 676 | 1029 677 | 1030 678 | 1031 679 | 1032 680 | 1033 681 | 1040 682 | 1043 683 | 1050 684 | 1058 685 | 1059 686 | 1067 687 | 1068 688 | 1076 689 | 1080 690 | 1083 691 | 1084 692 | 1099 693 | 1103 694 | 1109 695 | 1110 696 | 1112 697 | 1127 698 | 1139 699 | 1155 700 | 1167 701 | 1178 702 | 1212 703 | 1214 704 | 1220 705 | 1222 706 | 1234 707 | 1236 708 | 1241 709 | 1248 710 | 1300 711 | 1313 712 | 1337 713 | 1346 714 | 1347 715 | 1348 716 | 1349 717 | 1350 718 | 1351 719 | 1352 720 | 1353 721 | 1354 722 | 1355 723 | 1356 724 | 1357 725 | 1358 726 | 1359 727 | 1360 728 | 1361 729 | 1362 730 | 1363 731 | 1364 732 | 1365 733 | 1366 734 | 1367 735 | 1368 736 | 1369 737 | 1370 738 | 1371 739 | 1372 740 | 1373 741 | 1374 742 | 1375 743 | 1376 744 | 1377 745 | 1378 746 | 1379 747 | 1380 748 | 1381 749 | 1383 750 | 1384 751 | 1385 752 | 1386 753 | 1387 754 | 1388 755 | 1389 756 | 1390 757 | 1391 758 | 1392 759 | 1393 760 | 1394 761 | 1395 762 | 1396 763 | 1397 764 | 1398 765 | 1399 766 | 1400 767 | 1401 768 | 1402 769 | 1403 770 | 1404 771 | 1405 772 | 1406 773 | 1407 774 | 1408 775 | 1409 776 | 1410 777 | 1411 778 | 1412 779 | 1413 780 | 1414 781 | 1415 782 | 1416 783 | 1417 784 | 1418 785 | 1419 786 | 1420 787 | 1421 788 | 1422 789 | 1423 790 | 1424 791 | 1425 792 | 1426 793 | 1427 794 | 1428 795 | 1429 796 | 1430 797 | 1431 798 | 1432 799 | 1434 800 | 1435 801 | 1436 802 | 1437 803 | 1438 804 | 1439 805 | 1440 806 | 1441 807 | 1442 808 | 1443 809 | 1444 810 | 1445 811 | 1446 812 | 1447 813 | 1448 814 | 1449 815 | 1450 816 | 1451 817 | 1452 818 | 1453 819 | 1454 820 | 1455 821 | 1456 822 | 1457 823 | 1458 824 | 1459 825 | 1460 826 | 1461 827 | 1462 828 | 1463 829 | 1464 830 | 1465 831 | 1466 832 | 1467 833 | 1468 834 | 1469 835 | 1470 836 | 1471 837 | 1472 838 | 1473 839 | 1474 840 | 1475 841 | 1476 842 | 1477 843 | 1478 844 | 1479 845 | 1480 846 | 1481 847 | 1482 848 | 1483 849 | 1484 850 | 1485 851 | 1486 852 | 1487 853 | 1488 854 | 1489 855 | 1490 856 | 1491 857 | 1492 858 | 1493 859 | 1495 860 | 1496 861 | 1497 862 | 1498 863 | 1499 864 | 1500 865 | 1501 866 | 1502 867 | 1503 868 | 1504 869 | 1505 870 | 1506 871 | 1507 872 | 1508 873 | 1509 874 | 1510 875 | 1511 876 | 1512 877 | 1513 878 | 1514 879 | 1515 880 | 1516 881 | 1517 882 | 1518 883 | 1519 884 | 1520 885 | 1522 886 | 1523 887 | 1525 888 | 1527 889 | 1528 890 | 1529 891 | 1530 892 | 1531 893 | 1532 894 | 1533 895 | 1534 896 | 1535 897 | 1536 898 | 1537 899 | 1538 900 | 1539 901 | 1540 902 | 1541 903 | 1542 904 | 1543 905 | 1544 906 | 1545 907 | 1546 908 | 1547 909 | 1548 910 | 1549 911 | 1550 912 | 1551 913 | 1552 914 | 1600 915 | 1645 916 | 1646 917 | 1647 918 | 1648 919 | 1649 920 | 1650 921 | 1651 922 | 1652 923 | 1661 924 | 1662 925 | 1663 926 | 1664 927 | 1665 928 | 1666 929 | 1667 930 | 1668 931 | 1669 932 | 1670 933 | 1671 934 | 1672 935 | 1680 936 | 1701 937 | 1718 938 | 1719 939 | 1720 940 | 1755 941 | 1758 942 | 1761 943 | 1762 944 | 1763 945 | 1764 946 | 1789 947 | 1813 948 | 1827 949 | 1911 950 | 1935 951 | 1957 952 | 1984 953 | 1985 954 | 1986 955 | 1987 956 | 1988 957 | 1989 958 | 1990 959 | 1991 960 | 1992 961 | 1993 962 | 1994 963 | 1995 964 | 1996 965 | 1997 966 | 1998 967 | 1999 968 | 2000 969 | 2002 970 | 2003 971 | 2004 972 | 2005 973 | 2006 974 | 2007 975 | 2008 976 | 2009 977 | 2010 978 | 2011 979 | 2012 980 | 2013 981 | 2014 982 | 2015 983 | 2016 984 | 2017 985 | 2018 986 | 2019 987 | 2020 988 | 2021 989 | 2022 990 | 2023 991 | 2024 992 | 2025 993 | 2026 994 | 2027 995 | 2028 996 | 2030 997 | 2032 998 | 2033 999 | 2034 1000 | 2035 1001 | 2038 1002 | 2040 1003 | 2041 1004 | 2042 1005 | 2043 1006 | 2044 1007 | 2045 1008 | 2046 1009 | 2047 1010 | 2048 1011 | 2053 1012 | 2064 1013 | 2065 1014 | 2067 1015 | 2068 1016 | 2101 1017 | 2102 1018 | 2103 1019 | 2104 1020 | 2105 1021 | 2106 1022 | 2108 1023 | 2111 1024 | 2112 1025 | 2120 1026 | 2121 1027 | 2150 1028 | 2201 1029 | 2232 1030 | 2241 1031 | 2307 1032 | 2401 1033 | 2430 1034 | 2431 1035 | 2432 1036 | 2433 1037 | 2500 1038 | 2501 1039 | 2564 1040 | 2583 1041 | 2600 1042 | 2601 1043 | 2602 1044 | 2603 1045 | 2604 1046 | 2605 1047 | 2606 1048 | 2607 1049 | 2608 1050 | 2627 1051 | 2628 1052 | 2638 1053 | 2766 1054 | 2784 1055 | 2809 1056 | 2882 1057 | 2903 1058 | 2967 1059 | 2988 1060 | 2998 1061 | 3000 1062 | 3001 1063 | 3005 1064 | 3006 1065 | 3049 1066 | 3050 1067 | 3052 1068 | 3064 1069 | 3086 1070 | 3130 1071 | 3141 1072 | 3264 1073 | 3292 1074 | 3333 1075 | 3346 1076 | 3401 1077 | 3421 1078 | 3455 1079 | 3456 1080 | 3457 1081 | 3462 1082 | 3493 1083 | 3531 1084 | 3632 1085 | 3689 1086 | 3690 1087 | 3900 1088 | 3928 1089 | 3929 1090 | 3984 1091 | 3985 1092 | 3986 1093 | 3996 1094 | 3997 1095 | 3998 1096 | 3999 1097 | 4000 1098 | 4002 1099 | 4003 1100 | 4004 1101 | 4005 1102 | 4006 1103 | 4007 1104 | 4008 1105 | 4045 1106 | 4125 1107 | 4132 1108 | 4133 1109 | 4144 1110 | 4224 1111 | 4321 1112 | 4333 1113 | 4343 1114 | 4444 1115 | 4480 1116 | 4500 1117 | 4557 1118 | 4559 1119 | 4600 1120 | 4660 1121 | 4672 1122 | 4827 1123 | 4899 1124 | 4987 1125 | 4998 1126 | 5001 1127 | 5002 1128 | 5003 1129 | 5010 1130 | 5011 1131 | 5050 1132 | 5051 1133 | 5060 1134 | 5100 1135 | 5101 1136 | 5102 1137 | 5145 1138 | 5190 1139 | 5191 1140 | 5192 1141 | 5193 1142 | 5222 1143 | 5232 1144 | 5236 1145 | 5269 1146 | 5300 1147 | 5301 1148 | 5302 1149 | 5303 1150 | 5304 1151 | 5305 1152 | 5308 1153 | 5354 1154 | 5355 1155 | 5400 1156 | 5405 1157 | 5428 1158 | 5432 1159 | 5490 1160 | 5500 1161 | 5510 1162 | 5520 1163 | 5530 1164 | 5540 1165 | 5550 1166 | 5553 1167 | 5554 1168 | 5555 1169 | 5632 1170 | 5679 1171 | 5680 1172 | 5713 1173 | 5714 1174 | 5715 1175 | 5716 1176 | 5717 1177 | 5801 1178 | 5802 1179 | 5803 1180 | 5901 1181 | 5902 1182 | 5903 1183 | 5977 1184 | 5978 1185 | 5979 1186 | 5997 1187 | 5998 1188 | 5999 1189 | 6002 1190 | 6003 1191 | 6004 1192 | 6005 1193 | 6006 1194 | 6007 1195 | 6008 1196 | 6009 1197 | 6010 1198 | 6017 1199 | 6050 1200 | 6101 1201 | 6103 1202 | 6105 1203 | 6106 1204 | 6110 1205 | 6111 1206 | 6141 1207 | 6142 1208 | 6143 1209 | 6144 1210 | 6145 1211 | 6146 1212 | 6147 1213 | 6148 1214 | 6346 1215 | 6347 1216 | 6400 1217 | 6401 1218 | 6502 1219 | 6543 1220 | 6544 1221 | 6547 1222 | 6548 1223 | 6549 1224 | 6558 1225 | 6566 1226 | 6588 1227 | 6666 1228 | 6667 1229 | 6668 1230 | 6699 1231 | 6969 1232 | 7000 1233 | 7001 1234 | 7002 1235 | 7003 1236 | 7004 1237 | 7005 1238 | 7006 1239 | 7007 1240 | 7008 1241 | 7009 1242 | 7010 1243 | 7070 1244 | 7200 1245 | 7201 1246 | 7273 1247 | 7326 1248 | 7464 1249 | 7597 1250 | 7648 1251 | 7649 1252 | 7650 1253 | 7651 1254 | 8007 1255 | 8008 1256 | 8009 1257 | 8021 1258 | 8081 1259 | 8082 1260 | 8443 1261 | 8888 1262 | 8892 1263 | 9090 1264 | 9100 1265 | 9101 1266 | 9102 1267 | 9103 1268 | 9111 1269 | 9152 1270 | 9359 1271 | 9535 1272 | 9876 1273 | 9888 1274 | 9898 1275 | 9991 1276 | 9992 1277 | 9999 1278 | 10000 1279 | 10005 1280 | 10080 1281 | 10081 1282 | 10082 1283 | 10083 1284 | 11201 1285 | 11371 1286 | 11720 1287 | 12000 1288 | 12345 1289 | 12346 1290 | 13724 1291 | 15126 1292 | 15345 1293 | 16959 1294 | 17007 1295 | 17185 1296 | 17300 1297 | 18000 1298 | 19150 1299 | 20005 1300 | 20011 1301 | 20012 1302 | 22273 1303 | 22289 1304 | 22305 1305 | 22321 1306 | 22370 1307 | 24554 1308 | 26000 1309 | 26208 1310 | 26900 1311 | 27000 1312 | 27001 1313 | 27002 1314 | 27003 1315 | 27004 1316 | 27005 1317 | 27006 1318 | 27007 1319 | 27008 1320 | 27009 1321 | 27010 1322 | 27015 1323 | 27374 1324 | 27444 1325 | 27500 1326 | 27665 1327 | 27910 1328 | 27960 1329 | 28910 1330 | 31335 1331 | 31337 1332 | 32768 1333 | 33434 1334 | 38037 1335 | 38292 1336 | 38293 1337 | 39213 1338 | 43188 1339 | 44334 1340 | 44442 1341 | 44443 1342 | 45000 1343 | 47557 1344 | 54320 1345 | 54321 1346 | 60177 1347 | 60179 1348 | 61439 1349 | 61440 1350 | 61441 1351 | -------------------------------------------------------------------------------- /scanner-icmp.cpp: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #include "scanner-icmp.h" 29 | 30 | // TODO 31 | // 32 | // Retries aren't implemented for ICMP scanning!! 33 | 34 | // char *icmp_type[] = { 35 | const char *icmp_type[] = { 36 | "ECHO_REPLY", 37 | "UNKNOWN-TYPE1", 38 | "UNKNOWN-TYPE2", 39 | "DEST_UNREACH", 40 | "SOURCE_QUENCH", 41 | "REDIRECT", 42 | "UNKNOWN-TYPE6", 43 | "UNKNOWN-TYPE7", 44 | "ECHO_REQUEST", 45 | "UNKNOWN-TYPE9", 46 | "ROUTER_SOLICITATION", 47 | "TIME_EXCEEDED", 48 | "PARAMETERPROB", 49 | "TIMESTAMP_REQUEST", 50 | "TIMESTAMP_REPLY", 51 | "INFO_REQUEST", 52 | "INFO_REPLY", 53 | "ADDRESS_REQUEST", 54 | "ADDRESS_REPLY" 55 | }; 56 | 57 | /* 58 | * Constructor args: 59 | * 60 | * char *device - Device to listen of for returned packets 61 | * 62 | */ 63 | IcmpScanner::IcmpScanner(char *device) { 64 | if (debug > 2) printf("IcmpScanner: Constructing\n"); 65 | setDevice(device); 66 | scan_complete = 0; 67 | resetCounters(); 68 | } 69 | 70 | IcmpScanner::IcmpScanner() { 71 | if (debug > 2) printf("IcmpScanner: Constructing\n"); 72 | scan_complete = 0; 73 | resetCounters(); 74 | } 75 | 76 | void IcmpScanner::resetCounters() { 77 | icmp_test_count = 0; 78 | host_test_count = 0; 79 | } 80 | 81 | void IcmpScanner::setPcapFilter() { 82 | snprintf(pfilter, PCAP_FILTER_LEN, "icmp and dst host %s", src_ip_str); 83 | } 84 | 85 | int IcmpScanner::getPercentComplete() { 86 | return int(100 * packets_sent / (icmp_test_count * getHostCount() * tries)); 87 | } 88 | 89 | int IcmpScanner::getRemainingScanTime() { 90 | int bytes_per_packet = int(total_bytes_sent / packets_sent); 91 | return int(1 + getRTT().tv_sec + getRTT().tv_usec / 1000000 + (icmp_test_count * getHostCount() * tries - packets_sent) * bytes_per_packet * 8 / getBandwidthMax()); 92 | } 93 | 94 | int IcmpScanner::sendPacket() { 95 | if (debug > 2) printf("IcmpScanner::sendPacket: Called\n"); 96 | 97 | if (scan_complete) { 98 | return 0; 99 | } 100 | 101 | // First check if there's anything left to scan. Return 0 if not. 102 | // 103 | // This involves moving onto the next host/port and checking if we've found 104 | // something that can be scanned. It's a bit untidy, but it's important that 105 | // this func can be called even if nothing needs scanning. 106 | 107 | // Note the current port element 108 | // We need to note this so we can tell we've been completely round the port list 109 | 110 | // If all host elements have been deleted, we're done. 111 | if (!pcurrent_host_element) return 0; 112 | 113 | #ifdef DEBUG 114 | if (!pcurrent_host_element) { 115 | printf("DEBUG WARNING: TcpScanner::sendPacket called with pcurrent_host_element = null\n"); 116 | } 117 | 118 | if (!pcurrent_host_element->pcurrent) { 119 | printf("DEBUG WARNING: TcpScanner::sendPacket called with pcurrent_host_element->pcurrent = null\n"); 120 | } 121 | #endif 122 | 123 | struct icmp_element *pstart_icmp_element = pcurrent_host_element->pcurrent; 124 | 125 | // Increment the port pointer on this host 126 | pcurrent_host_element->pcurrent = pcurrent_host_element->pcurrent->pnext; 127 | int more_tests = 0; 128 | 129 | // Move onto next host 130 | pcurrent_host_element = pcurrent_host_element->pnext; 131 | 132 | // optimisation to avoid too much pointer defrerencing. Hardly worth it. 133 | struct icmp_element *pcurhost_curicmp = pcurrent_host_element->pcurrent; 134 | 135 | while (!more_tests and pcurhost_curicmp != pstart_icmp_element) { 136 | // can we send to the current port in this portlist? 137 | if (pcurhost_curicmp->send_count < tries) { 138 | // we can send to this 139 | more_tests = 1; 140 | } else { 141 | // we can't send. increment the port pointer on this host 142 | pcurrent_host_element->pcurrent = pcurhost_curicmp->pnext; 143 | 144 | // change to next host 145 | pcurrent_host_element = pcurrent_host_element->pnext; 146 | pcurhost_curicmp = pcurrent_host_element->pcurrent; 147 | } 148 | } 149 | 150 | // Return 0 if there is nothing left to scan 151 | if (!(more_tests or pcurhost_curicmp->send_count < tries)) { 152 | return 0; 153 | } 154 | 155 | /* vars for sending */ 156 | struct send_icmp send_icmp; 157 | struct sockaddr_in sin; 158 | int send_socket; 159 | 160 | /* setup for sending */ 161 | int packet_size = sizeof(send_icmp); 162 | 163 | send_icmp.ip.ihl = 5; 164 | send_icmp.ip.version = 4; 165 | send_icmp.ip.tos = 0; 166 | send_icmp.ip.tot_len = htons(packet_size); 167 | send_icmp.ip.frag_off = 0; 168 | send_icmp.ip.ttl = getTTL(); 169 | send_icmp.ip.protocol = IPPROTO_ICMP; 170 | send_icmp.ip.check = 0; 171 | memcpy(&send_icmp.ip.saddr, &src_ip, sizeof(src_ip)); 172 | 173 | /* end of sending setup */ 174 | 175 | sin.sin_family = AF_INET; 176 | send_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); 177 | if(!send_socket) { 178 | perror("socket"); 179 | exit(1); 180 | } 181 | int options; 182 | options = O_NONBLOCK | fcntl(send_socket, F_GETFL); 183 | if(fcntl(send_socket, F_SETFL, options) < 0) { 184 | perror("FCNTL"); 185 | exit(1); 186 | } 187 | 188 | int one = 1; 189 | int *oneptr = &one; 190 | 191 | if (setsockopt(send_socket, IPPROTO_IP, IP_HDRINCL, oneptr, sizeof(one)) == -1) { 192 | printf("setsockopt: set IP_HDRINCL failed\n"); 193 | } 194 | 195 | // what does this do. is it important? 196 | if (setsockopt(send_socket, SOL_SOCKET, SO_BROADCAST, oneptr, sizeof(one)) == -1) 197 | { 198 | printf("libnet_open_raw_sock: set SO_BROADCAST failed\n"); 199 | } 200 | 201 | if(send_socket < 0) 202 | { 203 | perror("send socket cannot be open. Are you root?"); 204 | exit(1); 205 | } 206 | 207 | send_icmp.ip.daddr = pcurrent_host_element->ip.s_addr; 208 | sin.sin_addr.s_addr = send_icmp.ip.daddr; 209 | 210 | // send_icmp.icmp.type = icmp_probe_type; 211 | send_icmp.icmp.type = pcurrent_host_element->pcurrent->type; 212 | // send_icmp.icmp.code = 0; 213 | send_icmp.icmp.code = pcurrent_host_element->pcurrent->code; 214 | int current_syncookie = syncookie(send_icmp.ip.saddr, send_icmp.ip.daddr, getpid(), getpid()); 215 | 216 | /* Store the 16 high order bytes from the syncookie in id */ 217 | send_icmp.icmp.un.echo.id = htons((unsigned short int)(current_syncookie % 65536)); 218 | 219 | /* Store the 16 low order bytes from the syncookie in sequence */ 220 | send_icmp.icmp.un.echo.sequence = htons((unsigned short int)(current_syncookie >> 16)); 221 | 222 | /* recalc checksum */ 223 | send_icmp.ip.check = 0; 224 | send_icmp.icmp.checksum = 0; 225 | send_icmp.ip.check = in_cksum((unsigned short *)&send_icmp.ip, sizeof(send_icmp.ip)); 226 | 227 | // Now hack packets depending on their type 228 | char binary_packet[40]; 229 | bcopy(&send_icmp, &binary_packet, packet_size); // length probably 28 230 | 231 | /* special case [read "hack"] for router solicitation */ 232 | if (pcurrent_host_element->pcurrent->type == 10) { 233 | /* change ip header length */ 234 | int new_packet_size = 28; 235 | send_icmp.ip.tot_len = htons(new_packet_size); 236 | send_icmp.ip.check = 0; 237 | send_icmp.ip.check = in_cksum((unsigned short *)&binary_packet, sizeof(send_icmp.ip)); 238 | 239 | /* copy again now ip header is correct */ 240 | bcopy(&send_icmp, &binary_packet, packet_size); // length probably 28 241 | 242 | /* fill in timestamp specific fields */ 243 | binary_packet[24] = 0; // Reserved - must be 0 244 | binary_packet[25] = 0; 245 | binary_packet[26] = 0; 246 | binary_packet[27] = 0; 247 | 248 | /* update length so we copy right no of bytes to wire */ 249 | packet_size = new_packet_size; 250 | } 251 | 252 | /* special case [read "hack"] for timestamp */ 253 | if (pcurrent_host_element->pcurrent->type == 13) { 254 | /* change ip header length */ 255 | int new_packet_size = 40; 256 | send_icmp.ip.tot_len = htons(new_packet_size); 257 | send_icmp.ip.check = 0; 258 | send_icmp.ip.check = in_cksum((unsigned short *)&binary_packet, sizeof(send_icmp.ip)); 259 | 260 | /* copy again now ip header is correct */ 261 | bcopy(&send_icmp, &binary_packet, packet_size); // length probably 28 262 | 263 | /* fill in timestamp specific fields */ 264 | binary_packet[39] = 0; // Transmit timestamp 265 | binary_packet[38] = 0; 266 | binary_packet[37] = 0; 267 | binary_packet[36] = 0; 268 | 269 | binary_packet[35] = 0; // Receive timestamp 270 | binary_packet[34] = 0; 271 | binary_packet[33] = 0; 272 | binary_packet[32] = 0; 273 | 274 | struct timeval tv; // Originate timestamp (msecs sinces midnight) 275 | gettimeofday(&tv, NULL); 276 | int msecs = htonl(1000 * (tv.tv_sec % (24*60*60)) + int(tv.tv_usec / 1000)); 277 | memcpy(binary_packet + 28, &msecs, 4); 278 | 279 | /* update length so we copy right no of bytes to wire */ 280 | packet_size = new_packet_size; 281 | } 282 | 283 | /* special case [read "hack"] for address mask */ 284 | if (pcurrent_host_element->pcurrent->type == 17) { 285 | /* change ip header length */ 286 | int new_packet_size = 32; 287 | send_icmp.ip.tot_len = htons(new_packet_size); 288 | send_icmp.ip.check = 0; 289 | send_icmp.ip.check = in_cksum((unsigned short *)&binary_packet, sizeof(send_icmp.ip)); 290 | 291 | /* copy again now ip header is correct */ 292 | bcopy(&send_icmp, &binary_packet, packet_size); // length probably 28 293 | 294 | /* fill in the source address mask */ 295 | binary_packet[31] = 0; // Source ip = 0.0.0.0 296 | binary_packet[30] = 0; 297 | binary_packet[29] = 0; 298 | binary_packet[28] = 0; 299 | 300 | /* update length so we copy right no of bytes to wire */ 301 | packet_size = new_packet_size; 302 | } 303 | 304 | // Calculate ICMP checksum 305 | binary_packet[23] = 0; 306 | binary_packet[22] = 0; 307 | *((unsigned short *)&binary_packet[22]) = in_cksum((unsigned short *)(&binary_packet[20]), packet_size - 20); 308 | 309 | /* send packet */ 310 | if (verbose > 2) printf("Sending packet to %s:%s\n", inet_ntoa(pcurrent_host_element->ip), icmp_type[pcurrent_host_element->pcurrent->type]); 311 | sendto(send_socket, &binary_packet, packet_size, 0, (struct sockaddr *)&sin, sizeof(sin)); 312 | close(send_socket); 313 | 314 | // if (debug > 2) printf("pcurrent: %x, pcurrentnext, %x, first: %x, firstnext: %x, last: %x\n", (unsigned int)pcurrent_host_element, (unsigned int)pcurrent_host_element->pnext, (unsigned int)pfirst_host_element, (unsigned int)pfirst_host_element->pnext, (unsigned int)plast_host_element); 315 | 316 | // Increment number of times this icmp test has been done 317 | pcurrent_host_element->pcurrent->send_count++; 318 | 319 | // Delete from list if unless we're going to scan it again 320 | if (pcurrent_host_element->pcurrent->send_count >= tries) { 321 | deleteIcmpTest(pcurrent_host_element, pcurrent_host_element->pcurrent); 322 | } 323 | 324 | // If we just sent the last packet, record this fact 325 | //if(pcurrent_host_element == plast_host_element) { 326 | // scan_complete = 1; 327 | //} 328 | 329 | // Move onto the next host 330 | //pcurrent_host_element = pcurrent_host_element->pnext; 331 | 332 | //After sending a packet ALWAYS return its size - even if it's the last packet 333 | return packet_size; 334 | 335 | /* 336 | * From RFC 792: 337 | * 338 | * Echo 339 | * ---- 340 | * 341 | * 0 1 2 3 342 | * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 343 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 344 | * | Type | Code | Checksum | 345 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 346 | * | Identifier | Sequence Number | 347 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 348 | * | Data ... 349 | * +-+-+-+-+- 350 | * 351 | * Timestamp or Timestamp Reply Message 352 | * ------------------------------------ 353 | * 354 | * 0 1 2 3 355 | * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 356 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 357 | * | Type | Code | Checksum | 358 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 359 | * | Identifier | Sequence Number | 360 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 361 | * | Originate Timestamp | 362 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 363 | * | Receive Timestamp | 364 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 365 | * | Transmit Timestamp | 366 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 367 | * 368 | * Information Request or Information Reply Message 369 | * ------------------------------------------------ 370 | * 371 | * 0 1 2 3 372 | * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 373 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 374 | * | Type | Code | Checksum | 375 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 376 | * | Identifier | Sequence Number | 377 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 378 | * 379 | * Address Mask Request (RFC 950) 380 | * ------------------------------ 381 | * 382 | * 0 1 2 3 383 | * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 384 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 385 | * | Type | Code | Checksum | 386 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 387 | * | Identifier | Sequence Number | 388 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 389 | * | Address Mask | 390 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 391 | * 392 | * Router Solicitation (RFC 1256) 393 | * ------------------------------ 394 | * 395 | * 0 1 2 3 396 | * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 397 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 398 | * | Type | Code | Checksum | 399 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 400 | * | Reserved (must be 0) | 401 | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 402 | * 403 | */ 404 | } 405 | 406 | void IcmpScanner::noMoreRetries(in_addr ip, unsigned char type, unsigned char code) { 407 | if (debug > 2) printf("noMoreRetries: Searching for %s:%hhu/%hhu. Just sent to ", inet_ntoa(ip), type, code); 408 | if (debug > 2) printf("%s:%hhu/%hhu. \n", inet_ntoa(pcurrent_host_element->ip), pcurrent_host_element->pcurrent->type, pcurrent_host_element->pcurrent->code); 409 | 410 | struct host_element *h; 411 | int more_hosts = 1; 412 | int found_icmp_test = 0; 413 | int icmp_tests_tried = 0; 414 | int searching_for_host = 1; 415 | 416 | // if pcurrent_host_element is null, we're nearing the end of 417 | // our scan and there are no port elements left in the list to 418 | // remove. Our work is done. Just return. 419 | if (!pcurrent_host_element) { 420 | return; 421 | } 422 | 423 | h = pcurrent_host_element; 424 | 425 | // search for ip in hostlist 426 | while (more_hosts and !found_icmp_test and searching_for_host) { 427 | // TODO when i write the printf as 1 line i get the same IP twice! 428 | if (debug > 2) printf("Comparing candidate %s with target ip ", inet_ntoa(h->ip)); 429 | if (debug > 2) printf("%s\n", inet_ntoa(ip)); 430 | 431 | // if this is the right host 432 | if (h->ip.s_addr == ip.s_addr) { 433 | searching_for_host = 0; 434 | // search for port in portlist 435 | if (debug > 2) printf("Found host\n"); 436 | struct icmp_element *p; 437 | int more_icmp_tests = 1; 438 | 439 | p = h->pcurrent; 440 | 441 | while (more_icmp_tests and !found_icmp_test) { 442 | icmp_tests_tried++; 443 | if (debug > 2) printf("\tcomparing candidate type/code %hhu/%hhu with target type/code %hhu/%hhu\n", p->type, p->code, type, code); 444 | // if this is the right port 445 | if (p->type == type and p->code == code) { 446 | if (debug > 2) printf("Found type and code\n"); 447 | found_icmp_test = 1; 448 | p->send_count = tries; // make sure we don't send to this port again 449 | } else { 450 | p = p->pnext; 451 | if (p == h->pcurrent) { 452 | if (debug > 2) printf("STRANGE: have searched all the icmp types on this host\n"); 453 | more_icmp_tests = 0; 454 | } 455 | } 456 | } 457 | } 458 | 459 | // increment host pointer 460 | if (h == pcurrent_host_element->pnext) { 461 | more_hosts = 0; 462 | } else { 463 | h = h->pprev; 464 | } 465 | } 466 | if (debug > 2) printf("Search took %d steps\n", icmp_tests_tried); 467 | 468 | if (verbose and !found_icmp_test) { 469 | printf("STRANGE: Couldn't find %s:%hhu/%hhu in my icmp-type list!\n", inet_ntoa(ip), type, code); 470 | } 471 | } 472 | 473 | // adds an icmp type to each host in the host list 474 | int IcmpScanner::addIcmpTest(unsigned char type, unsigned char code) { 475 | icmp_test_count++; 476 | struct host_element *h = pcurrent_host_element; 477 | int first_time_round = 1; 478 | 479 | while ( first_time_round or h != pcurrent_host_element) { 480 | host_test_count++; 481 | first_time_round = 0; 482 | if (debug > 3) printf("IcmpScanner::addIcmpTest: Adding test type=%hhu, code=%hhu to ip %s (%u tests in total)\n", type, code, inet_ntoa(h->ip), icmp_test_count); 483 | struct icmp_element *i; 484 | i = (struct icmp_element *)malloc(sizeof(icmp_element)); 485 | i->type = type; 486 | i->code = code; 487 | i->send_count = 0; 488 | 489 | // if there are no icmp tests already 490 | if(!(h->pcurrent)) { 491 | // the hosts current icmp test is this new one 492 | h->pcurrent = i; 493 | 494 | // the next icmp test after this one is this one 495 | i->pprev = i; 496 | 497 | // the previous icmp test after this one is this one 498 | i->pnext = i; 499 | 500 | // otherwise add our element after the current one 501 | } else { 502 | // the next test after this new one is the one which follows the current one 503 | // (because we're sqeezing in netween current and current->next 504 | i->pnext = h->pcurrent->pnext; 505 | // printf("Setting pnext to %lx\n", (unsigned long int)h->pcurrent->pnext); 506 | 507 | // the test before this new one is the current one. 508 | i->pprev = h->pcurrent; 509 | // printf("Setting pprev to %lx\n", (unsigned long int)h->pcurrent); 510 | //dumpElement(i); 511 | 512 | // the pointers in the new element are now correct, but the 513 | // pointer if the current element and the one which follows it aren't 514 | 515 | h->pcurrent->pnext->pprev = i; 516 | h->pcurrent->pnext = i; 517 | } 518 | 519 | h = h->pnext; 520 | } 521 | //dumpIcmpList(); 522 | 523 | return 1; 524 | } 525 | 526 | void IcmpScanner::dumpElement(icmp_element *i) { 527 | printf("i ......... %lx\n", (unsigned long int)i); 528 | printf("i->pnext .. %lx\n", (unsigned long int)i->pnext); 529 | printf("i->pprev .. %lx\n", (unsigned long int)i->pprev); 530 | printf("i->type ... %d\n", i->type); 531 | printf("i->code ... %d\n", i->code); 532 | } 533 | 534 | void IcmpScanner::pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt) { 535 | int len = pkthdr->len; 536 | 537 | //printf("Packet received\n"); 538 | // static int packet_count = 0; 539 | struct iphdr* ip_hdr; /* to get IP protocol data. */ 540 | struct icmphdr* icmp_hdr; /* to get ICMP protocol data. */ 541 | char src_ip[100], dst_ip[100]; 542 | int type, code; 543 | // int src_port, dst_port; 544 | 545 | /* strip off MAC header */ 546 | char ip_raw[1500]; 547 | memcpy(ip_raw, pkt + hw_head_len, len - hw_head_len); 548 | 549 | /* we're only interested in TCP packets. */ 550 | ip_hdr = (struct iphdr*)ip_raw; /* the captured data is an IP packet. */ 551 | /* lets get the src and dst addresses - translate from */ 552 | /* network-byte-order binary data. */ 553 | inet_ntop(AF_INET, &ip_hdr->saddr, src_ip, sizeof(src_ip)); 554 | inet_ntop(AF_INET, &ip_hdr->daddr, dst_ip, sizeof(dst_ip)); 555 | switch (ip_hdr->protocol) { 556 | case IPPROTO_ICMP: 557 | /* lets get the port numbers - the payload of the IP packet is TCP. */ 558 | /* NOTE: in IP, the ihl (IP Header Length) field contains the number */ 559 | /* of 4-octet chunks composing the IP packet's header. */ 560 | icmp_hdr = (struct icmphdr*)(ip_raw + ip_hdr->ihl * 4); 561 | type = icmp_hdr->type; /* ports are in network byte order. */ 562 | code = icmp_hdr->code; 563 | 564 | /* if it's a reply that's not ours, then do nothing */ 565 | if (type == 0 || type == 14 || type == 16 || type == 18) { 566 | /* Recalc syncookie to determine if it's a response to one of our probes */ 567 | int current_syncookie = syncookie(ip_hdr->daddr, ip_hdr->saddr, getpid(), getpid()); 568 | if(ntohs(icmp_hdr->un.echo.id) != (unsigned short int)(current_syncookie % 65536) and ntohs(icmp_hdr->un.echo.sequence) != (unsigned short int)(current_syncookie >> 16)) { 569 | break; 570 | } 571 | } else { 572 | // Only report replies - not error messages. 573 | // This avoids seeing dest unreachable errors when ping scanning. 574 | break; 575 | } 576 | 577 | /* TODO Ignore this packet if we've seen a similar one before */ 578 | 579 | /* Add to the count of open ports / ping responses / ... */ 580 | positive_response_count++; 581 | 582 | printf("%s:%d/%d [%s] ", src_ip, type, code, icmp_type[type]); 583 | /* dest unreach */ 584 | if ((code == 3) && (type == 3)) { 585 | printf("\t[PORT_UNREACH]\t"); 586 | struct iphdr* ip_hdr_embedded; 587 | ip_hdr_embedded = (struct iphdr*)(ip_raw + ip_hdr->ihl * 4 + 8); 588 | char src_ip_embedded[100], dst_ip_embedded[100]; 589 | inet_ntop(AF_INET, &ip_hdr_embedded->saddr, src_ip_embedded, sizeof(src_ip_embedded)); 590 | inet_ntop(AF_INET, &ip_hdr_embedded->daddr, dst_ip_embedded, sizeof(dst_ip_embedded)); 591 | struct udphdr* udp_hdr_embedded = (struct udphdr*)(ip_raw + ip_hdr->ihl * 4 + 8 + ip_hdr_embedded->ihl * 4); 592 | printf("(port %d)", ntohs(udp_hdr_embedded->dest)); 593 | } 594 | 595 | /* Print out packet length */ 596 | printf("Len=%d ", ntohs(ip_hdr->tot_len)); 597 | 598 | /* Print out interesting IP options */ 599 | printf("TTL=%d ", ip_hdr->ttl); 600 | printf("IPID=%d ", ntohs(ip_hdr->id)); 601 | 602 | /* reply */ 603 | if (type == 0 || type == 14 || type == 16 || type == 18) { 604 | printf("ID=%d SEQ=%d ", ntohs(icmp_hdr->un.echo.id), ntohs(icmp_hdr->un.echo.sequence)); 605 | } 606 | 607 | // needed for noMoreRetries call 608 | struct in_addr ip; 609 | ip.s_addr = ip_hdr->saddr; 610 | 611 | if (type == 0) { 612 | noMoreRetries(ip, 8, 0); 613 | } 614 | 615 | if (type == 16) { 616 | noMoreRetries(ip, 15, 0); 617 | } 618 | 619 | /* timestamp reply */ 620 | if (type == 14) { 621 | int endianness = 1; // endianness is correct 622 | 623 | time_t orig = ntohl(*(unsigned int *)(ip_raw + ip_hdr->ihl * 4 + 8)); 624 | time_t recv = ntohl(*(unsigned int *)(ip_raw + ip_hdr->ihl * 4 + 12)); 625 | time_t xmit = ntohl(*(unsigned int *)(ip_raw + ip_hdr->ihl * 4 + 16)); 626 | 627 | // RFC 792 states that if the system cannot fill the Timestamp fields with 628 | // the seconds since midnight UTC, any value may be used, but the high bit 629 | // should be set to indicate that this has been done. 630 | // 631 | // std there means "standard" on the next line: 632 | unsigned int std = 1 ^ ((unsigned int)xmit >> 31); // 1 xor (high bit of xmit) 633 | 634 | printf("orig=0x%08x recv=0x%08x xmit=0x%08x", (unsigned int)orig, (unsigned int)recv, (unsigned int)xmit); 635 | 636 | // All timestamps should be standard and be less than 86400000 (24*60*60*1000) 637 | // If not server implementation might be broken, but still trying to tell us 638 | // the time 639 | if (!(std && (unsigned int)xmit < 86400000)) { 640 | 641 | // If a standard value is illegal, assume the endianness is messed up 642 | if (((unsigned int) xmit > 86400000) && std) { 643 | endianness = 0; 644 | xmit = ntohl(xmit); 645 | std = 1 ^ ((unsigned int)xmit >> 31); 646 | } 647 | 648 | // if a nonstandard value is legal when endianness is reversed assume 649 | // endianness was wrong initially 650 | if ((htonl(xmit) & 2147483647) < 86400000) { 651 | endianness = 0; 652 | xmit = ntohl(xmit); 653 | std = 1 ^ ((unsigned int)xmit >> 31); 654 | } 655 | 656 | // Check if we've fixed the problem 657 | if (std && (unsigned int)xmit < 86400000) { 658 | } 659 | } 660 | 661 | printf(" std=%u end=%d", std, endianness); 662 | 663 | if (std) { 664 | unsigned int msecs = xmit & 2147483647; // AND with 01111...111 to mask off top bit 665 | unsigned int hours = msecs / 3600000; 666 | msecs = msecs % 3600000; 667 | unsigned int mins = msecs / 60000; 668 | msecs = msecs % 60000; 669 | unsigned int secs = msecs / 1000; 670 | msecs = msecs % 1000; 671 | printf(" xmit-time=%02d:%02d:%02d.%03d delta=%0.3f", hours, mins, secs, msecs, ((float)xmit - orig) / 1000); 672 | } 673 | noMoreRetries(ip, 13, 0); 674 | } 675 | 676 | /* address mask reply */ 677 | if (type == 18) { 678 | printf("MASK=%s", inet_ntoa(*(in_addr *)(ip_raw + ip_hdr->ihl * 4 + 8))); 679 | noMoreRetries(ip, 17, 0); 680 | } 681 | 682 | printf("\n"); 683 | // noMoreRetries(ip, (unsigned char)type, (unsigned char)code); 684 | 685 | break; 686 | default: 687 | printf("protocol in IP packet (0x%x) is not ICMP\n", ip_hdr->protocol); 688 | return; 689 | } 690 | } 691 | 692 | int IcmpScanner::getIcmpProbeType() { 693 | return(icmp_probe_type); 694 | } 695 | 696 | void IcmpScanner::setIcmpProbeType(int new_probe_type) { 697 | icmp_probe_type = new_probe_type; 698 | } 699 | 700 | IcmpScanner::~IcmpScanner() { 701 | if (debug > 2) printf("IcmpScanner::~IcmpScanner: Called\n"); 702 | host_element *h; 703 | int done = 0; 704 | while (!done) { 705 | h = pcurrent_host_element; 706 | if (h) { 707 | // deleteIcmpTest will return 1 when all ports have been deleted. 708 | // it updates h->pcurrent_port after each deletion 709 | while (! deleteIcmpTest(h, h->pcurrent)) {} 710 | } else { 711 | done = 1; 712 | } 713 | 714 | // deleteHost will return 1 when all hosts have been deleted. 715 | // it updates pcurrent_host_element after each deletion 716 | //if (deleteHost(h)) { 717 | // done = 1; 718 | //} 719 | } 720 | } 721 | 722 | void IcmpScanner::deleteAllHosts() { 723 | host_element *h; 724 | int done = 0; 725 | while (!done) { 726 | h = pcurrent_host_element; 727 | if (h) { 728 | // deleteIcmpTest will return 1 when all ports have been deleted. 729 | // it updates h->pcurrent_port after each deletion 730 | while (! deleteIcmpTest(h, h->pcurrent)) {} 731 | } else { 732 | done = 1; 733 | } 734 | 735 | // deleteHost will return 1 when all hosts have been deleted. 736 | // it updates pcurrent_host_element after each deletion 737 | //if (deleteHost(h)) { 738 | // done = 1; 739 | //} 740 | } 741 | } 742 | 743 | // Remove a port from a host's portlist (linked list) 744 | // return 0 if port was deleted and there are more ports left 745 | // return 1 if port was deleted and there are no ports left (i.e. it's now safe to delete host element) 746 | int IcmpScanner::deleteIcmpTest(host_element *h, icmp_element *i) { 747 | if (debug > 2) printf("IcmpScanner::deleteIcmpTest: Deleting element %s:%d/%d\n", inet_ntoa(h->ip), i->type, i->code); 748 | // dumpIcmpList(); 749 | // do nothing if we were passed a null pointer 750 | if(!i) { 751 | #ifdef DEBUG 752 | printf("DEBUG WARNING: IcmpScanner::deleteIcmpTest was passed a null icmp_element\n"); 753 | #endif 754 | return 1; 755 | } 756 | 757 | // if this is the last element, set all global pointers to 0 758 | if (i->pnext == i and i->pprev == i) { 759 | if (debug > 2) printf("IcmpScanner::deleteIcmpTest: There are no more ICMP elements after this\n"); 760 | h->pcurrent = 0; 761 | #ifdef DEBUG 762 | memset(i, 'I', sizeof(i)); 763 | #endif 764 | free(i); 765 | deleteHost(h); 766 | 767 | // TODO update counter 768 | return 1; 769 | 770 | // not the last element. make sure global pointers will still be valid. 771 | } else { 772 | // if host is current_host, move current_host on 773 | if (i == h->pcurrent) { 774 | if (debug > 2) printf("IcmpScanner::deleteIcmpTest called on current element\n"); 775 | h->pcurrent = i->pnext; 776 | } 777 | 778 | // if host is first_host, move current_host on 779 | //if (i == h->pfirst) { 780 | // if (debug > 2) printf("IcmpScanner::deleteIcmpTest called on first element\n"); 781 | // h->pfirst = i->pnext; 782 | //} 783 | 784 | // if host is last_host, move current_host on 785 | //if (i == h->plast) { 786 | // if (debug > 2) printf("IcmpScanner::deleteIcmpTest called on last element\n"); 787 | // h->plast = i->pprev; 788 | //} 789 | } 790 | 791 | // join previous host to next host 792 | i->pprev->pnext = i->pnext; 793 | 794 | // join next host to previous host 795 | i->pnext->pprev = i->pprev; 796 | 797 | // free (TODO need to free port elements to really!) 798 | //printf("free1\n"); 799 | #ifdef DEBUG 800 | memset(i, 'I', sizeof(i)); 801 | #endif 802 | free(i); 803 | 804 | host_test_count--; 805 | 806 | // dumpIcmpList(); 807 | // return success status 808 | return 0; 809 | } 810 | 811 | void IcmpScanner::dumpIcmpList() { 812 | int done = 0; 813 | struct host_element *h = pfirst_host_element->pnext; 814 | dumpHostList(); 815 | while (!done) { 816 | printf("--- Start of icmplist dump for %s ---\n", inet_ntoa(h->ip)); 817 | struct icmp_element *i; 818 | i = h->pcurrent->pnext; 819 | printf("Current icmp test addr: %lx\n", (unsigned long int)h->pcurrent); 820 | while(i != h->pcurrent) { 821 | printf("\ttype=%d, code=%d, send_count=%d ptr addr=%lx prev=%lx next=%lx", i->type, i->code, i->send_count, (unsigned long int)i, (unsigned long int)i->pprev, (unsigned long int)i->pnext); 822 | if (i == h->pcurrent) { 823 | printf(" <- current"); 824 | } 825 | printf("\n"); 826 | i = i->pnext; 827 | } 828 | printf("\ttype=%d, code=%d, send_count=%d ptr addr=%lx prev=%lx next=%lx", i->type, i->code, i->send_count, (unsigned long int)i, (unsigned long int)i->pprev, (unsigned long int)i->pnext); 829 | if (i == h->pcurrent) { 830 | printf(" <- current"); 831 | } 832 | printf("\n"); 833 | printf("--- End of icmplist dump ---\n"); 834 | 835 | // h++ 836 | if (h == pfirst_host_element) { 837 | done = 1; 838 | } else { 839 | h = h->pnext; 840 | } 841 | } 842 | } 843 | -------------------------------------------------------------------------------- /scanner-icmp.h: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #ifndef __SCANNERICMP__ 29 | #define __SCANNERICMP__ 30 | 31 | #include "yapscan.h" 32 | #include "scanner.h" 33 | 34 | struct icmp_element { 35 | struct icmp_element *pnext; 36 | struct icmp_element *pprev; 37 | unsigned char type; 38 | unsigned char code; 39 | unsigned int send_count; // count retries 40 | }; 41 | 42 | struct send_icmp { 43 | struct iphdr ip; 44 | struct icmphdr icmp; 45 | }; 46 | 47 | struct send_icmp_timestamp { 48 | struct iphdr ip; 49 | struct icmphdr icmp; 50 | int originate_ts; 51 | int receive_ts; 52 | int transmit_ts; 53 | }; 54 | 55 | extern const char *icmp_type[]; 56 | 57 | class IcmpScanner : public Scanner { 58 | public: 59 | IcmpScanner(char *device); 60 | IcmpScanner(); 61 | ~IcmpScanner(); 62 | char* getPcapFilter(); 63 | int sendPacket(); 64 | void setPcapFilter(); 65 | void pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt); 66 | int getIcmpProbeType(); 67 | void setIcmpProbeType(int new_probe_type); 68 | int addIcmpTest(unsigned char type, unsigned char code); 69 | void noMoreRetries(in_addr ip, unsigned char type, unsigned char code); 70 | int getPercentComplete(); 71 | int getRemainingScanTime(); 72 | int deleteIcmpTest(host_element *h, icmp_element *i); 73 | void dumpIcmpList(); 74 | void dumpElement(icmp_element *i); 75 | void deleteAllHosts(); 76 | void resetCounters(); 77 | 78 | protected: 79 | int icmp_probe_type; 80 | int scan_complete; 81 | int icmp_test_count; 82 | int host_test_count; 83 | }; 84 | 85 | #endif // __SCANNERICMP__ 86 | -------------------------------------------------------------------------------- /scanner-port.cpp: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #include "yapscan.h" 29 | #include "scanner-port.h" 30 | 31 | /* 32 | * Constructor args: 33 | * 34 | * char *device - Device to listen of for returned packets 35 | * 36 | */ 37 | PortScanner::PortScanner(char *device) { 38 | if (debug > 2) printf("PortScanner: Constructing\n"); 39 | src_port = getFirstPID(); 40 | show_closed_ports = 0; 41 | resolve_service_names = 1; 42 | custom_source_port_flag = 0; 43 | resetCounters(); 44 | setDevice(device); 45 | } 46 | 47 | PortScanner::PortScanner() { 48 | if (debug > 2) printf("PortScanner: Constructing\n"); 49 | src_port = getFirstPID();; 50 | show_closed_ports = 0; 51 | resolve_service_names = 1; 52 | custom_source_port_flag = 0; 53 | resetCounters(); 54 | } 55 | 56 | void PortScanner::resetCounters() { 57 | host_port_count = 0; 58 | port_count = 0; 59 | } 60 | 61 | PortScanner::~PortScanner() { 62 | if (debug > 2) printf("PortScanner::~PortScanner: Called\n"); 63 | host_element *h; 64 | int done = 0; 65 | while (!done) { 66 | h = pcurrent_host_element; 67 | if (h) { 68 | // deletePort will return 1 when all ports have been deleted. 69 | // it updates h->pcurrent_port after each deletion 70 | // it deletes h when all ports have been removed 71 | while (! deletePort(h, h->pcurrent_port)) {} 72 | } else { 73 | done = 1; 74 | } 75 | 76 | // deleteHost will return 1 when all hosts have been deleted. 77 | // it updates pcurrent_host_element after each deletion 78 | // if (deleteHost(h)) { 79 | // done = 1; 80 | // } 81 | } 82 | } 83 | 84 | void PortScanner::deleteAllHosts() { 85 | host_element *h; 86 | int done = 0; 87 | while (!done) { 88 | h = pcurrent_host_element; 89 | if (h) { 90 | // deletePort will return 1 when all ports have been deleted. 91 | // it updates h->pcurrent_port after each deletion 92 | // it deletes h when all ports have been removed 93 | while (! deletePort(h, h->pcurrent_port)) {} 94 | } else { 95 | done = 1; 96 | } 97 | } 98 | } 99 | 100 | // Remove a port from a host's portlist (linked list) 101 | // return 0 if port was deleted and there are more ports left 102 | // return 1 if last port was deleted and the host along with it 103 | int PortScanner::deletePort(host_element *h, port_element *p) { 104 | if (debug > 2) printf("Scanner::deletePort: Deleting port element %s:%d\n", inet_ntoa(h->ip), p->port); 105 | //printf("Scanner::deletePort: Deleting port element %s:%d\n", inet_ntoa(h->ip), p->port); 106 | //printf("Scanner::deletePort: Deleting port element %s:%d\n", inet_ntoa(h->ip), p->port); 107 | 108 | // dumpPortList(); 109 | // do nothing if we were passed a null pointer 110 | if(!p or !h) { 111 | #ifdef DEBUG 112 | if (!p) printf("DEBUG: PortScanner::deletePort: Called with null port pointer\n"); 113 | if (!h) printf("DEBUG: PortScanner::deletePort: Called with null host pointer\n"); 114 | #endif 115 | return 1; 116 | } 117 | 118 | // if this is the last element, set all global pointers to 0 119 | if (p->pnext == p and p->pprev == p) { 120 | if (debug > 2) printf("Scanner::deletePort: There are no more port elements after this\n"); 121 | h->pfirst_port = 0; 122 | h->plast_port = 0; 123 | h->pcurrent_port = 0; 124 | free(p); 125 | deleteHost(h); 126 | 127 | // update port count 128 | host_port_count--; 129 | 130 | return 1; 131 | 132 | // not the last element. make sure global pointers will still be valid. 133 | } else { 134 | // NB: The following conditions are all independent (e.g. current could = last) 135 | 136 | // if host is current_host, move current_host on 137 | #ifdef DEBUG 138 | if (debug > 3) printf("Checking p (%lx) against h->current_port (%lx), h->pfirst_port (%lx) and h->plast_port (%lx)\n", (unsigned long int)p, (unsigned long int)h->pcurrent_port, (unsigned long int)h->pfirst_port, (unsigned long int)h->plast_port); 139 | #endif 140 | if (p == h->pcurrent_port) { 141 | if (debug > 2) printf("Scanner::deletePort called on current element\n"); 142 | h->pcurrent_port = p->pnext; 143 | } 144 | 145 | // if host is first_host, move current_host on 146 | if (p == h->pfirst_port) { 147 | if (debug > 2) printf("Scanner::deletePort called on first element\n"); 148 | h->pfirst_port = p->pnext; 149 | } 150 | 151 | // if host is last_host, move current_host on 152 | if (p == h->plast_port) { 153 | if (debug > 2) printf("Scanner::deletePort called on last element\n"); 154 | h->plast_port = p->pprev; 155 | } 156 | } 157 | 158 | // join previous host to next host 159 | p->pprev->pnext = p->pnext; 160 | 161 | // join next host to previous host 162 | p->pnext->pprev = p->pprev; 163 | 164 | #ifdef DEBUG 165 | memset(p, 'P', sizeof(p)); 166 | #endif 167 | free(p); 168 | 169 | // update port count 170 | host_port_count--; 171 | 172 | // return success status 173 | return 0; 174 | } 175 | 176 | void PortScanner::setResolveServiceNames(int onoff) { 177 | if (onoff) { 178 | resolve_service_names = 1; 179 | } else { 180 | resolve_service_names = 0; 181 | } 182 | } 183 | 184 | 185 | void PortScanner::setShowClosedPorts(int newval) { 186 | show_closed_ports = newval; 187 | } 188 | 189 | // Read port names from a file - not used yet TODO 190 | void PortScanner::loadPortNamesFromFile(char *filename) { 191 | FILE *inputfd; 192 | char line[MAXLINE + 1]; 193 | char servicename[MAXPORTNAMELENGTH + 1]; 194 | unsigned short int port; 195 | char proto[4]; 196 | 197 | /* nmap */ 198 | if (!strcmp(filename, "-")) { 199 | inputfd = stdin; 200 | } else { 201 | inputfd = fopen(filename, "r"); 202 | if (!inputfd) { 203 | printf("ERROR: Failed to open port name input file %s for reading\n", filename); 204 | exit(1); 205 | } 206 | } 207 | 208 | while (fgets(line, MAXLINE, inputfd)) { 209 | printf("Read line: %s\n", line); 210 | int matched = sscanf(line, "%30s %hu/%3s", servicename, &port, proto); 211 | if(matched == 3) { 212 | printf("desc=%s, port=%d, proto=%s\n", servicename, port, proto); 213 | } 214 | //for (cp = line; !isspace((unsigned char)*cp) && *cp != '\0'; cp++) 215 | // ; 216 | //*cp = '\0'; 217 | //addPort(atoi(line)); 218 | } 219 | if (inputfd != stdin) 220 | fclose(inputfd); 221 | } 222 | 223 | int PortScanner::getShowClosedPorts() { 224 | return show_closed_ports; 225 | } 226 | /* 227 | * adds a port to be scanned 228 | * 229 | * returns: 230 | * 1: if port was added 231 | * 0: if not 232 | * 233 | */ 234 | int PortScanner::addPort(int port) { 235 | if (port <= 0 || port >65535) { 236 | return 0; 237 | } 238 | 239 | port_count++; 240 | int done = 0; 241 | if (!pfirst_host_element) { 242 | printf("ERROR001: PortScanner::addPort called while hostlist was empty. It's a bug, sorry!\n"); 243 | exit(1); 244 | } 245 | struct host_element *h = pfirst_host_element->pnext; 246 | 247 | // add this port the portlist of every host 248 | while (!done) { 249 | //printf("PortScanner::addPort: Adding port %d to ip %x\n", port, h->ip); 250 | host_port_count++; 251 | struct port_element *p; 252 | p = (struct port_element *)malloc(sizeof(port_element)); 253 | p->port = port; 254 | p->send_count = 0; 255 | p->status = 1; // assume all ports are open until we find they're closed. 256 | 257 | if (debug > 4) printf("Scanner::addPort: Adding port %d. There are now %d ports\n", port, getHostPortCount()); 258 | 259 | if(!(h->pfirst_port)) { 260 | h->pfirst_port = p; 261 | } 262 | 263 | if(!(h->plast_port)) { 264 | h->plast_port = p; 265 | } 266 | 267 | p->pprev = h->plast_port; 268 | h->plast_port->pnext = p; 269 | 270 | p->pnext = h->pfirst_port; 271 | h->pfirst_port->pprev = p; 272 | 273 | h->plast_port = p; 274 | 275 | if(!h->pcurrent_port) { 276 | h->pcurrent_port = h->pfirst_port; 277 | } 278 | 279 | if (h == pfirst_host_element) { 280 | done = 1; 281 | } else { 282 | h = h->pnext; 283 | } 284 | } 285 | 286 | return 1; 287 | } 288 | 289 | // populates portlist by reading in a file of ports 290 | void PortScanner::addPortsFromFile(char *filename) { 291 | FILE *inputfd; 292 | char line[MAXLINE + 1]; 293 | char *cp; 294 | 295 | /* nmap */ 296 | if (!strcmp(filename, "-")) { 297 | inputfd = stdin; 298 | } else { 299 | inputfd = fopen(filename, "r"); 300 | if (!inputfd) { 301 | printf("ERROR: Failed to open port input file %s for reading\n", filename); 302 | exit(1); 303 | } 304 | } 305 | 306 | while (fgets(line, MAXLINE, inputfd)) { 307 | for (cp = line; !isspace((unsigned char)*cp) && *cp != '\0'; cp++) 308 | ; 309 | *cp = '\0'; 310 | addPort(atoi(line)); 311 | } 312 | 313 | if (inputfd != stdin) fclose(inputfd); 314 | } 315 | 316 | void PortScanner::dumpPortList() { 317 | int done = 0; 318 | if (!pfirst_host_element) { 319 | printf("ERROR002: PortScanner::dumpPortList called while hostlist was empty. It's a bug, sorry!\n"); 320 | exit(1); 321 | } 322 | struct host_element *h = pfirst_host_element->pnext; 323 | dumpHostList(); 324 | printf("--- Start of portlist dump ---\n"); 325 | while (!done) { 326 | printf("\tPortlist dump for %s:\n", inet_ntoa(h->ip)); 327 | struct port_element *pp; 328 | pp = h->pfirst_port; 329 | // printf("Current port addr: %lx\n", (unsigned long int)h->pcurrent_port); 330 | while(pp != h->plast_port) { 331 | printf("\t\tport=%d, send_count=%d ptr addr=%lx", pp->port, pp->send_count, (unsigned long int)pp); 332 | if (pp == h->pcurrent_port) { 333 | printf(" <- current_port"); 334 | } 335 | if (pp == h->pfirst_port) { 336 | printf(" <- first_port"); 337 | } 338 | if (pp == h->plast_port) { 339 | printf(" <- last_port"); 340 | } 341 | printf("\n"); 342 | pp = pp->pnext; 343 | } 344 | printf("\t\tport=%d, send_count=%d ptr addr=%lx", pp->port, pp->send_count, (unsigned long int)pp); 345 | if (pp == h->pcurrent_port) { 346 | printf(" <- current_port"); 347 | } 348 | if (pp == h->pfirst_port) { 349 | printf(" <- first_port"); 350 | } 351 | if (pp == h->plast_port) { 352 | printf(" <- last_port"); 353 | } 354 | printf("\n"); 355 | //printf("--- End of portlist dump ---\n"); 356 | 357 | // h++ 358 | if (h == pfirst_host_element) { 359 | done = 1; 360 | } else { 361 | h = h->pnext; 362 | } 363 | } 364 | printf("--- End of portlist dump ---\n"); 365 | } 366 | 367 | // Calculate most conservative esitmate of scan progress 368 | int PortScanner::getPercentComplete() { 369 | if (debug > 2) printf("PortScanner::getPercentComplete: Called\n"); 370 | return int(100 * packets_sent / (getPortCount() * getHostCount() * tries)); 371 | } 372 | 373 | // Calculate the max time the rest of the scan could take 374 | int PortScanner::getRemainingScanTime() { 375 | if (debug > 2) printf("PortScanner::getRemainingScanTime: Called\n"); 376 | int bytes_per_packet = int(total_bytes_sent / packets_sent); 377 | return int(1 + getRTT().tv_sec + getRTT().tv_usec / 1000000 + (getPortCount() * getHostCount() * tries - packets_sent) * bytes_per_packet * 8 / getBandwidthMax()); 378 | } 379 | 380 | int PortScanner::getHostPortCount() { 381 | return host_port_count; 382 | } 383 | 384 | int PortScanner::getPortCount() { 385 | return port_count; 386 | } 387 | 388 | void PortScanner::setSourcePort(int newport) { 389 | src_port = newport; 390 | } 391 | 392 | int PortScanner::getNextSourcePort() { 393 | if (custom_source_port_flag) { 394 | return custom_source_port; 395 | } else { 396 | src_port = src_port % 65535 + 1; 397 | return src_port; 398 | } 399 | } 400 | 401 | void PortScanner::setCustomSourcePort(int port) { 402 | custom_source_port_flag = 1; 403 | custom_source_port = port; 404 | } 405 | -------------------------------------------------------------------------------- /scanner-port.h: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // This tool may be used for legal purposes only. Users take full responsibility 25 | // for any actions performed using this tool. If these terms are not acceptable to 26 | // you, then do not use this tool. 27 | // 28 | // You are encouraged to send comments, improvements or suggestions to 29 | // me at yapscan@pentestmonkey.net 30 | // 31 | 32 | #ifndef __SCANNERPORT__ 33 | #define __SCANNERPORT__ 34 | 35 | #include "yapscan.h" 36 | #include "scanner.h" 37 | 38 | struct port_element { 39 | struct port_element *pnext; 40 | struct port_element *pprev; 41 | unsigned short int port; 42 | unsigned int send_count; // count retries 43 | unsigned char status; // open, closed, filtered 44 | struct timeval last_probe_time_tv; // udp only 45 | }; 46 | 47 | class PortScanner : public Scanner { 48 | public: 49 | PortScanner(char *device); 50 | PortScanner(); 51 | ~PortScanner(); 52 | void setResolveServiceNames(int onoff); 53 | char* getPcapFilter(); 54 | void setShowClosedPorts(int newval); 55 | void loadPortNamesFromFile(char *filename); 56 | int getShowClosedPorts(); 57 | int addPort(int port); 58 | void addPortsFromFile(char *filename); 59 | void dumpPortList(); 60 | int getHostPortCount(); 61 | void setSourcePort(int newport); 62 | int getNextSourcePort(); 63 | int deletePort(host_element *h, port_element *p); 64 | int getPercentComplete(); 65 | int getRemainingScanTime(); 66 | int getPortCount(); 67 | void setCustomSourcePort(int port); 68 | void deleteAllHosts(); 69 | void resetCounters(); 70 | 71 | protected: 72 | int icmp_probe_type; 73 | int src_port; 74 | int port_count; 75 | int host_port_count; 76 | int resolve_service_names; 77 | int show_closed_ports; 78 | int custom_source_port_flag; 79 | int custom_source_port; 80 | //struct port_element *pfirst_port_element; 81 | //struct port_element *plast_port_element; 82 | //struct port_element *pcurrent_port_element; 83 | }; 84 | 85 | #endif // __SCANNERPORT__ 86 | -------------------------------------------------------------------------------- /scanner-tcp.cpp: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #include "yapscan.h" 29 | #include "scanner-tcp.h" 30 | 31 | struct pseudo_hdr_tcp 32 | { 33 | unsigned int source_address; 34 | unsigned int dest_address; 35 | unsigned char placeholder; 36 | unsigned char protocol; 37 | unsigned short tcp_length; 38 | struct tcphdr tcp; 39 | } pseudo_hdr_tcp; 40 | 41 | /* 42 | * Constructor args: 43 | * 44 | * char *device - Device to listen of for returned packets 45 | * 46 | */ 47 | TcpScanner::TcpScanner(char *device) { 48 | if (debug > 2) printf("TcpScanner: Constructing\n"); 49 | setDevice(device); 50 | init(); 51 | } 52 | 53 | void TcpScanner::init() { 54 | src_port = getFirstPID(); 55 | port_count = 0; 56 | resolve_service_names = 1; 57 | 58 | /* craft template packet */ 59 | template_packet.ip.ihl = 5; 60 | template_packet.ip.version = 4; 61 | template_packet.ip.tos = 0; 62 | template_packet.ip.tot_len = htons(sizeof(template_packet)); 63 | template_packet.ip.frag_off = 0; 64 | template_packet.ip.ttl = getTTL(); // TODO need to update template after change TTL 65 | template_packet.ip.protocol = IPPROTO_TCP; 66 | template_packet.ip.check = 0; 67 | template_packet.tcp.ack_seq = 0; 68 | template_packet.tcp.res1 = 0; 69 | template_packet.tcp.doff = 5; 70 | template_packet.tcp.fin = 0; // All TCP flags off by default 71 | template_packet.tcp.syn = 0; 72 | template_packet.tcp.rst = 0; 73 | template_packet.tcp.psh = 0; 74 | template_packet.tcp.ack = 0; 75 | template_packet.tcp.urg = 0; 76 | template_packet.tcp.res2 = 0; 77 | // template_packet.tcp.ece = 0; 78 | // template_packet.tcp.cwr = 0; 79 | template_packet.tcp.window = htons(512); 80 | template_packet.tcp.check = 0; 81 | template_packet.tcp.urg_ptr = 0; 82 | 83 | syn_flag = 0; 84 | rst_flag = 0; 85 | fin_flag = 0; 86 | psh_flag = 0; 87 | ack_flag = 0; 88 | urg_flag = 0; 89 | ece_flag = 0; 90 | cwr_flag = 0; 91 | } 92 | 93 | TcpScanner::TcpScanner() { 94 | if (debug > 2) printf("TcpScanner: Constructing\n"); 95 | init(); 96 | } 97 | 98 | void TcpScanner::setResolveServiceNames(int onoff) { 99 | if (onoff) { 100 | resolve_service_names = 1; 101 | } else { 102 | resolve_service_names = 0; 103 | } 104 | } 105 | 106 | void TcpScanner::setPcapFilter() { 107 | snprintf(pfilter, PCAP_FILTER_LEN, "tcp and dst host %s", src_ip_str); 108 | } 109 | 110 | void TcpScanner::setTcpFlag(int flag, int state) { 111 | switch(flag) { 112 | case 'N': 113 | rst_flag = 0; 114 | fin_flag = 0; 115 | psh_flag = 0; 116 | ack_flag = 0; 117 | urg_flag = 0; 118 | ece_flag = 0; 119 | cwr_flag = 0; 120 | break; 121 | case 'F': 122 | fin_flag = 1; 123 | break; 124 | case 'X': 125 | rst_flag = 1; 126 | fin_flag = 1; 127 | psh_flag = 1; 128 | ack_flag = 1; 129 | urg_flag = 1; 130 | ece_flag = 1; 131 | cwr_flag = 1; 132 | break; 133 | case 'A': 134 | ack_flag = 1; 135 | break; 136 | case 'S': 137 | syn_flag = 1; 138 | break; 139 | default: 140 | printf("ERROR: TcpScanner::setTcpFlag was passed a dodgy flag. Shouldn't happen.\n"); 141 | exit(1); 142 | break; 143 | } 144 | } 145 | 146 | // TODO 147 | // - Return 0 ONLY when there is no packet to send (not on the last packet) 148 | // - Make a hardcoded template packet to prevent having to craft it each time 149 | int TcpScanner::sendPacket() { 150 | if (debug > 3) printf("TcpScanner::sendPacket: Called\n"); 151 | // dumpPortList(); 152 | 153 | // TODO findNextScannablePort(); // Updates pcurrent_host_element 154 | // First check if there's anything left to scan. Return 0 if not. 155 | // 156 | // This involves moving onto the next host/port and checking if we've found 157 | // something that can be scanned. It's a bit untidy, but it's important that 158 | // this func can be called even if nothing needs scanning. 159 | 160 | #ifdef DEBUG 161 | if (!pcurrent_host_element) { 162 | printf("DEBUG WARNING: TcpScanner::sendPacket called with pcurrent_host_element = null\n"); 163 | } 164 | #endif 165 | 166 | // If all host elements have been deleted, we're done. 167 | if (!pcurrent_host_element) return 0; 168 | 169 | #ifdef DEBUG 170 | if (!pcurrent_host_element->pcurrent_port) { 171 | printf("DEBUG WARNING: TcpScanner::sendPacket called with pcurrent_host_element->pcurrent_port = null\n"); 172 | } 173 | #endif 174 | // Note the current port element 175 | // We need to note this so we can tell we've been completely round the port list 176 | struct port_element *pstart_port_element = pcurrent_host_element->pcurrent_port; 177 | 178 | // Increment the port pointer on this host 179 | pcurrent_host_element->pcurrent_port = pcurrent_host_element->pcurrent_port->pnext; 180 | int more_ports = 0; 181 | 182 | // Move onto next host 183 | pcurrent_host_element = pcurrent_host_element->pnext; 184 | 185 | // optimisation to avoid too much pointer defrerencing. Hardly worth it. 186 | struct port_element *pcurhost_curport = pcurrent_host_element->pcurrent_port; 187 | 188 | while (!more_ports and pcurhost_curport != pstart_port_element) { 189 | // can we send to the current port in this portlist? 190 | if (pcurhost_curport->send_count < tries) { 191 | // we can send to this 192 | more_ports = 1; 193 | } else { 194 | // we can't send. increment the port pointer on this host 195 | pcurrent_host_element->pcurrent_port = pcurhost_curport->pnext; 196 | 197 | // change to next host 198 | pcurrent_host_element = pcurrent_host_element->pnext; 199 | pcurhost_curport = pcurrent_host_element->pcurrent_port; 200 | } 201 | } 202 | 203 | // Return 0 if there is nothing left to scan 204 | if (!(more_ports or pcurhost_curport->send_count < tries)) { 205 | return 0; 206 | } 207 | 208 | /* vars for sending */ 209 | struct sockaddr_in sin; 210 | int send_socket; 211 | 212 | // Make a new packet based on the template packet 213 | struct send_tcp packet; 214 | memcpy(&packet, &template_packet, sizeof(packet)); 215 | 216 | // Fill in dynamic fields in new packet 217 | memcpy(&packet.ip.saddr, &src_ip, sizeof(src_ip)); 218 | packet.tcp.source = htons(getNextSourcePort()); 219 | packet.ip.daddr = pcurrent_host_element->ip.s_addr; 220 | packet.tcp.dest = htons(pcurrent_host_element->pcurrent_port->port); 221 | packet.tcp.seq = htonl(syncookie(packet.ip.saddr, packet.ip.daddr, packet.tcp.source, packet.tcp.dest)); 222 | packet.tcp.fin = fin_flag; 223 | packet.tcp.syn = syn_flag; 224 | packet.tcp.rst = rst_flag; 225 | packet.tcp.psh = psh_flag; 226 | packet.tcp.ack = ack_flag; 227 | packet.tcp.urg = urg_flag; 228 | packet.tcp.res2 = ece_flag; 229 | // packet.tcp.ece = ece_flag; 230 | // packet.tcp.cwr = cwr_flag; 231 | packet.ip.ttl = getTTL(); 232 | 233 | // Now open the raw socket for sending 234 | sin.sin_family = AF_INET; 235 | sin.sin_port = packet.tcp.source; 236 | sin.sin_addr.s_addr = packet.ip.daddr; 237 | send_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); 238 | 239 | int options; 240 | options = O_NONBLOCK | fcntl(send_socket, F_GETFL); 241 | if(fcntl(send_socket, F_SETFL, options) < 0) { 242 | perror("FCNTL"); 243 | exit(1); 244 | } 245 | 246 | int one = 1; 247 | int *oneptr = &one; 248 | 249 | // TODO Note what these socket options actually do 250 | if (setsockopt(send_socket, IPPROTO_IP, IP_HDRINCL, oneptr, sizeof(one)) == -1) { 251 | printf("setsockopt: set IP_HDRINCL failed\n"); 252 | } 253 | 254 | if (setsockopt(send_socket, SOL_SOCKET, SO_BROADCAST, oneptr, sizeof(one)) == -1) { 255 | printf("libnet_open_raw_sock: set SO_BROADCAST failed\n"); 256 | } 257 | 258 | // From synhose.c by knight 259 | pseudo_hdr_tcp.source_address = packet.ip.saddr; 260 | pseudo_hdr_tcp.dest_address = packet.ip.daddr; 261 | pseudo_hdr_tcp.placeholder = 0; 262 | pseudo_hdr_tcp.protocol = IPPROTO_TCP; 263 | pseudo_hdr_tcp.tcp_length = htons(sizeof(packet.tcp)); 264 | 265 | // recalc checksum 266 | packet.ip.check = 0; 267 | packet.tcp.check = 0; 268 | packet.ip.check = in_cksum((unsigned short *)&packet.ip, sizeof(packet.ip)); 269 | memcpy((char *)&pseudo_hdr_tcp.tcp, (char *)&packet.tcp, sizeof(pseudo_hdr_tcp.tcp)); 270 | packet.tcp.check = in_cksum((unsigned short *)&pseudo_hdr_tcp, sizeof(pseudo_hdr_tcp)); 271 | 272 | // send packet 273 | if (verbose > 1) printf("Sending packet to %s:%d\n", inet_ntoa(pcurrent_host_element->ip), pcurrent_host_element->pcurrent_port->port); 274 | sendto(send_socket, &packet, sizeof(packet), 0, (struct sockaddr *)&sin, sizeof(sin)); 275 | close(send_socket); 276 | 277 | // Increment number of times this port has been scanned 278 | pcurrent_host_element->pcurrent_port->send_count++; 279 | 280 | // Delete from list if unless we're going to scan it again 281 | // TODO This is elegant, but REALLY hurts performance. 282 | //if (pcurrent_host_element->pcurrent_port->send_count >= tries) { 283 | // deletePort(pcurrent_host_element, pcurrent_host_element->pcurrent_port); 284 | //} 285 | 286 | // Return the length of the packet we sent 287 | return sizeof(packet); 288 | } 289 | 290 | void TcpScanner::sendAck(__u32 src_ip, __u32 dest_ip, int src_port, int dest_port, __u32 seq_no, __u32 ack_no) { 291 | if (debug > 3) printf("TcpScanner::sendSynAck: Called\n"); 292 | 293 | /* vars for sending */ 294 | struct sockaddr_in sin; 295 | struct send_tcp packet; 296 | int send_socket; 297 | 298 | // Make a new packet based on the template packet 299 | memcpy(&packet, &template_packet, sizeof(packet)); 300 | 301 | // Fill in dynamic fields in new packet 302 | packet.ip.saddr = htonl(src_ip); 303 | packet.ip.daddr = htonl(dest_ip); 304 | packet.tcp.source = htons(src_port); 305 | packet.tcp.dest = htons(dest_port); 306 | packet.tcp.seq = htonl(seq_no); 307 | packet.tcp.ack_seq = htonl(ack_no); 308 | packet.tcp.syn = 0; 309 | packet.tcp.ack = 1; 310 | 311 | /* Now open the raw socket for sending */ 312 | sin.sin_family = AF_INET; 313 | sin.sin_port = packet.tcp.source; 314 | sin.sin_addr.s_addr = packet.ip.daddr; 315 | send_socket = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); 316 | if(send_socket < 0) { 317 | perror("send socket cannot be open. Are you root?"); 318 | exit(1); 319 | } 320 | 321 | int options; 322 | options = O_NONBLOCK | fcntl(send_socket, F_GETFL); 323 | if(fcntl(send_socket, F_SETFL, options) < 0) { 324 | perror("FCNTL"); 325 | exit(1); 326 | } 327 | 328 | int one = 1; 329 | int *oneptr = &one; 330 | 331 | if (setsockopt(send_socket, IPPROTO_IP, IP_HDRINCL, oneptr, sizeof(one)) == -1) { 332 | printf("setsockopt: set IP_HDRINCL failed\n"); 333 | } 334 | 335 | if (setsockopt(send_socket, SOL_SOCKET, SO_BROADCAST, oneptr, sizeof(one)) == -1) { 336 | printf("libnet_open_raw_sock: set SO_BROADCAST failed\n"); 337 | } 338 | 339 | if(send_socket < 0) 340 | { 341 | perror("send socket cannot be open. Are you root?"); 342 | exit(1); 343 | } 344 | 345 | /* From synhose.c by knight */ 346 | pseudo_hdr_tcp.source_address = packet.ip.saddr; 347 | pseudo_hdr_tcp.dest_address = packet.ip.daddr; 348 | pseudo_hdr_tcp.placeholder = 0; 349 | pseudo_hdr_tcp.protocol = IPPROTO_TCP; 350 | pseudo_hdr_tcp.tcp_length = htons(20); 351 | /* end of sending setup */ 352 | 353 | /* recalc checksum */ 354 | packet.ip.check = 0; 355 | packet.tcp.check = 0; 356 | packet.ip.check = in_cksum((unsigned short *)&packet.ip, 20); 357 | // memcpy((char *)&packet.tcp, (char *)&pseudo_hdr_tcp.tcp, 20); 358 | memcpy((char *)&pseudo_hdr_tcp.tcp, (char *)&packet.tcp, 20); 359 | packet.tcp.check = in_cksum((unsigned short *)&pseudo_hdr_tcp, 32); 360 | 361 | /* send packet */ 362 | // if (verbose) printf("Sending packet to %s:%d\n", inet_ntoa(pcurrent_host_element->ip), pcurrent_port_element->port); 363 | src_ip = ntohl(src_ip); // dirty hack so ips are printed properly 364 | dest_ip = ntohl(dest_ip); 365 | printf("\tReplying with ACK from %s:%d to %s:%d SEQ=%x, ACK=%x\n", inet_ntoa(*(in_addr *)&src_ip), src_port, inet_ntoa(*(in_addr *)&dest_ip), dest_port, seq_no, ack_no); 366 | sendto(send_socket, &packet, sizeof(packet), 0, (struct sockaddr *)&sin, sizeof(sin)); 367 | close(send_socket); 368 | } 369 | 370 | void TcpScanner::noMoreRetries(in_addr ip, unsigned short int port) { 371 | if (debug > 2) printf("noMoreRetries: Searching for %s:%d. Just sent to ", inet_ntoa(ip), port); 372 | if (debug > 2) printf("%s:%d. \n", inet_ntoa(pcurrent_host_element->ip), pcurrent_host_element->pcurrent_port->port); 373 | // dumpPortList(); 374 | 375 | struct host_element *h; 376 | int more_hosts = 1; 377 | int found_port = 0; 378 | int ports_tried = 0; 379 | 380 | // if pcurrent_host_element is null, we're nearing the end of 381 | // our scan and there are no port elements left in the list to 382 | // remove. Our work is done. Just return. 383 | if (!pcurrent_host_element) { 384 | return; 385 | } 386 | 387 | h = pcurrent_host_element; 388 | 389 | // search for ip in hostlist 390 | while (more_hosts and !found_port) { 391 | // if (debug > 3) printf("comparing candidate %s with target ip %s\n", inet_ntoa(*(in_addr *)(&h->ip.s_addr)), inet_ntoa(ip)); 392 | // // TODO why are the IPs always the same on the XX line??!?!?! 393 | #ifdef DEBUG 394 | if (debug > 3) printf("host cmp: %x vs %x\n", h->ip.s_addr, ip.s_addr); 395 | if (debug > 3) printf("XX comparing candidate %s with target ip %s\n", inet_ntoa(h->ip), inet_ntoa(ip)); 396 | #endif 397 | 398 | // if this is the right host 399 | if (h->ip.s_addr == ip.s_addr) { 400 | if (debug > 3) printf("Found host\n"); 401 | struct port_element *p; 402 | int more_ports = 1; 403 | 404 | p = h->pcurrent_port; 405 | 406 | // search for port in hostlist of this port 407 | while (more_ports and !found_port) { 408 | ports_tried++; 409 | if (debug > 3) printf("\tcomparing candidate port %d with target port %d\n", p->port, port); 410 | 411 | // if this is the right port 412 | if (p->port == port) { 413 | if (debug > 3) printf("Found port\n"); 414 | found_port = 1; 415 | 416 | // deletePort might free() it's first arg 417 | // so set h to a value that won't get clobbered 418 | // TODO what if we've only got 1 host and pprev = pnext? 419 | h = h->pprev; 420 | deletePort(h->pnext, p); // TODO does this work? 421 | } else { 422 | p = p->pprev; 423 | if (p == h->pcurrent_port) { 424 | if (debug > 3) printf("STRANGE: have searched all the ports on this host\n"); 425 | more_ports = 0; 426 | } 427 | } 428 | } 429 | } 430 | 431 | // increment host pointer 432 | if (pcurrent_host_element and more_hosts) { // check incase we just deleted the last host 433 | // only increment host if we haven't already 434 | // Is this the last host we need to check? 435 | if (h == pcurrent_host_element->pnext) { 436 | more_hosts = 0; 437 | } else { 438 | h = h->pprev; 439 | } 440 | } 441 | } 442 | if (debug > 2) printf("Search took %d steps\n", ports_tried); 443 | 444 | if (!found_port and verbose) { 445 | printf("STRANGE: Couldn't find %s:%d in my port list!\n", inet_ntoa(ip), port); 446 | } 447 | } 448 | 449 | void TcpScanner::pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt) { 450 | if (debug > 3) printf("TcpScanner::pcapCallback: Called\n"); 451 | int len = pkthdr->len; 452 | 453 | // static int packet_count = 0; 454 | struct iphdr* ip_hdr; /* to get IP protocol data. */ 455 | struct tcphdr* tcp_hdr; /* to get TCP protocol data. */ 456 | // struct icmphdr* icmp_hdr; /* to get ICMP protocol data. */ 457 | char src_ip[100], dst_ip[100]; 458 | // int type, code; 459 | int src_port, dst_port; 460 | 461 | /* strip off MAC header */ 462 | char ip_raw[1500]; 463 | // printf("pcap callback called with len %d\n", hw_head_len); 464 | // TODO This should work for ppp links when len=0 but doesn't 465 | // TODO isn't there a min(a,b) function? 466 | int mcpylen; // min(1500, len - hw_head_len 467 | if (len - hw_head_len > 1500) { 468 | mcpylen = 1500; 469 | } else { 470 | mcpylen = len - hw_head_len; 471 | } 472 | memcpy(ip_raw, pkt + hw_head_len, mcpylen); 473 | 474 | /* we're only interested in TCP packets. */ 475 | ip_hdr = (struct iphdr*)ip_raw; /* the captured data is an IP packet. */ 476 | /* lets get the src and dst addresses - translate from */ 477 | /* network-byte-order binary data. */ 478 | inet_ntop(AF_INET, &ip_hdr->saddr, src_ip, sizeof(src_ip)); 479 | inet_ntop(AF_INET, &ip_hdr->daddr, dst_ip, sizeof(dst_ip)); 480 | switch (ip_hdr->protocol) { 481 | case IPPROTO_TCP: 482 | /* lets get the port numbers - the payload of the IP packet is TCP. */ 483 | /* NOTE: in IP, the ihl (IP Header Length) field contains the number */ 484 | /* of 4-octet chunks composing the IP packet's header. */ 485 | tcp_hdr = (struct tcphdr*)(ip_raw + ip_hdr->ihl * 4); 486 | src_port = ntohs(tcp_hdr->source); /* ports are in network byte order. */ 487 | dst_port = ntohs(tcp_hdr->dest); 488 | 489 | // printf("PACKET: [%d] src %s:%d, dst %s:%d\n", len, src_ip, src_port, dst_ip, dst_port); 490 | if( (int)syncookie(ip_hdr->daddr, ip_hdr->saddr, tcp_hdr->dest, tcp_hdr->source) == (int)ntohl(tcp_hdr->ack_seq) - 1 or (int)syncookie(ip_hdr->daddr, ip_hdr->saddr, tcp_hdr->dest, tcp_hdr->source) == (int)ntohl(tcp_hdr->ack_seq)) { 491 | if(getShowClosedPorts() or !tcp_hdr->rst) { 492 | printf("%s:%d\t", src_ip, src_port); 493 | 494 | if(resolve_service_names) { 495 | struct servent *serv; 496 | serv = getservbyport(ntohs(src_port), "tcp"); 497 | if (serv) { 498 | printf("%s\t", serv->s_name); 499 | } else { 500 | printf("unknown\t"); 501 | } 502 | } 503 | 504 | /* Print out packet length */ 505 | printf("Len=%d ", ntohs(ip_hdr->tot_len)); 506 | 507 | /* Print out interesting IP options */ 508 | printf("TTL=%d ", ip_hdr->ttl); 509 | // if (tcp_hdr->doff ^ 4) printf("DF "); //TODO this doesn't work 510 | printf("IPID=%d ", ntohs(ip_hdr->id)); 511 | 512 | /* Print out interesting TCP options */ 513 | printf("FLAGS="); 514 | tcp_hdr->syn ? printf("S") : printf("_"); 515 | tcp_hdr->ack ? printf("A") : printf("_"); 516 | tcp_hdr->rst ? printf("R") : printf("_"); 517 | tcp_hdr->fin ? printf("F") : printf("_"); 518 | tcp_hdr->psh ? printf("P") : printf("_"); 519 | tcp_hdr->urg ? printf("U") : printf("_"); 520 | tcp_hdr->res2 ? printf("E") : printf("_"); 521 | tcp_hdr->res2 ? printf("C") : printf("_"); 522 | printf(" "); 523 | printf("SEQ=0x%08x ", ntohl(tcp_hdr->seq)); 524 | printf("ACK=0x%08x ", ntohl(tcp_hdr->ack_seq)); 525 | printf("WIN=%d", ntohs(tcp_hdr->window)); 526 | // MSS TODO 527 | // Other TCP options TODO 528 | /* printf("Incomming ACK was %08x\n", ntohl(tcp_hdr->ack_seq)); 529 | printf("Outgoing syn was therefore %08x\n", ntohl(tcp_hdr->ack_seq) - 1); 530 | printf("Syncookie would be %08x\n", syncookie(ip_hdr->daddr, ip_hdr->saddr, tcp_hdr->dest, tcp_hdr->source));*/ 531 | /* print out any data on the packet */ 532 | // printf("headers=%d, header_len=%d, total_len=%d, tcp_hdr->doff=%d\n", ip_hdr->ihl * 4 + tcp_hdr->doff * 4, ip_hdr->ihl * 4, ntohs(ip_hdr->tot_len), tcp_hdr->doff * 4); 533 | if (ip_hdr->ihl * 4 + tcp_hdr->doff * 4 < ntohs(ip_hdr->tot_len)) { 534 | printf(" DATA=\""); 535 | // for(int p = (int)ip_hdr + ip_hdr->ihl * 4 + tcp_hdr->doff * 4; p <= (int)ip_hdr + ntohs(ip_hdr->tot_len); p++) { 536 | for(char *p = (char *)ip_hdr + ip_hdr->ihl * 4 + tcp_hdr->doff * 4; p <= (char *)ip_hdr + ntohs(ip_hdr->tot_len); p++) { 537 | printf("%c", *p); 538 | } 539 | printf("\""); 540 | } 541 | printf("\n"); 542 | positive_response_count++; 543 | } 544 | 545 | struct in_addr ip; 546 | ip.s_addr = ip_hdr->saddr; 547 | noMoreRetries(ip, src_port); 548 | } else { 549 | if (debug > 3) printf("TcpScanner::pcapCallback: Packet didn't have a valid syncookie\n"); 550 | } 551 | 552 | break; 553 | default: 554 | printf("TcpScanner::pcapCallback: protocol in IP packet (0x%x) is not TCP\n", ip_hdr->protocol); 555 | return; 556 | } 557 | } 558 | 559 | TcpScanner::~TcpScanner() { 560 | if (debug > 2) printf("TcpScanner: Destructing\n"); 561 | } 562 | 563 | -------------------------------------------------------------------------------- /scanner-tcp.h: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #ifndef __SCANNERTCP__ 29 | #define __SCANNERTCP__ 30 | 31 | #include "yapscan.h" 32 | #include "scanner-port.h" 33 | 34 | struct send_tcp 35 | { 36 | struct iphdr ip; 37 | struct tcphdr tcp; 38 | }; 39 | 40 | class TcpScanner : public PortScanner { 41 | public: 42 | TcpScanner(char *device); 43 | TcpScanner(); 44 | void init(); 45 | ~TcpScanner(); 46 | void setResolveServiceNames(int onoff); 47 | char* getPcapFilter(); 48 | void updateCompletionTime(void); 49 | int sendPacket(); 50 | void setPcapFilter(); 51 | void sendAck(__u32 src_ip, __u32 dest_ip, int src_port, int dest_port, __u32 seq_no, __u32 ack_no); 52 | void noMoreRetries(in_addr ip, unsigned short int port); 53 | void pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt); 54 | void setTcpFlag(int, int); 55 | 56 | protected: 57 | int icmp_probe_type; 58 | int src_port; 59 | int port_count; 60 | int resolve_service_names; 61 | int show_closed_ports; 62 | int syn_flag; 63 | int ack_flag; 64 | int urg_flag; 65 | int fin_flag; 66 | int rst_flag; 67 | int psh_flag; 68 | int ece_flag; 69 | int cwr_flag; 70 | struct send_tcp template_packet; 71 | }; 72 | 73 | #endif // __SCANNERTCP__ 74 | -------------------------------------------------------------------------------- /scanner-udp.cpp: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #include "scanner-udp.h" 29 | 30 | /* 31 | * Constructor args: 32 | * 33 | * char *device - Device to listen of for returned packets 34 | * 35 | */ 36 | UdpScanner::UdpScanner(char *device) { 37 | if (debug > 2) printf("UdpScanner: Constructing\n"); 38 | src_port = getFirstPID(); 39 | port_count = 0; 40 | show_closed_ports = 0; 41 | setDevice(device); 42 | } 43 | 44 | UdpScanner::UdpScanner() { 45 | if (debug > 2) printf("UdpScanner: Constructing\n"); 46 | src_port = getFirstPID(); 47 | port_count = 0; 48 | show_closed_ports = 0; 49 | } 50 | 51 | void UdpScanner::setPcapFilter() { 52 | snprintf(pfilter, PCAP_FILTER_LEN, "icmp and dst host %s", src_ip_str); 53 | } 54 | 55 | // TODO 56 | void UdpScanner::setPortClosed(int port) { 57 | //struct port_element *p; 58 | //p = pcurrent_port_element->pnext; 59 | //int first_port = pcurrent_port_element->port; 60 | 61 | // TODO: This is really inefficient. Search list backwards, not forwards. 62 | // printf("Initial port: %d, Target port: %d\n", first_port, port); 63 | //while(p->port != port) { 64 | // printf("Current port: %d, Target port: %d\n", p->port, port); 65 | // p = p->pnext; 66 | //} 67 | 68 | //p->status = 0; 69 | } 70 | 71 | void UdpScanner::dumpPortListOpen() { 72 | return; // TODO 73 | printf("--- Start of portlist dump ---\n"); 74 | struct port_element *pp; 75 | //pp = pfirst_port_element; 76 | //while(pp != plast_port_element) { 77 | // if (pp->status) { 78 | // printf("\t%d\t%d\n", pp->port, pp->status); 79 | // } 80 | // pp = pp->pnext; 81 | //} 82 | printf("\t%d\n", pp->port); 83 | printf("--- End of portlist dump ---\n"); 84 | } 85 | 86 | int UdpScanner::sendPacket() { 87 | if (debug > 2) printf("UdpScanner::sendPacket: Called\n"); 88 | 89 | 90 | 91 | 92 | // TODO this "finding" code is used by both scanner-tcp and scanner-udp. move to scanner-port 93 | // First check if there's anything left to scan. Return 0 if not. 94 | // 95 | // This involves moving onto the next host/port and checking if we've found 96 | // something that can be scanned. It's a bit untidy, but it's important that 97 | // this func can be called even if nothing needs scanning. 98 | 99 | // Note the current port element 100 | // We need to note this so we can tell we've been completely round the port list 101 | struct port_element *pstart_port_element = pcurrent_host_element->pcurrent_port; 102 | 103 | // Increment the port pointer on this host 104 | pcurrent_host_element->pcurrent_port = pcurrent_host_element->pcurrent_port->pnext; 105 | int more_ports = 0; 106 | 107 | // Move onto next host 108 | pcurrent_host_element = pcurrent_host_element->pnext; 109 | 110 | // optimisation to avoid too much pointer defrerencing. Hardly worth it. 111 | struct port_element *pcurhost_curport = pcurrent_host_element->pcurrent_port; 112 | 113 | while (!more_ports and pcurhost_curport != pstart_port_element) { 114 | // can we send to the current port in this portlist? 115 | if (pcurhost_curport->send_count < tries) { 116 | // we can send to this 117 | more_ports = 1; 118 | } else { 119 | // we can't send. increment the port pointer on this host 120 | pcurrent_host_element->pcurrent_port = pcurhost_curport->pnext; 121 | 122 | // change to next host 123 | pcurrent_host_element = pcurrent_host_element->pnext; 124 | pcurhost_curport = pcurrent_host_element->pcurrent_port; 125 | } 126 | } 127 | 128 | // Return 0 if there is nothing left to scan 129 | if (!(more_ports or pcurhost_curport->send_count < tries)) { 130 | return 0; 131 | } 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | /* vars for sending */ 141 | struct sockaddr_in sin; 142 | struct send_udp send_udp; 143 | struct pseudo_hdr_udp pseudo_hdr_udp; 144 | int send_socket; 145 | 146 | /* craft packet */ 147 | send_udp.ip.ihl = 5; 148 | send_udp.ip.version = 4; 149 | send_udp.ip.tos = 0; 150 | send_udp.ip.tot_len = htons(sizeof(send_udp)); 151 | send_udp.ip.frag_off = 0; 152 | send_udp.ip.ttl = getTTL(); 153 | send_udp.ip.protocol = IPPROTO_UDP; 154 | send_udp.ip.check = 0; 155 | memcpy(&send_udp.ip.saddr, &src_ip, sizeof(src_ip)); 156 | 157 | // send_udp.udp.source = htons(src_port); 158 | send_udp.udp.source = htons(getNextSourcePort()); 159 | send_udp.udp.len = htons(sizeof(send_udp.udp)); // 8 is min length 160 | send_udp.udp.check = 0; 161 | 162 | send_udp.ip.daddr = pcurrent_host_element->ip.s_addr; 163 | // printf("saddr: %s\n", ipaddr_to_str(&send_icmp.ip.saddr)); 164 | send_udp.udp.dest = htons(pcurrent_host_element->pcurrent_port->port); 165 | 166 | /* Now open the raw socket for sending */ 167 | sin.sin_family = AF_INET; 168 | sin.sin_port = send_udp.udp.source; 169 | sin.sin_addr.s_addr = send_udp.ip.daddr; 170 | send_socket = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW); 171 | if(send_socket < 0) 172 | { 173 | perror("send socket cannot be open. Are you root?"); 174 | exit(1); 175 | } 176 | 177 | int options; 178 | options = O_NONBLOCK | fcntl(send_socket, F_GETFL); 179 | if(fcntl(send_socket, F_SETFL, options) < 0) { 180 | perror("FCNTL"); 181 | exit(1); 182 | } 183 | 184 | int one = 1; 185 | int *oneptr = &one; 186 | 187 | if (setsockopt(send_socket, IPPROTO_IP, IP_HDRINCL, oneptr, sizeof(one)) == -1) { 188 | printf("setsockopt: set IP_HDRINCL failed\n"); 189 | } 190 | 191 | if (setsockopt(send_socket, SOL_SOCKET, SO_BROADCAST, oneptr, sizeof(one)) == -1) 192 | { 193 | printf("libnet_open_raw_sock: set SO_BROADCAST failed\n"); 194 | } 195 | 196 | if(send_socket < 0) 197 | { 198 | perror("send socket cannot be open. Are you root?"); 199 | exit(1); 200 | } 201 | 202 | /* From synhose.c by knight */ 203 | pseudo_hdr_udp.source_address = send_udp.ip.saddr; 204 | pseudo_hdr_udp.dest_address = send_udp.ip.daddr; 205 | pseudo_hdr_udp.placeholder = 0; 206 | pseudo_hdr_udp.protocol = IPPROTO_UDP; 207 | pseudo_hdr_udp.tcp_length = send_udp.udp.len; 208 | /* end of sending setup */ 209 | 210 | /* recalc checksum */ 211 | send_udp.ip.check = 0; 212 | send_udp.udp.check = 0; 213 | send_udp.ip.check = in_cksum((unsigned short *)&send_udp.ip, sizeof(send_udp.ip)); 214 | memcpy((char *)&pseudo_hdr_udp.udp, (char *)&send_udp.udp, sizeof(send_udp.udp)); 215 | send_udp.udp.check = in_cksum((unsigned short *)&pseudo_hdr_udp, sizeof(pseudo_hdr_udp)); 216 | 217 | /* send packet */ 218 | if (verbose) printf("Sending packet to %s:%d\n", inet_ntoa(pcurrent_host_element->ip), pcurrent_host_element->pcurrent_port->port); 219 | sendto(send_socket, &send_udp, sizeof(send_udp), 0, (struct sockaddr *)&sin, sizeof(sin)); 220 | close(send_socket); 221 | 222 | pcurrent_host_element->pcurrent_port->send_count++; 223 | return sizeof(send_udp); 224 | } 225 | 226 | // TODO implement "syncookie" identification of packets so we can run multiple scans at the same time 227 | void UdpScanner::pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt) { 228 | int len = pkthdr->len; 229 | 230 | // static int packet_count = 0; 231 | struct iphdr* ip_hdr; /* to get IP protocol data. */ 232 | struct udphdr* udp_hdr; /* to get UDP protocol data. */ 233 | struct icmphdr* icmp_hdr; /* to get ICMP protocol data. */ 234 | char src_ip[100], dst_ip[100]; 235 | int type, code; 236 | int src_port, dst_port; 237 | 238 | /* strip off MAC header */ 239 | char ip_raw[1500]; 240 | // printf("pcap callback called with len %d\n", hw_head_len); 241 | // TODO This should work for ppp links when len=0 but doesn't 242 | // TODO isn't there a min(a,b) function? 243 | int mcpylen; // min(1500, len - hw_head_len 244 | if (len - hw_head_len > 1500) { 245 | mcpylen = 1500; 246 | } else { 247 | mcpylen = len - hw_head_len; 248 | } 249 | memcpy(ip_raw, pkt + hw_head_len, mcpylen); 250 | 251 | /* we're only interested in UDP packets. */ 252 | ip_hdr = (struct iphdr*)ip_raw; /* the captured data is an IP packet. */ 253 | /* lets get the src and dst addresses - translate from */ 254 | /* network-byte-order binary data. */ 255 | inet_ntop(AF_INET, &ip_hdr->saddr, src_ip, sizeof(src_ip)); 256 | inet_ntop(AF_INET, &ip_hdr->daddr, dst_ip, sizeof(dst_ip)); 257 | switch (ip_hdr->protocol) { 258 | case IPPROTO_UDP: 259 | /* lets get the port numbers - the payload of the IP packet is UDP. */ 260 | /* NOTE: in IP, the ihl (IP Header Length) field contains the number */ 261 | /* of 4-octet chunks composing the IP packet's header. */ 262 | udp_hdr = (struct udphdr*)(ip_raw + ip_hdr->ihl * 4); 263 | src_port = ntohs(udp_hdr->source); /* ports are in network byte order. */ 264 | dst_port = ntohs(udp_hdr->dest); 265 | 266 | // printf("PACKET: [%d] src %s:%d, dst %s:%d\n", len, src_ip, src_port, dst_ip, dst_port); 267 | break; 268 | 269 | case IPPROTO_ICMP: 270 | icmp_hdr = (struct icmphdr*)(ip_raw + ip_hdr->ihl * 4); 271 | type = icmp_hdr->type; 272 | code = icmp_hdr->code; 273 | 274 | printf("%s:%d/%d [%s]", src_ip, type, code, icmp_type[type]); 275 | /* dest unreach */ 276 | if ((code == 3) && (type == 3)) { 277 | printf(" [PORT_UNREACH]"); 278 | struct iphdr* ip_hdr_embedded; 279 | ip_hdr_embedded = (struct iphdr*)(ip_raw + ip_hdr->ihl * 4 + 8); 280 | char src_ip_embedded[100], dst_ip_embedded[100]; 281 | inet_ntop(AF_INET, &ip_hdr_embedded->saddr, src_ip_embedded, sizeof(src_ip_embedded)); 282 | inet_ntop(AF_INET, &ip_hdr_embedded->daddr, dst_ip_embedded, sizeof(dst_ip_embedded)); 283 | 284 | struct udphdr* udp_hdr_embedded = (struct udphdr*)(ip_raw + ip_hdr->ihl * 4 + 8 + ip_hdr_embedded->ihl * 4); 285 | printf(" (port %d)", ntohs(udp_hdr_embedded->dest)); 286 | this->setPortClosed(ntohs(udp_hdr_embedded->dest)); 287 | positive_response_count++; 288 | } 289 | printf("\n"); 290 | 291 | break; 292 | 293 | default: 294 | printf("protocol in IP packet (0x%x) is not UDP or ICMP\n", ip_hdr->protocol); 295 | return; 296 | } 297 | } 298 | 299 | UdpScanner::~UdpScanner() { 300 | if (debug > 2) printf("UdpScanner: Destructing\n"); 301 | } 302 | -------------------------------------------------------------------------------- /scanner-udp.h: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #ifndef __SCANNERUDP__ 29 | #define __SCANNERUDP__ 30 | 31 | #include "yapscan.h" 32 | #include "scanner-port.h" 33 | #include "scanner-icmp.h" // for icmp type/code names 34 | 35 | struct send_udp 36 | { 37 | struct iphdr ip; 38 | struct udphdr udp; 39 | }; 40 | 41 | struct pseudo_hdr_udp 42 | { 43 | unsigned int source_address; 44 | unsigned int dest_address; 45 | unsigned char placeholder; 46 | unsigned char protocol; 47 | unsigned short tcp_length; 48 | struct udphdr udp; 49 | }; 50 | 51 | class UdpScanner : public PortScanner { 52 | public: 53 | UdpScanner(char *device); 54 | UdpScanner(); 55 | ~UdpScanner(); 56 | char* getPcapFilter(); 57 | // void setShowClosedPorts(int newval); 58 | void setPortClosed(int port); 59 | void dumpPortListOpen(); 60 | int sendPacket(); 61 | void setPcapFilter(); 62 | void pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt); 63 | 64 | protected: 65 | int icmp_probe_type; 66 | int src_port; 67 | int port_count; 68 | int show_closed_ports; 69 | //struct port_element *pfirst_port_element; 70 | //struct port_element *plast_port_element; 71 | //struct port_element *pcurrent_port_element; 72 | }; 73 | #endif // __SCANNERUDP__ 74 | -------------------------------------------------------------------------------- /scanner.cpp: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #include "scanner.h" 29 | #include 30 | 31 | Scanner::Scanner() { 32 | // default settings 33 | port_count = 0; 34 | debug = 0; 35 | verbose = 0; 36 | host_count = 0; 37 | positive_response_count = 0; 38 | device[0] = '\0'; 39 | pfirst_host_element = 0; 40 | plast_host_element = 0; 41 | pcurrent_host_element = 0; 42 | packets_sent = 0; 43 | tries = 1; 44 | ttl = 64; 45 | src_ip_str[0] = '\0'; 46 | name_resolution = 1; 47 | scanning_chunk = 0; 48 | 49 | // Make STDIN non-blocking. Need to do this for the "read" in updateCompletionTime(). 50 | int options = O_NONBLOCK | fcntl(1, F_GETFL); 51 | if(fcntl(1, F_SETFL, options) < 0) { 52 | perror("FCNTL"); 53 | exit(1); 54 | } 55 | 56 | } 57 | 58 | void Scanner::scanningChunk(int yesorno) { 59 | if (yesorno) { 60 | scanning_chunk = 1; 61 | } else { 62 | scanning_chunk = 0; 63 | } 64 | } 65 | 66 | // get rid of one of the warning messages from -Weffc++ 67 | Scanner::Scanner(const Scanner&) { 68 | printf("ERROR: Scanner::Scanner(const Scanner&) not implemented yet\n"); 69 | exit(1); 70 | } 71 | 72 | Scanner::~Scanner() { 73 | if (debug > 2) printf("Scanner: Destructing\n"); 74 | while (pcurrent_host_element != 0) { 75 | deleteHost(pcurrent_host_element); 76 | } 77 | } 78 | 79 | void Scanner::setNameResolution(int flag) { 80 | name_resolution = flag; 81 | } 82 | 83 | int Scanner::getTTL() { 84 | return ttl; 85 | } 86 | 87 | void Scanner::setTTL(int newttl) { 88 | ttl = newttl; 89 | } 90 | 91 | // This is rubbish. Think harder. 92 | char* Scanner::getPcapFilter() { 93 | return(pfilter); 94 | } 95 | 96 | // How does this work? Need it to get -Weffc++ working 97 | //Scanner* operator=(const Scanner&) { 98 | // printf("ERROR: Scanner* operator=(const Scanner&) not implmented yet\n"); 99 | // exit(1); 100 | //} 101 | 102 | void Scanner::setDebugLevel(int level) { 103 | debug = level; 104 | } 105 | 106 | int Scanner::getDebugLevel() { 107 | return debug; 108 | } 109 | 110 | void Scanner::setVerboseLevel(int level) { 111 | verbose = level; 112 | } 113 | 114 | int Scanner::getVerboseLevel() { 115 | return verbose; 116 | } 117 | 118 | // read value of positive_response 119 | int Scanner::getPositiveResponseCount() { 120 | return positive_response_count; 121 | } 122 | 123 | // set value of hw_head_len (Hardware Header Length - e.g. 14 for ethernet) 124 | void Scanner::setHwHeadLen(int len) { 125 | hw_head_len = len; 126 | } 127 | 128 | // read value of hw_head_len 129 | int Scanner::getHwHeadLen() { 130 | return hw_head_len; 131 | } 132 | 133 | // 134 | // detect the correct offset for start of IP packet 135 | // in captured packets. e.g. 14 for ethernet. 136 | // 137 | // Taken from SynScan Daemon 3.0-pre7 by MadMax & psychoid/tCl 138 | // 139 | int Scanner::setHwHeadLenAuto(void) { 140 | int datalink; 141 | datalink = pcap_datalink(sniffer); 142 | switch (datalink) 143 | { 144 | case DLT_EN10MB: 145 | setHwHeadLen(14); 146 | break; 147 | case DLT_NULL: 148 | case DLT_PPP: 149 | setHwHeadLen(4); 150 | break; 151 | case DLT_SLIP: 152 | setHwHeadLen(16); //apparently this works for ppp0 interface set up by pptp-linux/network-manager-pptp (debian). auto-detect fails. -H 16 153 | break; 154 | case DLT_RAW: 155 | setHwHeadLen(0); 156 | break; 157 | case DLT_SLIP_BSDOS: 158 | case DLT_PPP_BSDOS: 159 | setHwHeadLen(24); 160 | break; 161 | case DLT_ATM_RFC1483: 162 | setHwHeadLen(8); 163 | break; 164 | case DLT_IEEE802: 165 | setHwHeadLen(22); 166 | break; 167 | default: 168 | fprintf (stderr, "unknown datalink type (%d)", datalink); 169 | return (0); 170 | } 171 | return(1); 172 | } 173 | 174 | // 175 | // Process any packets we've received since the last recv call 176 | // 177 | void Scanner::recvPackets() { 178 | if (debug > 3) printf("Scanner::recvPackets: Called\n"); 179 | while(pcap_dispatch(sniffer, 0, recv_packets, (u_char *)this)) { 180 | pcap_dispatch(sniffer, 0, recv_packets, (u_char*)this); 181 | } 182 | while(pcap_dispatch(sniffer, 0, recv_packets, (u_char *)this)) { 183 | pcap_dispatch(sniffer, 0, recv_packets, (u_char *)this); 184 | } 185 | } 186 | 187 | // 188 | // startScan scans the entire hostlist and returns when the scan 189 | // is complete. Basically it does: 190 | // 191 | // while (there are packets to send) { 192 | // send a packet 193 | // update estimated completion time (if user pressed enter) 194 | // wait a bit, so we don't execeed bandwidth_max 195 | // recv packets 196 | // } 197 | // 198 | void Scanner::startScan() { 199 | if (debug > 2) printf("Scanner::startScan called\n"); 200 | struct timeval starttime_tv; 201 | gettimeofday(&starttime_tv, NULL); 202 | 203 | int bytes_sent = 1; 204 | total_bytes_sent = 0; 205 | packets_sent = 0; 206 | 207 | while(bytes_sent) { 208 | // Send packet 209 | bytes_sent = sendPacket(); 210 | 211 | // Recalculate bandwidth 212 | total_bytes_sent += bytes_sent; 213 | if (bytes_sent) packets_sent++; 214 | struct timeval runtime_tv; 215 | struct timeval timenow_tv; 216 | gettimeofday(&timenow_tv, NULL); 217 | timeval_subtract(&runtime_tv, &timenow_tv, &starttime_tv); 218 | float runtime_sec = runtime_tv.tv_sec + (float)runtime_tv.tv_usec / 1000000; 219 | unsigned int total_bytes_sent_max = (unsigned int)floorf((bandwidth_max * runtime_sec) / 8); 220 | 221 | // Update user with estimated completion time 222 | updateCompletionTime(); 223 | 224 | // If we've sent too many packets, wait for a bit 225 | if (total_bytes_sent_max < total_bytes_sent) { 226 | int total_bytes_sent_diff = total_bytes_sent - total_bytes_sent_max; 227 | float wait_time_sec = (float)total_bytes_sent_diff / (float)bandwidth_max; 228 | 229 | struct timeval interpacket_tv; 230 | interpacket_tv.tv_sec = (int)floorf(wait_time_sec); 231 | interpacket_tv.tv_usec = (int)(1000000 * (wait_time_sec - floorf(wait_time_sec))); 232 | select(0, NULL, NULL, NULL, &interpacket_tv); 233 | } 234 | 235 | recvPackets(); 236 | } 237 | 238 | struct timeval runtime_tv; 239 | struct timeval timenow_tv; 240 | gettimeofday(&timenow_tv, NULL); 241 | timeval_subtract(&runtime_tv, &timenow_tv, &starttime_tv); 242 | float runtime_sec = runtime_tv.tv_sec + (float)runtime_tv.tv_usec / 1000000; 243 | float bandwidth = 8 * (float)total_bytes_sent / runtime_sec; 244 | 245 | /* wait for round trip time so we get all replies */ 246 | select(0, NULL, NULL, NULL, &rtt_tv); 247 | 248 | recvPackets(); 249 | 250 | timeval now; 251 | struct tm *tm; 252 | char ascii_time[256]; 253 | gettimeofday(&now, NULL); 254 | tm = gmtime(&now.tv_sec); 255 | strftime(ascii_time, sizeof(ascii_time), "%F %T %z", tm); 256 | printf("####### Scan completed at %s #########\n", ascii_time); 257 | 258 | printf("%d positive results.\n\n%d packets (%d bytes) sent in %.2f secs.\nScan rate was: %.0f bits/sec | %.0f bytes/sec | %.0f packets/sec.\n", getPositiveResponseCount(), packets_sent, total_bytes_sent, runtime_sec, bandwidth, bandwidth / 8, packets_sent / runtime_sec); 259 | if (verbose) printf("%u packets received by pcap filter. %u packets dropped by kernel.\n", getPcapPacketsProcessed(), getPcapPacketsDropped()); 260 | if (unsigned int dropped_packets = getPcapPacketsDropped()) { 261 | printf("WARNING: Kernel dropped %u packets. Results may have been missed. Try reducing scan speed.\n", dropped_packets); 262 | } 263 | } 264 | 265 | // Prints an updated completion time if the user has pressed Enter. 266 | void Scanner::updateCompletionTime(void) { 267 | char buf[100]; 268 | int c = read(1, buf, 99); 269 | if (c >= 1) { 270 | printf("[%d%% complete] Scanning of this chunk will complete in less than %dm %ds.\n", getPercentComplete(), getRemainingScanTime() / 60, getRemainingScanTime() % 60); 271 | } 272 | } 273 | 274 | // 275 | // RTT is only used to determine how long to wait for 276 | // outstanding replies after the last probe has been sent. 277 | // 278 | // Might as well set it high (e.g. 1 sec) as we only wait 279 | // for RTT once during execution. 280 | // 281 | void Scanner::setRTT(struct timeval *newrtt) { 282 | rtt_tv = *newrtt; 283 | } 284 | 285 | timeval Scanner::getRTT() { 286 | return rtt_tv; 287 | } 288 | 289 | // returns number of hosts in hostlist 290 | unsigned int Scanner::getHostCount() { 291 | return(host_count); 292 | } 293 | 294 | // set no of tries scanner will make 295 | void Scanner::setTries(unsigned int newtries) { 296 | tries = newtries; 297 | } 298 | 299 | // return no of tries scanner will make 300 | int Scanner::getTries() { 301 | return tries; 302 | } 303 | 304 | // populates hostlist by reading in a file of ips 305 | // filename is the file to read from 306 | // start_pos is the line number to start reading from (numbered from 1) 307 | // host_hosts is the maximum number of hosts to read before returning 308 | // 309 | // returns 0 is all hosts were added; 310 | // returns a count of the the number of hosts added if they weren't all added 311 | int Scanner::addHostsFromFile(char *filename, unsigned int start_pos, unsigned int max_hosts) { 312 | FILE *inputfd; 313 | char line[MAXLINE + 1]; 314 | char *cp; 315 | unsigned int pos = 0; 316 | unsigned int hosts_added = 0; 317 | 318 | /* nmap */ 319 | if (!strcmp(filename, "-")) { 320 | inputfd = stdin; 321 | } else { 322 | inputfd = fopen(filename, "r"); 323 | if (!inputfd) { 324 | printf("ERROR: Failed to open host input file %s for reading\n", filename); 325 | exit(1); 326 | } 327 | } 328 | 329 | while (fgets(line, MAXLINE, inputfd)) { 330 | pos++; 331 | if (inputfd == stdin or pos >= start_pos) { 332 | for (cp = line; !isspace((unsigned char)*cp) && *cp != '\0'; cp++) 333 | ; 334 | *cp = '\0'; 335 | addHost(line); 336 | hosts_added++; 337 | } 338 | if (pos >= start_pos + max_hosts) { 339 | return hosts_added; 340 | } 341 | } 342 | 343 | if (inputfd != stdin) 344 | fclose(inputfd); 345 | 346 | return 0; 347 | } 348 | 349 | // delete an element from the linked list of all hosts 350 | // return 0 if host was deleted 351 | // return 1 if host was deleted and there are no more hosts 352 | int Scanner::deleteHost(struct host_element *h) { 353 | if (!h) { 354 | #ifdef DEBUG 355 | printf("DEBUG WARNING: Scanner::deleteHost was called with a null host_element\n"); 356 | #endif 357 | return(1); 358 | } 359 | 360 | if (debug > 2) printf("Scanner::deleteHost: Deleting host element %s\n", inet_ntoa(pcurrent_host_element->ip)); 361 | 362 | // if this is the last element, set all global pointers to 0 363 | if (h->pnext == h and h->pprev == h) { 364 | if (debug > 2) printf("Scanner::deleteHost: There are no more host elements after this\n"); 365 | pcurrent_host_element = 0; 366 | pfirst_host_element = 0; 367 | plast_host_element = 0; 368 | host_count--; 369 | return(1); 370 | 371 | // not the last element. make sure global pointers will still be valid. 372 | } else { 373 | // if host is current_host, move current_host on 374 | if (h == pcurrent_host_element) { 375 | if (debug > 2) printf("Scanner::deleteHost called on current element\n"); 376 | pcurrent_host_element = pcurrent_host_element->pnext; 377 | } 378 | 379 | // if host is first_host, move current_host on 380 | if (h == pfirst_host_element) { 381 | if (debug > 2) printf("Scanner::deleteHost called on first element\n"); 382 | pfirst_host_element = pfirst_host_element->pnext; 383 | } 384 | 385 | // if host is last_host, move current_host on 386 | if (h == plast_host_element) { 387 | if (debug > 2) printf("Scanner::deleteHost called on last element\n"); 388 | plast_host_element = plast_host_element->pprev; 389 | } 390 | } 391 | 392 | // join previous host to next host 393 | h->pprev->pnext = h->pnext; 394 | 395 | // join next host to previous host 396 | h->pnext->pprev = h->pprev; 397 | #ifdef DEBUG 398 | memset(h, 'H', sizeof(h)); 399 | #endif 400 | free(h); 401 | 402 | host_count--; 403 | // return success status 404 | return 0; 405 | } 406 | 407 | int Scanner::addHost(char *newhost) { 408 | return addHost(newhost, 0, 0); 409 | } 410 | 411 | // 412 | // Adds an IP address to the hostlist. 413 | // 414 | // newhost is a string containing an IP, host or IP range. If it's and IP range: 415 | // start_pos is the number of hosts to skip in the range 416 | // host_count is the number of hosts to add 417 | // 418 | // returns number of hosts added if not all could be added 419 | // returns 0 if all hosts were added 420 | // returns -1 if host could not be added 421 | // 422 | int Scanner::addHost(char *newhost, unsigned int start_pos, unsigned int max_hosts) { 423 | // printf("Addhost called with: %s, %u, %u\n", newhost, start_pos, max_hosts); 424 | struct in_addr ip; 425 | int resolved = 0; 426 | 427 | // If we were passed an IP then parse it as such 428 | if(!resolved and inet_aton(newhost, &ip)) { 429 | resolved = 1; 430 | } 431 | 432 | // otherwise check if we were passed a name we can resolve 433 | struct hostent *phostent; 434 | if(!resolved and name_resolution and (phostent = gethostbyname(newhost)) != 0) { 435 | ip = *(struct in_addr *)phostent->h_addr; 436 | resolved = 1; 437 | } 438 | 439 | if (resolved) { 440 | struct host_element *h; 441 | h = (struct host_element *)malloc(sizeof(host_element)); 442 | h->pfirst_port = 0; 443 | h->plast_port = 0; 444 | h->pcurrent = 0; 445 | h->pcurrent_port = 0; 446 | h->rtt_tv.tv_sec = 0; // rtt is unset to 447 | h->rtt_tv.tv_usec = 0; // start with 448 | h->inter_packet_interval_us = inter_packet_interval_us; // first approximation 449 | h->next_probe_time_tv.tv_sec = 0; // next probe is 450 | h->next_probe_time_tv.tv_usec = 0; // overdue 451 | 452 | host_count++; 453 | if (debug > 1) printf("Scanner::addHost: Adding host %s. There are now %d hosts\n", newhost, host_count); 454 | h->ip = ip; 455 | if(!pfirst_host_element) { 456 | pfirst_host_element = h; 457 | } 458 | 459 | if(!plast_host_element) { 460 | plast_host_element = h; 461 | } 462 | 463 | h->pnext = pfirst_host_element; 464 | plast_host_element->pnext = h; 465 | 466 | h->pprev = plast_host_element; 467 | pfirst_host_element->pprev = h; 468 | 469 | plast_host_element = h; 470 | 471 | if(!pcurrent_host_element) { 472 | pcurrent_host_element = pfirst_host_element; 473 | } 474 | 475 | if (debug > 1) printf("Scanner::addHost: Added host %s\n", inet_ntoa(h->ip)); 476 | 477 | return 0; 478 | } 479 | 480 | // We only reach this part of the code if we haven't been passed a 481 | // single resolvable host (i.e. a hostname or IP address). 482 | // 483 | // We have been passed a IP range. It could be in one of the following 484 | // formats 485 | // 1.2.3.0-63 486 | // 1.2.3.4-2.3.4.5 487 | // 1.2.3.64/26 488 | 489 | int processed_range = 0; 490 | unsigned int pos = 0; 491 | unsigned int hosts_added = 0; 492 | 493 | ////////////////////////////////////////////////////////////////// 494 | //////// Were we passed an ip range like 1.2.3.64-127? /////////// 495 | ////////////////////////////////////////////////////////////////// 496 | 497 | // ip ranges will have exactly one '-' in last octet, e.g. the 498 | // following are ok: 499 | // - 1.2.3.4-6 500 | // - 1.2.3.0-255 501 | // - 1.2.3.1-1 502 | // 503 | // but the following aren't: 504 | // - 1.2.3-4.5 505 | // - 1.2.3-4.5-6 506 | 507 | char ip_range[32]; 508 | char *cp; 509 | char *cp2; 510 | char *cp3; 511 | int start_range; 512 | int end_range; 513 | 514 | strncpy(ip_range, newhost, sizeof(ip_range)); 515 | // check that we have numbers and dots followed by a - 516 | for (cp = ip_range; (*cp >= '0' && *cp <= '9') || *cp == '.'; cp++); 517 | 518 | if (*cp == '-') { 519 | 520 | *cp = '\0'; 521 | cp++; 522 | 523 | // check the second part of the range is a number 524 | // for (cp2 = cp; *cp2 >= '0' && *cp2 <= '9' && *cp2 != '\0'; cp2++); 525 | for (cp2 = cp; *cp2 >= '0' && *cp2 <= '9'; cp2++); 526 | 527 | if (*cp2 == '\0') { 528 | end_range = atoi(cp); 529 | 530 | // check if first part of range is a valid ip (e.g. "1.2.3.4" in "1.2.3.4-6"; 531 | if (inet_aton(ip_range, &ip)) { 532 | cp--; cp--; 533 | for (cp3 = cp; *cp3 >= '0' && *cp3 <= '9' && cp3 > ip_range; cp3--); 534 | if (*cp3 == '.') { 535 | cp3++; 536 | start_range = atoi(cp3); 537 | 538 | // change string to end in a ".0" 539 | *cp3 = '0'; 540 | cp3++; 541 | *cp3 = '\0'; 542 | 543 | if(inet_aton(ip_range, &ip)) { 544 | for (int i = start_range; i <= end_range; i++) { 545 | //printf("adding: %x + %d = %x\n", ip, i, ntohl(ntohl(*(int *)&ip) + i)); 546 | int ip_dec = ntohl(ntohl(*(int *)&ip) + i); 547 | char *ip_string = inet_ntoa(*(struct in_addr *)&ip_dec); 548 | //printf("ip: %s\n", ip_string); 549 | pos++; 550 | if (pos >= start_pos + max_hosts) { 551 | return hosts_added; 552 | } 553 | if (pos >= start_pos) { 554 | hosts_added++; 555 | addHost(ip_string); 556 | } 557 | } 558 | processed_range = 1; 559 | } else { 560 | printf("STRANGE: %s should be an IP but isn't. This code should never be reached.\n", ip_range); 561 | //goto badrange; 562 | } 563 | } 564 | } 565 | } 566 | } 567 | 568 | if (processed_range) return 0; 569 | 570 | ////////////////////////////////////////////////////////////////// 571 | //////// Were we passed an ip range like 1.2.3.64-127? /////////// 572 | ////////////////////////////////////////////////////////////////// 573 | 574 | // TODO doesn't work for /32 ranges yet 575 | // maybe we were passed a range in a different format 576 | // following are ok: 577 | // - 1.2.3.4-1.2.3.6 578 | // - 1.2.3.0-1.2.4.255 579 | // 580 | // but the following aren't: 581 | // - 1.2.3.0-4.255 582 | // - 1.2.3.0-255.255.255 583 | 584 | char *pend_ip = cp; 585 | 586 | strncpy(ip_range, newhost, sizeof(ip_range)); 587 | // check that we have numbers and dots followed by a - 588 | for (cp = ip_range; (*cp >= '0' && *cp <= '9') || *cp == '.'; cp++); 589 | 590 | if (*cp == '-') { 591 | 592 | *cp = '\0'; 593 | cp++; 594 | 595 | // check the second part of the range is an IP 596 | for (cp2 = cp; (*cp2 >= '0' && *cp2 <= '9') || *cp2 == '.'; cp2++); 597 | 598 | if (*cp2 == '\0') { 599 | pend_ip = cp; 600 | 601 | // check if first part of range is a valid ip (e.g. "1.2.3.4" in "1.2.3.4-6"; 602 | struct in_addr ip_start; 603 | struct in_addr ip_end; 604 | //printf("start string: %s\n", ip_range); 605 | //printf("end string : %s\n", pend_ip); 606 | if (inet_aton(ip_range, &ip_start) and inet_aton(pend_ip, &ip_end)) { 607 | unsigned int ip_start_dec = ntohl(*(int *)&ip_start); 608 | unsigned int ip_end_dec = ntohl(*(int *)&ip_end); 609 | 610 | //printf("start: %u, %08x\n", ip_start_dec, ip_start_dec); 611 | //printf("end: %u, %08x\n", ip_end_dec, ip_end_dec); 612 | 613 | // check for backwards range; 614 | if (ip_end_dec < ip_start_dec) { 615 | printf("WARNING: Backwards IP range given. Reversing.\n"); 616 | int temp; 617 | temp = ip_end_dec; 618 | ip_end_dec = ip_start_dec; 619 | ip_start_dec = temp; 620 | } 621 | 622 | for (unsigned int ip_dec = ip_start_dec; ip_dec <= ip_end_dec; ip_dec++) { 623 | //printf("ip_dec: %d\n", ip_dec); 624 | int ip_dec_byteswap = ntohl(ip_dec); 625 | char *ip_string = inet_ntoa(*(struct in_addr *)&ip_dec_byteswap); 626 | //printf("ip: %s\n", ip_string); 627 | pos++; 628 | if (pos >= start_pos + max_hosts) { 629 | return hosts_added; 630 | } 631 | if (pos >= start_pos) { 632 | hosts_added++; 633 | addHost(ip_string); 634 | } 635 | } 636 | 637 | processed_range = 1; 638 | } 639 | } 640 | } 641 | 642 | if (processed_range) return 0; 643 | 644 | ///////////////////////////////////////////////////////// 645 | // Check if we were passed a range is slash notation //// 646 | ///////////////////////////////////////////////////////// 647 | 648 | strncpy(ip_range, newhost, sizeof(ip_range)); 649 | char *netmask_ptr; 650 | if ((netmask_ptr = index(ip_range,'/'))) { 651 | *netmask_ptr = '\0'; 652 | netmask_ptr++; 653 | int netmask_bits = atol(netmask_ptr); 654 | if (netmask_bits > 0 and netmask_bits <=32) { 655 | struct in_addr ip; 656 | struct hostent *phostent; 657 | if(!inet_aton(ip_range, &ip)) { 658 | if(name_resolution and (phostent = gethostbyname(ip_range)) != 0) { 659 | ip = *(struct in_addr *)phostent->h_addr; 660 | resolved = 1; 661 | } 662 | } else { 663 | resolved = 1; 664 | } 665 | 666 | if (resolved) { 667 | unsigned int ip_dec = ntohl(*(int *)&ip); 668 | int hostmask = 0xffffffff >> netmask_bits; 669 | int netmask = 0xffffffff ^ hostmask; 670 | if (!scanning_chunk and ip_dec & hostmask) { 671 | printf("WARNING: Network address wasn't used to specify range to be scanned\n"); 672 | } 673 | ip_dec = ip_dec & netmask; 674 | hostmask++; 675 | for (int next_ip_dec = ip_dec; hostmask; next_ip_dec++) { 676 | int next_ip_dec_byteswap = ntohl(next_ip_dec); 677 | char *ip_string = inet_ntoa(*(struct in_addr *)&next_ip_dec_byteswap); 678 | pos++; 679 | if (pos >= start_pos + max_hosts) { 680 | return hosts_added; 681 | } 682 | if (pos >= start_pos) { 683 | hosts_added++; 684 | addHost(ip_string); 685 | } 686 | hostmask--; 687 | } 688 | 689 | processed_range = 1; 690 | } 691 | } 692 | } else { 693 | goto badrange; 694 | } 695 | 696 | if (processed_range) return 0; 697 | 698 | badrange: 699 | printf("WARNING: Failed to resolve %s\n", newhost); 700 | return -1; 701 | } 702 | 703 | // prints out the entire hostlist. For debugging use. 704 | void Scanner::dumpHostList() { 705 | if (debug > 2) printf("Scanner::dumpHostList: Called\n"); 706 | printf("Current Host Pointer: %lx\n", (unsigned long int)pcurrent_host_element); 707 | printf("--- Start of hostlist dump ---\n"); 708 | struct host_element *ph; 709 | ph = pfirst_host_element; 710 | while(ph != plast_host_element) { 711 | printf("\t%s (pointer addr: %lx)", inet_ntoa(ph->ip), (unsigned long int)ph); 712 | if (ph == pcurrent_host_element) { 713 | printf(" <- current_host"); 714 | } 715 | printf("\n"); 716 | ph = ph->pnext; 717 | } 718 | 719 | // print out last host element - careful incase we're dumping an empty list 720 | if (ph) { 721 | printf("\t%s (pointer addr: %lx)", inet_ntoa(ph->ip), (unsigned long int)ph); 722 | if (ph == pcurrent_host_element) { 723 | printf(" <- current_host"); 724 | } 725 | printf("\n"); 726 | } 727 | printf("--- End of hostlist dump ---\n"); 728 | if (debug > 2) printf("Scanner::dumpHostList: End of hostlist dump\n"); 729 | } 730 | 731 | // alias for setDevice - see below 732 | void Scanner::setInterface(char *newdevice) { 733 | setDevice(newdevice); 734 | } 735 | 736 | // 737 | // Set interface on which pcap will listen for replies. 738 | // 739 | // This could be counter-intuitive if you are expecting packets 740 | // to be SENT from this interface. All sending is handled by 741 | // the routing table, not by code in the scanner. 742 | // 743 | // From the interface we can automatically determine the 744 | // source address. Once this is done, we're in a position 745 | // to set up the pcap filter. 746 | // 747 | void Scanner::setDevice(char *newdevice) { 748 | strncpy(device, newdevice, sizeof(device)); 749 | if (verbose) printf("Scanner::SetDevice: Device set to %s\n", device); 750 | 751 | struct ifreq ifr; 752 | strncpy(ifr.ifr_name,device, sizeof(ifr.ifr_name)); 753 | 754 | /* from arptool.c */ 755 | // Setting up the sockets, interface, and getting data. 756 | int ret; 757 | int fd; 758 | //struct sockaddr_in sin; 759 | char hwaddr[ETH_ALEN]; 760 | fd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP)); 761 | if (fd==-1) { 762 | perror("Socket: "); exit (1); 763 | } 764 | 765 | // Determine HW Addr. 766 | ret = ioctl(fd,SIOCGIFHWADDR,&ifr); 767 | if (ret==-1) { 768 | printf("ERROR: Can't find HW address for interface %s: %s\n", device, strerror(errno)); 769 | exit(1); 770 | } 771 | memcpy(hwaddr,ifr.ifr_hwaddr.sa_data,ETH_ALEN); 772 | setSrcMAC(hwaddr_to_str((unsigned char *)hwaddr)); 773 | 774 | initSrcIP(); 775 | setPcapFilter(); 776 | 777 | // 778 | // Set up sniffer 779 | // 780 | 781 | int snaplen = 1500; 782 | int promisc = 0x100; // what is 0x100? 783 | int to_ms = 1000; // timeout in milliseconds 784 | char errbuf[1000]; // store returned error - what length is best? 785 | struct bpf_program fcode; 786 | int optimize = 0; 787 | bpf_u_int32 netmask, localnet; 788 | 789 | // Set netmask. we need this for pcap_compile 790 | pcap_lookupnet(device, &localnet, &netmask, errbuf); 791 | 792 | // Create a sniffer 793 | sniffer = pcap_open_live(device, snaplen, promisc, to_ms, errbuf); // TODO why *? 794 | 795 | if (!sniffer) { 796 | printf("ERROR: Failed to start sniffer on %s: %s\n", device, errbuf); 797 | exit(1); 798 | } 799 | 800 | // Make sniffer behave like a non-blocking recv 801 | // Don't do this when using pcap_loop or it will busy-wait 802 | pcap_setnonblock(sniffer, 1, errbuf); 803 | 804 | // compile the filter. set fcode. we need this for pcap_setfilter 805 | pcap_compile(sniffer, &fcode, getPcapFilter(), optimize, netmask); 806 | 807 | // set the filter on the sniffer 808 | pcap_setfilter(sniffer, &fcode); 809 | } 810 | 811 | // initialises src_ip_str if need be 812 | void Scanner::initSrcIP(void) { 813 | if (!strlen(src_ip_str)) { 814 | if (!strlen(getDevice())) { 815 | printf("ERROR: getSrcIPBin called, but device hasn't been set yet\n"); 816 | exit(1); 817 | } 818 | 819 | struct ifreq ifr; 820 | strncpy(ifr.ifr_name,getDevice(), sizeof(ifr.ifr_name)); 821 | 822 | /* from arptool.c */ 823 | // Setting up the sockets, interface, and getting data. 824 | int ret; 825 | int fd; 826 | fd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP)); 827 | if (fd==-1) { 828 | perror("Socket: "); exit (1); 829 | } 830 | struct sockaddr_in sin; 831 | // Determine IP Addr. 832 | ret = ioctl(fd,SIOCGIFADDR,&ifr); 833 | if (ret==-1) { 834 | printf("ERROR: Can't get IP address for interface %s: %s\n", device, strerror(errno)); 835 | exit (1); 836 | } 837 | memcpy(&sin,&ifr.ifr_addr,sizeof(struct sockaddr_in)); 838 | setSrcIP(ipaddr_to_str((unsigned char *)&sin.sin_addr.s_addr)); 839 | } 840 | } 841 | 842 | // 843 | // return name of device (interface) that pcap is configured to 844 | // listen on for replies. 845 | // 846 | char* Scanner::getDevice() { 847 | return(device); 848 | } 849 | 850 | // 851 | // set source ip for probes 852 | // 853 | void Scanner::setSrcIP(char *new_src_ip_str) { 854 | // if we weren't passed an IP, try resolving 855 | if(!inet_aton(new_src_ip_str, &src_ip)) { 856 | struct hostent *phostent; 857 | if(name_resolution and (phostent = gethostbyname(new_src_ip_str)) != 0) { 858 | // printf("Successfully resolved %s to %s\n", newhost, inet_ntoa(*(struct in_addr *)phostent->h_addr_list[0])); 859 | src_ip = *(struct in_addr *)phostent->h_addr; 860 | } else { 861 | printf("ERROR: Unable to resolve source ip %s\n", new_src_ip_str); 862 | exit(1); 863 | } 864 | } 865 | strncpy(src_ip_str, inet_ntoa(src_ip), sizeof(src_ip_str)); 866 | if (verbose) printf("Scanner::SetSrcIP: Source IP set to %s\n", src_ip_str); 867 | setPcapFilter(); 868 | } 869 | 870 | // 871 | // set source MAC. There is no point to doing this 872 | // no code uses it (yet). 873 | // 874 | void Scanner::setSrcMAC(char *new_src_mac_str) { 875 | strncpy(src_mac_str, new_src_mac_str, sizeof(src_mac_str)); 876 | if (verbose) printf("Scanner::SetSrcMAC: Source MAC set to %s\n", src_mac_str); 877 | } 878 | 879 | // 880 | // return source ip used no the probes we're sending. 881 | // 882 | char* Scanner::getSourceAddress() { 883 | return(src_ip_str); 884 | } 885 | 886 | // 887 | // set the maximum bandwidth we can use in bits per second 888 | // 889 | void Scanner::setBandwidthMax(unsigned int new_bandwidth_max) { 890 | bandwidth_max = new_bandwidth_max; 891 | // printf("about to do division: %d / %d\n", packet_size, bandwidth_max); 892 | inter_packet_interval_us = int(packet_size / bandwidth_max) * 1000000; 893 | } 894 | 895 | // 896 | // returns max bandwidth we can use in bits per second 897 | // 898 | unsigned int Scanner::getBandwidthMax() { 899 | return(bandwidth_max); 900 | } 901 | 902 | // Return number of packets processed by pcap filter 903 | unsigned int Scanner::getPcapPacketsProcessed() { 904 | struct pcap_stat ps_stats; 905 | pcap_stats(sniffer, &ps_stats); 906 | if ((pcap_stats(sniffer, &ps_stats)) < 0) { 907 | printf("WARNING: Couldn't get pcap stats: %s", pcap_geterr(sniffer)); 908 | } 909 | return(ps_stats.ps_recv); 910 | } 911 | 912 | // Return number of packets processed by kernel during sniffing 913 | unsigned int Scanner::getPcapPacketsDropped() { 914 | struct pcap_stat ps_stats; 915 | pcap_stats(sniffer, &ps_stats); 916 | if ((pcap_stats(sniffer, &ps_stats)) < 0) { 917 | printf("WARNING: Couldn't get pcap stats: %s", pcap_geterr(sniffer)); 918 | } 919 | return(ps_stats.ps_drop); 920 | } 921 | 922 | -------------------------------------------------------------------------------- /scanner.h: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // This tool may be used for legal purposes only. Users take full responsibility 25 | // for any actions performed using this tool. If these terms are not acceptable to 26 | // you, then do not use this tool. 27 | // 28 | // You are encouraged to send comments, improvements or suggestions to 29 | // me at yapscan@pentestmonkey.net 30 | // 31 | 32 | #ifndef __SCANNER__ 33 | #define __SCANNER__ 34 | #include "yapscan.h" 35 | 36 | struct host_element { 37 | struct in_addr ip; 38 | struct port_element *pcurrent_port; 39 | struct port_element *pfirst_port; 40 | struct port_element *plast_port; 41 | struct icmp_element *pcurrent; 42 | struct host_element *pnext; 43 | struct host_element *pprev; 44 | struct timeval rtt_tv; // udp only 45 | int inter_packet_interval_us; // udp only. microseconds between packets 46 | struct timeval next_probe_time_tv; // udp only 47 | }; 48 | 49 | class Scanner { 50 | public: 51 | Scanner(); 52 | Scanner(const Scanner&); 53 | ~Scanner(); 54 | 55 | Scanner* operator=(const Scanner&); 56 | int getPositiveResponseCount(); 57 | void setHwHeadLen(int len); 58 | int getHwHeadLen(); 59 | void setDebugLevel(int level); 60 | int getDebugLevel(); 61 | void setVerboseLevel(int level); 62 | int getVerboseLevel(); 63 | int setHwHeadLenAuto(void); 64 | void recvPackets(); 65 | void startScan(); 66 | void setRTT(struct timeval *newrtt); 67 | unsigned int getHostCount(); 68 | void setTries(unsigned int newtries); 69 | int getTries(); 70 | timeval getRTT(); 71 | int addHostsFromFile(char *filename, unsigned int start, unsigned int count); 72 | int addHost(char *newhost, unsigned int start, unsigned int count); 73 | int addHost(char *newhost); 74 | int deleteHost(host_element *h); 75 | void dumpHostList(); 76 | void scanningChunk(int yesorno); 77 | void setInterface(char *newdevice); 78 | void setDevice(char *newdevice); 79 | char* getDevice(); 80 | void setSrcIP(char *new_src_ip_str); 81 | void setSrcMAC(char *new_src_mac_str); 82 | char* getSourceAddress(); 83 | void setBandwidthMax(unsigned int new_bandwidth_max); 84 | unsigned int getBandwidthMax(); 85 | char* getPcapFilter(); 86 | void initSrcIP(void); 87 | int getTTL(); 88 | void setTTL(int); 89 | void updateCompletionTime(void); 90 | void setNameResolution(int flag); 91 | unsigned int getPcapPacketsProcessed(void); 92 | unsigned int getPcapPacketsDropped(void); 93 | 94 | // Virtuals 95 | 96 | /* 97 | * Set pcap filter that matches responses to our probes. 98 | * 99 | * This MUST be overridden by the inheriting class for the 100 | * scanner to work. 101 | */ 102 | virtual void setPcapFilter() = 0; 103 | 104 | /* 105 | * Sends a packet 106 | * 107 | * Returns: 108 | * 1: if there are still more packets to send 109 | * 0: if there are no more packets to send 110 | * 111 | * This MUST be overridden by the inheriting class for the 112 | * scanner to work. 113 | */ 114 | virtual int sendPacket() = 0; 115 | 116 | /* 117 | * Process incomming packets 118 | * 119 | * This MUST be overridden by the inheriting class for the 120 | * scanner to work. 121 | */ 122 | virtual void pcapCallback(Scanner *s, const struct pcap_pkthdr *pkthdr, const u_char *pkt) = 0; 123 | 124 | // inheriting class must know how to calculate its esitmated completion time 125 | virtual int getPercentComplete() = 0; 126 | virtual int getRemainingScanTime() = 0; 127 | 128 | protected: 129 | char device[10]; 130 | int port_count; 131 | int host_count; 132 | unsigned int bandwidth_max; 133 | char src_ip_str[16]; 134 | int hw_head_len; 135 | in_addr src_ip; 136 | char src_mac_str[19]; 137 | char pcap_filter_str[1000]; 138 | unsigned int tries; 139 | 140 | struct host_element *plast_host_element; 141 | struct host_element *pfirst_host_element; 142 | struct host_element *pcurrent_host_element; 143 | pcap_t *sniffer; 144 | int packet_size; 145 | int packets_sent; 146 | int inter_packet_interval_us; 147 | int debug; 148 | int verbose; 149 | struct timeval rtt_tv; 150 | int positive_response_count; 151 | char pfilter[PCAP_FILTER_LEN]; 152 | int ttl; 153 | unsigned int total_bytes_sent; 154 | int name_resolution; 155 | int scanning_chunk; 156 | }; 157 | 158 | #endif // __SCANNER__ 159 | -------------------------------------------------------------------------------- /utils.cpp: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at yapscan@pentestmonkey.net 26 | // 27 | 28 | #include "yapscan.h" 29 | #include "scanner.h" 30 | 31 | // Subtract the `struct timeval' values X and Y, 32 | // storing the result in RESULT. 33 | // Return 1 if the difference is negative, otherwise 0. 34 | // http://www.delorie.com/gnu/docs/glibc/libc_428.html 35 | int 36 | timeval_subtract ( struct timeval *result, struct timeval *x, struct timeval *y ) 37 | { 38 | // Perform the carry for the later subtraction by updating y. 39 | if (x->tv_usec < y->tv_usec) { 40 | int nsec = (y->tv_usec - x->tv_usec) / 1000000 + 1; 41 | y->tv_usec -= 1000000 * nsec; 42 | y->tv_sec += nsec; 43 | } 44 | 45 | if (x->tv_usec - y->tv_usec > 1000000) { 46 | int nsec = (x->tv_usec - y->tv_usec) / 1000000; 47 | y->tv_usec += 1000000 * nsec; 48 | y->tv_sec -= nsec; 49 | } 50 | 51 | // Compute the time remaining to wait. 52 | // tv_usec is certainly positive. 53 | result->tv_sec = x->tv_sec - y->tv_sec; 54 | result->tv_usec = x->tv_usec - y->tv_usec; 55 | 56 | // Return 1 if result is negative. 57 | return x->tv_sec < y->tv_sec; 58 | } 59 | 60 | // Return md5(pid . src_ip . dest_ip . src_port . dest_port) 61 | // All are represented as 4 byte quantities in NETWORK byte order 62 | #ifndef HAVE_LIBCRYPTO 63 | int 64 | syncookie (int src_ip, int dest_ip, int src_port, int dest_port) { 65 | char pstring[20]; 66 | md5_state_t mymd5; 67 | md5_byte_t pmd5sum[16]; 68 | unsigned char *p; 69 | p = (unsigned char *)pstring; 70 | int pid = getpid(); 71 | 72 | memcpy(p, &src_ip, 4); 73 | p += 4; 74 | memcpy(p, &dest_ip, 4); 75 | p += 4; 76 | memcpy(p, &src_port, 4); 77 | p += 4; 78 | memcpy(p, &dest_port, 4); 79 | p += 4; 80 | memcpy(p, &pid, 4); 81 | 82 | md5_init(&mymd5); 83 | md5_append(&mymd5, (md5_byte_t *)pstring, sizeof(pstring)); 84 | md5_finish(&mymd5, pmd5sum); 85 | 86 | return *(long int *)pmd5sum; 87 | } 88 | #endif // HAVE_LIBCRYPTO 89 | 90 | #ifdef HAVE_LIBCRYPTO 91 | int 92 | syncookie (int src_ip, int dest_ip, int src_port, int dest_port) { 93 | char pstring[20]; 94 | MD5state_st mymd5; 95 | unsigned char pmd5sum[16]; 96 | unsigned char *p; 97 | p = (unsigned char *)pstring; 98 | int pid = getpid(); 99 | 100 | memcpy(p, &src_ip, 4); 101 | p += 4; 102 | memcpy(p, &dest_ip, 4); 103 | p += 4; 104 | memcpy(p, &src_port, 4); 105 | p += 4; 106 | memcpy(p, &dest_port, 4); 107 | p += 4; 108 | memcpy(p, &pid, 4); 109 | 110 | MD5_Init(&mymd5); 111 | MD5_Update(&mymd5, (void *)pstring, sizeof(pstring)); 112 | MD5_Final(pmd5sum, &mymd5); 113 | 114 | return *(long int *)pmd5sum; 115 | } 116 | #endif // HAVE_LIBCRYPTO 117 | 118 | // Useful functions from arptool.c v0.1 by Cristiano Lincoln Mattos 119 | char* 120 | hwaddr_to_str (unsigned char * str) { 121 | static char tmp[20]; 122 | sprintf(tmp,"%02X:%02X:%02X:%02X:%02X:%02X",str[0],str[1],str[2],str[3],str[4],str[5]); 123 | return tmp; 124 | } 125 | 126 | char* 127 | ipaddr_to_str (unsigned char * str) { 128 | static char tmp[20]; 129 | sprintf(tmp,"%d.%d.%d.%d",str[0],str[1],str[2],str[3]); 130 | return tmp; 131 | } 132 | 133 | unsigned short 134 | in_cksum(unsigned short *ptr, int nbytes) 135 | { 136 | register long sum; /* assumes long == 32 bits */ 137 | u_short oddbyte; 138 | register u_short answer; /* assumes u_short == 16 bits */ 139 | 140 | /* 141 | * Our algorithm is simple, using a 32-bit accumulator (sum), 142 | * we add sequential 16-bit words to it, and at the end, fold back 143 | * all the carry bits from the top 16 bits into the lower 16 bits. 144 | */ 145 | 146 | sum = 0; 147 | while (nbytes > 1) { 148 | sum += *ptr++; 149 | nbytes -= 2; 150 | } 151 | 152 | /* mop up an odd byte, if necessary */ 153 | if (nbytes == 1) { 154 | oddbyte = 0; /* make sure top half is zero */ 155 | *((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */ 156 | sum += oddbyte; 157 | } 158 | 159 | /* 160 | * Add back carry outs from top 16 bits to low 16 bits. 161 | */ 162 | 163 | sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */ 164 | sum += (sum >> 16); /* add carry */ 165 | answer = ~sum; /* ones-complement, then truncate to 16 bits */ 166 | 167 | return(answer); 168 | 169 | } /* end in_cksm() */ 170 | 171 | /* 172 | * I wanted to be able to use class functions as pcap callback functions. 173 | * 174 | * pcap insists that the callback is void (*), so I couldn't. This little helper 175 | * function keeps pcap happy by being of the correct type, then simply passes 176 | * the arguments onto the corresponding class function. 177 | * 178 | * To achieve this the u_char * argument to pcap dispatch MUST be the scanner object. 179 | */ 180 | void 181 | recv_packets(u_char *u, const struct pcap_pkthdr *pkthdr, const u_char *pkt) { 182 | Scanner *s; 183 | s = (Scanner *)u; 184 | 185 | s->pcapCallback(s, pkthdr, pkt); 186 | return; 187 | } 188 | 189 | unsigned short int 190 | getFirstPID(void) { 191 | return ((getpid() * time(NULL)) + 1024) % 65535; 192 | } 193 | -------------------------------------------------------------------------------- /yapscan.h: -------------------------------------------------------------------------------- 1 | // yapscan - Yet Another Port Scanner 2 | // Copyright (C) 2006 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // This tool may be used for legal purposes only. Users take full responsibility 25 | // for any actions performed using this tool. If these terms are not acceptable to 26 | // you, then do not use this tool. 27 | // 28 | // You are encouraged to send comments, improvements or suggestions to 29 | // me at yapscan@pentestmonkey.net 30 | // 31 | 32 | #include // ifreq 33 | #include // printf 34 | #include // strncpy 35 | #include // sockaddr_in 36 | #include // ETH_ALEN 37 | #include //exit 38 | #include // SOIGC 39 | #include // ioctl 40 | #include 41 | #include // iphdr 42 | #include // icmphdr 43 | // #include // tcphdr 44 | // #include // udphdr 45 | #include 46 | #include 47 | #include 48 | #include //O_NONBLK 49 | #include //isspace 50 | #include //floor 51 | #include //gethostbyname 52 | #include //getservbyport 53 | #include // tcgetattr, tcsetattr (for turn off tty echo) 54 | #include // gmtime on debian 55 | 56 | #ifdef HAVE_LIBCRYPTO 57 | # include 58 | # else 59 | # include "md5.h" 60 | #endif 61 | 62 | /* prototypes */ 63 | char * hwaddr_to_str (unsigned char * str); 64 | char * ipaddr_to_str (unsigned char * str); 65 | pcap_t *mypcap_init(char *filter, char *device); 66 | void recv_packets(u_char *u, const struct pcap_pkthdr *pkthdr, const u_char *pkt); 67 | unsigned short in_cksum(unsigned short *ptr, int nbytes); 68 | int timeval_subtract ( struct timeval *result, struct timeval *x, struct timeval *y); 69 | int syncookie (int src_ip, int dest_ip, int src_port, int dest_port); 70 | unsigned short int getFirstPID(void); 71 | 72 | #define MAXLINE 100 73 | #define PCAP_FILTER_LEN 1000 74 | #define MAXDEVICENAMELENGTH 20 75 | #define MAXFILENAMELENGTH 300 76 | #define MAXHOSTNAMELENGTH 50 77 | #define MAXPORT 65535 78 | #define MAXPORTNAMELENGTH 30 79 | 80 | --------------------------------------------------------------------------------