【转】 linux port scan

2023-05-16

https://www.binarytides.com/tcp-syn-portscan-in-c-with-linux-sockets/

Port Scanning searches for open ports on a remote system. The basic logic for a portscanner would be to connect to the port we want to check. If the socket gives a valid connection without any error then the port is open , closed otherwise (or inaccessible, or filtered).

This basic technique is called TCP Connect Port Scanning in which we use something like a loop to connect to ports one by one and check for valid connections on the socket.

But this technique has many drawbacks :

It is slow since it establishes a complete 3 way TCP handshake. It waits for the connect() function to return.
It is detectable. It leaves more logs on the remote system and on any firewall that is running.

TCP-Syn Port scanning is a technique which intends to cure these two problems. The mechanism behind it is the handshaking which takes place while establishing a connection. It sends syn packets and waits for an syn+ack reply. If such a reply is received then the port is open otherwise keep waiting till timeout and report the port as closed. Quite simple! In the TCP connect technique the connect() function sends a ack after receiving syn+ack and this establishes a complete connection. But in Syn scanning the complete connection is not made.

This results in :

Faster scans - Partial TCP handshake is done. Only 2 packets exchanged , syn and syn+ack.
Incomplete connections so less detectable. But modern firewalls are smart enough to log all syn activites. So this technique is more or less detectable to same extent as TCP connect port scanning.

TCP Connect Port Scan looks like :

You -> Send Syn packet -> Host:port
Host -> send syn/ack packet -> You
You -> send ack packet -> Host

... and connection is established

TCP-Syn Port scan looks like

You -> send syn packet ->Host:port
Host -> send syn/ack or rst packet or nothing depending on the port status -> You

... stop and analyse the reply the host send :
If syn+ack reply then port open.
Closed/filtered otherwise.

Results are almost as accurate as that of TCP connection and the scan is much faster.

So the process is :

Send a Syn packet to a port A
Wait for a reply of Syn+Ack till timeout.
Syn+Ack reply means the port is open , Rst packet means port is closed , and otherwise it might be inaccessible or in a filtered state.

Tools

We shall code a TCP-Syn Port scanner on Linux using sockets and posix thread api.
The tools we need are :

Linux system with gcc and posix libraries installed
Wireshark for analysing the packets (Optional : for better understanding).

Program Logic

Take a hostname to scan.
Start a sniffer thread shall sniff all incoming packets and pick up those which are from hostname and are syn+ack packets.
start sending syn packets to ports in a loop. This needs raw sockets
If the sniffer thread receives a syn/ack packet from the host then get the source port of the packet and report the packet as open.
Keep looping as long as you have nothing else to do.
Quit the program if someone is calling you.

Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
/
TCP Syn port scanner code in C with Linux Sockets :)
/

include<stdio.h> //printf

include<string.h> //memset

include<stdlib.h> //for exit(0);

include<sys/socket.h>

include<errno.h> //For errno - the error number

include<pthread.h>

include<netdb.h> //hostend

include<arpa/inet.h>

include<netinet/tcp.h> //Provides declarations for tcp header

include<netinet/ip.h> //Provides declarations for ip header

void * receive_ack( void ptr );
void process_packet(unsigned char , int);
unsigned short csum(unsigned short * , int );
char * hostname_to_ip(char * );
int get_local_ip (char *);

struct pseudo_header //needed for checksum calculation
{
unsigned int source_address;
unsigned int dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;

struct tcphdr tcp;

};

struct in_addr dest_ip;

int main(int argc, char *argv[])
{
//Create a raw socket
int s = socket (AF_INET, SOCK_RAW , IPPROTO_TCP);
if(s < 0)
{
printf ("Error creating socket. Error number : %d . Error message : %s \n" , errno , strerror(errno));
exit(0);
}
else
{
printf("Socket created.\n");
}

//Datagram to represent the packet
char datagram[4096];    
 
//IP header
struct iphdr *iph = (struct iphdr *) datagram;
 
//TCP header
struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip));
 
struct sockaddr_in  dest;
struct pseudo_header psh;
 
char *target = argv[1];
 
if(argc < 2)
{
    printf("Please specify a hostname \n");
    exit(1);
}
 
if( inet_addr( target ) != -1)
{
    dest_ip.s_addr = inet_addr( target );
}
else
{
    char *ip = hostname_to_ip(target);
    if(ip != NULL)
    {
        printf("%s resolved to %s \n" , target , ip);
        //Convert domain name to IP
        dest_ip.s_addr = inet_addr( hostname_to_ip(target) );
    }
    else
    {
        printf("Unable to resolve hostname : %s" , target);
        exit(1);
    }
}
 
int source_port = 43591;
char source_ip[20];
get_local_ip( source_ip );
 
printf("Local source IP is %s \n" , source_ip);
 
memset (datagram, 0, 4096); /* zero out the buffer */
 
//Fill in the IP Header
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr);
iph->id = htons (54321); //Id of this packet
iph->frag_off = htons(16384);
iph->ttl = 64;
iph->protocol = IPPROTO_TCP;
iph->check = 0;      //Set to 0 before calculating checksum
iph->saddr = inet_addr ( source_ip );    //Spoof the source ip address
iph->daddr = dest_ip.s_addr;
 
iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
 
//TCP Header
tcph->source = htons ( source_port );
tcph->dest = htons (80);
tcph->seq = htonl(1105024978);
tcph->ack_seq = 0;
tcph->doff = sizeof(struct tcphdr) / 4;      //Size of tcp header
tcph->fin=0;
tcph->syn=1;
tcph->rst=0;
tcph->psh=0;
tcph->ack=0;
tcph->urg=0;
tcph->window = htons ( 14600 );  // maximum allowed window size
tcph->check = 0; //if you set a checksum to zero, your kernel's IP stack should fill in the correct checksum during transmission
tcph->urg_ptr = 0;
 
//IP_HDRINCL to tell the kernel that headers are included in the packet
int one = 1;
const int *val = &one;
 
if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0)
{
    printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno));
    exit(0);
}
 
printf("Starting sniffer thread...\n");
char *message1 = "Thread 1";
int  iret1;
pthread_t sniffer_thread;

if( pthread_create( &sniffer_thread , NULL ,  receive_ack , (void*) message1) < 0)
{
    printf ("Could not create sniffer thread. Error number : %d . Error message : %s \n" , errno , strerror(errno));
    exit(0);
}

printf("Starting to send syn packets\n");
 
int port;
dest.sin_family = AF_INET;
dest.sin_addr.s_addr = dest_ip.s_addr;
for(port = 1 ; port < 100 ; port++)
{
    tcph->dest = htons ( port );
    tcph->check = 0; // if you set a checksum to zero, your kernel's IP stack should fill in the correct checksum during transmission
     
    psh.source_address = inet_addr( source_ip );
    psh.dest_address = dest.sin_addr.s_addr;
    psh.placeholder = 0;
    psh.protocol = IPPROTO_TCP;
    psh.tcp_length = htons( sizeof(struct tcphdr) );
     
    memcpy(&psh.tcp , tcph , sizeof (struct tcphdr));
     
    tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header));
     
    //Send the packet
    if ( sendto (s, datagram , sizeof(struct iphdr) + sizeof(struct tcphdr) , 0 , (struct sockaddr *) &dest, sizeof (dest)) < 0)
    {
        printf ("Error sending syn packet. Error number : %d . Error message : %s \n" , errno , strerror(errno));
        exit(0);
    }
}
 
pthread_join( sniffer_thread , NULL);
printf("%d" , iret1);
 
return 0;

}

/
Method to sniff incoming packets and look for Ack replies
/
void * receive_ack( void *ptr )
{
//Start the sniffer thing
start_sniffer();
}

int start_sniffer()
{
int sock_raw;

int saddr_size , data_size;
struct sockaddr saddr;
 
unsigned char *buffer = (unsigned char *)malloc(65536); //Its Big!
 
printf("Sniffer initialising...\n");
fflush(stdout);
 
//Create a raw socket that shall sniff
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP);
 
if(sock_raw < 0)
{
    printf("Socket Error\n");
    fflush(stdout);
    return 1;
}
 
saddr_size = sizeof saddr;
 
while(1)
{
    //Receive a packet
    data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size);
     
    if(data_size <0 )
    {
        printf("Recvfrom error , failed to get packets\n");
        fflush(stdout);
        return 1;
    }
     
    //Now process the packet
    process_packet(buffer , data_size);
}
 
close(sock_raw);
printf("Sniffer finished.");
fflush(stdout);
return 0;

}

void process_packet(unsigned char* buffer, int size)
{
//Get the IP Header part of this packet
struct iphdr iph = (struct iphdr)buffer;
struct sockaddr_in source,dest;
unsigned short iphdrlen;

if(iph->protocol == 6)
{
    struct iphdr *iph = (struct iphdr *)buffer;
    iphdrlen = iph->ihl*4;
 
    struct tcphdr *tcph=(struct tcphdr*)(buffer + iphdrlen);
         
    memset(&source, 0, sizeof(source));
    source.sin_addr.s_addr = iph->saddr;
 
    memset(&dest, 0, sizeof(dest));
    dest.sin_addr.s_addr = iph->daddr;
     
    if(tcph->syn == 1 && tcph->ack == 1 && source.sin_addr.s_addr == dest_ip.s_addr )
    {
        printf("Port %d open \n" , ntohs(tcph->source));
        fflush(stdout);
    }
}

}

/
Checksums - IP and TCP
/
unsigned short csum(unsigned short *ptr,int nbytes)
{
register long sum;
unsigned short oddbyte;
register short answer;

sum=0;
while(nbytes>1) {
    sum+=*ptr++;
    nbytes-=2;
}
if(nbytes==1) {
    oddbyte=0;
    *((u_char*)&oddbyte)=*(u_char*)ptr;
    sum+=oddbyte;
}

sum = (sum>>16)+(sum & 0xffff);
sum = sum + (sum>>16);
answer=(short)~sum;
 
return(answer);

}

/
Get ip from domain name
/
char* hostname_to_ip(char * hostname)
{
struct hostent *he;
struct in_addr **addr_list;
int i;

if ( (he = gethostbyname( hostname ) ) == NULL) 
{
    // get the host info
    herror("gethostbyname");
    return NULL;
}

addr_list = (struct in_addr **) he->h_addr_list;
 
for(i = 0; addr_list[i] != NULL; i++) 
{
    //Return the first one;
    return inet_ntoa(*addr_list[i]) ;
}
 
return NULL;

}

/
Get source IP of system , like 192.168.0.6 or 192.168.1.2
/

int get_local_ip ( char * buffer)
{
int sock = socket ( AF_INET, SOCK_DGRAM, 0);

const char* kGoogleDnsIp = "8.8.8.8";
int dns_port = 53;

struct sockaddr_in serv;

memset( &serv, 0, sizeof(serv) );
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = inet_addr(kGoogleDnsIp);
serv.sin_port = htons( dns_port );

int err = connect( sock , (const struct sockaddr*) &serv , sizeof(serv) );

struct sockaddr_in name;
socklen_t namelen = sizeof(name);
err = getsockname(sock, (struct sockaddr*) &name, &namelen);

const char *p = inet_ntop(AF_INET, &name.sin_addr, buffer, 100);

close(sock);

}
Compile and Run

1
$ gcc syn_portscan.c -lpthread -o syn_portscan
-lpthread option is needed to link the posix thread libraries.

Now Run

1
2
3
4
5
6
7
8
9
$ sudo ./syn_portscan www.google.com
Socket created.
www.google.com resolved to 74.125.235.16
Local source IP is 192.168.0.6
Starting sniffer thread...
Starting to send syn packets
Sniffer initialising...
Port 53 open
Port 80 open
Note :

For the program to run correctly the local ip and the hostname ip should be resolved correctly. Wireshark should also show the TCP Syn packets as "Good" and not bogus or something.
The get_local_ip method is used to find the local ip of the machine which is filled in the source ip of packets. For example : 192.168.1.2 if you are on a LAN or 172.x.x.x if you are directly connected to internet. The local source ip value will show this.
The hostname_to_ip function resolves a domain name to its ip address. It uses the gethostbyname method.

Last Updated On : 9th February 2013

转载于:https://www.cnblogs.com/Dennis-mi/articles/8492023.html

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系:hwhale#tublm.com(使用前将#替换为@)