III. Advanced UDP Scanning Techniques
Most UDP-based scans work in combination with ICMP, as described in the ICMP section. Another distinctive technique relies on the UDP reply of the service itself. For example, if 'x02' or 'x03' is sent to port 1434 of a SQL SERVER host, the reply can be used to detect the connection port.
The following program is an example of TCP detection. It is not complete, because it has no receiving part; on WIN2000 the reply is effectively picked up by a selective SNIFFER, and other SNIFFER methods can be used for the same purpose. The program can also be changed to send only IP packets and use the ICMP behaviour for detection.
# Include
# Include
# Include
# Define SOURCE_PORT 7234
# Define MAX_RECEIVEBYTE 255
/*
 * IPv4 header without options (RFC 791 layout, 20 bytes).
 *
 * Multi-byte fields are stored exactly as they will appear on the wire;
 * the code that fills this struct is responsible for byte ordering.
 */
typedef struct ip_hdr
{
    unsigned char  h_verlen;        /* version in the high nibble, header length in 32-bit words in the low nibble */
    unsigned char  tos;             /* type of service */
    unsigned short total_len;       /* total datagram length in bytes */
    unsigned short ident;           /* identification */
    unsigned short frag_and_flags;  /* 3 flag bits followed by the 13-bit fragment offset */
    unsigned char  ttl;             /* time to live */
    unsigned char  proto;           /* transport protocol number (TCP, UDP, ...) */
    unsigned short checksum;        /* header checksum */
    unsigned int   sourceIP;        /* source address */
    unsigned int   destIP;          /* destination address */
} IPHEADER;
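/*
 * TCP pseudo-header (RFC 793, 12 bytes) that is prepended to the segment
 * only while the TCP checksum is computed; it is never sent.
 *
 * The address fields are 32-bit IPv4 addresses, so they use `unsigned int`
 * like IPHEADER does: `unsigned long` is 64 bits on LP64 targets and would
 * silently grow the pseudo-header to 24 bytes.
 */
typedef struct tsd_hdr
{
    unsigned int   saddr;   /* source IPv4 address */
    unsigned int   daddr;   /* destination IPv4 address */
    unsigned char  mbz;     /* must be zero */
    unsigned char  ptcl;    /* protocol number (IPPROTO_TCP) */
    unsigned short tcpl;    /* TCP length: header plus payload, in bytes */
} PSDHEADER;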
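/*
 * TCP header without options (RFC 793 layout, 20 bytes).
 *
 * Uses plain `unsigned short` instead of the Windows `USHORT` typedef so the
 * struct matches IPHEADER/PSDHEADER and compiles without platform headers;
 * the two types are identical on Windows.
 */
typedef struct tcp_hdr
{
    unsigned short th_sport;    /* source port */
    unsigned short th_dport;    /* destination port */
    unsigned int   th_seq;      /* sequence number */
    unsigned int   th_ack;      /* acknowledgement number */
    unsigned char  th_lenres;   /* data offset in 32-bit words (high nibble) + reserved bits */
    unsigned char  th_flag;     /* control flags (SYN, FIN, ACK, ...) */
    unsigned short th_win;      /* window size */
    unsigned short th_sum;      /* checksum over pseudo-header, header and payload */
    unsigned short th_urp;      /* urgent pointer */
} TCPHEADER;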
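/*
 * Internet checksum (RFC 1071) over `size` bytes starting at `buffer`.
 *
 * 16-bit words are summed in host byte order with end-around carry, which is
 * why the result can be stored straight into a header field laid out in the
 * same byte order as the data it covers. A trailing odd byte is added as a
 * value in 0..255.
 *
 * Returns the one's complement of the folded sum; a size <= 0 yields 0xFFFF.
 * The caller must provide at least `size` readable bytes, and `buffer`
 * should be 16-bit aligned because words are read through an
 * `unsigned short` pointer.
 */
unsigned short checksum(unsigned short *buffer, int size)
{
    unsigned long cksum = 0;

    /* Sum whole 16-bit words. */
    while (size > 1) {
        cksum += *buffer++;
        size -= (int)sizeof *buffer;
    }

    /* Odd trailing byte. The `> 0` guard also keeps a negative size from
     * reading one byte past what the caller meant. */
    if (size > 0) {
        cksum += *(unsigned char *)buffer;
    }

    /* Fold the 32-bit accumulator into 16 bits; the second fold absorbs the
     * carry the first one can produce. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);

    return (unsigned short)(~cksum);
}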
/* Print the banner and the command-line synopsis to stdout. */
void usage()
{
    puts("************************************* *****");
    puts("TCPPing");
    puts("Written by Refdom");
    puts("Email: refdom@263.net");
    puts("Useage: TCPPing.exe Target_ip Target_port");
    puts("************************************* ******");
}
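/*
 * Parse a decimal TCP port from `text`.
 *
 * Returns the port (1..65535) or -1 when the string is empty, has trailing
 * characters, or is out of range. Replaces the unchecked atoi() call so a
 * bad argument is reported instead of silently becoming port 0.
 */
static int parse_port(const char *text)
{
    char *end = NULL;
    long value = strtol(text, &end, 10);

    if (end == text || *end != '\0' || value < 1 || value > 65535) {
        return -1;
    }
    return (int)value;
}

/*
 * Build one raw TCP segment (SYN by default) and send it to
 * Target_ip:Target_port.
 *
 * argv[1] is the target IPv4 address in dotted-decimal form, argv[2] the
 * target port. The IP header is written by this program (IP_HDRINCL), so
 * a raw socket is needed, which on Windows normally means elevated
 * privileges. Only the send side exists; nothing is received, which is why
 * MAX_RECEIVEBYTE is defined but unused.
 *
 * The source address is still the literal placeholder "local address ",
 * which inet_addr() rejects; the program refuses to send until it is
 * replaced instead of emitting a datagram with an all-ones source.
 *
 * Returns 0 when the segment was handed to the stack and 1 on any error.
 * Every failure path after WSAStartup() closes the socket (if open) and
 * calls WSACleanup().
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET sock = INVALID_SOCKET;
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;
    char szSendBuf[60] = {0};   /* holds pseudo+TCP (32 bytes) then IP+TCP (40 bytes) */
    BOOL flag = 1;              /* IP_HDRINCL on: the IP header comes from us */
    int nTimeOver = 1000;       /* send timeout in milliseconds */
    int port;
    unsigned int dest_ip;
    unsigned int source_ip;
    int rc = 1;                 /* exit status; cleared only after a successful send */

    usage();
    if (argc != 3) {
        return 1;
    }

    /* Validate both arguments before touching the network. */
    port = parse_port(argv[2]);
    if (port < 0) {
        printf("Invalid port: %s\n", argv[2]);
        return 1;
    }
    /* Note: inet_addr() also returns INADDR_NONE for 255.255.255.255, which is
     * not a usable unicast target here anyway. */
    dest_ip = inet_addr(argv[1]);
    if (dest_ip == INADDR_NONE) {
        printf("Invalid target address: %s\n", argv[1]);
        return 1;
    }
    source_ip = inet_addr("local address ");
    if (source_ip == INADDR_NONE) {
        printf("Local address is not configured; set it in the source before sending.\n");
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("WSAStartup Error!\n");
        return 1;
    }

    sock = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED);
    if (sock == INVALID_SOCKET) {
        printf("Socket Setup Error!\n");
        goto cleanup;
    }
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof flag) == SOCKET_ERROR) {
        printf("setsockopt IP_HDRINCL error!\n");
        goto cleanup;
    }
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&nTimeOver, sizeof nTimeOver) == SOCKET_ERROR) {
        printf("setsockopt SO_SNDTIMEO error!\n");
        goto cleanup;
    }

    /* Destination for sendto(); zeroed so sin_zero is deterministic. */
    memset(&addr_in, 0, sizeof addr_in);
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons((unsigned short)port);
    addr_in.sin_addr.S_un.S_addr = dest_ip;

    /* IPv4 header: version 4, header length in 32-bit words (no options).
     * Divide by 4 explicitly; sizeof(unsigned long) is 8 on LP64 targets. */
    memset(&ipHeader, 0, sizeof ipHeader);
    ipHeader.h_verlen = (unsigned char)((4 << 4) | (sizeof ipHeader / 4));
    ipHeader.tos = 0;
    ipHeader.total_len = htons((unsigned short)(sizeof ipHeader + sizeof tcpHeader));
    ipHeader.ident = 1;
    ipHeader.frag_and_flags = 0;
    ipHeader.ttl = 128;
    ipHeader.proto = IPPROTO_TCP;
    ipHeader.checksum = 0;      /* must be zero while its checksum is computed */
    ipHeader.sourceIP = source_ip;
    ipHeader.destIP = dest_ip;

    /* TCP header: 20 bytes, no options, fixed initial sequence number. */
    memset(&tcpHeader, 0, sizeof tcpHeader);
    tcpHeader.th_sport = htons(SOURCE_PORT);
    tcpHeader.th_dport = htons((unsigned short)port);
    tcpHeader.th_seq = htonl(0x12345678);
    tcpHeader.th_ack = 0;
    tcpHeader.th_lenres = (unsigned char)((sizeof tcpHeader / 4) << 4);
    tcpHeader.th_flag = 2;      /* 2 = SYN; the original notes 1 = FIN, 16 = ACK */
    tcpHeader.th_win = htons(512);
    tcpHeader.th_urp = 0;
    tcpHeader.th_sum = 0;       /* must be zero while the TCP checksum is computed */

    /* Pseudo-header covered by the TCP checksum (never transmitted). */
    psdHeader.saddr = ipHeader.sourceIP;
    psdHeader.daddr = ipHeader.destIP;
    psdHeader.mbz = 0;
    psdHeader.ptcl = IPPROTO_TCP;
    psdHeader.tcpl = htons((unsigned short)sizeof tcpHeader);

    /* TCP checksum: pseudo-header followed by the TCP header. */
    memcpy(szSendBuf, &psdHeader, sizeof psdHeader);
    memcpy(szSendBuf + sizeof psdHeader, &tcpHeader, sizeof tcpHeader);
    tcpHeader.th_sum = checksum((unsigned short *)szSendBuf,
                                (int)(sizeof psdHeader + sizeof tcpHeader));

    /* IP checksum covers the IP header only (RFC 791). The original summed
     * the TCP header too, which yields a wrong value. */
    memcpy(szSendBuf, &ipHeader, sizeof ipHeader);
    ipHeader.checksum = checksum((unsigned short *)szSendBuf, (int)sizeof ipHeader);

    /* Final datagram: IP header with its checksum, then the TCP header. */
    memcpy(szSendBuf, &ipHeader, sizeof ipHeader);
    memcpy(szSendBuf + sizeof ipHeader, &tcpHeader, sizeof tcpHeader);

    if (sendto(sock, szSendBuf, (int)(sizeof ipHeader + sizeof tcpHeader), 0,
               (struct sockaddr *)&addr_in, sizeof addr_in) == SOCKET_ERROR) {
        printf("send error! : %d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("send OK!\n");
    rc = 0;

cleanup:
    if (sock != INVALID_SOCKET) {
        closesocket(sock);
    }
    WSACleanup();
    return rc;
}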