Advanced scanning technology and principles (3)

Source: Internet
Author: User

III. Advanced UDP Scanning Technology

Most UDP-based scans work in combination with ICMP, as covered in the ICMP section. Another special feature is UDP feedback: for example, sending 'x02' or 'x03' to SQL Server on port 1434 makes it reveal the port used for connections.

The following program is an example of TCP detection. It is not perfect, since it has no receiving part, and on WIN2000 it is really a selective SNIFFER; other SNIFFER methods can achieve the same purpose. You can also change the program to send only IP packets and use the ICMP feature for detection.

/* The three #include lines lost their header names in extraction; these are
 * the headers the identifiers used below come from. */
#include <winsock2.h>   /* WSAStartup, WSASocket, sendto, IP_HDRINCL, SOCKET, USHORT/UCHAR */
#include <stdio.h>      /* printf */
#include <stdlib.h>     /* atoi / strtol */
#include <string.h>     /* memcpy, memset */

/* SOURCE_PORT is placed in the TCP header's source-port field.
 * MAX_RECEIVEBYTE is not referenced anywhere in this listing (it has no
 * receive path); kept so existing code that names it still compiles. */
enum {
    SOURCE_PORT = 7234,
    MAX_RECEIVEBYTE = 255
};

/* IPv4 header without options: 20 bytes, laid out as on the wire. */
typedef struct ip_hdr {
    unsigned char  h_verlen;        /* version (high nibble), header length in 32-bit words (low nibble) */
    unsigned char  tos;             /* type of service */
    unsigned short total_len;       /* total datagram length in bytes */
    unsigned short ident;           /* identification */
    unsigned short frag_and_flags;  /* 3 flag bits plus fragment offset */
    unsigned char  ttl;             /* time to live */
    unsigned char  proto;           /* payload protocol (TCP, UDP, ...) */
    unsigned short checksum;        /* header checksum */
    unsigned int   sourceIP;        /* source address, 32 bits as returned by inet_addr() */
    unsigned int   destIP;          /* destination address, 32 bits as returned by inet_addr() */
} IPHEADER;

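/*
 * TCP pseudo-header, prefixed to the TCP header when th_sum is computed.
 * The addresses are 32-bit like IPHEADER.sourceIP/destIP, which main()
 * copies into them. The page declared them unsigned long, which is 8 bytes
 * on LP64 platforms and would turn this 12-byte structure into 24 bytes
 * and corrupt the TCP checksum; on Windows both spellings are 4 bytes.
 */
typedef struct tsd_hdr {
    unsigned int   saddr;   /* source address, copied from IPHEADER.sourceIP */
    unsigned int   daddr;   /* destination address, copied from IPHEADER.destIP */
    char           mbz;     /* must be zero */
    char           ptcl;    /* protocol number (IPPROTO_TCP) */
    unsigned short tcpl;    /* TCP length, network byte order */
} PSDHEADER;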

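/*
 * TCP header without options: 20 bytes, laid out as on the wire.
 * Uses plain `unsigned short` like the other two header structures instead
 * of the Windows USHORT typedef (the same type), so the definition does not
 * depend on the Windows headers.
 */
typedef struct tcp_hdr {
    unsigned short th_sport;   /* source port */
    unsigned short th_dport;   /* destination port */
    unsigned int   th_seq;     /* sequence number */
    unsigned int   th_ack;     /* acknowledgement number */
    unsigned char  th_lenres;  /* data offset in 32-bit words (high nibble), reserved bits */
    unsigned char  th_flag;    /* flag bits (SYN, FIN, ACK, ...) */
    unsigned short th_win;     /* window size */
    unsigned short th_sum;     /* checksum over pseudo-header + header */
    unsigned short th_urp;     /* urgent pointer */
} TCPHEADER;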

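/*
 * checksum: RFC 1071 ones-complement checksum of `size` bytes at `buffer`,
 * used for both the IP header and the TCP pseudo-header + header.
 *
 * 16-bit words are summed in host byte order and a trailing odd byte is
 * added on its own (the usual in_cksum convention); main() stores the return
 * value straight into the header checksum fields. Each word is fetched with
 * memcpy, so the buffer need not be 2-byte aligned — main() passes a char
 * array. A size of zero or less yields 0xFFFF; the page's version tested
 * `if (size)` after the loop and would have read one byte for a negative
 * size.
 *
 * buffer  bytes to sum
 * size    number of bytes, may be odd
 * returns the folded, inverted 16-bit sum
 */
unsigned short checksum(const unsigned short *buffer, int size)
{
    const unsigned char *p = (const unsigned char *)buffer;
    unsigned long cksum = 0;

    /* Sum whole 16-bit words. */
    while (size > 1) {
        unsigned short word;
        memcpy(&word, p, sizeof word);
        cksum += word;
        p += sizeof word;
        size -= (int)sizeof word;
    }

    /* Odd trailing byte. */
    if (size == 1) {
        cksum += *p;
    }

    /* Fold the carries back into 16 bits; the first fold can itself carry. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (unsigned short)(~cksum);
}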

/* Prints the banner and the command-line syntax, one line per entry. */
void usage(void)
{
    static const char *const lines[] = {
        "************************************* *****\n",
        "TCPPing\n",
        "Written by Refdom\n",
        "Email: refdom@263.net\n",
        "Useage: TCPPing.exe Target_ip Target_port\n",
        "************************************* ******\n",
    };
    size_t count = sizeof lines / sizeof lines[0];

    for (size_t i = 0; i < count; i++) {
        printf("%s", lines[i]);
    }
}

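/*
 * Entry point. Builds one IP + TCP packet by hand (IP_HDRINCL) and sends it
 * to argv[1]:argv[2]; as the text above says, nothing is received, so any
 * reply has to be observed separately.
 *
 * argv[1]  target address in dotted-quad form (inet_addr)
 * argv[2]  target port, 1..65535
 *
 * Returns 0 when sendto() succeeded and 1 on bad arguments or any Winsock
 * failure. The page returned `false` (0) from main on every error path, which
 * reported success to the caller, and left the socket and the Winsock
 * library open; every failure now goes through `cleanup`.
 */
int main(int argc, char *argv[])
{
    WSADATA WSAData;
    SOCKET sock = INVALID_SOCKET;
    SOCKADDR_IN addr_in;
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;
    char szSendBuf[60] = {0};
    BOOL flag = 1;              /* IP_HDRINCL on */
    int nTimeOver = 1000;       /* send timeout, milliseconds */
    int rect;
    int rc = 1;                 /* exit status; 0 only after a successful send */
    unsigned long destIP;
    unsigned long sourceIP;
    long port;
    char *end = NULL;

    usage();
    if (argc != 3) {
        return 1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &WSAData) != 0) {
        printf("WSAStartup Error!\n");
        return 1;
    }

    /* Validate both arguments before opening a socket; the page fed the
     * inet_addr()/atoi() results straight into the headers unchecked.
     * inet_addr() is a Winsock call, so this has to come after WSAStartup. */
    destIP = inet_addr(argv[1]);
    if (destIP == INADDR_NONE) {
        printf("Bad target address: %s\n", argv[1]);
        goto cleanup;
    }
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || port < 1 || port > 65535) {
        printf("Bad target port: %s\n", argv[2]);
        goto cleanup;
    }

    /* The page leaves the source address as a placeholder string; inet_addr()
     * of that is INADDR_NONE, so stop here instead of sending 255.255.255.255
     * as the source. Replace the literal with this host's own address. */
    sourceIP = inet_addr("local address");
    if (sourceIP == INADDR_NONE) {
        printf("Source address is not set; edit the inet_addr() literal in main().\n");
        goto cleanup;
    }

    sock = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED);
    if (sock == INVALID_SOCKET) {
        printf("Socket Setup Error!\n");
        goto cleanup;
    }

    /* IP_HDRINCL: the IP header is supplied by us, not the stack. */
    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        printf("setsockopt IP_HDRINCL error!\n");
        goto cleanup;
    }
    if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&nTimeOver, sizeof(nTimeOver)) == SOCKET_ERROR) {
        printf("setsockopt SO_SNDTIMEO error!\n");
        goto cleanup;
    }

    memset(&addr_in, 0, sizeof(addr_in));
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons((unsigned short)port);
    addr_in.sin_addr.S_un.S_addr = destIP;

    /* IP header. Header length is in 32-bit words; the page divided by
     * sizeof(unsigned long), which equals 4 only on Windows. */
    ipHeader.h_verlen = (unsigned char)((4 << 4) | (sizeof(ipHeader) / 4));
    ipHeader.tos = 0;
    ipHeader.total_len = htons((unsigned short)(sizeof(ipHeader) + sizeof(tcpHeader)));
    ipHeader.ident = 1;
    ipHeader.frag_and_flags = 0;
    ipHeader.ttl = 128;
    ipHeader.proto = IPPROTO_TCP;
    ipHeader.checksum = 0;
    ipHeader.sourceIP = (unsigned int)sourceIP;
    ipHeader.destIP = (unsigned int)destIP;

    /* TCP header: no options, no data. */
    tcpHeader.th_dport = htons((unsigned short)port);
    tcpHeader.th_sport = htons(SOURCE_PORT);
    tcpHeader.th_seq = htonl(0x12345678);
    tcpHeader.th_ack = 0;
    tcpHeader.th_lenres = (unsigned char)((sizeof(tcpHeader) / 4) << 4); /* data offset in words, reserved bits zero */
    tcpHeader.th_flag = 2;  /* 2 is SYN; the page lists 1 (FIN) and 16 (ACK) as the other detection variants */
    tcpHeader.th_win = htons(512);
    tcpHeader.th_urp = 0;
    tcpHeader.th_sum = 0;

    /* TCP checksum: pseudo-header followed by the TCP header, th_sum = 0. */
    psdHeader.saddr = ipHeader.sourceIP;
    psdHeader.daddr = ipHeader.destIP;
    psdHeader.mbz = 0;
    psdHeader.ptcl = IPPROTO_TCP;
    psdHeader.tcpl = htons((unsigned short)sizeof(tcpHeader));
    memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
    memcpy(szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
    tcpHeader.th_sum = checksum((USHORT *)szSendBuf, (int)(sizeof(psdHeader) + sizeof(tcpHeader)));

    /* IP checksum covers the IP header only (RFC 791); the page summed the
     * TCP header and four padding bytes into it as well. */
    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
    memcpy(szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
    ipHeader.checksum = checksum((USHORT *)szSendBuf, (int)sizeof(ipHeader));
    memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

    rect = sendto(sock, szSendBuf, (int)(sizeof(ipHeader) + sizeof(tcpHeader)), 0,
                  (struct sockaddr *)&addr_in, sizeof(addr_in));
    if (rect == SOCKET_ERROR) {
        printf("send error! : %d\n", WSAGetLastError());
        goto cleanup;
    }
    printf("send OK!\n");
    rc = 0;

cleanup:
    if (sock != INVALID_SOCKET) {
        closesocket(sock);
    }
    WSACleanup();
    return rc;
}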
