Implementation of a simple Scanner

Source: Internet
Author: User
Tags: htons

This is code I wrote a long time ago.

Network scanning and scanners are terms nobody is unfamiliar with; they are the essential tools of reconnaissance. Scanning methods are diverse, and so are their purposes. This newbie looked up a brief introduction to the background:

1. Host survival (host discovery) scanning

The purpose of a host scan is to determine whether hosts on the target network are reachable. This is the first stage of information gathering, and its result directly affects the later scans. Ping is the original host survival technique: it sends an ICMP echo request, and if an echo reply comes back the host is alive.

The common traditional scanning methods are:

1. ICMP echo scan: relatively high accuracy. Send an ICMP echo request packet to the target host and wait for the echo reply, exactly as ping does.

2. ICMP sweep scan: "sweep" is used here in the sense of a machine gun sweeping across an area. The ICMP echo request is sent to many target hosts at once, that is, the scan is concurrent. The probe packets are generally sent in parallel to improve efficiency, which suits the assessment of a large address range.

3. Broadcast ICMP scan: this exploits differences between ICMP implementations. The destination address of the ICMP request packet is set to the broadcast address or the network address, so that all hosts in the broadcast domain or the entire network can be probed at once; every live host in the subnet replies. However, this only works against Unix/Linux systems.

4. Non-echo ICMP scan: ICMP echo is not the only query type in the ICMP protocol, and non-echo ICMP messages are also used for scanning (they can detect not only hosts but also network devices such as routers). The query types used are Timestamp / Timestamp Reply, Information Request / Information Reply, and Address Mask Request / Address Mask Reply.

 

2. Port scanning technology

After determining which hosts are alive, you should determine which channels each host has open. A port is such a channel on the host; ports are numbered 0-65535. A port is really a channel mapped from the network layer to a process. Through this relationship you can learn what kind of communication a process uses and what information can be obtained through it, which is strong support for finding backdoors and understanding the state of the system. The common port scanning techniques are:

(1) TCP scan:

Establish a complete or incomplete TCP connection with the target host using the three-way handshake.

TCP connect() scan: the TCP header has six flag bits: URG, ACK, PSH, RST, SYN and FIN. Different combinations of these flags elicit different returned packets. For example, if a packet with the SYN flag set arrives at an open port, the port returns SYN+ACK to offer its service; after receiving the SYN+ACK, the scanner returns an ACK to the other side. This process is the famous three-way handshake. Both the scanning speed and the accuracy are satisfactory.

Reverse-ident scan: this technique uses the IDENT protocol (RFC 1413) on TCP port 113. Many hosts run this protocol to identify the users of TCP connections.

identd works by looking up a specific TCP/IP connection and returning the user name of the process that owns the connection; it can also return other host information. However, this scan method only works after a full TCP connection has been established, and many hosts actually have the IDENT service turned off.

TCP SYN scan: send a SYN packet to a specific port of the target host. If the port is not open, the system does not return SYN+ACK; instead it sends you an RST and the connection stops. Because the connection is never fully established, this is called half-open scanning. However, since SYN floods are widely used as a DDoS method, many firewalls filter SYN packets, so this method cannot always be used.

Other scanning methods include FIN, NULL and Xmas scans.

(2) UDP scanning

Because firewall devices are now common, TCP ports are managed increasingly strictly: they are not opened lightly and the traffic is closely monitored. To get around such monitoring and still complete the assessment, there are stealth scans. This scan method relies on the ICMP message returned when a UDP port is closed and involves no part of the standard TCP three-way handshake, so it is concealed. However, the packets this scan uses are easily dropped on their way through the network, which produces incorrect detection results.

UDP scanning has obvious defects, though, such as slow speed and low accuracy. The UDP scan method itself is relatively simple. The basic principle: when you send a packet to a UDP port and the port is closed, an ICMP message is returned, and every judgment is based on this; otherwise, nothing is sent back.

Traceroute scan: tracert probes high ports above 30000 (it is generally assumed that the utilization of ports above 30000 is very low and that no host opens such high ports lightly; they are closed by default). If the peer port is closed, an ICMP message is returned; from the round-trip time, the hop count and the path information are computed to learn the delay. This is the traceroute principle, and UDP scanning technology evolved from it.

Two things to note when using UDP scanning: 1. UDP state and precision are relatively poor. Because UDP is connectionless, the overall precision is relatively low. 2. UDP scanning is relatively slow. Where a TCP scan has a 1-second delay, UDP may take 2 seconds. This is because operating systems implement ICMP with a rate limit to avoid broadcast storms: ICMP carries no payload, so nobody uses it to transmit valuable information, and the operating system does not want too many ICMP packets, so it sets a peak rate for ICMP packets (different operating systems use different rates). Using UDP as the basic protocol for scanning therefore has a large impact on both precision and latency.

Port scanning in the current penetration testing process is very flexible. At a Black Hat conference, someone used a tool to detect which hosts in a network had port 80 open; this technique is widely used on the Internet.
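Seen from the defender's side, a TCP connect() scan completes a handshake for every probe, so each probe lands in the firewall or connection log as a finished connection from one source to many destination ports in a short time. The following is an added example, not code from the original post, of a small detector for that pattern. The log format ("ts=<seconds> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"), the sample lines, the 10-second window and the threshold of 5 distinct ports are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKERS   64     /* distinct (src,dst) pairs we keep state for */
#define WINDOW_SECS    10     /* connections older than this are forgotten */
#define PORT_THRESHOLD 5      /* distinct destination ports in the window that raise an alert */

struct tracker {
    char src[16];
    char dst[16];
    long first_ts;                 /* timestamp of the first connection in the current window */
    unsigned char seen[65536 / 8]; /* bitmap of distinct destination ports seen in the window */
    int distinct;                  /* number of bits set in seen[] */
};

static struct tracker trackers[MAX_TRACKERS];
static int ntrackers;

void reset_trackers(void)
{
    memset(trackers, 0, sizeof(trackers));
    ntrackers = 0;
}

/* find the tracker for a (src,dst) pair, creating it if needed; NULL when the table is full */
static struct tracker *get_tracker(const char *src, const char *dst)
{
    int i;
    for (i = 0; i < ntrackers; i++)
        if (strcmp(trackers[i].src, src) == 0 && strcmp(trackers[i].dst, dst) == 0)
            return &trackers[i];
    if (ntrackers == MAX_TRACKERS)
        return NULL;
    strcpy(trackers[ntrackers].src, src);
    strcpy(trackers[ntrackers].dst, dst);
    trackers[ntrackers].first_ts = -1;
    return &trackers[ntrackers++];
}

/* parse one line of the constructed log format; returns 0 on success,
 * -1 for malformed or non-TCP lines */
int parse_line(const char *line, long *ts, char src[16], char dst[16], int *dport)
{
    char proto[8];
    if (sscanf(line, "ts=%ld src=%15s dst=%15s dport=%d proto=%7s",
               ts, src, dst, dport, proto) != 5)
        return -1;
    if (strcmp(proto, "tcp") != 0 || *dport < 0 || *dport > 65535)
        return -1;
    return 0;
}

/* feed one log line; returns 1 if this line is the one that pushes (src,dst)
 * over PORT_THRESHOLD distinct ports within WINDOW_SECS, else 0 */
int observe(const char *line)
{
    long ts;
    char src[16], dst[16];
    int dport;
    struct tracker *t;

    if (parse_line(line, &ts, src, dst, &dport) != 0)
        return 0;
    t = get_tracker(src, dst);
    if (t == NULL)
        return 0;
    /* start a fresh window if the previous one has expired */
    if (t->first_ts < 0 || ts - t->first_ts > WINDOW_SECS) {
        memset(t->seen, 0, sizeof(t->seen));
        t->distinct = 0;
        t->first_ts = ts;
    }
    if (t->seen[dport / 8] & (1u << (dport % 8)))
        return 0;                          /* repeat connection to the same port */
    t->seen[dport / 8] |= (unsigned char)(1u << (dport % 8));
    t->distinct++;
    return t->distinct == PORT_THRESHOLD;  /* alert exactly once per window */
}

/* run the detector over a whole log; returns the number of alerts raised */
int scan_log(const char *const *lines, int n)
{
    int i, alerts = 0;
    reset_trackers();
    for (i = 0; i < n; i++) {
        if (observe(lines[i])) {
            alerts++;
            printf("ALERT: %s\n", lines[i]);
        }
    }
    return alerts;
}

/* constructed sample log: 10.0.0.5 walks five ports on 10.0.0.9 within four seconds,
 * 10.0.0.7 is ordinary repeated HTTPS traffic, a UDP line is ignored, and the last
 * connection from 10.0.0.5 falls outside the window */
const char *const SAMPLE_LOG[] = {
    "ts=100 src=10.0.0.5 dst=10.0.0.9 dport=21 proto=tcp",
    "ts=100 src=10.0.0.7 dst=10.0.0.9 dport=443 proto=tcp",
    "ts=101 src=10.0.0.5 dst=10.0.0.9 dport=22 proto=tcp",
    "ts=101 src=10.0.0.5 dst=10.0.0.9 dport=22 proto=tcp",
    "ts=102 src=10.0.0.5 dst=10.0.0.9 dport=23 proto=tcp",
    "ts=103 src=10.0.0.7 dst=10.0.0.9 dport=443 proto=tcp",
    "ts=103 src=10.0.0.5 dst=10.0.0.9 dport=25 proto=tcp",
    "ts=103 src=10.0.0.5 dst=10.0.0.9 dport=53 proto=udp",
    "ts=104 src=10.0.0.5 dst=10.0.0.9 dport=80 proto=tcp",
    "ts=200 src=10.0.0.5 dst=10.0.0.9 dport=8080 proto=tcp",
};
const int SAMPLE_LOG_LEN = (int)(sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]));

int main(void)
{
    printf("%d alert(s)\n", scan_log(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

Running it on the sample log raises exactly one alert, on the fifth distinct port of 10.0.0.5 (port 80 at ts=104); the repeat connection to port 22, the HTTPS traffic and the out-of-window connection at ts=200 do not count. A connect() scan is the easiest kind to see this way precisely because, as the post says, it completes the handshake; a SYN scan needs the same logic applied to half-open (SYN without final ACK) records instead.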

 

 

 

The code in this section implements the simplest method, TCP connect scanning. This scanning principle is not stealthy: to establish a connection with the scanned machine, you must complete the three-way handshake, so while scanning the target you also expose your own machine's information to it, and the connection is easily recorded by the firewall. The biggest drawback is that sending the three confirmations for every port takes a long time. Let's take a look at the code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

typedef unsigned short ushort;
typedef unsigned char uchar;

/* RFC 1071 Internet checksum over size bytes, taken as 16-bit words */
ushort checksum(ushort *buff, int size)
{
    unsigned long cksum = 0;
    while (size > 1) {
        cksum += *buff++;
        size -= sizeof(ushort);
    }
    if (size) {                            /* odd trailing byte */
        cksum += *(uchar *)buff;
    }
    /* Fold the 32-bit sum into 16 bits: add the high 16 bits to the low 16 bits,
       then add the carry that addition may itself produce, and invert. */
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (ushort)(~cksum);
}

typedef struct icmp_hdr {
    unsigned char  icmp_type;        /* message type (8 = echo request) */
    unsigned char  icmp_code;        /* code */
    unsigned short icmp_checksum;    /* checksum over header and data */
    /* the following is the echo header */
    unsigned short icmp_id;          /* identifies the request, usually the process id */
    unsigned short icmp_sequence;    /* sequence number */
    unsigned long  icmp_timestamp;   /* timestamp, carried as the first 4 data bytes */
} icmp_hdr, *picmp_hdr;

/* set the receive (bRecv true) or send timeout of a socket, in milliseconds */
int setTimeout(SOCKET s, int nTime, BOOL bRecv)
{
    int ret = setsockopt(s, SOL_SOCKET, bRecv ? SO_RCVTIMEO : SO_SNDTIMEO,
                         (char *)&nTime, sizeof(nTime));
    return ret != SOCKET_ERROR;
}

/* host survival scan: send one ICMP echo request and wait up to 1 s for a reply.
   Raw sockets need administrator rights on Windows. Returns 0 if the host answered. */
int computer(char szDestIp[30])
{
    SOCKET sRaw;
    struct sockaddr_in dest, from;
    int nLen = sizeof(from);
    int nRet;
    char buff[sizeof(icmp_hdr) + 32];
    char recvBuf[1024];
    icmp_hdr *pIcmp = (icmp_hdr *)buff;
    static ushort nSeq = 0;

    sRaw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sRaw == INVALID_SOCKET) {
        printf("socket() failed: %d\n", WSAGetLastError());
        return -1;
    }
    setTimeout(sRaw, 1000, TRUE);

    memset(&dest, 0, sizeof(dest));
    dest.sin_family = AF_INET;
    dest.sin_port = htons(0);
    dest.sin_addr.s_addr = inet_addr(szDestIp);

    pIcmp->icmp_type = 8;
    pIcmp->icmp_code = 0;
    pIcmp->icmp_id = (ushort)GetCurrentProcessId();
    pIcmp->icmp_sequence = nSeq++;
    pIcmp->icmp_timestamp = GetTickCount();
    memset(&buff[sizeof(icmp_hdr)], 'E', 32);
    pIcmp->icmp_checksum = 0;              /* must be zero while the checksum is computed */
    pIcmp->icmp_checksum = checksum((ushort *)buff, sizeof(icmp_hdr) + 32);

    nRet = sendto(sRaw, buff, sizeof(icmp_hdr) + 32, 0,
                  (struct sockaddr *)&dest, sizeof(dest));
    if (nRet == SOCKET_ERROR) {
        printf("sendto() failed: %d\n", WSAGetLastError());
        closesocket(sRaw);
        return -1;
    }
    /* Any ICMP datagram that arrives before the timeout counts as a reply; a stricter
       version would check that 'from' is the target and that id/sequence match. */
    nRet = recvfrom(sRaw, recvBuf, sizeof(recvBuf), 0, (struct sockaddr *)&from, &nLen);
    closesocket(sRaw);
    if (nRet == SOCKET_ERROR) {
        printf("%s host not alive!\n", szDestIp);
        return -1;
    }
    printf("%s host survived!\n", szDestIp);
    return 0;
}

/* port scan of a live host: a full TCP connect() to every port in the range m-n */
void port(char adr[20])
{
    SOCKET mySocket;
    struct sockaddr_in my_addr;
    int m, n, i, c;
    int pCount = 0;

    printf("Enter the port range to be scanned (for example, 1-1024): ");
    if (scanf("%d-%d", &m, &n) != 2 || m < 0 || n > 65535 || m > n) {
        printf("Invalid port range!\n");
        while ((c = getchar()) != '\n' && c != EOF)
            ;                              /* discard the rest of the bad line */
        return;
    }
    for (i = m; i <= n; i++) {             /* the range is inclusive */
        if ((mySocket = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
            exit(1);
        memset(&my_addr, 0, sizeof(my_addr));
        my_addr.sin_family = AF_INET;
        my_addr.sin_port = htons((ushort)i);
        my_addr.sin_addr.s_addr = inet_addr(adr);
        if (connect(mySocket, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == SOCKET_ERROR) {
            printf("port %d - close\n", i);
        } else {
            pCount++;
            printf("port %d - open\n", i);
        }
        closesocket(mySocket);             /* close every probe socket, open or not */
    }
    printf("%d ports open on host - %s\n", pCount, adr);
}

/* build the dotted-quad string a.b.c.d into ip */
void change(int a, int b, int c, int d, char ip[20])
{
    sprintf(ip, "%d.%d.%d.%d", a, b, c, d);
}

/* read an IPv4 address as four octets, re-prompting until it is valid;
   returns it as a 32-bit number so that the range can be walked with ++ */
static unsigned long read_ip(const char *prompt)
{
    int o[4], c;
    for (;;) {
        printf("%s", prompt);
        if (scanf("%d.%d.%d.%d", &o[0], &o[1], &o[2], &o[3]) == 4 &&
            o[0] >= 0 && o[0] <= 255 && o[1] >= 0 && o[1] <= 255 &&
            o[2] >= 0 && o[2] <= 255 && o[3] >= 0 && o[3] <= 255)
            return ((unsigned long)o[0] << 24) | ((unsigned long)o[1] << 16) |
                   ((unsigned long)o[2] << 8) | (unsigned long)o[3];
        printf("The address entered is incorrect! Enter again!\n");
        while ((c = getchar()) != '\n' && c != EOF)
            ;                              /* discard the rest of the bad line */
    }
}

int main(void)
{
    WSADATA wsaData;
    unsigned long start, end, cur;

    if (WSAStartup(MAKEWORD(2, 2), &wsaData)) {
        printf("Winsock initialization failed.\n");
        return 1;
    }
    start = read_ip("Enter the starting IP address: ");
    end = read_ip("Enter the end IP address: ");
    if (start > end) {
        printf("The end address is before the start address!\n");
        WSACleanup();
        return 1;
    }
    /* walk every address from start to end inclusive */
    for (cur = start; ; cur++) {
        char ip[20] = {0};
        change((int)((cur >> 24) & 255), (int)((cur >> 16) & 255),
               (int)((cur >> 8) & 255), (int)(cur & 255), ip);
        if (computer(ip) == 0) {
            port(ip);
        }
        if (cur == end)
            break;                         /* checked after the body so end itself is scanned */
    }
    WSACleanup();
    return 0;
}

The code is very simple; anyone with a little socket programming background can understand it, so I won't say much more about it.
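The one step in the code above that usually raises questions is the checksum fold (the line the original marks with "???"). As an added example, not code from the original post, here is a portable version of the RFC 1071 Internet checksum together with the construction and verification of an ICMP echo request, which also shows how a receiver checks a reply. The id, sequence number and payload used in the demo functions are constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 1071 Internet checksum. Bytes are paired big-endian regardless of host
 * byte order, so the returned value is the checksum as it appears on the wire. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (len & 1)                          /* odd trailing byte: pad with a zero low byte */
        sum += (uint32_t)data[len - 1] << 8;
    /* Fold the carries out of bit 16 back into the low word. The first fold can
     * itself carry (e.g. 0x1ffff -> 0x10000), so fold a second time. */
    sum = (sum >> 16) + (sum & 0xffff);
    sum += sum >> 16;
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (type 8) into buf: 8-byte header then payload.
 * Fills in the checksum and returns the total length, or 0 if buf is too small. */
size_t build_echo_request(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    size_t total = 8 + plen;
    uint16_t csum;
    if (cap < total)
        return 0;
    buf[0] = 8;                           /* type: echo request */
    buf[1] = 0;                           /* code */
    buf[2] = buf[3] = 0;                  /* checksum field is zero while computing */
    buf[4] = (uint8_t)(id >> 8);  buf[5] = (uint8_t)(id & 0xff);
    buf[6] = (uint8_t)(seq >> 8); buf[7] = (uint8_t)(seq & 0xff);
    memcpy(buf + 8, payload, plen);
    csum = inet_checksum(buf, total);
    buf[2] = (uint8_t)(csum >> 8); buf[3] = (uint8_t)(csum & 0xff);
    return total;
}

/* Verify a received ICMP message: summing the whole message, checksum field
 * included, must give zero. Messages shorter than the header are rejected. */
int icmp_checksum_ok(const uint8_t *msg, size_t len)
{
    return len >= 8 && inet_checksum(msg, len) == 0;
}

/* read the checksum field of a built message */
uint16_t icmp_checksum_field(const uint8_t *msg)
{
    return (uint16_t)((msg[2] << 8) | msg[3]);
}

/* the numerical example from RFC 1071: its checksum is 0x220d */
const uint8_t RFC1071_SAMPLE[8] = {0x00, 0x01, 0xf2, 0x03, 0xf4, 0xf5, 0xf6, 0xf7};

/* constructed case: id 0x1234, seq 1, payload "EEEE" gives checksum 0x5b40 */
uint16_t demo_checksum(void)
{
    uint8_t pkt[64];
    size_t n = build_echo_request(pkt, sizeof pkt, 0x1234, 1, (const uint8_t *)"EEEE", 4);
    return n ? icmp_checksum_field(pkt) : 0;
}

/* build the same request and verify it; with corrupt != 0 one payload bit is
 * flipped first, as in a damaged reply, and verification must then fail */
int demo_verify(int corrupt)
{
    uint8_t pkt[64];
    size_t n = build_echo_request(pkt, sizeof pkt, 0x1234, 1, (const uint8_t *)"EEEE", 4);
    if (corrupt)
        pkt[9] ^= 0x01;
    return icmp_checksum_ok(pkt, n);
}

int main(void)
{
    printf("RFC 1071 sample: 0x%04x\n", inet_checksum(RFC1071_SAMPLE, 8));
    printf("demo request checksum: 0x%04x, verify ok=%d, corrupted ok=%d\n",
           demo_checksum(), demo_verify(0), demo_verify(1));
    return 0;
}
```

The scanner's checksum() above reads the buffer as native 16-bit words instead, which is fine: the ones'-complement sum is byte-order independent, so the bytes it stores in icmp_checksum are the same as this version produces, even though the numeric value read back as a ushort differs on a little-endian machine. A verifier recomputes the sum over the whole message and expects zero, which is why the field must be zeroed before the sender computes it.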
