Preface
Windows systems open a number of ports by default, which means the host is running a service that everyone knows about, such as FTP on TCP port 21 or HTTP on TCP port 80, and some of those services may have publicly known vulnerabilities. So every open port on a host can become a shortcut for an intruder. There are plenty of port-scanning tools on the Internet, but we should not only know how to use other people's tools: first, you cannot be sure that a tool written by someone else has no back door; second, if you only ever use other people's tools, you will never be more than a script kiddie. So let's write a practical port-scanning tool ourselves.
1. Basic knowledge
1.1. Threads
A thread, sometimes called a lightweight process (LWP), is the smallest unit of program execution. A standard thread consists of a thread ID, the current instruction pointer (PC), a set of registers and a stack. A thread is an entity within a process and is the basic unit that the system schedules and dispatches independently. A thread owns no system resources of its own, only the few that are essential for it to run, but it shares all the resources owned by the process with the other threads of that process. One thread can create and terminate another thread, and multiple threads in the same process can execute concurrently. Because threads constrain one another, a thread's execution is discontinuous. A thread has three basic states: ready, blocked and running. A ready thread has everything it needs to run and is logically able to run, but is waiting for a processor; a running thread owns a processor and is executing; a blocked thread is waiting for some event, such as a semaphore, and is logically unable to run. Every program has at least one thread; if the program has only one thread, that thread is the program itself.
1.2. Multithreading
Multithreading is the technique of running multiple threads concurrently, implemented in software or in hardware. Computers with hardware multithreading support can run more than one thread at the same time, which improves overall throughput. Systems with this capability include symmetric multiprocessors, multi-core processors, and chip-level multithreading or simultaneous multithreading (SMT) processors. Within a program, these independent fragments of execution are called "threads", and programming with them is called "multithreading".
1.3. Creating threads with the Windows API
Here we introduce a few functions.
1.3.1. The CreateThread() function
It is used to create a new thread:
HANDLE CreateThread(
    LPSECURITY_ATTRIBUTES  lpThreadAttributes,
    DWORD                  dwStackSize,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID                 lpParameter,
    DWORD                  dwCreationFlags,
    LPDWORD                lpThreadId);
The first parameter is a pointer to a SECURITY_ATTRIBUTES structure. This parameter is ignored on Windows 98; on Windows NT it is normally set to NULL.
The second parameter is the initial stack size for the new thread; the default value is 0. In any case, Windows grows the stack dynamically as needed.
The third parameter is the address of the thread function. The function name is not restricted, but it must be declared in the following form:
DWORD WINAPI ThreadProc(PVOID pParam);
The fourth parameter is the value passed to ThreadProc. This lets the main thread and the worker threads share data.
The fifth parameter is usually 0, but with the flag CREATE_SUSPENDED the new thread does not run immediately; it stays paused until ResumeThread is called to resume it.
The sixth parameter is a pointer to a variable that receives the thread ID.
2. Writing the tool
Of the common port-scanning methods, the full TCP connect scan is the simplest case. It involves no application protocol at all: we just call connect() against each port of the server. If the connection succeeds, the port is open; otherwise it is closed.
The main feature of this technique is its simplicity, and it requires no special privileges.
The code is as follows:
#include <stdio.h>
#include <WinSock2.h>
#pragma comment(lib, "Ws2_32")
#define START 80      // start port
#define END   1024    // end port

int main(int argc, char *argv[])
{
    int i;
    WSADATA ws;                    // receives the system's Winsock details
    SOCKET sockfd;
    struct sockaddr_in their_addr;

    if (argc != 2) {
        printf("How to use: Scan.exe <ip>\n");
        return 1;                  // no target given, nothing to scan
    }
    WSAStartup(MAKEWORD(2, 2), &ws);
    their_addr.sin_family = AF_INET;                        // AF_INET selects the TCP/IP protocol family
    their_addr.sin_addr.S_un.S_addr = inet_addr(argv[1]);   // target IP from the command line

    for (i = START; i <= END; i++) {                        // one new socket per port
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        their_addr.sin_port = htons(i);
        printf("[+] scanning port %d\n", i);
        if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR) {
            closesocket(sockfd);   // connection failed: port closed, try the next one
            continue;
        }
        printf("\n\t[+] port %d open!\n", i);
        closesocket(sockfd);       // release the socket before reusing the variable
    }
    WSACleanup();
    return 0;
}
Here we can scan the i春秋 forum, bbs.ichunqiu.com, as an example.
We quickly find that the scan is very slow, which is not acceptable, so we will turn to multithreading.
Of course, we can also give it a GUI.
Here we used C# to write a simple GUI version of the port-scanning tool. The principle is the same, so it is not covered here.
3. Python
Here I use Python to write the port scanner, step by step, to bring everyone into the world of programming.
First, let's start with a basic framework.
def scan():
    pass                          # the scanning logic is filled in below

# start the scan
if __name__ == '__main__':
    print('Start Scan')
    scan()
To read parameters from the command line in Python, we need the sys module.
import sys

def scan(ip, port):               # scan function
    print('[+]the port is:' + str(port))

if __name__ == '__main__':
    ip = sys.argv[1]              # read the target IP from the command line
    print('Start Scan')
    print('Scan IP is %s' % ip)
    for i in range(1, 1024):      # upper bound is unreadable in the original; 1024 assumed
        scan(ip, i)               # call the scan function
Isn't that easy?
How is the scan itself implemented? Following the principle described above, we call the built-in socket module.
import sys
from socket import socket, AF_INET, SOCK_STREAM, error as socket_error

def scan(ip, port):
    print('[+]scan port is:' + str(port))
    tcpscan = socket(AF_INET, SOCK_STREAM)
    addr = (ip, port)
    try:
        tcpscan.connect(addr)     # a successful connect means the port is open
        print('[-]the port ' + str(port) + ' open\n')
    except socket_error:
        pass                      # connection failed: port closed, move on
    finally:
        tcpscan.close()           # release the socket either way

if __name__ == '__main__':
    ip = sys.argv[1]
    print('Start Scan')
    print('Scan IP is %s' % ip)
    for i in range(1, 1024):      # range bounds are unreadable in the original; 1-1023 assumed
        scan(ip, i)
Isn't that simple? Don't worry about the speed for now; multithreading will be explained in the next article.
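As an added example that is not part of the original post, here is a threaded connect scanner in Python covering both the connect() principle from section 2 and the multithreading that the post defers to the next article; it is my code, not the author's. It uses Python's threading module in place of CreateThread(), but the shape is the same: each worker runs a thread function, and a lock guards the result list they share. To run offline it opens its own listening socket on 127.0.0.1 as a constructed target; the host, the port window and the worker count are assumptions. One caveat worth keeping in mind: because a connect scan completes the full TCP handshake, every probe reaches the listening service and appears in its logs and in host firewall logs, which is why the technique needs no privileges and also why it is easy to detect.

```python
import socket
import threading
from queue import Queue, Empty


def check_port(host, port, timeout=0.5):
    """Connect scan of one port: True only if the full TCP handshake completes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)             # a closed or filtered port must not stall the worker
    try:
        return s.connect_ex((host, port)) == 0
    finally:
        s.close()


def scan_ports(host, ports, workers=50, timeout=0.5):
    """Scan `ports` on `host` with a pool of worker threads; returns the open ports, sorted."""
    queue = Queue()
    for p in ports:
        queue.put(p)
    open_ports = []
    lock = threading.Lock()           # the result list is shared by all workers

    def worker():                     # the thread function, one copy per worker
        while True:
            try:
                port = queue.get_nowait()
            except Empty:
                return                # queue drained, this worker exits
            if check_port(host, port, timeout):
                with lock:
                    open_ports.append(port)

    threads = [threading.Thread(target=worker)
               for _ in range(min(workers, queue.qsize()))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()                      # wait for every worker before reporting
    return sorted(open_ports)


def start_listener(host="127.0.0.1"):
    """Constructed target for the demo: a listening socket on an OS-assigned loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv


def demo():
    """Scan a small window of ports around the demo listener, before and after it is closed."""
    srv = start_listener()
    target_port = srv.getsockname()[1]
    ports = range(max(1, target_port - 20), target_port + 21)   # assumed window of 41 ports
    while_open = scan_ports("127.0.0.1", ports)
    srv.close()
    after_close = scan_ports("127.0.0.1", ports)
    return target_port, while_open, after_close


if __name__ == "__main__":
    port, while_open, after_close = demo()
    print("demo listener on port %d" % port)
    print("open ports while listening: %s" % while_open)
    print("open ports after closing:   %s" % after_close)
```

Running the script prints the demo listener's port in the first result and not in the second. The pool size matters: the sequential version waits up to one timeout per closed port, while here up to fifty probes are in flight at once, which is the whole reason the post moves to multithreading.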
Thank you for reading. If you learned something, please give it a like (writing all this is not easy)! Friends from the Garden are welcome to join in!
Original post link: http://bbs.ichunqiu.com/thread-7051-1-2.html
Finally, I wish you a happy Tanabata!
Say goodbye to the script kiddie: write your own port-scanning tool