https://www.binarytides.com/tcp-syn-portscan-in-c-with-linux-sockets/
Port Scanning searches for open ports on a remote system. The basic logic for a portscanner would be to connect to the port we want to check. If the socket gives a valid connection without any error then the port is open , closed otherwise (or inaccessible, or filtered).
This basic technique is called TCP Connect Port Scanning in which we use something like a loop to connect to ports one by one and check for valid connections on the socket.
But this technique has many drawbacks :
It is slow since it establishes a complete 3 way TCP handshake. It waits for the connect() function to return.It is detectable. It leaves more logs on the remote system and on any firewall that is running.TCP-Syn Port scanning is a technique which intends to cure these two problems. The mechanism behind it is the handshaking which takes place while establishing a connection. It sends syn packets and waits for an syn+ack reply. If such a reply is received then the port is open otherwise keep waiting till timeout and report the port as closed. Quite simple! In the TCP connect technique the connect() function sends a ack after receiving syn+ack and this establishes a complete connection. But in Syn scanning the complete connection is not made.
This results in :
Faster scans - Partial TCP handshake is done. Only 2 packets exchanged , syn and syn+ack.Incomplete connections so less detectable. But modern firewalls are smart enough to log all syn activites. So this technique is more or less detectable to same extent as TCP connect port scanning.TCP Connect Port Scan looks like :
You -> Send Syn packet -> Host:port Host -> send syn/ack packet -> You You -> send ack packet -> Host
... and connection is established
TCP-Syn Port scan looks like
You -> send syn packet ->Host:port Host -> send syn/ack or rst packet or nothing depending on the port status -> You
... stop and analyse the reply the host send : If syn+ack reply then port open. Closed/filtered otherwise.
Results are almost as accurate as that of TCP connection and the scan is much faster.
So the process is :
Send a Syn packet to a port AWait for a reply of Syn+Ack till timeout.Syn+Ack reply means the port is open , Rst packet means port is closed , and otherwise it might be inaccessible or in a filtered state.Tools
We shall code a TCP-Syn Port scanner on Linux using sockets and posix thread api. The tools we need are :
Linux system with gcc and posix libraries installed
Wireshark for analysing the packets (Optional : for better understanding).
Program Logic
Take a hostname to scan.Start a sniffer thread shall sniff all incoming packets and pick up those which are from hostname and are syn+ack packets.start sending syn packets to ports in a loop. This needs raw socketsIf the sniffer thread receives a syn/ack packet from the host then get the source port of the packet and report the packet as open.Keep looping as long as you have nothing else to do.Quit the program if someone is calling you.Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 / TCP Syn port scanner code in C with Linux Sockets :)/
void * receive_ack( void ptr ); void process_packet(unsigned char , int); unsigned short csum(unsigned short * , int ); char * hostname_to_ip(char * ); int get_local_ip (char *);
struct pseudo_header //needed for checksum calculation { unsigned int source_address; unsigned int dest_address; unsigned char placeholder; unsigned char protocol; unsigned short tcp_length;
struct tcphdr tcp;};
struct in_addr dest_ip;
int main(int argc, char *argv[]) { //Create a raw socket int s = socket (AF_INET, SOCK_RAW , IPPROTO_TCP); if(s < 0) { printf ("Error creating socket. Error number : %d . Error message : %s \n" , errno , strerror(errno)); exit(0); } else { printf("Socket created.\n"); }
//Datagram to represent the packet char datagram[4096]; //IP header struct iphdr *iph = (struct iphdr *) datagram; //TCP header struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip)); struct sockaddr_in dest; struct pseudo_header psh; char *target = argv[1]; if(argc < 2) { printf("Please specify a hostname \n"); exit(1); } if( inet_addr( target ) != -1) { dest_ip.s_addr = inet_addr( target ); } else { char *ip = hostname_to_ip(target); if(ip != NULL) { printf("%s resolved to %s \n" , target , ip); //Convert domain name to IP dest_ip.s_addr = inet_addr( hostname_to_ip(target) ); } else { printf("Unable to resolve hostname : %s" , target); exit(1); } } int source_port = 43591; char source_ip[20]; get_local_ip( source_ip ); printf("Local source IP is %s \n" , source_ip); memset (datagram, 0, 4096); /* zero out the buffer */ //Fill in the IP Header iph->ihl = 5; iph->version = 4; iph->tos = 0; iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr); iph->id = htons (54321); //Id of this packet iph->frag_off = htons(16384); iph->ttl = 64; iph->protocol = IPPROTO_TCP; iph->check = 0; //Set to 0 before calculating checksum iph->saddr = inet_addr ( source_ip ); //Spoof the source ip address iph->daddr = dest_ip.s_addr; iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1); //TCP Header tcph->source = htons ( source_port ); tcph->dest = htons (80); tcph->seq = htonl(1105024978); tcph->ack_seq = 0; tcph->doff = sizeof(struct tcphdr) / 4; //Size of tcp header tcph->fin=0; tcph->syn=1; tcph->rst=0; tcph->psh=0; tcph->ack=0; tcph->urg=0; tcph->window = htons ( 14600 ); // maximum allowed window size tcph->check = 0; //if you set a checksum to zero, your kernel's IP stack should fill in the correct checksum during transmission tcph->urg_ptr = 0; //IP_HDRINCL to tell the kernel that headers are included in the packet int one = 1; const int *val = &one; if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0) { printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno , strerror(errno)); exit(0); } printf("Starting sniffer thread...\n"); char *message1 = "Thread 1"; int iret1; pthread_t sniffer_thread; if( pthread_create( &sniffer_thread , NULL , receive_ack , (void*) message1) < 0) { printf ("Could not create sniffer thread. Error number : %d . Error message : %s \n" , errno , strerror(errno)); exit(0); } printf("Starting to send syn packets\n"); int port; dest.sin_family = AF_INET; dest.sin_addr.s_addr = dest_ip.s_addr; for(port = 1 ; port < 100 ; port++) { tcph->dest = htons ( port ); tcph->check = 0; // if you set a checksum to zero, your kernel's IP stack should fill in the correct checksum during transmission psh.source_address = inet_addr( source_ip ); psh.dest_address = dest.sin_addr.s_addr; psh.placeholder = 0; psh.protocol = IPPROTO_TCP; psh.tcp_length = htons( sizeof(struct tcphdr) ); memcpy(&psh.tcp , tcph , sizeof (struct tcphdr)); tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header)); //Send the packet if ( sendto (s, datagram , sizeof(struct iphdr) + sizeof(struct tcphdr) , 0 , (struct sockaddr *) &dest, sizeof (dest)) < 0) { printf ("Error sending syn packet. Error number : %d . Error message : %s \n" , errno , strerror(errno)); exit(0); } } pthread_join( sniffer_thread , NULL); printf("%d" , iret1); return 0;}
/ Method to sniff incoming packets and look for Ack replies/ void * receive_ack( void *ptr ) { //Start the sniffer thing start_sniffer(); }
int start_sniffer() { int sock_raw;
int saddr_size , data_size; struct sockaddr saddr; unsigned char *buffer = (unsigned char *)malloc(65536); //Its Big! printf("Sniffer initialising...\n"); fflush(stdout); //Create a raw socket that shall sniff sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP); if(sock_raw < 0) { printf("Socket Error\n"); fflush(stdout); return 1; } saddr_size = sizeof saddr; while(1) { //Receive a packet data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size); if(data_size <0 ) { printf("Recvfrom error , failed to get packets\n"); fflush(stdout); return 1; } //Now process the packet process_packet(buffer , data_size); } close(sock_raw); printf("Sniffer finished."); fflush(stdout); return 0;}
void process_packet(unsigned char* buffer, int size) { //Get the IP Header part of this packet struct iphdr iph = (struct iphdr)buffer; struct sockaddr_in source,dest; unsigned short iphdrlen;
if(iph->protocol == 6) { struct iphdr *iph = (struct iphdr *)buffer; iphdrlen = iph->ihl*4; struct tcphdr *tcph=(struct tcphdr*)(buffer + iphdrlen); memset(&source, 0, sizeof(source)); source.sin_addr.s_addr = iph->saddr; memset(&dest, 0, sizeof(dest)); dest.sin_addr.s_addr = iph->daddr; if(tcph->syn == 1 && tcph->ack == 1 && source.sin_addr.s_addr == dest_ip.s_addr ) { printf("Port %d open \n" , ntohs(tcph->source)); fflush(stdout); } }}
/ Checksums - IP and TCP/ unsigned short csum(unsigned short *ptr,int nbytes) { register long sum; unsigned short oddbyte; register short answer;
sum=0; while(nbytes>1) { sum+=*ptr++; nbytes-=2; } if(nbytes==1) { oddbyte=0; *((u_char*)&oddbyte)=*(u_char*)ptr; sum+=oddbyte; } sum = (sum>>16)+(sum & 0xffff); sum = sum + (sum>>16); answer=(short)~sum; return(answer);}
/ Get ip from domain name/ char* hostname_to_ip(char * hostname) { struct hostent *he; struct in_addr **addr_list; int i;
if ( (he = gethostbyname( hostname ) ) == NULL) { // get the host info herror("gethostbyname"); return NULL; } addr_list = (struct in_addr **) he->h_addr_list; for(i = 0; addr_list[i] != NULL; i++) { //Return the first one; return inet_ntoa(*addr_list[i]) ; } return NULL;}
/ Get source IP of system , like 192.168.0.6 or 192.168.1.2/
int get_local_ip ( char * buffer) { int sock = socket ( AF_INET, SOCK_DGRAM, 0);
const char* kGoogleDnsIp = "8.8.8.8"; int dns_port = 53; struct sockaddr_in serv; memset( &serv, 0, sizeof(serv) ); serv.sin_family = AF_INET; serv.sin_addr.s_addr = inet_addr(kGoogleDnsIp); serv.sin_port = htons( dns_port ); int err = connect( sock , (const struct sockaddr*) &serv , sizeof(serv) ); struct sockaddr_in name; socklen_t namelen = sizeof(name); err = getsockname(sock, (struct sockaddr*) &name, &namelen); const char *p = inet_ntop(AF_INET, &name.sin_addr, buffer, 100); close(sock);} Compile and Run
1 $ gcc syn_portscan.c -lpthread -o syn_portscan -lpthread option is needed to link the posix thread libraries.
Now Run
1 2 3 4 5 6 7 8 9 $ sudo ./syn_portscan www.google.com Socket created. www.google.com resolved to 74.125.235.16 Local source IP is 192.168.0.6 Starting sniffer thread... Starting to send syn packets Sniffer initialising... Port 53 open Port 80 open Note :
For the program to run correctly the local ip and the hostname ip should be resolved correctly. Wireshark should also show the TCP Syn packets as "Good" and not bogus or something.
The get_local_ip method is used to find the local ip of the machine which is filled in the source ip of packets. For example : 192.168.1.2 if you are on a LAN or 172.x.x.x if you are directly connected to internet. The local source ip value will show this.
The hostname_to_ip function resolves a domain name to its ip address. It uses the gethostbyname method.
Last Updated On : 9th February 2013
转载于:https://www.cnblogs.com/Dennis-mi/articles/8492023.html
