Banner scanning utility that generates random IP addresses, can search for specified strings, and falls back to a default list of ports to scan if no port is given. It runs in parallel by spawning sixteen child processes.
a29ff2cdc75b2c2460cc3322135bcc6d64cc8afd02c881149655284e653d8275
/*** Coded by phender for fast random ip scanning and 'interesting' port banner ***/
/*** collecting. Anyone looking to get a group together in the ***/
/*** NJ/NYC area, email or IM me, but only if you're serious. peace. ***/
/*** email: phender@hackermail.com aim s/n: wEeZeDuP ***/
/*** Some credit should be given to bzero for his neeto function and gscan.c ***/
#include <ctype.h>
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <termios.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/stat.h>
#include <sys/wait.h>
/* Process-wide state shared between main() and the signal handlers. After the
 * fork() loop in main() every scanner process carries its own copy.
 *   num    - addresses still to scan in this process (main divides -n by 16)
 *   alflag - set by alarmhandle so the sigsetjmp site knows a timeout jumped in
 *   sockfd - socket currently being connected; alarmhandle closes it
 *   nflag  - set when -n is given; not read anywhere else in this file
 *   numf   - set when no -n is given; main's loop then never counts down
 *   ccquit - set once scanning starts; ctrlchandle then also kills the parent */
static unsigned int num = 0, alflag=0, sockfd, nflag=0, numf=0, ccquit=0;
/* Candidate address drawn from random() in host byte order; main() applies
 * htonl() before it is used for the connection. */
unsigned long indie;
/* sigsetjmp() target in main(); alarmhandle siglongjmp()s here on SIGALRM. */
sigjmp_buf fromalrm;
/* Handlers are declared to return sig_t (a BSD typedef for a handler pointer)
 * rather than void; neither handler actually returns. */
sig_t ctrlchandle(int);
sig_t alarmhandle(int);
int ctr=0; /*remove this*/ /* incremented once per loop iteration in main(), never read */
void usage(char *);
int ip_is_reserved(struct in_addr *);
void neeto(char *s, unsigned int m);
/* Program entry point.
 *
 * Flow: parse options; if a single port was given (-p) prompt for the banner
 * substring to look for; create the "banscan.txt" log (after asking whether
 * to drop an existing one); fork four times so sixteen processes run the
 * same loop; each process then repeatedly draws a random address, connects
 * to the chosen port (or walks the eight-entry default list), reads the
 * first thing the peer sends and logs it to the file and to stdout.
 *
 * Options: -p port, -R first-octet override, -n address count (split across
 * the processes), -t connect() timeout in seconds. Unknown options call
 * usage(), which exits.
 * Returns: exit(0) after the loop; exit(1) if fork() fails; exit(0) when the
 * user declines to replace the log file or the log cannot be created.
 *
 * Review notes (documented inline, not changed here):
 *  - `buffer[readret]` and the following strcat() write outside `buffer`
 *    when read() returns -1 or fills all 999 bytes; the peer decides how
 *    much is sent, so a remote host can corrupt this process's stack;
 *  - the "open with no match: " line does not fit ipstr[30] for most addresses;
 *  - the per-iteration socket is never closed on the `continue` paths;
 *  - `timeout` is zeroed before use, so select() never waits, and the alarm
 *    is cleared before read(), which can then block indefinitely.
 */
int main(int argc, char *argv[])
{
/* Default port list used when no -p is given; `i` indexes it (valid 0..7).
 * Index 5 (port 80) gets the probe string sent by the write() below. */
const int intrstports[8]={21,22,23,25,79,80,110,143};
char z; /* answer to the "Remove it?" prompt */
struct timeval timeout; /* select() timeout; set to 20s, then zeroed by the bzero() below */
int readret=0, selret=1, chk=0, c; /* readret receives read()'s ssize_t result as an int */
struct in_addr addr;
struct sockaddr_in target;
time_t seed;
fd_set reads;
char buffer[999]; /* banner buffer; read() may fill all 999 bytes, leaving no room for a NUL */
char ipstr[30]; /* one formatted log line; see the sprintf() calls for whether each fits */
/* opt is a char although getopt() returns int: on platforms where char is
 * unsigned the comparison with EOF below never matches. prefix is a char
 * holding the -R octet, later stored as a raw byte into the address. */
char gimmie[30], opt, prefix=0, *temppt;
int port=0, pflag=0, i=0, connout = 20, fd=0; /* connout is the connect() timeout in seconds */
/* getopt() returns -1 when the options are exhausted; the loop relies on
 * EOF being -1 as well. Numeric arguments are atoi()'d without validation. */
while ((opt = getopt(argc, argv, "R:p:n:t:")) != EOF){
switch(opt){
case 'R':
prefix=atoi(optarg); /* truncated to one byte */
break;
case 'p':
port=atoi(optarg);
break;
case 'n':
num=atoi(optarg);
nflag=1; /* set here, never read */
break;
case 't':
connout=atoi(optarg);
break;
default:
usage(argv[0]); /* exits */
break;
}
}
signal(SIGALRM, (sig_t) alarmhandle); /* connect() timeout; the handler siglongjmp()s back into the loop */
signal(SIGINT, (sig_t) ctrlchandle);
timeout.tv_sec=20; /* overwritten by bzero(&timeout, ...) further down, so select() ends up with a zero timeout */
if(!port)
pflag=1; /* pflag: walk the default list instead of a single port */
printf("\nBanScan by phender\n\n");
printf("email: phender@hackermail.com\taim: wEeZeDuP\n\n");
if(port){
printf("----------------------------------------------\n\n");
puts("enter banner to scan for, eg wuftpd, wingate, qpop, telnetd etc\n");
neeto(gimmie, 29); /* gimmie has 30 bytes: up to 29 characters plus the NUL */
printf("ok, banner scanning for: %s\n\n", gimmie);
}
/* O_CREAT without the mode argument: the permission bits are an unspecified
 * value. Because O_CREAT creates the file when absent, this open succeeds
 * either way, so the "already there" prompt appears even when no log
 * existed, and declining leaves a freshly created empty file behind.
 * `if(fd)` only excludes descriptor 0, not the -1 failure value. */
fd = open("banscan.txt", O_RDWR | O_CREAT);
if(fd)
{
puts("Logfile is already there.");
printf("Remove it? [Y/N]");
z = toupper(getchar());
if(z!='Y')
{
puts("Aight");
close(fd);
exit(0);
}
unlink("banscan.txt");
}
/* Re-create with explicit mode 0644; the old file was just unlinked, so no
 * O_TRUNC/O_APPEND is needed here. */
fd = open("banscan.txt", O_RDWR | O_CREAT, S_IRGRP|S_IROTH|S_IRUSR|S_IWUSR);
if(fd==-1)
{
puts("nah yo...nah");
exit(0);
}
printf("----------------------------------------------\n");
puts("results will be saved to file and presented on the screen");
printf("\n\n");
puts("BanScan initialized");
puts("scanning...");
bzero(&timeout, sizeof(timeout)); /* zeroes the 20s set above: the select() below only polls */
/*sockfd=socket(AF_INET, SOCK_STREAM, 0);*/
seed=time(NULL);
/* Four forks with parent and child both continuing: 2^4 = 16 processes run
 * the scan loop. A failed fork exits with status 1 and no message. Each
 * process reseeds random() from its own pid so siblings draw different
 * addresses. */
for(c=0; c < 4; c++){
if(fork() == -1){
exit(1);
}
srandom((int)getpid() + (int) seed);
}
ccquit=1; /* from here on SIGINT also kills the parent process (see ctrlchandle) */
/* No -n: numf makes the loop below self-refilling (the num++ inside cancels
 * the num--). With -n: the requested total is split evenly over the 16
 * processes. */
if(num==0){
numf=1;
num=10;
}
else{
num /= 16;
}
/* alarmhandle siglongjmp()s here with `num` as the value after a connect()
 * timeout. siglongjmp() delivers a value of 0 as 1, so num never resumes
 * as 0. */
if((chk = sigsetjmp(fromalrm, 1)) && alflag){
num = chk;
alflag = 0;
}
for(; num > 0 ; num--)
{
if(numf)
num++;
ctr++; /* never read */
i = 0;
/* A new socket every iteration: the return value is unchecked and none of
 * the `continue` paths close it (only alarmhandle and the close() after the
 * loop do), so descriptors leak until socket() fails and FD_SET(-1, ...)
 * is reached. */
sockfd=socket(AF_INET, SOCK_STREAM, 0);
FD_ZERO(&reads);
FD_SET(sockfd, &reads);
/* random() yields 31 bits, so the first octet is always <= 127 unless -R
 * overrides it. Any zero octet is rejected. */
indie=(unsigned int) random();
if(((indie >> 24) & 0xff) == 0) continue;
if(((indie >> 16) & 0xff) == 0) continue;
if(((indie >> 8) & 0xff) == 0) continue;
if((indie &0xff) == 0) continue;
/* -R: overwrite byte 3 of `indie` with the prefix. The cast on an lvalue is
 * a compiler extension, not standard C. On little-endian hosts byte 3 is the
 * octet printed first below; on a big-endian host it would be the last. */
if(prefix){
(unsigned long*) temppt=&indie;
temppt += 0x03;
*temppt=prefix;
}
/* ip_is_reserved() reads the octets in memory order, but `indie` is still in
 * host byte order here (htonl() is only applied a few lines down). On
 * little-endian hosts the reserved-range checks therefore see the octets
 * reversed, e.g. the 10/8 test is applied to the last octet. */
addr.s_addr=indie;
if(ip_is_reserved(&addr))
continue;
/*this formats address, I forgot about inet_ntoa, but it looks nice so I'll leave it in*/
/* The operands are unsigned long but printed with %d: format/argument mismatch. */
printf("Now Scanning: %d.%d.%d.%d\n", (indie >> 24) & 0xff, (indie >> 16) & 0xff, (indie >> 8) & 0xff, (indie & 0xff));
target.sin_family=AF_INET;
target.sin_port=htons(port);
target.sin_addr.s_addr=htonl(indie);
addr.s_addr=htonl(indie);
/* Re-entered via goto from below to step through the default port list.
 * Any `continue` inside this region goes to the for loop's num--. */
portlabel:
if(i > 7)
continue;
if(pflag)
target.sin_port=htons(intrstports[i]);
alarm(connout); /* SIGALRM -> alarmhandle -> siglongjmp to the sigsetjmp above */
/* The same sockfd is reused for every port of a host. After a successful
 * connect the next attempt returns EISCONN, which the last branch below
 * swallows with `continue`, so in list mode only the first open port of a
 * host is ever reported. Reusing the socket after ECONNREFUSED is
 * platform-dependent. */
if (connect(sockfd, (struct sockaddr*)&target, sizeof(target))==0)
{
alarm(0); /* nothing re-arms it before read(): a peer that accepts and stays silent blocks this process */
printf("connected\n");
/* `timeout` is zero, so this select() is a poll. select() also modifies
 * `reads`, which is never re-armed for the next port. */
if(!(selret=select(sockfd+1, &reads, NULL, NULL, &timeout)) && i <= 7)
printf("Waiting...\n");
/* In list mode (pflag set, i <= 7) this condition is false even when
 * nothing is readable, so execution falls through to a blocking read(). */
if(!selret && (!pflag || i > 7))
continue;
if(i == 5) /* web server port */
write(sockfd, "fuck IIS\n", 9); /* only reached in list mode; with -p, i stays 0 */
/* read() returns ssize_t: -1 on error, up to 999 when the peer sends that much. */
readret=read(sockfd, buffer, sizeof(buffer));
if(pflag){
/* readret == -1 writes buffer[-1]; readret == 999 writes buffer[999], and
 * strcat() then appends past the end of the 999-byte array. The amount
 * received is chosen by the peer. */
buffer[readret]='\0';
strcat(buffer, "\n");
/* inet_ntoa() takes a struct in_addr, not the s_addr member. <arpa/inet.h>
 * is not among the includes, so unless <netinet/in.h> declares it the call
 * is an implicit int-returning declaration whose result is printed with %s.
 * "255.255.255.255:143\t" is 20 characters, so this line does fit ipstr. */
sprintf(ipstr, "%s:%d\t", inet_ntoa(target.sin_addr.s_addr), intrstports[i]);
write(fd, ipstr, strlen(ipstr)); /* write() results are not checked */
write(fd, buffer, strlen(buffer));
fprintf(stdout,"%s:%d\t%s\n", inet_ntoa(target.sin_addr.s_addr), intrstports[i], buffer); /* buffer already ends in "\n" */
}
else{
/* Single-port mode: buffer is not NUL-terminated before strstr(), so the
 * search continues over whatever follows the received bytes on the stack.
 * The two strstr() calls are complementary; an if/else would do. */
if (strstr(buffer, gimmie)!=NULL)
{
fprintf(stdout, "match: %s\n", inet_ntoa(addr));
sprintf(ipstr, "match: %s\n", inet_ntoa(addr)); /* at most 7 + 15 + 1 + NUL = 24 bytes: fits */
write(fd, ipstr, strlen(ipstr));
}
if (strstr(buffer, gimmie)==NULL)
{
fprintf(stdout, "open with no match: %s\n", inet_ntoa(addr));
/* 20-character prefix + address + "\n" + NUL exceeds ipstr[30] for any
 * address longer than 8 characters, i.e. almost all of them. */
sprintf(ipstr, "open with no match: %s\n", inet_ntoa(addr));
write(fd, ipstr, strlen(ipstr));
}
}
if(i == 7){
continue; /* last port of the list handled */
}
if(pflag){
i++;
goto portlabel; /* yeah i know that goto's are unstable and all that */
} /* I dont care though because its much easier */
}
else if(errno==ECONNREFUSED && pflag && i > -1){ /* i > -1 is always true: i starts at 0 and only grows */
alarm(0);
i++;
goto portlabel; /* port closed but host is up, go to next port */
}
else{
alarm(0);
if(errno != EISCONN)
perror("connect");
continue; /* EISCONN (socket already connected from the previous port) is dropped silently */
}
}
/* One wait() per process: the top-level process has four direct children,
 * so not every child is reaped before exit. */
wait(NULL);
close(sockfd);
close(fd);
exit(0);
}
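/* bzero's function, reworked: read one line of a banner string with raw-mode
 * line editing, without spawning a shell or writing a terminal-state file
 * into the working directory.
 *
 * s: destination, must have room for m + 1 bytes (m characters plus NUL).
 * m: maximum number of characters kept; once full, the last character is
 *    replaced instead of appended (mirrors the original backspace-and-overwrite).
 *
 * Accepted keys: printable ASCII (32..126) is stored and echoed; backspace
 * or DEL removes the last character; Enter (CR or LF) ends the line. Any
 * other byte is ignored. End-of-file also ends the line (the original stored
 * getchar() in a char and therefore spun forever on EOF).
 * Canonical mode and echo are switched off via termios for the duration and
 * restored before returning; if stdin is not a terminal the input is read
 * as-is.
 */
void neeto(char *s, unsigned int m)
{
    struct termios saved, raw;
    int have_tty = (tcgetattr(STDIN_FILENO, &saved) == 0);
    unsigned int i = 0;

    if (have_tty) {
        raw = saved;
        raw.c_lflag &= ~(tcflag_t)(ICANON | ECHO); /* "stty -icanon -echo" */
        raw.c_cc[VMIN] = 1;  /* "min 1 time 0": getchar() returns per byte */
        raw.c_cc[VTIME] = 0;
        (void)tcsetattr(STDIN_FILENO, TCSANOW, &raw);
    }
    for (;;) {
        int c = getchar(); /* int, so EOF is distinguishable from data */
        if (c == EOF || c == '\r' || c == '\n') {
            s[i] = '\0';
            break;
        }
        if (c >= 32 && c < 127) {
            if (i >= m) {
                if (i == 0) { /* m == 0: nothing can be stored */
                    continue;
                }
                printf("\b"); /* full: overwrite the last visible character */
                i--;
            }
            s[i++] = (char)c;
            printf("%c", c);
        } else if ((c == '\b' || c == 127) && i > 0) {
            printf("\b \b");
            i--;
        }
        fflush(stdout); /* terminal echo is off, so push our own echo out now */
    }
    if (have_tty) {
        (void)tcsetattr(STDIN_FILENO, TCSANOW, &saved);
    }
}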
/* Adapted from nmap: returns 1 when the address must not be scanned
 * (multicast / former class E, IANA-reserved blocks, RFC 1918 private space,
 * link-local, the documentation prefix, a Sun clustering block and the
 * all-ones broadcast tail), 0 otherwise.
 *
 * ip: the octets are taken in memory order, so ip->s_addr is expected to hold
 *     the address in network byte order.
 */
int ip_is_reserved(struct in_addr *ip)
{
    /* /8 blocks that are rejected outright (IANA reserved, military, 10/8, ...). */
    static const unsigned char reserved_slash8[] = {
        0, 1, 2, 5, 6, 7, 10, 23, 27, 31, 36, 37, 39, 41, 42, 55, 58, 59, 60, 197
    };
    unsigned char oct[4];
    memcpy(oct, &ip->s_addr, sizeof oct);
    unsigned char a = oct[0], b = oct[1], c = oct[2], d = oct[3];

    /* 224/3 (multicast and 240+), 96-127/8, 70-79/8 and 83-95/8. */
    if (a >= 224 || (a >= 96 && a <= 127) || (a >= 70 && a <= 79) || (a >= 83 && a <= 95)) {
        return 1;
    }
    for (size_t k = 0; k < sizeof reserved_slash8 / sizeof reserved_slash8[0]; k++) {
        if (a == reserved_slash8[k]) {
            return 1;
        }
    }
    /* RFC 1918 private space (the original comment's "RFC1819" is a typo). */
    if (a == 172 && b >= 16 && b <= 31) {
        return 1;
    }
    /* 192.168/16 (RFC 1918) and 192.0.2/24 (documentation and examples). */
    if (a == 192 && (b == 168 || (b == 0 && c == 2))) {
        return 1;
    }
    /* 169.254/16: link-local, not routed beyond the LAN. */
    if (a == 169 && b == 254) {
        return 1;
    }
    /* 204.152.64/23: Sun proprietary clustering block. */
    if (a == 204 && b == 152 && (c == 64 || c == 65)) {
        return 1;
    }
    /* x.255.255.255; the first octet has already been screened above. */
    return (b == 255 && c == 255 && d == 255) ? 1 : 0;
}
/* SIGALRM handler, armed by alarm(connout) around connect() in main().
 * Sets alflag, closes the socket whose connect() timed out, cancels the
 * alarm and siglongjmp()s back to the sigsetjmp() in main() with the current
 * `num` as the value (a value of 0 arrives there as 1). Declared to return
 * sig_t like ctrlchandle, but never returns; `n` is unused.
 *
 * Review notes: printf() is not async-signal-safe, and jumping out of the
 * handler abandons whatever main() was in the middle of. This is the only
 * place a socket is closed inside the scan loop.
 */
sig_t alarmhandle(int n)
{
printf("timeout\n"); /* not async-signal-safe */
alflag=1; /* tells the sigsetjmp site to restore num from the jump value */
close(sockfd);
alarm(0);
siglongjmp(fromalrm, num); /* resumes main's loop; does not return */
}
/* SIGINT handler. Once scanning has started (main sets ccquit) the parent
 * process is sent SIGKILL as well, then this process exits with status 0.
 * Declared to return sig_t like alarmhandle; never returns. `n` is unused. */
sig_t ctrlchandle(int n)
{
    (void)n;
    if (ccquit) {
        kill(getppid(), SIGKILL);
    }
    exit(0);
}
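/* Print the command-line help to stdout and terminate with status 1.
 * Called from main() on an unknown option; never returns.
 *
 * progname: argv[0], echoed in the synopsis line.
 *
 * The synopsis now lists -t, which getopt() in main() accepts and which was
 * already described below; the garbled "po2058rtlist" in the -p line reads
 * "portlist".
 */
void usage(char *progname)
{
    printf("\nUsage: %s [-p port] [-R prefix] [-n ip_count] [-t timeout]\n", progname);
    /* One literal, one call: no format directives left to mismatch. */
    fputs("-p port\t\tport to scan for, default portlist scan (21, 23, 25, 80 etc...) will\n"
          "\t\tbe used if no port is given\n"
          "-R prefix\tscans the subnet [prefix], I'd reccomend 216, 128, 24, 64, etc...\n"
          "-t timeout\tsets the timeout for connect()ing\n"
          "-n num\t\tsets the number of ip's to scan for, if not given it will scan forever.\n"
          "\t\tSomething to note is that the number you give will not be the\n"
          "\t\texact number of output ip's, it will be a number close to it; like\n"
          "\t\tif you put -n 50 the ips output may be 47 or 52, this is because of the\n"
          "\t\tchildren that are spawned so it was hard to keep an accurate counter.\n",
          stdout);
    exit(1);
}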
/************** *** Radiohead - Idioteque *** *****************
Who's in bunker
Who's in bunker
Women and children first
And the children first
And the children first
And the children...
I'll laugh until my head comes off
I'll swallow till I burst
Swallow till I
swallow till I...
Who's in bunker
Who's in bunker
I've seen too much
I haven't seen enough
You haven't seen enough
I'll laugh until my head comes off
Women and children first
And children first
And children first
Here I'm alive, everything all of the time
Here I'm alive, everything all of the time
Ice age comin
Ice age comin
Let me hear both sides
Let me hear both sides
Ice age comin
Ice age comin
Throw me in the fire
Throw me in the fire
Throw me in the...
We're not scaremongerin' this is really happenin
We're not scaremongerin' this is really happenin
This is really happenin
Mobiles working
Mobiles chirping
Take the money and run
Take the money and run
Take the money...
Here I'm alive, everything all of the time
Here I'm alive, everything all of the time
Here I'm alive, everything all of the time
Here I'm alive, everything all of the time...
*******************************EOF******************************/