Port Scanning searches for open ports on a remote system. The basic logic for a portscanner would be to connect to the port we want to check. If the socket gives a valid connection without any error then the port is open , closed otherwise (or inaccessible, or filtered).
This basic technique is called TCP Connect Port Scanning in which we use something like a loop to connect to ports one by one and check for valid connections on the socket.
But this technique has many drawbacks :
1. It is slow since it establishes a complete 3 way TCP handshake. It waits for the connect() function to return.
2. It is detectable. It leaves more logs on the remote system and on any firewall that is running.
TCP-Syn Port scanning is a technique which intends to cure these two problems. The mechanism behind it is the handshaking which takes place while establishing a connection. It sends syn packets and waits for an syn+ack reply. If such a reply is received then the port is open otherwise keep waiting till timeout and report the port as closed. Quite simple! In the TCP connect technique the connect() function sends a ack after receiving syn+ack and this establishes a complete connection. But in Syn scanning the complete connection is not made.
This results in :
1. Faster scans – Partial TCP handshake is done. Only 2 packets exchanged , syn and syn+ack.
2. Incomplete connections so less detectable. But modern firewalls are smart enough to log all syn activites. So this technique is more or less detectable to same extent as TCP connect port scanning.
TCP Connect Port Scan looks like :
You -> Send Syn packet -> Host:port
Host -> send syn/ack packet -> You
You -> send ack packet -> Host
… and connection is established
TCP-Syn Port scan looks like
You -> send syn packet ->Host:port
Host -> send syn/ack or rst packet or nothing depending on the port status -> You
… stop and analyse the reply the host send :
If syn+ack reply then port open.
Closed/filtered otherwise.
Results are almost as accurate as that of TCP connection and the scan is much faster.
So the process is :
1. Send a Syn packet to a port A
2. Wait for a reply of Syn+Ack till timeout.
3. Syn+Ack reply means the port is open , Rst packet means port is closed , and otherwise it might be inaccessible or in a filtered state.
Tools
We shall code a TCP-Syn Port scanner on Linux using sockets and posix thread api.
The tools we need are :
1. Linux system with gcc and posix libraries installed
2. Wireshark for analysing the packets (Optional : for better understanding).
Program Logic
1. Take a hostname to scan.
2. Start a sniffer thread shall sniff all incoming packets and pick up those which are from hostname and are syn+ack packets.
3. start sending syn packets to ports in a loop. This needs raw sockets
4. If the sniffer thread receives a syn/ack packet from the host then get the source port of the packet and report the packet as open.
5. Keep looping as long as you have nothing else to do.
6. Quit the program if someone is calling you.
Code
5 | #include<stdio.h> //printf |
6 | #include<string.h> //memset |
7 | #include<stdlib.h> //for exit(0); |
9 | #include<errno.h> //For errno - the error number |
11 | #include<netdb.h> //hostend |
13 | #include<netinet/tcp.h> //Provides declarations for tcp header |
14 | #include<netinet/ip.h> //Provides declarations for ip header |
16 | void * receive_ack( void *ptr ); |
17 | void process_packet(unsigned char* , int); |
18 | unsigned short csum(unsigned short * , int ); |
19 | char * hostname_to_ip(char * ); |
20 | int get_local_ip (char *); |
24 | unsigned int source_address; |
25 | unsigned int dest_address; |
26 | unsigned char placeholder; |
27 | unsigned char protocol; |
28 | unsigned short tcp_length; |
33 | struct in_addr dest_ip; |
35 | int main(int argc, char *argv[]) |
38 | int s = socket (AF_INET, SOCK_RAW , IPPROTO_TCP); |
41 | printf ("Error creating socket. Error number : %d . Error message : %s \n" , errno ,strerror(errno)); |
46 | printf("Socket created.\n"); |
53 | struct iphdr *iph = (struct iphdr *) datagram; |
56 | struct tcphdr *tcph = (struct tcphdr *) (datagram + sizeof (struct ip)); |
58 | struct sockaddr_in dest; |
59 | struct pseudo_header psh; |
61 | char *target = argv[1]; |
65 | printf("Please specify a hostname \n"); |
69 | if( inet_addr( target ) != -1) |
71 | dest_ip.s_addr = inet_addr( target ); |
75 | char *ip = hostname_to_ip(target); |
78 | printf("%s resolved to %s \n" , target , ip); |
80 | dest_ip.s_addr = inet_addr( hostname_to_ip(target) ); |
84 | printf("Unable to resolve hostname : %s" , target); |
89 | int source_port = 43591; |
91 | get_local_ip( source_ip ); |
93 | printf("Local source IP is %s \n" , source_ip); |
95 | memset (datagram, 0, 4096); |
101 | iph->tot_len = sizeof (struct ip) + sizeof (struct tcphdr); |
102 | iph->id = htons (54321); |
103 | iph->frag_off = htons(16384); |
105 | iph->protocol = IPPROTO_TCP; |
107 | iph->saddr = inet_addr ( source_ip ); |
108 | iph->daddr = dest_ip.s_addr; |
110 | iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1); |
113 | tcph->source = htons ( source_port ); |
114 | tcph->dest = htons (80); |
115 | tcph->seq = htonl(1105024978); |
117 | tcph->doff = sizeof(struct tcphdr) / 4; |
124 | tcph->window = htons ( 14600 ); |
130 | const int *val = &one; |
132 | if (setsockopt (s, IPPROTO_IP, IP_HDRINCL, val, sizeof (one)) < 0) |
134 | printf ("Error setting IP_HDRINCL. Error number : %d . Error message : %s \n" , errno, strerror(errno)); |
138 | printf("Starting sniffer thread...\n"); |
139 | char *message1 = "Thread 1"; |
141 | pthread_t sniffer_thread; |
143 | if( pthread_create( &sniffer_thread , NULL , receive_ack , (void*) message1) < 0) |
145 | printf ("Could not create sniffer thread. Error number : %d . Error message : %s \n" ,errno , strerror(errno)); |
149 | printf("Starting to send syn packets\n"); |
152 | dest.sin_family = AF_INET; |
153 | dest.sin_addr.s_addr = dest_ip.s_addr; |
154 | for(port = 1 ; port < 100 ; port++) |
156 | tcph->dest = htons ( port ); |
159 | psh.source_address = inet_addr( source_ip ); |
160 | psh.dest_address = dest.sin_addr.s_addr; |
162 | psh.protocol = IPPROTO_TCP; |
163 | psh.tcp_length = htons( sizeof(struct tcphdr) ); |
165 | memcpy(&psh.tcp , tcph , sizeof (struct tcphdr)); |
167 | tcph->check = csum( (unsigned short*) &psh , sizeof (struct pseudo_header)); |
170 | if ( sendto (s, datagram , sizeof(struct iphdr) + sizeof(struct tcphdr) , 0 , (struct sockaddr *) &dest, sizeof (dest)) < 0) |
172 | printf ("Error sending syn packet. Error number : %d . Error message : %s \n" ,errno , strerror(errno)); |
177 | pthread_join( sniffer_thread , NULL); |
178 | printf("%d" , iret1); |
186 | void * receive_ack( void *ptr ) |
196 | int saddr_size , data_size; |
197 | struct sockaddr saddr; |
199 | unsigned char *buffer = (unsigned char *)malloc(65536); |
201 | printf("Sniffer initialising...\n"); |
205 | sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_TCP); |
209 | printf("Socket Error\n"); |
214 | saddr_size = sizeof saddr; |
219 | data_size = recvfrom(sock_raw , buffer , 65536 , 0 , &saddr , &saddr_size); |
223 | printf("Recvfrom error , failed to get packets\n"); |
229 | process_packet(buffer , data_size); |
233 | printf("Sniffer finished."); |
238 | void process_packet(unsigned char* buffer, int size) |
241 | struct iphdr *iph = (struct iphdr*)buffer; |
242 | struct sockaddr_in source,dest; |
243 | unsigned short iphdrlen; |
245 | if(iph->protocol == 6) |
247 | struct iphdr *iph = (struct iphdr *)buffer; |
248 | iphdrlen = iph->ihl*4; |
250 | struct tcphdr *tcph=(struct tcphdr*)(buffer + iphdrlen); |
252 | memset(&source, 0, sizeof(source)); |
253 | source.sin_addr.s_addr = iph->saddr; |
255 | memset(&dest, 0, sizeof(dest)); |
256 | dest.sin_addr.s_addr = iph->daddr; |
258 | if(tcph->syn == 1 && tcph->ack == 1 && source.sin_addr.s_addr == dest_ip.s_addr ) |
260 | printf("Port %d open \n" , ntohs(tcph->source)); |
269 | unsigned short csum(unsigned short *ptr,int nbytes) |
272 | unsigned short oddbyte; |
273 | register short answer; |
282 | *((u_char*)&oddbyte)=*(u_char*)ptr; |
286 | sum = (sum>>16)+(sum & 0xffff); |
287 | sum = sum + (sum>>16); |
296 | char* hostname_to_ip(char * hostname) |
299 | struct in_addr **addr_list; |
302 | if ( (he = gethostbyname( hostname ) ) == NULL) |
305 | herror("gethostbyname"); |
309 | addr_list = (struct in_addr **) he->h_addr_list; |
311 | for(i = 0; addr_list[i] != NULL; i++) |
314 | return inet_ntoa(*addr_list[i]) ; |
324 | int get_local_ip ( char * buffer) |
326 | int sock = socket ( AF_INET, SOCK_DGRAM, 0); |
328 | const char* kGoogleDnsIp = "8.8.8.8"; |
331 | struct sockaddr_in serv; |
333 | memset( &serv, 0, sizeof(serv) ); |
334 | serv.sin_family = AF_INET; |
335 | serv.sin_addr.s_addr = inet_addr(kGoogleDnsIp); |
336 | serv.sin_port = htons( dns_port ); |
338 | int err = connect( sock , (const struct sockaddr*) &serv , sizeof(serv) ); |
340 | struct sockaddr_in name; |
341 | socklen_t namelen = sizeof(name); |
342 | err = getsockname(sock, (struct sockaddr*) &name, &namelen); |
344 | const char *p = inet_ntop(AF_INET, &name.sin_addr, buffer, 100); |
Compile and Run
1 | $ gcc syn_portscan.c -lpthread -o syn_portscan |
-lpthread option is needed to link the posix thread libraries.
Now Run
1 | $ sudo ./syn_portscan www.google.com |
3 | www.google.com resolved to 74.125.235.16 |
4 | Local source IP is 192.168.0.6 |
5 | Starting sniffer thread... |
6 | Starting to send syn packets |
Note :
1. For the program to run correctly the local ip and the hostname ip should be resolved correctly. Wireshark should also show the TCP Syn packets as “Good” and not bogus or something.
2. The get_local_ip method is used to find the local ip of the machine which is filled in the source ip of packets. For example : 192.168.1.2 if you are on a LAN or 172.x.x.x if you are directly connected to internet. The local source ip value will show this.
3. The hostname_to_ip function resolves a domain name to its ip address. It uses the gethostbyname method.
本文介绍了一种快速且隐蔽的端口扫描技术——TCP SYN扫描。该技术通过发送SYN数据包并监听SYN+ACK响应来判断目标端口是否开放,避免了完整的三次握手过程,从而提高了扫描速度并减少了被检测的可能性。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
