Saturday, January 19, 2008

Tcp Tutorial-22

 * interface for newer tools)
 *
 * Technique:
 *
 * 1. Active scanning: not supported - why bother.
 *
 * 2. Half-open scanning:
 *    a. send SYN
 *    b. if reply is SYN|ACK send RST, port is listening
 *    c. if reply is RST, port is not listening
 *
 * 3. Stealth scanning: (works on nearly all systems tested)
 *    a. sends FIN
 *    b. if RST is returned, not listening.
 *    c. otherwise, port is probably listening.
 *
 * (This bug in many TCP implementations is not limited to FIN only; in fact
 * many other flag combinations will have similar effects. FIN alone was
 * selected because it always returns a plain RST when not listening, and the
 * code here was fit to handle RSTs already so it took me like 2 minutes
 * to add this scanning method)
 *
 * 4. Stealth scanning: (may not work on all systems)
 *    a. sends ACK
 *    b. waits for RST
 *    c. if TTL is low or window is not 0, port is probably listening.
 *
 * (stealth scanning was created after I watched some tcpdump logs with
 * these symptoms. The low-TTL implementation bug is currently believed
 * to appear on Linux only, the non-zero window on ACK seems to exist on
 * all BSDs.)
 *
 * CHANGES:
 * --------
 * 0. (v1.0)
 *    - First code, worked but was put aside since I didn't have time nor
 *      need to continue developing it.
 *
 * 1. (v1.1)
 *    - BASE CODE MOSTLY REWRITTEN (the old code wasn't that maintainable)
 *    - Added code to actually enforce the usecond-delay without usleep()
 *      (replies might be lost if usleep()ing)
 *
 * 2. (v1.2)
 *    - Added another stealth scanning method (FIN).
 *      Tested and passed on:
 *        AIX 3
 *        AIX 4
 *        IRIX 5.3
 *        SunOS 4.1.3
 *        System V 4.0
 *        Linux
 *        FreeBSD
 *        Solaris
 *      Tested and failed on:
 *        Cisco router with services on (IOS 11.0)
 *
 * 3. (v1.21)
 *    - Code commented since I intend on abandoning this for a while.
 *
 * 4. (v1.3)
 *    - Resending for ports that weren't replied for.
 *      (took some modifications in the internal structures. this also
 *      makes it possible to use non-linear port ranges
 *      (say 1-1024 and 6000))
 *
 * 5. (v1.31)
 *    - Flood detection - will slow down the sending rate if no replies are
 *      received for STCP_THRESHOLD consecutive sends. Saves a lot of resends
 *      on easily-flooded networks.
 *
 * 6. (v1.32)
 *    - Multiple port ranges support.
 *      The format is: |[,|,...]
 *
 *      Examples: 20-26,113
 *                20-100,113-150,6000,6660-6669
 *
 * PLANNED: (when I have time for this)
 *
 * (v2.x) - Multiple flag combination selections, smart algorithm to point
 *          out uncommon replies and cross-check them with another flag
 *
 */

#define RESOLVE_QUIET

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "resolve.c"
#include "tcppkt03.c"

#define STCP_VERSION "1.32"
#define STCP_PORT 1234 /* Our local port. */
#define STCP_SENDS 3
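The three probe types described in the header above (bare SYN, bare FIN, bare ACK) each look different from a normal TCP session on the wire, which is what a defender can key on. The following is an added detection example, not part of the scanner's own source: it walks a constructed list of per-packet records (source, destination, destination port, flag set), tracks which SYNs were followed by a handshake-completing ACK, and reports any source that sent one probe type to many distinct ports on a single host. The record format and the `port_threshold` of 5 are assumptions chosen for the sample.

```python
"""Detect SYN, FIN-only and bare-ACK port sweeps from packet summaries."""
from collections import defaultdict

# Constructed sample traffic: one normal connection to port 80 from 10.0.0.5,
# a FIN sweep of ports 20-26 from 10.0.0.7, a SYN sweep of 1-39 from 10.0.0.8.
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", 80, {"SYN"}),
    ("10.0.0.5", "10.0.0.9", 80, {"ACK"}),
    ("10.0.0.5", "10.0.0.9", 80, {"FIN", "ACK"}),
] + [("10.0.0.7", "10.0.0.9", p, {"FIN"}) for p in range(20, 27)] \
  + [("10.0.0.8", "10.0.0.9", p, {"SYN"}) for p in range(1, 40)]


def classify_probe(flags):
    """Map a packet's flag set to the probe type from the header, or None."""
    if flags == {"SYN"}:
        return "syn"   # half-open scan if no handshake follows
    if flags == {"FIN"}:
        return "fin"   # FIN without ACK never occurs in a legitimate session
    if flags == {"ACK"}:
        return "ack"   # bare ACK outside an established session
    return None


def detect_scans(records, port_threshold=5):
    """Return {(src, dst): {probe_type: sorted ports}} for every source that
    sent one probe type to at least port_threshold distinct ports on dst."""
    seen = defaultdict(lambda: defaultdict(set))
    pending = set()      # (src, dst, dport) that saw a client SYN
    established = set()  # ... and then an ACK from the same client
    for src, dst, dport, flags in records:
        key = (src, dst, dport)
        if flags == {"SYN"}:
            pending.add(key)
        elif key in pending and "ACK" in flags:
            established.add(key)  # handshake completed: not a scan
        kind = classify_probe(flags)
        if kind and key not in established:
            seen[(src, dst)][kind].add(dport)
    alerts = {}
    for pair, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= port_threshold}
        if hits:
            alerts[pair] = hits
    return alerts
```

A single real session only ever touches one destination port, so the distinct-port threshold keeps a mid-capture bare ACK from raising an alert on its own.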
