This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 356, Boston, MA 02111-1567, USA.
#include "include/nast.h"
/* single host syn port scanner*/
/*
 * port - single-host TCP SYN scan: for every range in plist_p a SYN is built
 * and written with libnet to dst_ip, the reply is read back with pcap and
 * classified as Open / Filtered / closed (see the report lines at the end).
 * Only part of the original listing survived; the bare numbers between the
 * statements are the source viewer's gutter numbers, not code.
 *
 * dev     - interface used for both capture (pcap) and injection (libnet)
 * dst_ip  - target address, passed straight into libnet_build_ipv4()
 * plist_p - libnet port list walked with libnet_plist_chain_next_pair()
 * lg      - logging flag forwarded to n_print()
 * Returns -1 when device() fails; other failures go through w_error(), whose
 * first argument looks like a fatal (1) / warning (0) selector — confirm.
 */
int port(char *dev,u_long dst_ip,libnet_plist_t *plist_p,int lg)
25
int c, build_ip, fr, fd ;
30
/* Result of getservbyport(); NULL for ports without a services(5) entry. */
struct servent *service;
33
/* Views over the captured packet; Tcp and icmp alias the same bytes after the IP header. */
struct libnet_tcp_hdr *Tcp;
34
struct libnet_ipv4_hdr *ip;
35
struct libnet_icmpv4_hdr *icmp;
38
/* bport/eport: current range from the port list; cport: port being probed. */
u_short bport, eport, cport;
39
char errbuf[LIBNET_ERRBUF_SIZE];
41
//char *filter="not src host 62.10.127.46";
42
//char *filter="not src host 192.168.1.1";
45
/* 'close' is the closed-port counter printed in the summary (it shadows close(2) — a rename
   would help); fr/fd presumably count suspected REJECT/DROP rules, see the (*)/(**) lines.
   t and these counters are declared outside this fragment. */
close = bport = eport = cport = t = fr = fd = 0;
49
/* To get both time and date one could use %c, but the compiler spits out rather annoying warnings :) */
50
strftime(timed,60,"%b %d %T",localtime(&tm));
55
n_print (NULL,0,0,lg,"Logging to file... \n");
57
n_print (NULL,0,0,lg,"NAST PORT SCAN REPORT\n");
58
n_print (NULL,0,0,lg,"Made on %s\n\n", timed);
61
#ifdef HAVE_LIBNCURSES
69
w_error(0,"Is very useless demonize me in checking banner! Omit");
73
n_print("princ",lineh,2,lg,"Wait for scanning...\n\n");
74
n_print("princ",++lineh,2,lg,"State Port Services Notes\n\n");
77
/* Capture side: snaplen BUFSIZ, non-promiscuous, 1 ms read timeout. */
if(pcap_lookupnet(dev,&netp,&maskp,errbuf)==-1)
79
w_error(1,"pcap_lookupnet() error %s\n",errbuf);
82
if ((descr = pcap_open_live (dev, BUFSIZ, 0, 1, errbuf))==NULL)
84
w_error(1, "pcap_open_live() error: %s\n",errbuf);
87
/* Selectable descriptor of the capture handle, used by the select() timeout below. */
sd = pcap_fileno(descr);
89
/* device() apparently yields the link-layer header length for dev; offset is added to every packet pointer below. */
if ((offset=(device(dev,descr)))==-1) return -1;
92
/* Injection side: raw IPv4 via libnet; the handle l is assigned in a line not in this fragment. */
LIBNET_RAW4, /* injection type */
93
dev, /* network interface */
98
w_error(1, "libnet_init() failed: %s", errbuf);
101
if ((src_ip = libnet_get_ipaddr4(l))==-1)
103
w_error(1, "Can't get local ip address : %s\n", libnet_geterror(l));
106
/* NOTE(review): the BPF filter below is commented out, so pcap_next() hands back any frame on the
   interface. None of the reply checks that survived in this fragment compares the packet's source
   address or ports with dst_ip / cport, so unrelated traffic can be classified as the reply to a
   probe. Re-enabling a filter, or comparing ip->ip_src and Tcp->th_sport/th_dport before the
   flag checks, would make the verdicts robust against background noise. */
/*if(pcap_compile(descr,&fp,filter,0,netp) == -1)
108
if(w_error(0, "Error in pcap_compile, insert a different filter\n")==-1)
111
if(pcap_setfilter(descr,&fp) == -1)
113
w_error(1, "Error calling pcap_setfilter\n\n");
120
/* Outer loop: one (bport, eport) pair per range in the port list. */
while (libnet_plist_chain_next_pair(plist_p, &bport, &eport))
122
/* Walk bport..eport; bport == 0 terminates (the increment is not in this fragment). */
while (!(bport > eport) && bport != 0)
125
/* Probe: constant source port 1050 and constant sequence number. The reply check below only
   requires th_seq != 0, so the value is never actually matched; constant fields also make
   these probes trivially fingerprintable by an IDS. */
tcp = libnet_build_tcp(
126
1050, /* source port */
127
cport, /* destination port */
128
0x01010101, /* sequence number */
129
0, /* acknowledgement num */
130
TH_SYN, /* control flags */
131
32767, /* window size */
133
0, /* urgent pointer */
134
LIBNET_TCP_H, /* TCP packet size */
136
0, /* payload size */
137
l, /* libnet handle */
138
tcp); /* libnet id */
141
w_error(1, "Can't build TCP header: %s\n", libnet_geterror(l));
147
t = libnet_build_ipv4(
148
LIBNET_IPV4_H + LIBNET_TCP_H, /* length */
153
IPPROTO_TCP, /* protocol */
155
src_ip, /* source IP */
156
dst_ip, /* destination IP */
158
0, /* payload size */
159
l, /* libnet handle */
163
w_error(1, "Can't build IP header: %s\n", libnet_geterror(l));
168
/* usleep can be omitted when scanning another Linux box, but when the target is OpenBSD
   it must be used, otherwise a DROP rule that does not exist is reported. */
175
w_error(1, "Libnet_write() Error: %s\n", libnet_geterror(l));
183
//tv.tv_usec = 75000;
187
/* NULL means no packet within the pcap timeout; the handling is in a line not in this fragment. */
if((pkt = (u_char *) pcap_next(descr,&hdr))==NULL)
192
/* NOTE(review): the casts assume a 20-byte IPv4 header (LIBNET_IPV4_H; ip_hl is not consulted)
   and no check of hdr.caplen against offset + LIBNET_IPV4_H + LIBNET_TCP_H is visible, so a
   short frame is read past its captured length and an option-carrying header is misparsed. */
ip = (struct libnet_ipv4_hdr *) (pkt + offset);
193
icmp = (struct libnet_icmpv4_hdr *) (pkt + offset + LIBNET_IPV4_H);
194
Tcp = (struct libnet_tcp_hdr *) (pkt + offset + LIBNET_IPV4_H);
197
/* Appears to run before ip_p is checked, so for ICMP replies this reads ICMP bytes as TCP flags. */
if (Tcp->th_flags == (TH_RST|TH_ACK))
203
/* Returns a static buffer (not reentrant); only safe while nothing else calls it concurrently. */
service = getservbyport(htons(cport), "tcp");
205
/* ICMP reply: report as Filtered and decode the unreachable code; (*) marks a suspected REJECT rule. */
if(ip->ip_p == IPPROTO_ICMP)
207
n_print("princ",lineh,2,lg,"Filtered %d %s",(cport), (service) ? service->s_name : "unknown");
208
/* Tab padding goes straight to the log stream when not in ncurses mode or when logging. */
if(!graph || (graph && lg)) fprintf(logd,"\t\t\t");
209
switch((icmp->icmp_type))
213
switch (icmp->icmp_code)
216
n_print("princ",lineh,56,lg,"Network Unreachable(*)\n");
219
n_print("princ",lineh,56,lg,"Host Unreachable(*)\n");
222
n_print("princ",lineh,56,lg,"Protocol Unreachable(*)\n");
225
n_print("princ",lineh,56,lg,"Port Unreachable(*)\n");
228
n_print("princ",lineh,56,lg,"Destination network administratively prohibited(*)\n");
231
n_print("princ",lineh,56,lg,"Destination host administratively prohibited(*)\n");
234
n_print("princ",lineh,56,lg,"Comm. administratively prohibited(*)\n");
239
/* Any other ICMP type: print its raw number. */
n_print("princ",lineh,56,lg,"%d(*)\n", icmp->icmp_type);
248
/* No reply within tv: report as Filtered with (**), a suspected DROP rule. */
if (!select(sd+1, &rfsd, NULL, NULL, &tv))
250
n_print("princ",lineh,2,lg,"Filtered %d %s", (cport),(service) ? service->s_name : "unknown");
251
if(!graph || (graph && lg)) fprintf(logd,"\t\t\t");
252
n_print("princ",lineh,56,lg,"SYN packet timeout(**)\n");
258
/* SYN/ACK with a non-zero sequence number: the port is reported Open. */
if (Tcp->th_seq != 0 && (Tcp->th_flags == (TH_SYN|TH_ACK)))
260
n_print("princ",lineh,2,lg,"Open %d %s", cport ,(service) ? service->s_name : "unknown");
261
if(!graph || (graph && lg)) fprintf(logd,"\t\t\t");
262
n_print("princ",lineh,56,lg,"None\n");
272
/* Summary: everything neither Open nor Filtered was counted in 'close'. */
n_print("winfo",1,2,lg,"\nAll the other %d ports are in state closed\n",close);
273
if (fr!=0) n_print("winfo",2,1,lg,"(*)Possible REJECT rule in the firewall\n");
274
if (fd!=0) n_print("winfo",3,1,lg,"(**)Possible DROP rule in the firewall\n");
278
n_print("princ",lineh+2,1,lg,"Scanning terminated on %s\n",timed);
282
/* Final status lines ("writed" is a runtime string, left as is). */
n_print(NULL,0,0,lg,"Done! Results has been writed to '%s'\n", logname);
290
n_print(NULL,0,0,lg,"Error! Results has been writed to '%s'\n", logname);
/* multi hosts - catch banner*/
/*
 * mport - multi-host banner grabber: builds the list of live hosts with
 * map_lan(), then for each host TCP-connects to every port in ports[] and
 * prints whatever banner the service returns (HTTP Server: header, telnet
 * negotiation stripped, or the raw greeting after a "\n\n" nudge).
 * Only part of the original listing survived; the bare numbers between the
 * statements are the source viewer's gutter numbers, not code.
 *
 * dev   - interface handed to map_lan()
 * ports - 0-terminated array of TCP ports (see the '\0' check near the end)
 * lg    - logging flag forwarded to n_print()
 * Return value: not visible in this fragment.
 */
int mport (u_char *dev, u_short ports[],int lg)
302
/* May be NULL for unknown ports; see the note at its first dereference below. */
struct servent *service;
303
struct in_addr daddr;
306
/* HTTP probe sent once the connection is up; size is assigned outside this fragment. */
char *msg = "HEAD / HTTP/1.0\n\n";
307
struct sockaddr_in sin;
309
int sd, r, size, bsent,z,k,x,y;
315
char *buf_p, *banner_p, *p;
316
/* tmpbuf: raw telnet read; obuf: 3-byte option reply; ph: presumably a cursor into tmpbuf. */
u_char tmpbuf[1024], *ph=NULL, obuf[4];
324
n_print (NULL,0,0,lg,"Logging to file... \n");
326
n_print (NULL,0,0,lg,"NAST BANNER SCAN REPORT\n");
327
n_print (NULL,0,0,lg,"Made on %s\n\n", timed);
330
#ifdef HAVE_LIBNCURSES
338
w_error(0,"Is very useless demonize me in checking banner! Omit");
343
strftime(timed,60,"%b %d %T",localtime(&tm));
345
n_print ("princ",1,1,lg, "Builing hosts list... ");
347
/* map_lan() returns the reachable hosts and their count in n; NULL is fatal unless w_error() says otherwise. */
if ((uphost = map_lan(dev, 0, &n))==NULL)
349
if(w_error(0, "\nCan't build truly host list! mmhhh!\nReport bug to author please\n\n")==-1)
354
n_print("winfo",1,1,lg," ");
355
/* Reached when the host list is empty (the condition is not in this fragment). */
n_print("winfo",1,1,lg,"\nWhat are you doing? You are alone in this network!\n\n");
358
n_print("princ",1,25,lg,"done\n\n");
360
memset (&sin, 0, sizeof (struct sockaddr_in));
361
sin.sin_family = AF_INET;
365
/* Dotted quad from the 4 address bytes: at most 15 chars + NUL, so ip must be at least 16 bytes
   (its declaration is not in this fragment). */
sprintf(ip, "%d.%d.%d.%d", uphost[i].ip[0], uphost[i].ip[1], uphost[i].ip[2], uphost[i].ip[3]);
366
daddr.s_addr = inet_addr (ip);
367
sin.sin_addr = daddr;
369
/* LIBNET_RESOLVE triggers a reverse DNS lookup per host. */
n_print("princ",lineh,2,lg,"IP : %s (%s)\n", ip, libnet_addr2name4(inet_addr(ip), LIBNET_RESOLVE));
370
n_print("princ",++lineh,2,lg,"OPEN PORTS\t\tBANNER\n");
374
/* One blocking connect per port; the socket() result is not checked in the lines that survived. */
sd = socket(AF_INET, SOCK_STREAM, 0);
375
sin.sin_port = htons(ports[j]);
377
if ((connect(sd, (struct sockaddr *)&sin, sizeof(sin))) != -1)
379
service = getservbyport(htons(ports[j]), "tcp");
380
/* NOTE(review): service is dereferenced unconditionally; getservbyport() returns NULL for ports
   without a services(5) entry, so an open but unlisted port crashes the scan. port() guards the
   same call with `(service) ? service->s_name : "unknown"` — do the same here. */
n_print("princ",linep,2,lg,"%d (%s)", ports[j], service->s_name);
381
if(!graph) printf("\t\t");
387
/* Non-blocking from here on; the reads below rely on select() timeouts. */
fcntl(sd, F_SETFL, O_NONBLOCK);
391
/* Return value unused, so send/read proceed even when the descriptor never became ready. */
select(sd+1, &rfds, NULL, NULL, &tv);
394
bsent = send(sd, msg, size, 0);
395
/* NOTE(review): r is not checked and read() does not NUL-terminate. With a full 1024 bytes
   strlen(banner) below runs off the end of banner (assumed 1024 bytes, as the memset() calls
   further down suggest), and with r <= 0 the banner[r-1] access below is out of bounds.
   Reading at most 1023 bytes and then `banner[r > 0 ? r : 0] = '\0';` covers both. */
r = read (sd, banner, 1024);
396
len = strlen("Server: ");
398
/* Unchecked malloc; banner_p is not freed anywhere in the lines that survived. */
banner_p = (char *)malloc(strlen(banner)+1);
399
bzero(banner_p, strlen(banner)+1);
401
/* Scan the HTTP response line by line for the Server: header. */
for(buf_p = strtok(banner, "\n"); buf_p != NULL;)
403
p = strstr(buf_p, "Server: ");
406
/* NOTE(review): the length is measured from the start of buf_p but the copy starts at p+len,
   so whenever "Server: " is not at the very start of the line the copy reads (p - buf_p) bytes
   past the end of that line. `strlen(p) - len` (or strcpy(banner_p, p + len)) is the intended length. */
memmove(banner_p, (p+len), strlen(buf_p)-len);
408
buf_p = strtok(NULL, "\n");
412
/* strncpy() leaves banner unterminated if banner_p holds 1024 bytes or more. */
strncpy(banner, banner_p, 1024);
416
strncpy(banner, "no banner available", 1024);
419
/* r is still the read() result from above; same r <= 0 hazard. */
if (banner[r-1]=='\n') banner[r-1]='\0';
420
n_print("princ",linep,24,lg,"%s",banner);
421
if(!graph) printf("\n");
431
/* Telnet-style service: read raw bytes and strip option negotiation. */
select(sd+1, &rfds, NULL, NULL, &tv);
436
r = read (sd, tmpbuf, 1024);
440
for(z = 0; z < r; z++)
442
/* Every third byte: appears to check whether the triple started with IAC (255). */
if((z % 3) == 0 && z > 0)
444
if(tmpbuf[z-3] != 255)
448
for(k = 0; k < r; k++)
454
/* Copy payload bytes, dropping NUL and CR; z indexes banner here and its bound depends on code not in this fragment. */
else if(tmpbuf[k] != 0 && tmpbuf[k] != 13)
456
banner[z] = tmpbuf[k];
471
/* 251/252 (WILL/WONT) and 253/254 (DO/DONT) look like telnet option codes; obuf carries the 3-byte answer. */
if( (*ph == 251) || (*ph == 252))
473
if( (*ph == 253) || (*ph == 254))
480
send(sd, obuf, 3, 0);
488
if (banner[r-1]=='\n') banner[r-1]='\0';
489
/* <= deliberately includes the terminating NUL; the loop body is not in this fragment. */
for(i=0;i<=(strlen(banner));i++)
495
n_print("princ",linep,24,lg,"%s\n",banner);
504
/* read the banner */
505
if (select (sd+1, &rfds, NULL, NULL, &tv))
507
/* Zeroed first, so a read of fewer than 1024 bytes is NUL-terminated (a full read is not);
   r <= 0 still indexes banner[-1] two lines down. */
memset (&banner, 0, 1024);
508
r = read (sd, banner, 1024);
509
if (banner[r-1]=='\n') banner[r-1]='\0';
510
n_print("princ",linep,24,lg,"%s\n", banner);
513
/* 1st time out expired */
516
/* send two \n to socket (return value unchecked) */
517
write (sd, "\n\n", 2);
525
if (select (sd+1, &rfds, NULL, NULL, &tv))
527
memset (&banner, 0, 1024);
528
r = recv (sd, banner, 1024, 0);
529
if (banner[r-1]=='\n') banner[r-1]='\0';
530
n_print("princ",linep,24,lg,"%s\n", banner);
541
/* ports[] is 0-terminated. */
if (ports[j] == '\0') break;
546
if(!graph) printf("\n");
551
n_print("winfo",1,1,lg," ");
552
n_print("winfo",1,2,lg,"\nScanning terminated on %s\n",timed);
/*
 * mhport - multi-host TCP SYN scan: the host list comes from map_lan(), then
 * every host is probed for every range in plist_p the same way port() does.
 * Only part of the original listing survived; the bare numbers between the
 * statements are the source viewer's gutter numbers, not code, and the
 * function continues past the last line shown here.
 *
 * dev     - interface for map_lan(), pcap and libnet
 * plist_p - libnet port list walked with libnet_plist_chain_next_pair()
 * lg      - logging flag forwarded to n_print()
 * Returns -1 when device() fails; other failures go through w_error().
 */
int mhport(u_char *dev,libnet_plist_t *plist_p,int lg)
565
int c, build_ip, fr=0, fd=0 ;
570
/* Result of getservbyport(); NULL for ports without a services(5) entry. */
struct servent *service;
573
struct pcap_pkthdr pcap_h;
574
/* Views over the captured packet; Tcp and icmp alias the same bytes after the IP header. */
struct libnet_tcp_hdr *Tcp;
575
struct libnet_ipv4_hdr *ip;
576
struct libnet_icmpv4_hdr *icmp;
579
/* i indexes uphost[], n is the host count from map_lan(); both u_short. */
u_short bport = 0, eport = 0, cport = 0, i = 0 ,n = 0;
580
char errbuf[LIBNET_ERRBUF_SIZE];
581
struct host * uphost;
590
strftime(timed,60,"%b %d %T",localtime(&tm));
595
n_print (NULL,0,0,lg,"Logging to file... \n");
597
n_print (NULL,0,0,lg,"NAST MULTI PORT SCAN REPORT\n");
598
n_print (NULL,0,0,lg,"Made on %s\n\n", timed);
601
#ifdef HAVE_LIBNCURSES
609
w_error(0,"Is very useless demonize me in checking banner! Omit");
613
n_print ("princ",1,1,lg,"Builing hosts list...");
615
/* map_lan() returns the reachable hosts and their count in n; NULL is fatal unless w_error() says otherwise. */
if ((uphost = map_lan(dev, 0, &n))==NULL)
617
if(w_error(0, "\nCan't build truly host list! mmhhh!\nReport bug to author please\n\n")==-1)
622
/* Reached when the host list is empty (the condition is not in this fragment). */
if(w_error(0, "\nWhat are you doing? You are alone in this network!\n\n")==-1)
626
n_print ("princ",1,22,lg,"done\n");
634
/* Injection side: raw IPv4 via libnet; the handle l is assigned in a line not in this fragment. */
LIBNET_RAW4, /* injection type */
635
dev, /* network interface */
636
errbuf); /* errbuf */
640
w_error(1, "libnet_init() failed: %s", errbuf);
642
if ((src_ip = libnet_get_ipaddr4(l))==-1)
644
w_error(1, "Can't get local ip address : %s\n", libnet_geterror(l));
647
/* Dotted quad of the current host: at most 15 chars + NUL, so testip must be at least 16 bytes
   (declared outside this fragment). */
sprintf(testip, "%d.%d.%d.%d", uphost[i].ip[0], uphost[i].ip[1], uphost[i].ip[2], uphost[i].ip[3]);
650
n_print("princ",++lineh,1,lg,"Wait for scanning...");
651
n_print("princ",lineh,22,lg,"%d.%d.%d.%d\n\n", uphost[i].ip[0], uphost[i].ip[1], uphost[i].ip[2], uphost[i].ip[3]);
652
n_print("princ",++lineh,2,lg,"State Port Services Notes\n\n");
654
/* Return value ignored here, unlike in port(). */
pcap_lookupnet(dev,&netp,&maskp,errbuf);
658
/* Non-promiscuous capture with a 10 ms read timeout (port() uses 1 ms). */
if ((descr = pcap_open_live (dev, BUFSIZ, NOT_PROMISC, 10,errbuf)) == NULL)
660
w_error(1,"pcap_open_live() error: %s\n",errbuf);
663
/* Selectable descriptor of the capture handle, used by the select() timeout below. */
sd = pcap_fileno(descr);
665
/* device() apparently yields the link-layer header length for dev; offset is added to every packet pointer below. */
if ((offset=(device(dev,descr)))==-1) return -1;
668
/* One (bport, eport) pair per range in the port list. */
while (libnet_plist_chain_next_pair(plist_p, &bport, &eport))
670
/* Walk bport..eport; bport == 0 terminates (the increment is not in this fragment). */
while (!(bport > eport) && bport != 0)
673
/* Same constant source port as port(); the sequence number differs (1234567) but is equally
   constant — the reply check below only tests th_seq != 0, and constant fields make the probes
   trivially fingerprintable by an IDS. */
tcp = libnet_build_tcp(
674
1050, /* source port */
675
cport, /* destination port */
676
1234567, /* sequence number */
677
0, /* acknowledgement num */
678
TH_SYN, /* control flags */
679
32767, /* window size */
681
0, /* urgent pointer */
682
LIBNET_TCP_H, /* TCP packet size */
684
0, /* payload size */
685
l, /* libnet handle */
686
tcp); /* libnet id */
691
w_error(1, "Can't build TCP header: %s\n", libnet_geterror(l));
698
t = libnet_build_ipv4(
699
LIBNET_IPV4_H + LIBNET_TCP_H, /* length */
704
IPPROTO_TCP, /* protocol */
706
src_ip, /* source IP */
707
inet_addr(testip), /* destination IP */
709
0, /* payload size */
710
l, /* libnet handle */
716
w_error(1, "Can't build IP header: %s\n", libnet_geterror(l));
724
w_error(1, "Error: %s\n", libnet_geterror(l));
735
/* NOTE(review): unlike port(), the pcap_next() result is not checked for NULL before the casts
   below, so a read timeout (10 ms here) ends in a NULL dereference; add the same
   `if (pkt == NULL)` guard port() has. No BPF filter is installed and no source address/port
   comparison is visible, so any frame on the wire can be classified as a probe reply. */
pkt = (u_char *) pcap_next(descr,&pcap_h);
736
/* Fixed 20-byte IPv4 header assumed (ip_hl not consulted) and no pcap_h.caplen check visible,
   so short or option-carrying frames are misparsed. sizeof(struct libnet_ipv4_hdr) on the Tcp
   line and LIBNET_IPV4_H on the icmp line are meant to be the same offset — pick one. */
ip = (struct libnet_ipv4_hdr *) (pkt + offset);
737
icmp = (struct libnet_icmpv4_hdr *) (pkt + offset + LIBNET_IPV4_H);
738
Tcp = (struct libnet_tcp_hdr *) (pkt + offset + sizeof(struct libnet_ipv4_hdr));
740
/* Appears to run before ip_p is checked, so for ICMP replies this reads ICMP bytes as TCP flags. */
if (Tcp->th_flags == (TH_RST|TH_ACK))
746
/* Returns a static buffer (not reentrant). */
service = getservbyport(htons(cport), "tcp");
748
/* Kept only the ICMP types that make sense for filtering... I doubt an echo_request is right :) */
749
/* ICMP reply: report as Filtered and decode the unreachable code; (*) marks a suspected REJECT rule. */
if(ip->ip_p == IPPROTO_ICMP)
751
n_print("princ",lineh,2,lg,"Filtered %d %s", cport, (service) ? service->s_name : "unknown");
752
if(!graph || (graph && lg)) fprintf(logd,"\t\t\t");
753
switch((icmp->icmp_type))
757
switch (icmp->icmp_code)
760
n_print("princ",lineh,56,lg,"Network Unreachable(*)\n");
763
n_print("princ",lineh,56,lg,"Host Unreachable(*)\n");
766
/* Written with fprintf() rather than n_print() like its siblings, so it reaches only the log
   stream (presumably not the ncurses window); port() uses n_print() here. */
fprintf(logd,"Protocol Unreachable(*)\n");
769
n_print("princ",lineh,56,lg,"Port Unreachable(*)\n");
772
n_print("princ",lineh,56,lg,"Destination network administratively prohibited(*)\n");
775
n_print("princ",lineh,56,lg,"Destination host administratively prohibited(*)\n");
778
n_print("princ",lineh,56,lg,"Comm. administratively prohibited(*)\n");
784
/* Any other ICMP type: print its raw number (%i and port()'s %d are equivalent). */
n_print("princ",lineh,56,lg,"%i(*)\n", icmp->icmp_type);
792
/* No reply within tv: report as Filtered with (**), a suspected DROP rule. */
if (!select(sd+1, &rfsd, NULL, NULL, &tv))
794
n_print("princ",lineh,2,lg,"Filtered %d %s", cport,(service) ? service->s_name : "unknown");
795
if(!graph || (graph && lg)) fprintf(logd,"\t\t\t");
796
n_print("princ",lineh,56,lg,"SYN packet timeout(**)\n");
802
/* SYN/ACK with a non-zero sequence number: the port is reported Open. */
if (Tcp->th_seq != 0 && (Tcp->th_flags == (TH_SYN|TH_ACK)))
804
n_print("princ",lineh,2,lg,"Open %d %s", cport,(service) ? service->s_name : "unknown");
805
if(!graph || (graph && lg)) fprintf(logd,"\t\t\t");
806
n_print("princ",lineh,56,lg,"None\n");
815
/* Per-host summary; 'close' is the closed-port counter declared outside this fragment. */
n_print("princ",++lineh,2,lg,"\nAll the other %d ports are in state closed\n",close);
816
if (fr!=0) n_print("princ",++lineh,1,lg,"(*)Possible REJECT rule in the firewall\n");
817
if (fd!=0) n_print("princ",++lineh,1,lg,"(**)Possible DROP rule in the firewall\n");
827
n_print("winfo",2,2,lg,"Scanning terminated on %s\n",timed);
830
/* Plain printf() where port() uses n_print(); "writed" is a runtime string, left as is. */
printf ("Done! Results has been writed to '%s'\n", logname);