50
void checkport(int port, char command[]) {
60
fich_tmp=popen (command, "r") ;
63
while (!feof(fich_tmp) && ok == 0) {
65
fgets(ports, 30, fich_tmp);
67
sprintf(compare,"%i\n",port);
69
if (strcmp(ports, compare) == 0) {ok = 1;}
78
printf ("Found Hidden port that not appears in netstat: %i\n", port) ;
91
printf ("Unhide 20110113\n") ;
92
printf ("http://www.unhide-forensics.info\n\n\n") ;
94
printf ("Starting TCP checking\n\n") ;
96
for (i =1; i < 65535; i++) {
99
struct sockaddr_in address;
102
socket_desc=socket(AF_INET,SOCK_STREAM,0);
104
address.sin_family = AF_INET;
105
address.sin_addr.s_addr = INADDR_ANY;
106
address.sin_port = htons(i);
108
bind(socket_desc,(struct sockaddr *)&address,sizeof(address));
109
listen(socket_desc,1);
115
checkport(i, tcpcommand);
122
printf ("Starting UDP checking\n\n") ;
125
for (u =1; u < 65535; u++) {
128
struct sockaddr_in address;
131
socket_desc=socket(AF_INET,SOCK_DGRAM,0);
133
address.sin_family = AF_INET;
134
address.sin_addr.s_addr = INADDR_ANY;
135
address.sin_port = htons(u);
137
bind(socket_desc,(struct sockaddr *)&address,sizeof(address));
143
checkport(u, udpcommand);
96
* Run a command to get more information about a port.
98
static void print_info(const char *prog_name, const char *command_fmt, int port)
104
sprintf(buffer, command_fmt, port);
105
fp = popen(buffer, "r") ;
109
warnln(verbose, unlog, "Couldn't run command: %s", buffer) ;
113
msgln(unlog, 1, "%s reports :", prog_name) ;
115
while (NULL != fgets(buffer, 1000, fp))
117
msgln(unlog, 1, buffer) ;
123
/* Print a port, optionally querying info about it via lsof or fuser. */
124
void print_port(enum Proto proto, int port)
126
msgln(unlog, 0, "\nFound Hidden port that not appears in %s: %i", checker, port) ;
131
print_info("fuser", fuserTCPcommand, port);
135
print_info("fuser", fuserUDPcommand, port);
142
print_info("lsof", lsofTCPcommand, port);
146
print_info("lsof", lsofUDPcommand, port);
153
* Check if port is seen by netstat.
155
* If not, report it and optionnally run lsof and/or fuser
158
int checkoneport(int port, char command[], enum Proto proto)
166
if (NULL != (fich_tmp=popen (command, "r")))
168
sprintf(compare,"%i\n",port);
169
while ((NULL != fgets(ports, 30, fich_tmp)) && ok == 0) {
170
if (strcmp(ports, compare) == 0) {ok = 1;}
176
die(unlog, "Couldn't execute command : %s while checking port %d", command, port) ;
182
* Check all TCP ports one by one.
184
static void print_hidden_TCP_ports_1_by_1(enum Proto proto)
187
char tcpcommand[512] ;
190
for (i =1; i <= 65535; i++)
193
struct sockaddr_in address;
195
if ( -1 != (socket_desc=socket(AF_INET,SOCK_STREAM,0)))
197
address.sin_family = AF_INET;
198
address.sin_addr.s_addr = INADDR_ANY;
199
address.sin_port = htons(i);
201
if ( -1 != bind(socket_desc,(struct sockaddr *)&address,sizeof(address)))
203
listen(socket_desc,1);
204
if ( EADDRINUSE == errno ) // port is listened by another process
208
sprintf(tcpcommand, tcpcommand2, i) ;
212
strncpy(tcpcommand, tcpcommand1, 512) ;
214
if (0 == checkoneport(i, tcpcommand, TCP))
217
listen(socket_desc,1);
218
if ( EADDRINUSE == errno ) // port is still listened by another process
221
print_port(proto, i) ;
233
if (EADDRINUSE == errno) //port is in use by another process
237
sprintf(tcpcommand, tcpcommand2, i) ;
241
strncpy(tcpcommand, tcpcommand1, 512) ;
243
if (0 == checkoneport(i, tcpcommand, TCP))
246
if ( -1 == bind(socket_desc,(struct sockaddr *)&address,sizeof(address)))
248
if ( EADDRINUSE == errno ) // port is still used by another process
251
print_port(proto, i) ;
255
warnln(verbose, unlog, "can't bind to socket while checking port %d", i) ;
269
warnln(verbose, unlog, "can't create socket while checking port %d/tcp", i) ;
275
* Check all UDP ports one by one.
277
static void print_hidden_UDP_ports_1_by_1(enum Proto proto)
280
char udpcommand[512] ;
284
for (u = 1; u <= 65535; u++)
287
struct sockaddr_in address;
289
if ( -1 != (socket_desc=socket(AF_INET,SOCK_DGRAM,0)))
291
address.sin_family = AF_INET;
292
address.sin_addr.s_addr = INADDR_ANY;
293
address.sin_port = htons(u);
295
if ( 0 != bind(socket_desc,(struct sockaddr *)&address,sizeof(address)))
297
if ( EADDRINUSE == errno ) //port is in use by another process
301
sprintf(udpcommand, udpcommand2, u) ;
305
strncpy(udpcommand, udpcommand1, 512) ;
308
if (0 == checkoneport(u, udpcommand, UDP))
311
if ( 0 != bind(socket_desc,(struct sockaddr *)&address,sizeof(address))) // port is still in use by another process
313
if ( EADDRINUSE == errno ) //port is in use by another process
316
print_port(proto, u) ;
325
warnln(verbose, unlog, "can't bind to socket while checking port %d", u) ;
328
else // port is available
335
warnln(verbose, unlog, "can't create socket while checking port %d/udp", u) ;
344
void usage(char * command) {
346
printf("Usage: %s [options] \n\n", command);
347
printf("Options :\n");
348
printf(" -V Show version and exit\n");
349
printf(" -v verbose\n");
350
printf(" -h display this help\n");
351
printf(" -f show fuser output for hidden ports\n");
352
printf(" -l show lsof output for hidden ports\n");
353
printf(" -o log result into unhide-tcp.log file\n");
354
printf(" -s use very quick version for server with lot of opened ports\n");
355
printf(" -n use netstat instead of ss\n");
359
* Parse command line arguments (exiting if requested by any option).
361
void parse_args(int argc, char **argv)
365
static struct option long_options[] =
367
/* These options set a flag. */
368
{"verbose", no_argument, &verbose, 1},
369
{"brief", no_argument, &verbose, 0},
370
{"fuser", no_argument, &use_fuser, 1},
371
{"lsof", no_argument, &use_lsof, 1},
372
{"log", no_argument, &logtofile, 1},
373
{"netstat", no_argument, &use_ss, 0},
374
{"server", no_argument, &use_quick, 1},
375
/* These options don't set a flag.
376
We distinguish them by their indices. */
377
{"help", no_argument, 0, 'h'},
378
{"version", no_argument, 0, 'V'},
382
for(;;) // until there's no more option
384
/* getopt_long stores the option index here. */
385
int option_index = 0;
387
c = getopt_long (argc, argv, "Vvhflosn",
388
long_options, &option_index);
390
/* Detect the end of the options. */
396
case 0 : // flag long options
397
if (long_options[option_index].flag != 0) //if this option set a flag
399
break; // nothing to do
401
printf ("option %s", long_options[option_index].name);
402
if (optarg) // if there's an argument
404
printf (" with arg %s", optarg);
433
case '?' : // invalid option
436
default : // something very nasty happened
443
// generate options string for logging
444
strncpy(used_options, "Used options: ", 1000);
446
strncat(used_options, "verbose ", 1000-1-strlen(used_options));
448
strncat(used_options, "use_lsof ", 1000-1-strlen(used_options));
450
strncat(used_options, "use_fuser ", 1000-1-strlen(used_options));
452
strncat(used_options, "use_netscape ", 1000-1-strlen(used_options));
454
strncat(used_options, "use_quick ", 1000-1-strlen(used_options));
456
strncat(used_options, "logtofile ", 1000-1-strlen(used_options));
460
* Look for TCP and UDP ports that are hidden to netstat.
462
* Returns 0 if none is found, 1 if there is some internal error, 4 if TCP
463
* hidden ports were found, 8 if UDP hidden ports were found or 12 (4 & 8) if
466
int main(int argc, char **argv)
473
die(unlog, "You must be root to run %s !", argv[0]) ;
476
parse_args(argc, argv) ;
480
unlog = init_log(logtofile, header, "unhide-tcp") ;
482
msgln(unlog, 0, used_options) ;
486
strncpy(checker, "ss", 10);
490
strncpy(checker, "netstat", 10);
493
setpriority(PRIO_PROCESS,0,-20); /* reduce risk of race condition - may fail, dont care */
495
msgln(unlog, 0, "[*]Starting TCP checking") ;
498
print_hidden_ports(TCP);
502
print_hidden_TCP_ports_1_by_1(TCP) ;
509
msgln(unlog, 0, "[*]Starting UDP checking") ;
512
print_hidden_ports(UDP);
516
print_hidden_UDP_ports_1_by_1(UDP) ;
525
close_log(unlog, "unhide-tcp") ;
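Review bot: In print_info, `msgln(unlog, 1, buffer) ;` (new line 117) passes each line read from the fuser/lsof pipe as the format argument, while print_port calls msgln with a format string plus arguments, so a `%` in a process or file name reported by those tools would be parsed as a conversion inside a program that requires root. Pass the text as data instead: `msgln(unlog, 1, "%s", buffer) ;`. The call `msgln(unlog, 0, used_options) ;` in main deserves the same form, although that string is built from constants. Separately, in print_hidden_TCP_ports_1_by_1 `listen(socket_desc,1);` is followed by `if ( EADDRINUSE == errno )` with no visible test of listen's return value, so errno may be left over from an earlier call and yield a false "hidden port" report; checking `-1 == listen(socket_desc,1)` first would avoid that. Only part of each function body is shown on this page, so both points should be confirmed against the full file.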