[TOOL] ScanUDP, Improved UDP Scanning Tool
From: support@securiteam.com Date: 11/07/02
From: support@securiteam.com To: list@securiteam.com Date: 7 Nov 2002 10:42:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ScanUDP, Improved UDP Scanning Tool
------------------------------------------------------------------------
DETAILS
This simple program, written in C for Linux, scans for UDP ports on remote
hosts to determine which UDP services they offer. All the UDP scanners
that Fryxar tried work on the following principle:
UDP datagram -> Closed Port -> ICMP Port Unreachable
UDP datagram -> Open Port -> No Reply (or application dependent)
But if the scanned devices are behind a firewall that silently drops the
probes or the ICMP replies, all the ports will seem open. So what scanudp
does is send "protocol-dependent packets" and wait for the application's
response. To add new "protocol-dependent packets", simply modify the
"port" array variable.
Tool:
/* UDP Scanner (with protocol probes)
By: fryxar
Compile: gcc scanudp.c -o scanudp
*/
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>
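#define VERSION "1.0"
#define MAXBUF 1400   /* size in bytes of main()'s receive buffer */
#define MAXSCAN 100   /* capacity of main()'s socket array: one socket per probe */
#define TIMEOUT 6     /* not referenced anywhere in this file; main() defaults to 10 */

/* Run-time settings filled in from the command line. */
typedef struct config {
    int timeout;        /* seconds to wait for replies before reading them */
} config;

/*
 * One application-level probe: a fixed request sent to a UDP port and the
 * reply prefix that counts as a match.
 */
typedef struct scan {
    u_int16_t number;   /* UDP port number; 0 terminates the table */
    char *name;         /* Service name printed by usage() */
    char *outstring;    /* Bytes to send (protocol dependent) */
    int outstringlen;   /* Number of bytes of outstring to send */
    char *instring;     /* Expected reply prefix (protocol dependent);
                           NULL accepts any non-empty reply */
    int instringlen;    /* Length of instring; not used when instring is NULL */
    char match;         /* Set once the port has been reported; always starts at 0 */
} scan;

/*
 * Port scanning probe definitions (protocol dependent).
 *
 * Every payload is a constant: the leading two bytes of the dns and
 * ns-netbios probes and the request-id fields of the two snmp probes never
 * change between runs, so traffic from an unmodified copy of this tool can
 * be recognised by those byte sequences.
 */
struct scan port[] = {
    { 7, "echo",
      "probe", 5, "probe", 5, 0 },
    { 13, "daytime",
      "\x0a", 1, NULL, 0, 0 },
    { 19, "chargen",
      "\x0a", 1, NULL, 0, 0 },
    /* dig @ip localhost A */
    { 53, "dns",
      "\x68\x6c\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x00\x00\x01\x00\x01", 27, NULL, 0, 0 },
    /* echo "get a" | tftp ip */
    { 69, "tftp",
      "\x00\x01\x61\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00", 13, NULL, 0, 0 },
    /* ntpq -p ip
     * NOTE(review): the literal holds 12 bytes, so a length of 13 also sends
     * its terminating NUL. Kept as published; confirm whether 12 was meant. */
    { 123, "ntp",
      "\x16\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00", 13, NULL, 1, 0 },
    /* nbtstat -A ip */
    { 137, "ns-netbios",
      "\x98\x38\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x20\x43\x4b\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x21\00\01", 50, NULL, 1, 0 },
    /* snmpwalk ip ILMI */
    { 161, "snmp(ILMI)",
      "\x30\x24\x02\x01\x00\x04\x04\x49\x4c\x4d\x49\xa1\x19\x02\x04\x18\x39\x99\xcd\x02\x01\x00\x02\x01\x00\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01\x05\x00", 38, NULL, 0, 0 },
    /* snmpwalk ip public */
    { 161, "snmp(public)",
      "\x30\x26\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\xa1\x19\x02\x04\x2c\x60\x2d\xb6\x02\x01\x00\x02\x01\x00\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01\x05\x00", 40, NULL, 0, 0 },
    /* Terminator: number == 0 ends every loop over this table. */
    { 0, NULL, NULL, 0, NULL, 0, 0 }
};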
/*
 * Print the banner, the option summary and the names of all probes in
 * port[] to stderr, then terminate the process with exit(-1).
 *
 * program: name to show in the banner and usage line (argv[0] in main()).
 * Does not return.
 */
void usage(char *program) {
    const struct scan *probe;

    fprintf(stderr,
            "%s v"VERSION" - by: Franco Pieressa\n"
            "usage: %s [options] <host>\n\n",
            program, program);
    fputs("options:\n"
          " -t <timeout> Set port scanning timeout\n"
          "\nSupported protocol:\n",
          stderr);

    /* The table ends at the first entry whose port number is 0. */
    probe = port;
    while (probe->number) {
        fprintf(stderr, "%s ", probe->name);
        probe++;
    }

    fputs("\n\n", stderr);
    exit(-1);
}
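/* Global settings; only the timeout is configurable (option -t). */
struct config conf;

/*
 * Send every probe in port[] to <host>, wait conf.timeout seconds, then
 * print "<host>\t<port>/udp" for each port whose socket holds an acceptable
 * reply.
 *
 * Usage: scanudp [-t <timeout>] <host>
 *
 * Exit status: 0 on completion, 255 (exit(-1)) on usage or resolver errors,
 * 2 socket(), 3 probe table larger than MAXSCAN, 4 connect(), 5 send(),
 * 6 select().
 *
 * Replies come from the scanned host and are untrusted: they are only
 * length-checked and compared against the expected prefix, never parsed.
 */
int main(int argc, char *argv[]) {
    char buf[MAXBUF], *host, *end;
    int fd[MAXSCAN], opt, nread, i, j, maxfd, repeat, matched;
    long secs;
    struct timeval tv;
    struct sockaddr_in dest_addr;
    fd_set fdset;
    struct hostent *he;

    // Set defaults
    conf.timeout = 10;

    if (argc < 2) usage(argv[0]);

    /* opt is an int: getopt() returns int, and comparing a plain char with
       -1 never succeeds where char is unsigned. */
    while ((opt = getopt(argc, argv, "t:")) != -1) {
        switch (opt) {
        case 't':
            /* Reject empty, non-numeric, negative or out-of-range values
               instead of letting atoi() turn them into 0 or garbage. */
            errno = 0;
            secs = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE ||
                secs < 0 || secs > INT_MAX)
                usage(argv[0]);
            conf.timeout = (int)secs;
            break;
        default:
            usage(argv[0]);
            break;
        }
    }

    /* Without this check "scanudp -t 5" would treat "5" as the host. */
    if (optind >= argc) usage(argv[0]);
    host = argv[argc - 1];

    if ((he = gethostbyname(host)) == NULL) {
        fprintf(stderr, "Error: Cannot resolve %s!\n", host);
        exit(-1);
    }
    /* Only an IPv4 address of the expected size may be copied into sin_addr. */
    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof(dest_addr.sin_addr)) {
        fprintf(stderr, "Error: Cannot resolve %s!\n", host);
        exit(-1);
    }

    /* Zero the whole address so sin_zero is not left uninitialised. */
    memset(&dest_addr, 0, sizeof(dest_addr));
    dest_addr.sin_family = AF_INET;
    memcpy(&dest_addr.sin_addr, he->h_addr, sizeof(dest_addr.sin_addr));

    FD_ZERO(&fdset);
    maxfd = 0;
    for (i = 0; port[i].number; i++) {
        /* fd[] has MAXSCAN slots; a longer probe table would overrun it. */
        if (i >= MAXSCAN) {
            fprintf(stderr, "Error: more than %d probes defined\n", MAXSCAN);
            exit(3);
        }
        if ((fd[i] = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
            perror(NULL);
            exit(2);
        }
        /* FD_SET() on a descriptor >= FD_SETSIZE writes outside the set. */
        if (fd[i] >= FD_SETSIZE) {
            fprintf(stderr, "Error: descriptor %d does not fit in an fd_set\n",
                    fd[i]);
            close(fd[i]);
            exit(2);
        }
        if (maxfd < fd[i]) maxfd = fd[i];
        FD_SET(fd[i], &fdset);

        /* One connected socket per probe, so a reply is attributed to its
           probe by the socket it arrives on. */
        dest_addr.sin_port = htons(port[i].number);
        if (connect(fd[i], (struct sockaddr *)&dest_addr,
                    sizeof(dest_addr)) < 0) {
            perror(NULL);
            close(fd[i]);
            exit(4);
        }

        /* Send straight from the table: copying through buf first would
           overflow it for any probe longer than MAXBUF. */
        if (send(fd[i], port[i].outstring,
                 (size_t)port[i].outstringlen, 0) < 0) {
            perror(NULL);
            close(fd[i]);
            exit(5);
        }
    }

    // Wait for timeout
    sleep((unsigned int)conf.timeout);

    /* Zero timeout: poll once for the sockets that became readable while
       the process slept. */
    tv.tv_sec = 0;
    tv.tv_usec = 0;
    if (select(maxfd + 1, &fdset, NULL, NULL, &tv) < 0) {
        perror(NULL);
        exit(6);
    }

    for (i = 0; port[i].number; i++) {
        matched = 0;
        if (FD_ISSET(fd[i], &fdset)) {
            /* A failed or empty read is treated as "no service". On Linux a
               pending ICMP port-unreachable for a connected UDP socket is
               reported here as a recv() error. */
            nread = (int)recv(fd[i], buf, sizeof buf, 0);
            if (nread > 0) {
                if (port[i].instring == NULL)
                    matched = 1;
                /* Require a reply at least as long as the expected prefix,
                   so memcmp() never reads bytes recv() did not write. */
                else if (nread >= port[i].instringlen &&
                         memcmp(buf, port[i].instring,
                                (size_t)port[i].instringlen) == 0)
                    matched = 1;
            }
        }
        /* Close on every path, including a reply that did not match. */
        close(fd[i]);
        if (!matched) continue;

        /* Several probes may target one port (the two snmp entries);
           report the port only once. */
        for (repeat = 0, j = 0; j < i; j++)
            if (port[i].number == port[j].number && port[j].match > 0)
                repeat = 1;
        if (!repeat) {
            printf("%s\t%d/udp\n", host, port[i].number);
            port[i].match++;
        }
    }
    exit(0);
}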
ADDITIONAL INFORMATION
The information has been provided by <mailto:fryxar@datafull.com> Fryxar.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.