-
March 25th, 2002, 07:23 AM
#1
Junior Member
port scanner
hi ,
I want to make a port scanner in C. Could somebody explain to me the working of a port scanner? From where should I begin? Can anyone also point me to the relevant links?
Thanx,
Rohit.
-
March 25th, 2002, 07:58 AM
#2
Member
here is a very simple port scanner in php, save it in a php file, create a form passing values $host $lowport and $highport and you have yourself a nice little lightweight port scanner. I know you asked for one in c but I don't know c although it should be similar. hope it helps.
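// Per-connection timeout in seconds for fsockopen().
$time = 1;
// This snippet expects $pressed, $host, $lowport and $highport to arrive as
// globals from the form (register_globals).  Everything a browser submits
// therefore reaches fsockopen() unless it is checked first, and whoever can
// load this page can make the web server open connections on their behalf.
// Keep it behind authentication, validate the inputs (done below) and
// restrict which targets are allowed according to your own policy.
if ($pressed)
{
    set_time_limit(0);
    $host = trim($host);
    $lowport = (int) $lowport;      // non-numeric input becomes 0 and is rejected
    $highport = (int) $highport;
    // Accept only host-name/IPv4 characters and a sane, ordered port range.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}\z/', $host)
        || $lowport < 1 || $highport > 65535 || $lowport > $highport) {
        echo "Invalid host or port range";
        flush();
    } else {
        echo "Scanning $host...\n"; flush();
        for ($i = $lowport; $i <= $highport; $i++) {
            // The original passed $target here, which is never assigned;
            // $host is the value the form supplies and the one echoed below.
            $portn = fsockopen($host, $i, $errno, $errstr, $time);
            if (!$portn) {
                echo "Port $i is not open on $host";
                flush();
            } else {
                echo "Open port at $i";
                flush();
                fclose($portn);
            }
        }
    }
}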
-
March 25th, 2002, 05:22 PM
#3
I think using the built in socket functionality of Unix the above could be ported quickly to C. But why bother since the PHP script appears legit.
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke
-
March 25th, 2002, 05:30 PM
#4
Senior Member
try writing a stealth PS in PHP script...i think C would be a better candidate for that.....nevertheless rohit u could try The ethical......... Ankit Fadia..it has both the c and perl code plus a brief description..i m not sure but there could be something on his site too..... check it out hackingtruths.box.sk
Better Laugh At Your Own Problems..
Coz...The World Laughs At Them
-
March 25th, 2002, 05:32 PM
#5
Well, I think it kicks ass that you actually want to write one, instead of just running someone else's script. I would recommend dl'ing the source for a couple of open source port scanners, and go from there.
From where should i begin?
Well:
void main (){
That should get you started.
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
March 25th, 2002, 05:47 PM
#6
Member
I wouldn't know where to begin on a stealth PS in PHP; is it even possible? If so I'd like to hear some ideas.
Souleman, I agree with you on not using someone else's work; I just posted that so he could see the logic behind one, then as dspeidel stated he could port it to C. I am currently working on a tutorial with a more advanced version of that script, hope to have it done in a day or 2.
-
March 25th, 2002, 10:00 PM
#7
Looking at the source code for NMAP might be a good place to start, since its the best port scanner ever to roam the Earth.
www.insecure.org/nmap
-
April 4th, 2002, 08:03 PM
#8
It's simple!
You only have to make a program that connects to the target to see if the port is open! You can use a for loop:
a = some input (start)
b = some input (end)
for(i = a; i <= b; i++)
{
If()
blah
else
blah
}
There you can scan the range the user typed!
-
April 4th, 2002, 08:04 PM
#9
Basic:
Connect to a port; if it's open return 1, if not return 0.......
and then just print out!
-
April 4th, 2002, 09:23 PM
#10
Yet again, Google saves the day... I did a search for portscan.c and I got this.... The original page is here [http://staticdischarge.org/Hacking/Sources/PORTSCAN.C]
Code:
/*
* internet port scanner
*
* This program will scan a hosts TCP ports printing all ports that accept
* connections, and if known, the service name.
* This program can be trivially altered to do UDP ports also.
*
* Kopywrong (K) Aug. 25, '94 [email protected]
*
* Hey kiddies, this is a C program, to run it do this:
* $ cc -o pscan pscan.c
* $ pscan <host> [max port]
*
* No, this will not get you root.
*
* Changes:
* Changed fprintf to printf in line 34 to work with my Linux 1.1.18 box
* Netrunner 1/18/95 11:30pm
*
* Changes:
* converts port# to network byte order.
* Therapy 10/29/96 9:00pm
*
*/
/* SCCS version string embedded in the binary; nothing in the code reads it. */
static char sccsid[] = "@(#)pscan.c 1.0 (KRAD) 08/25/94";
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#define MAX_PORT 1024 /* highest port scanned when none is given on the command line */
int s;                    /* socket descriptor created and closed by skan() */
struct sockaddr_in addr;  /* target address, filled in by skan() before connect() */
char rmt_host[100];       /* target as a dotted quad: written by main(), read by skan() */
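/*
 * Probe one TCP port on the host held in the global rmt_host.
 *
 * Opens a fresh stream socket, attempts a blocking connect() to
 * rmt_host:port and closes the socket again.  Returns 1 when the
 * connect() succeeded (something accepted the connection) and 0 when it
 * failed for any reason (refused, filtered/timed out, unreachable) or
 * when rmt_host is not a valid dotted quad.  Exits with status 1 if no
 * socket can be created, since nothing useful can happen after that.
 */
int skan(int port)
{
    int r;

    s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        fprintf(stderr, "ERROR: socket() failed\n");
        exit(1);    /* non-zero so a failed run is distinguishable in scripts */
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr(rmt_host);
    /*
     * inet_addr() signals a malformed address with INADDR_NONE, which is
     * also the broadcast address; without this check a bad rmt_host would
     * silently be "scanned" as 255.255.255.255.
     */
    if (addr.sin_addr.s_addr == INADDR_NONE) {
        close(s);
        return 0;
    }
    r = connect(s, (struct sockaddr *)&addr, sizeof(addr));
    close(s);
    return r != -1;
}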
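/*
 * Entry point: pscan <host> [highest port]
 *
 * <host> is either a dotted-quad IPv4 address or a name gethostbyname()
 * can resolve; either way the address ends up in the global rmt_host as a
 * dotted quad because skan() reads it from there.  Ports 1..highest
 * (default MAX_PORT) are probed in order and every port that accepted a
 * connection is printed with the service name from the services database,
 * or UNKNOWN.  Returns 1 on a usage, resolution or range error, 0 otherwise.
 */
int main(int argc, char *argv[])
{
    int a, b, c, d, e, f;
    struct hostent *foo;
    struct servent *bar;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <host> [highest port]\n", argv[0]);
        return 1;
    }
    /* Four dotted integers are taken as an address; anything else is resolved. */
    if (sscanf(argv[1], "%d.%d.%d.%d", &a, &b, &c, &d) != 4) {
        foo = gethostbyname(argv[1]);
        if (foo == NULL || foo->h_addr_list[0] == NULL) {
            fprintf(stderr, "error: cannot resolve host %s\n", argv[1]);
            return 1;
        }
        /* First address only, one octet at a time (cast keeps bytes >127 positive). */
        sprintf(rmt_host, "%d.%d.%d.%d",
                (unsigned char)foo->h_addr_list[0][0],
                (unsigned char)foo->h_addr_list[0][1],
                (unsigned char)foo->h_addr_list[0][2],
                (unsigned char)foo->h_addr_list[0][3]);
    } else {
        /* strncpy() does not NUL-terminate on truncation; do it explicitly. */
        strncpy(rmt_host, argv[1], sizeof(rmt_host) - 1);
        rmt_host[sizeof(rmt_host) - 1] = '\0';
    }
    if (argc > 2) {
        f = atoi(argv[2]);
    } else {
        f = MAX_PORT;
    }
    /* TCP ports are 16-bit; atoi() happily returns 0 or huge values. */
    if (f < 1 || f > 65535) {
        fprintf(stderr, "error: highest port must be between 1 and 65535\n");
        return 1;
    }
    fprintf(stdout, "Scanning host %s - TCP ports 1 through %d\n", rmt_host, f);
    for (e = 1; e <= f; e++) {
        if (skan(e)) {
            /* getservbyport() expects the port in network byte order. */
            bar = getservbyport(htons(e), "tcp");
            printf("%d (%s) is running.\n", e,
                   (bar == NULL) ? "UNKNOWN" : bar->s_name);
        }
    }
    return 0;
}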
------------------------------------------------------------------------------------
Here is another simple portscanner written in PERL
#!/usr/bin/perl
#
# A simple TCP port scanner in perl
# [email protected] 27 January 1996
#
# output to stdout, logging to stderr
#
# todo -
# better arg handling :)
# fork() scans?
# ports to scan:
# 21 - ftp
# 23 - telnet
# 25 - smtp
# 79 - finger
# 80 - www
# 119 - nntp
# 139 - netbios (wfwg over tcpip)
# 8000 - occasional www
# 8080 - ocassional www
# Ports probed on every host; the service each one usually carries is
# listed in the header comment above.
@myports = qw(21 23 25 79 80 119 139 8000 8080);
require 'sys/socket.ph';    # AF_INET / PF_INET / SOCK_STREAM constants
require 'flush.pl';         # flush() used when a result is printed
$SIG{'ALRM'} = \&do_alarm;  # connect and read timeouts are driven by alarm()
# The first argument is the three leading octets of the /24 to walk.
unless (defined $ARGV[0] and length $ARGV[0]) {
    print "please provide a subnet to scan! e.g., 134.114.84\n";
    exit 1;
}
#
# Main loop: every host in the /24 named by the first argument is probed on
# each port in @myports.  Progress goes to STDERR, hits to STDOUT as
# "name:port:banner".
#
{
    $net = $ARGV[0];
    # Nothing checks that the argument really has three dotted parts.
    ($a, $b, $c) = split(/\./, $net);
    # NOTE(review): $a, $b, $c and $d are package globals that scan() also
    # assigns (from the resolved target address), so the loop only keeps
    # counting correctly because that address round-trips to the same quad.
    for ($d=0;$d<256;$d++) {
        $host = "$a.$b.$c.$d";
        # Fresh copy per host because shift() below consumes the list.
        @portlist = @myports;
        while(@portlist) {
            $port = shift(@portlist);
            print STDERR "Trying $host:$port\n";
            # scan() returns "FAILED: ..." or whatever the service sent back.
            $data = scan($host, $port);
            # Anything that does not start with "FAILED" is reported as open.
            if (index($data, "FAILED") != 0) {
                @addr = split(/\./, $host);
                # @addr[0] etc. are one-element slices that happen to work;
                # $addr[0] is the intended scalar form.
                $addr = pack(' C4', @addr[0], @addr[1], @addr[2], @addr[3]);
                # Reverse lookup (2 is AF_INET on common systems); fall back
                # to the dotted quad when there is no name.
                ($name, $aliases, $type, $len, @addrs) = gethostbyaddr($addr, 2);
                if ($name eq "") {
                    $name = $host;
                }
                print STDOUT "$name:$port:$data\n";
                flush(STDOUT);
            }
        }
    }
}
#
# scan (host, port)
# returns error or banner
#
# Connects to $hostname:$serverport from a random local port, with a
# $connecttimeout-second limit on the connect and a $bannertimeout-second
# limit on reading whatever the service sends first.  Returns a string
# beginning with "FAILED: " when the connect does not succeed; otherwise
# the data read from the socket with CR and LF turned into dots (the
# caller only tests the "FAILED" prefix).  Works on the package-global
# filehandle C and assigns several package globals ($a..$d, $name,
# $proto, $banner, ...) that the calling loop shares.
#
sub scan
{
    $hostname = shift @_;
    $serverport = shift @_;
    $connecttimeout = "1"; # time to wait for a reply
    $bannertimeout = "7"; # time to wait for data after a connect
init:
    # seed & pick a random port number
    # (there is no srand(); calling rand() $$ times only advances the
    # generator, it does not seed it)
    for ($i=0; $i < $$; $i++) { rand(); }
    $clientport = int(rand(32768) + 1024);
    $sockaddr = 'S n a4 x8';
    $locport=pack($sockaddr, &AF_INET, $clientport, "\0\0\0\0");
    # NOTE: $proto is read here but only assigned by the getprotobyname()
    # call further down, so on the first call it is undef (protocol 0);
    # the kernel still picks TCP for SOCK_STREAM.
    if (!socket(C, &PF_INET, &SOCK_STREAM, $proto)) {
        #print "WARNING - couldn't create client socket: $!\n";
        # Unbounded retry: a persistent socket() failure loops here forever.
        sleep 5;
        goto init;
    }
    if (!bind(C, $locport)) {
        # die("cannot bind client socket: $!\n");
        #print "WARNING - couldn't bind client socket:$!\n";
        # A clash on the random local port also retries from the top.
        sleep (5);
        goto init;
    }
    ($name, $aliases, $proto) = getprotobyname('tcp');
    # No check that the lookup succeeded: if it fails $thisaddr is undef
    # and the pack() below yields an all-zero address.
    ($name, $aliases, $type, $len, $thisaddr) = gethostbyname($hostname);
    ($a,$b,$c,$d) = unpack('C4', $thisaddr);
    $ipaddr="$a.$b.$c.$d";    # assigned but not read in this sub
    $thatport = pack($sockaddr, &AF_INET, $serverport, $thisaddr);
    # do_alarm() closes C when the timer fires; a connect() that outlives
    # $connecttimeout then comes back false and is reported via $!.
    alarm(0);
    alarm($connecttimeout);
    if (!connect(C, $thatport)) {
        return "FAILED: $!\n";
    }
    alarm(0);
    # Unbuffer C, then restore STDOUT as the default output handle.
    select(C);
    $| = 1;
    select(STDOUT);
    # Now send/rec data to C
    # nudge it..
    print C "\r\n";
    alarm($bannertimeout);
    $banner = "";
    # Read until EOF or until the alarm handler closes C.
    while ($data = <C>) {
        $banner = "$banner$data"
    }
    alarm(0);
    # $data holds whatever ended the loop (normally undef at EOF), so an
    # empty banner becomes undef rather than "" here.
    if ($banner eq "") {
        $banner = $data;
    }
    shutdown(C, 1);
    close(C);
    # Flatten line breaks so the result prints on a single line.
    $banner =~ tr/\r/\./;
    $banner =~ tr/\n/\./;
    return $banner;
}
#
# Handle timeouts
#
# Installed as the ALRM handler; it runs when a connect() or banner read
# in scan() outlives its alarm().  Closing C presumably is what makes the
# pending call in scan() give up.  A signal handler's return value is
# discarded, so the "FAILED: timeout" string never reaches a caller.
#
sub do_alarm {
    alarm 0;                      # reset alarm clock
    $SIG{'ALRM'} = \&do_alarm;    # re-install the handler
    close C;
    return "FAILED: timeout";
}
--------------------------------------------------------------------------------