Stealth
Scanner¸¦ ¸¸µé¾î º¸ÀÚ~! (4)
- Stealth Scanner ±¸Çö
±×·³ Áö±Ý±îÁö °øºÎÇÑ Áö½ÄÀ» Åä´ë·Î stealth scanner¸¦ Á¦ÀÛÇØ º¸µµ·Ï ÇϰڽÀ´Ï´Ù.
ÀÌÁ¦ ¸¸µå´Â ÇÁ·Î±×·¥Àº ÀÎÀڷΠŸ°ÙÀÇ IP ȤÀº µµ¸ÞÀÎ ÁÖ¼Ò¸¦ ÀÔ·Â ¹Þ¾Æ
1¹ø¿¡¼
500¹ø±îÁöÀÇ Æ÷Æ®¸¦ ½ºÄµÇÕ´Ï´Ù. ±×¸®°í ¿¸° Æ÷Æ®°¡ ÀÖÀ» ½Ã ÇØ´ç Æ÷Æ®¸¦ Ãâ·ÂÇØ
ÁÝ´Ï´Ù.
ÀÛµ¿ °á°ú´Â ±âÁ¸ÀÇ TCP Æ÷Æ® ½ºÄ³³Ê¿Í µ¿ÀÏÇÏÁö¸¸ ·Î±× ±â·Ï ºÎºÐ¿¡
´ëÇÑ Â÷ÀÌ´Â
¾î¶»°Ô µÉÁö µÚ¿¡¼ ¾Ë¾Æº¸µµ·Ï ÇϰڽÀ´Ï´Ù.
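// Required headers.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <linux/ip.h>
#include <linux/tcp.h>

// Source IP address written into the outgoing IP/TCP headers.
// Edit this to an address of the sending host before compiling.
#define LOCAL_IP "218.149.4.173"

enum {
    FIRST_PORT = 1,
    LAST_PORT = 500,        // inclusive: the accompanying text says ports 1..500
                            // (the original loop stopped one short, at 499)
    SOURCE_PORT = 777,      // TCP source port; replies are matched on it
    RECV_TIMEOUT_SEC = 2,   // give up on a port that never answers instead of blocking forever
    RECV_BUF_SIZE = 100     // bytes of each received packet that are kept
};

/*
 * One's-complement Internet checksum (RFC 1071) over len bytes at addr.
 * 16-bit words are summed in memory byte order; an odd trailing byte is
 * padded with a zero byte. The result is already in memory order, so it is
 * stored into a header without htons().
 *
 * addr must be 2-byte aligned.
 */
unsigned short in_cksum(unsigned short *addr, int len)
{
    uint32_t sum = 0;               // 32 bits hold the carries for any header-sized buffer
    int nleft = len;
    const unsigned short *w = addr;
    unsigned short answer = 0;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    if (nleft == 1) {
        *(unsigned char *)&answer = *(const unsigned char *)w;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff);   // fold the high half into the low half
    sum += (sum >> 16);                   // the fold itself can carry once more
    answer = (unsigned short)~sum;
    return answer;
}

/* Pseudo-header that precedes the TCP header when its checksum is computed. */
struct pseudohdr {
    uint32_t saddr;
    uint32_t daddr;
    uint8_t useless;        // always zero
    uint8_t protocol;       // IPPROTO_TCP
    uint16_t tcplength;     // TCP header + payload length, network order
};

/*
 * Resolve name (dotted quad or host name) into *dest.
 * Exits the process with a message on stderr when the name does not
 * resolve to an IPv4 address.
 */
static void resolve_target(const char *name, struct in_addr *dest)
{
    dest->s_addr = inet_addr(name);
    if (dest->s_addr != INADDR_NONE) {
        return;
    }
    // Not a numeric address: resolve it. gethostbyname() is obsolescent,
    // but it is kept so the failure path behaves as before.
    struct hostent *target = gethostbyname(name);
    if (target == NULL || target->h_addrtype != AF_INET ||
        target->h_length != (int)sizeof dest->s_addr ||
        target->h_addr_list[0] == NULL) {
        fprintf(stderr, "µµ¸ÞÀÎ ÁÖ¼Ò°¡ ¿Ã¹Ù¸£Áö ¾Ê½À´Ï´Ù.\n");
        exit(1);
    }
    memcpy(&dest->s_addr, target->h_addr_list[0], sizeof dest->s_addr);
}

/*
 * Fill packet (IP header immediately followed by a TCP header, no payload)
 * with a SYN from src:SOURCE_PORT to dst:port, both checksums computed.
 * packet must hold sizeof(struct iphdr) + sizeof(struct tcphdr) bytes and
 * be 4-byte aligned.
 */
static void build_syn_packet(unsigned char *packet, struct in_addr src,
                             struct in_addr dst, int port)
{
    struct iphdr *ip = (struct iphdr *)packet;
    struct tcphdr *tcp = (struct tcphdr *)(packet + sizeof *ip);
    memset(packet, 0, sizeof *ip + sizeof *tcp);

    // TCP header.
    tcp->source = htons(SOURCE_PORT);
    tcp->dest = htons((uint16_t)port);
    tcp->seq = htonl(92929292);
    tcp->ack_seq = htonl(12121212);
    tcp->doff = 5;                  // header length in 32-bit words, no options
    tcp->syn = 1;
    tcp->window = htons(512);

    // The TCP checksum covers pseudo-header + TCP header. Lay the two out
    // back to back in a scratch buffer instead of overlapping the
    // pseudo-header with the not-yet-written IP header. check is still 0 here.
    uint16_t scratch[(sizeof(struct pseudohdr) + sizeof *tcp) / 2];
    struct pseudohdr pseudo = {
        .saddr = src.s_addr,
        .daddr = dst.s_addr,
        .useless = 0,
        .protocol = IPPROTO_TCP,
        .tcplength = htons(sizeof *tcp),
    };
    memcpy(scratch, &pseudo, sizeof pseudo);
    memcpy((unsigned char *)scratch + sizeof pseudo, tcp, sizeof *tcp);
    tcp->check = in_cksum(scratch, (int)sizeof scratch);

    // IP header.
    ip->version = 4;
    ip->ihl = 5;
    ip->protocol = IPPROTO_TCP;
    ip->tot_len = (uint16_t)(sizeof *ip + sizeof *tcp);  // host order, as before; Linux
                                                         // fills this in for IP_HDRINCL sockets
    ip->id = htons(12345);
    ip->ttl = 60;
    ip->saddr = src.s_addr;
    ip->daddr = dst.s_addr;
    ip->check = in_cksum((unsigned short *)ip, (int)sizeof *ip);
}

/*
 * Wait for dst's answer to the SYN sent to port.
 * Returns 1 when a segment with SYN set comes back (open port), 0 when any
 * other TCP segment from dst:port to SOURCE_PORT arrives (e.g. a RST) or
 * the receive timeout expires with no answer, and -1 on a socket error
 * (errno is left set).
 */
static int wait_for_reply(int recv_socket, struct in_addr dst, int port)
{
    for (;;) {
        _Alignas(uint32_t) unsigned char recv_packet[RECV_BUF_SIZE];
        struct sockaddr_in target_addr;
        socklen_t len = sizeof target_addr;     // socklen_t, not int: recvfrom writes through it
        ssize_t n = recvfrom(recv_socket, recv_packet, sizeof recv_packet, 0,
                             (struct sockaddr *)&target_addr, &len);
        if (n < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK) {
                return 0;                       // SO_RCVTIMEO expired: nothing came back
            }
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        // Only segments from the target matter; compare the address
        // numerically rather than through inet_ntoa() strings.
        if (target_addr.sin_addr.s_addr != dst.s_addr) {
            continue;
        }
        // Honour the IP header length (options) instead of assuming 20 bytes,
        // and make sure the whole TCP header actually arrived before reading it.
        if ((size_t)n < sizeof(struct iphdr)) {
            continue;
        }
        const struct iphdr *ip = (const struct iphdr *)recv_packet;
        size_t iphl = (size_t)ip->ihl * 4;
        if (iphl < sizeof(struct iphdr) || (size_t)n < iphl + sizeof(struct tcphdr)) {
            continue;
        }
        const struct tcphdr *tcp = (const struct tcphdr *)(recv_packet + iphl);
        // Match both ports so a late answer for an earlier port is not
        // attributed to the one currently being probed.
        if (ntohs(tcp->dest) != SOURCE_PORT || ntohs(tcp->source) != port) {
            continue;
        }
        return tcp->syn == 1;
    }
}

/*
 * Send one SYN to each port FIRST_PORT..LAST_PORT of the host named in
 * argv[1] and print the ports that answer with SYN set.
 * Exit status 1 on bad arguments, resolution failure or socket setup failure.
 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "Usage : %s Target\n", argv[0]);
        exit(1);
    }

    struct in_addr source_address;
    source_address.s_addr = inet_addr(LOCAL_IP);
    if (source_address.s_addr == INADDR_NONE) {
        fprintf(stderr, "LOCAL_IP is not a valid IPv4 address\n");
        exit(1);
    }
    struct in_addr dest_address;
    resolve_target(argv[1], &dest_address);

    // Open both raw sockets once, the receiving one before anything is sent,
    // so an answer cannot arrive before there is a socket to deliver it to.
    int recv_socket = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (recv_socket < 0) {
        perror("socket(IPPROTO_TCP)");
        exit(1);
    }
    struct timeval tv = { .tv_sec = RECV_TIMEOUT_SEC, .tv_usec = 0 };
    if (setsockopt(recv_socket, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
        perror("setsockopt(SO_RCVTIMEO)");
        exit(1);
    }
    int raw_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (raw_socket < 0) {
        perror("socket(IPPROTO_RAW)");
        exit(1);
    }
    int on = 1;
    if (setsockopt(raw_socket, IPPROTO_IP, IP_HDRINCL, &on, sizeof on) < 0) {
        perror("setsockopt(IP_HDRINCL)");
        exit(1);
    }

    printf("\n[Wise Scanner Started.]\n\n");

    for (int port = FIRST_PORT; port <= LAST_PORT; port++) {
        _Alignas(uint32_t) unsigned char packet[sizeof(struct iphdr) + sizeof(struct tcphdr)];
        build_syn_packet(packet, source_address, dest_address, port);

        struct sockaddr_in address = {
            .sin_family = AF_INET,
            .sin_port = htons((uint16_t)port),
            .sin_addr = dest_address,
        };
        if (sendto(raw_socket, packet, sizeof packet, 0,
                   (struct sockaddr *)&address, sizeof address) < 0) {
            perror("sendto");
            continue;                           // skip this port, keep scanning
        }

        int rc = wait_for_reply(recv_socket, dest_address, port);
        if (rc < 0) {
            perror("recvfrom");
            break;
        }
        if (rc == 1) {
            printf("%d Port is open.\n", port);
        }
    }

    close(recv_socket);
    close(raw_socket);
    printf("\n[Scan ended.]\n\n");
    return 0;
}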
ÀÌ»óÀÔ´Ï´Ù. ¿ª½Ã ÀÌÇØ¸¦ ½±°Ô Çϱâ À§ÇØ ¿¡·¯ ó¸® ¹× ÇÔ¼öÈ °úÁ¤Àº
»ý·«ÇÏ¿´½À´Ï´Ù.
±×·³ ÀÌÁ¦ ÄÄÆÄÀÏ ÇÑ ÈÄ ½ÇÇàÇØ º¸µµ·Ï ÇսôÙ.
[root@WiseGuyS
/Stealth_Scanner]# pwd /Stealth_Scanner [root@WiseGuyS
/Stealth_Scanner]# gcc -o wise wise.c [root@WiseGuyS
/Stealth_Scanner]# |
[root@WiseGuyS
/Stealth_Scanner]# ./wise
hackerschool.org [Wise Scanner
Started.] 21 Port is open. 23 Port is open. 53 Port is open. 80 Port is open. 111 Port is open. [Scan ended.] [root@WiseGuyS
/Stealth_Scanner]# |
Æ÷Æ® ½ºÄ³´×ÀÇ °á°ú´Â ¿©´À ´Ù¸¥ ½ºÄ³³Ê¿Í ´Ù¸¦°Ô ¾ø½À´Ï´Ù.
±×·³ ÀÌÁ¦ ÀÌ ½ºÄ³³Ê°¡ Stealth ±â´ÉÀ» Á¦´ë·Î ¹ßÈÖÇϰí ÀÖ´ÂÁö¿¡
´ëÇØ È®ÀÎÇØ º¸µµ·Ï ÇսôÙ.
[ ½ºÄ³´× ´ë»ó ¼¹ö : www.hackerschool.org ] [root@hackerschool
log]# pwd /var/log [root@hackerschool
log]# cat > messages [root@hackerschool
log]# cat > secure [root@hackerschool
log]# ¸íÈ®ÇÑ È®ÀÎÀ» À§ÇØ ·Î±× ÆÄÀÏÀ» ÃʱâÈ Çß½À´Ï´Ù. |
[ °ø°Ý ¼¹ö : Naska´ÔÀÇ TCP Æ÷Æ® ½ºÄ³³Ê¸¦
ÀÛµ¿½ÃÄ×½À´Ï´Ù. ] [root@WiseGuyS
naska21]# ./port hackerschool.org ::: WG
PortScanner by naska21 <naska21@hanmail.net> in WiseGuys!! ::: Host :
211.189.88.58 Port Service
Comment
============================================================================ 21 ftp
File Transfer 23 telnet
Telnet 53 domain
Domain Name Server 80 http
World Wide Web HTTP 111 sunrpc
SUN Remote Procedure Call scanning.. 100% [root@WiseGuyS
naska21]# |
[ ½ºÄµ ´ë»ó ¼¹ö : ½ºÄ³´×¿¡ ´ëÇÑ ·Î±× ±â·Ï
È®ÀÎ ] [root@hackerschool
log]# cat secure Dec 13 Dec 13 Dec 13 [root@hackerschool
log]# cat messages Dec 13 client_cert allow, data allow Dec 13 Dec 13 [root@hackerschool
log]# Æ÷Æ® ½ºÄ³´× ³»¿ëÀÌ ±×´ë·Î ·Î±× ÆÄÀÏ¿¡ ÀúÀåµÈ °ÍÀ»
¾Ë ¼ö ÀÖ½À´Ï´Ù. |
[ ½ºÄµ ´ë»ó ¼¹ö : ·Î±× ±â·Ï ÃʱâÈ ] [root@hackerschool
log]# cat > secure [root@hackerschool
log]# cat > messages [root@hackerschool
log]# ´Ù½Ã ·Î±× ÆÄÀÏÀ» ÃʱâÈ Çϰí.. |
[ °ø°Ý ¼¹ö : Stealth scanner¸¦
ÀÌ¿ëÇÏ¿© Æ÷Æ® ½ºÄµ ] [root@WiseGuyS
/Stealth_Scanner]# ./wise
hackerschool.org [Wise Scanner
Started.] 21 Port is open 23 Port is open 53 Port is open 80 Port is open 111 Port is open [Scan ended.] [root@WiseGuyS
/Stealth_Scanner]# À̹ø¿£ Stealth
Scanner¸¦ ÀÌ¿ëÇÏ¿© Æ÷Æ® ½ºÄµÀ» ÇÕ´Ï´Ù. |
[ ½ºÄµ ´ë»ó ¼¹ö : ·Î±× ±â·Ï È®ÀÎ ] [root@hackerschool
log]# cat secure [root@hackerschool
log]# cat messages [root@hackerschool
log]# Ÿ°Ù ¼¹ö¿¡ ÀüÇô ·Î±× ±â·ÏÀ» ³²±âÁö ¾Ê¾Ò½À´Ï´Ù. |
Áö±Ý±îÁö ÃÑ 4ȸ¿¡ °ÉÃÄ stealth scanningÀ̶ó´Â ÁÖÁ¦¸¦ ÅëÇÏ¿©
raw socket programming¿¡ ´ëÇÏ¿©
ÇнÀÇÏ¿´½À´Ï´Ù. ¸¹Àº ºÎºÐÀÌ ºÎÁ·ÇÑ °Á¿´Áö¸¸ raw socket
programming¿¡ ´ëÇØ ¾î´ÀÁ¤µµ ÀÌÇØ´Â
ÇϼÌÀ» °Å¶ó°í »ý°¢ÇÕ´Ï´Ù. ±×·³ Áö±Ý±îÁö ¹è¿î ³»¿ë¿¡ ´ëÇÑ ½Ç½ÀÀ» ²À
ÇØº¸¼Å¾ß È¿°ú°¡ ÀÖÀ» °Å¶õ
¸»¾¸À» µå¸®¸é¼ °Á¸¦ ¸¶Ä¡µµ·Ï ÇϰڽÀ´Ï´Ù.