cowboy me, 2.0: jose nazario beauty and the street

jscan 0.3.1 released ... HiTB talk code

in time for my hackinthebox presentation, i'm releasing some of the demo code i'll be showing. jscan is a TCP SYN scanner that shows how to use libdnet, libevent, and libpcap to generate a reasonably fast TCP scanner. this is just an example, "let's show how to use these libraries" type release. it also shows how to use some basic logic to fingerprint received packets into their respective source OS names.

above is a callgraph for the program. in blue are internal functions, in grey are external functions from libdnet, libpcap, and libevent. not terribly complex code, but it's educational. the whole thing is driven by event_dispatch() once the events are initialized and the context object is filled in. they reschedule events using event_add() and continue with event_dispatch. in an active scan, once the scan is done they stop rescheduling, causing event_dispatch() to return and the program completes itself normally.

jscan is based on some of dugsong's code in many ways, but lacks many of the cool features that dug worked in (including OS forgery and such). however, the basic premise is pretty cool as far as functionality goes, you have either an active or a passive scanner. here it is in passive mode:

$ sudo jscan -t passive -i fxp0 -f compat/pf.os
scan started, type is passive, listening on fxp0                                unknown             www     80/tcp                      FreeBSD 4.6-4.8             www     80/tcp
and here it is in active mode:

$ sudo jscan -t active -s -d -i fxp0 -f compat/pf.os
scan started, type is active, listening on fxp0                             Linux 2.0.3x         daytime     13/tcp                             Linux 2.0.3x             ssh     22/tcp                             Linux 2.0.3x            time     37/tcp                             Linux 2.0.3x           whois     43/tcp                             Linux 2.0.3x          domain     53/tcp                             Linux 2.0.3x            auth    113/tcp                             Linux 2.0.3x             bgp    179/tcp                             Linux 2.0.3x         unknown   2605/tcp                             Linux 2.0.3x         unknown   6001/tcp
scan completed. total execution time was 70 seconds.
what's kind of neat about it is that you can decouple the sender and receiver by running two processes. one process is a passive capture system, the other an active sender. the sender spoofs the source address of the listener so replies get redirected there.

because this is just example code, keep this in mind (from the README): "the user is expected to flesh out its functionality, consider this your take home exam." it's relatively trivial to fingerprint this version of the scanner. version 0.3 is out and ready for public use.

some of the code is taken from OpenBSD, dugsong, and the siphon project.

update: version 0.3.2 is out, this fixes a bug or two and enhances OS detection a bit ... same location, but if you downloaded 0.3.1 try 0.3.2 instead ...



| archives

Last modified: Tuesday, Sep 21, 2004 @ 11:05am
Weblog Commenting and Trackback by

Your Ad Here

copyright © 2002-2005 jose nazario, all rights reserved.