cowboy me, 2.0: jose nazario beauty and the street


jscan 0.3.1 released ... HiTB talk code

http://monkey.org/~jose/figs/jscan-call-small.jpg

in time for my hackinthebox presentation, i'm releasing some of the demo code i'll be showing. jscan is a TCP SYN scanner that shows how to use libdnet, libevent, and libpcap together to build a reasonably fast TCP scanner: libdnet builds and injects the raw SYNs, libpcap captures the replies, and libevent drives both. this is just an example, "let's show how to use these libraries" type release. it also shows some basic logic for fingerprinting the received packets (matching them against pf.os-style signatures) to guess the OS of the host that sent them.

above is a callgraph for the program. internal functions are in blue, external functions from libdnet, libpcap, and libevent in grey. not terribly complex code, but it's educational. the whole thing is driven by event_dispatch() once the events are initialized and the context object is filled in. the callbacks reschedule themselves with event_add() and control returns to event_dispatch(). in an active scan, once the scan is done the callbacks stop rescheduling, so event_dispatch() runs out of pending events, returns, and the program exits normally.

jscan is based on some of dugsong's code in many ways, but lacks many of the cool features that dug worked in (including OS forgery and such). however, the basic premise is pretty cool as far as functionality goes: you get either an active or a passive scanner from the same code. here it is in passive mode, just listening on the interface and fingerprinting whatever SYNs go by:

$ sudo jscan -t passive -i fxp0 -f compat/pf.os
scan started, type is passive, listening on fxp0
192.48.159.40                                unknown             www     80/tcp
216.136.204.117                      FreeBSD 4.6-4.8             www     80/tcp
and here it is in active mode, sending SYNs to the target and fingerprinting the replies:

$ sudo jscan -t active -s 192.168.3.4 -d 192.168.1.4 -i fxp0 -f compat/pf.os
scan started, type is active, listening on fxp0
192.168.1.4                             Linux 2.0.3x         daytime     13/tcp
192.168.1.4                             Linux 2.0.3x             ssh     22/tcp
192.168.1.4                             Linux 2.0.3x            time     37/tcp
192.168.1.4                             Linux 2.0.3x           whois     43/tcp
192.168.1.4                             Linux 2.0.3x          domain     53/tcp
192.168.1.4                             Linux 2.0.3x            auth    113/tcp
192.168.1.4                             Linux 2.0.3x             bgp    179/tcp
192.168.1.4                             Linux 2.0.3x         unknown   2605/tcp
192.168.1.4                             Linux 2.0.3x         unknown   6001/tcp
scan completed. total execution time was 70 seconds.
what's kind of neat is that you can decouple the sender and receiver by running two processes: one is a passive capture system, the other an active sender. the sender uses the listener's address as the spoofed source address on its SYNs, so the SYN/ACK and RST replies go to the listener rather than back to the sender.
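to make the fingerprinting step concrete, here is an added example (my own illustration for this post, not jscan's source and not OpenBSD's pf.os code) that reads pf.os(5)-format signature lines, pulls the fields those signatures key on out of a raw IPv4/TCP SYN (window, initial TTL, DF bit, packet size, and the TCP option layout), and reports the matching OS or "unknown". the signature lines and the SYN packets are constructed for this example so it runs offline; the OS names are illustrative, not copied from the real pf.os file.

```python
"""Passive SYN fingerprinting against pf.os-style signatures (example code, not jscan)."""
import socket
import struct

# Constructed signature table in pf.os(5) line format:
# window:ttl:df:psize:options:class:version:subtype:details
# Entries are illustrative and written for this example, not copied from pf.os.
SIGNATURES = """\
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4
S4:64:1:44:M*:Linux:2.0:3x:Linux 2.0.3x
65535:64:1:60:M*,N,W0,N,N,T:FreeBSD:4.6-4.8::FreeBSD 4.6-4.8
"""


def parse_signatures(text):
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        window, ttl, df, psize, opts, _cls, _ver, _sub, details = line.split(":", 8)
        sigs.append({"window": window, "ttl": int(ttl), "df": int(df), "psize": int(psize),
                     "opts": opts.split(",") if opts else [], "details": details})
    return sigs


def parse_syn(pkt):
    """Extract the pf.os fields from a raw IPv4/TCP SYN (no link-layer header)."""
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack_from("!BBHHHBB", pkt, 0)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:          # SYN set, ACK clear: a connection attempt
        raise ValueError("not a bare SYN")
    window = struct.unpack_from("!H", tcp, 14)[0]
    opts, mss, i = [], None, 20
    while i < data_off:                 # walk the TCP options in order; order is part of the fingerprint
        kind = tcp[i]
        if kind == 0:                   # EOL
            opts.append("E")
            break
        if kind == 1:                   # NOP
            opts.append("N")
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:
            raise ValueError("bad TCP option length")
        body = tcp[i + 2:i + length]
        if kind == 2 and length == 4:   # MSS
            mss = struct.unpack("!H", body)[0]
            opts.append("M%d" % mss)
        elif kind == 3 and length == 3:  # window scale
            opts.append("W%d" % body[0])
        elif kind == 4 and length == 2:  # SACK permitted
            opts.append("S")
        elif kind == 8 and length == 10:  # timestamp; pf.os distinguishes a zero TSval as T0
            opts.append("T0" if struct.unpack("!I", body[:4])[0] == 0 else "T")
        else:
            opts.append("?%d" % kind)   # unknown option kinds never match a signature
        i += length
    return {"window": window, "ttl": ttl, "df": int(bool(flags_frag & 0x4000)),
            "psize": total_len, "opts": opts, "mss": mss}


def _window_matches(spec, observed, mss):
    if spec == "*":
        return True
    if spec[0] == "S":                  # multiple of MSS
        return mss is not None and observed == int(spec[1:]) * mss
    if spec[0] == "T":                  # multiple of MTU (MSS + 40 bytes of IPv4/TCP headers)
        return mss is not None and observed == int(spec[1:]) * (mss + 40)
    if spec[0] == "%":                  # modulo
        return observed % int(spec[1:]) == 0
    return observed == int(spec)


def _opts_match(sig_opts, obs_opts):
    if len(sig_opts) != len(obs_opts):
        return False
    return all(o[0] == s[0] if s in ("M*", "W*") else s == o for s, o in zip(sig_opts, obs_opts))


def fingerprint(pkt, sigs):
    """Return the details string of the best matching signature, or "unknown"."""
    f = parse_syn(pkt)
    best = None
    for sig in sigs:
        # observed TTL must not exceed the signature's initial TTL (hops only decrement it)
        if f["ttl"] > sig["ttl"] or f["df"] != sig["df"] or f["psize"] != sig["psize"]:
            continue
        if _window_matches(sig["window"], f["window"], f["mss"]) and _opts_match(sig["opts"], f["opts"]):
            if best is None or sig["ttl"] < best["ttl"]:   # prefer the closest initial TTL
                best = sig
    return best["details"] if best else "unknown"


def build_syn(ttl, df, window, options, src="192.168.1.4", dst="192.168.3.4", dport=22):
    """Build a constructed raw IPv4/TCP SYN for testing (checksums zero; never sent)."""
    opts = b"".join(options)
    assert len(opts) % 4 == 0, "pad options to a 32-bit boundary yourself"
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


MSS1460, SACKOK, NOP, WS0 = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x01", b"\x03\x03\x00"
TS = b"\x08\x0a" + struct.pack("!II", 12345, 0)
SAMPLE_SYNS = {   # constructed packets: TTL 61 simulates three hops from an initial TTL of 64
    "linux24": build_syn(61, True, 4 * 1460, [MSS1460, SACKOK, TS, NOP, WS0]),
    "linux20": build_syn(64, True, 4 * 1460, [MSS1460]),
    "freebsd": build_syn(64, True, 65535, [MSS1460, NOP, WS0, NOP, NOP, TS]),
    "other": build_syn(128, True, 65535, [MSS1460, NOP, NOP, SACKOK]),
}

if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURES)
    for name, pkt in SAMPLE_SYNS.items():
        print("%-8s %s" % (name, fingerprint(pkt, sigs)))
```

the TTL rule is the part people get wrong: a signature's TTL is the sender's initial value, so an observed TTL only has to be at or below it, and among the signatures that fit you want the smallest initial TTL that still covers what you saw. in a real passive scanner the bytes handed to parse_syn() would come from the libpcap callback, with the link-layer header stripped first.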

because this is just example code, keep this in mind (from the README): "the user is expected to flesh out its functionality, consider this your take home exam." in particular, it's relatively trivial to fingerprint this version of the scanner from the packets it sends. version 0.3 is out and ready for public use.

some of the code is taken from OpenBSD, dugsong, and the siphon project.

update: version 0.3.2 is out. it fixes a bug or two and enhances OS detection a bit ... same location, but if you downloaded 0.3.1, grab 0.3.2 instead ...


Last modified: Tuesday, Sep 21, 2004 @ 11:05am

copyright © 2002-2014 jose nazario, all rights reserved.