me, 2.0: jose nazario
beauty and the street
jscan 0.3.1 released ... HiTB talk code
in time for my hackinthebox presentation,
i'm releasing some of the demo code i'll be showing. jscan is a TCP SYN
scanner that shows how
to use libdnet, libevent, and libpcap to generate a reasonably fast
TCP scanner. this is just an example, "let's show how to use these
libraries" type release. it also shows how to use some basic logic
to fingerprint received packets into their respective source OS.
above is a callgraph
for the program. in blue are internal functions, in grey are external
functions from libdnet, libpcap, and libevent. not terribly complex code,
but it's educational. the whole thing is driven by event_dispatch() once
the events are initialized and the context object is filled in. the
handlers reschedule themselves using event_add() and control returns to
event_dispatch(). in an active scan, once the scan is done they stop
rescheduling, causing event_dispatch() to return and the program exits normally.
jscan is based on some of dugsong's code in many ways, but lacks many of
the cool features
that dug worked in (including OS forgery and such). however, the basic
premise is pretty cool as far as functionality goes: you have either an
active or a passive scanner. here it is in passive mode:
$ sudo jscan -t passive -i fxp0 -f compat/pf.os
scan started, type is passive, listening on fxp0
184.108.40.206 unknown www 80/tcp
220.127.116.11 FreeBSD 4.6-4.8 www 80/tcp
and here it is in active mode:
$ sudo jscan -t active -s 192.168.3.4 -d 192.168.1.4 -i fxp0 -f compat/pf.os
scan started, type is active, listening on fxp0
192.168.1.4 Linux 2.0.3x daytime 13/tcp
192.168.1.4 Linux 2.0.3x ssh 22/tcp
192.168.1.4 Linux 2.0.3x time 37/tcp
192.168.1.4 Linux 2.0.3x whois 43/tcp
192.168.1.4 Linux 2.0.3x domain 53/tcp
192.168.1.4 Linux 2.0.3x auth 113/tcp
192.168.1.4 Linux 2.0.3x bgp 179/tcp
192.168.1.4 Linux 2.0.3x unknown 2605/tcp
192.168.1.4 Linux 2.0.3x unknown 6001/tcp
scan completed. total execution time was 70 seconds.
what's kind of neat about it is that you can decouple the sender and
receiver by running two processes. one process is a passive capture
system, the other an active sender. the sender spoofs the source
address of the listener so replies get redirected there.
because this is just example code, keep this in mind (from the README):
"the user is expected to flesh out its functionality, consider this your
take home exam." it's relatively trivial to fingerprint this version of the
scanner. version 0.3 is out and ready for public use.
some of the code is taken from OpenBSD, dugsong, and the siphon project.
update: version 0.3.2 is out, this fixes a bug or two and enhances
OS detection a bit ... same location, but if you downloaded 0.3.1 try
0.3.2 instead ...
Last modified: Tuesday, Sep 21, 2004 @ 11:05am
copyright © 2002-2005 jose nazario, all rights reserved.