HiTB 2004 example code: jscan

requirements

libevent (in OpenBSD base)
libdnet (in OpenBSD ports)
libpcap (in OpenBSD base)

my development environment is OpenBSD.

OpenBSD users should set EVENT_NOKQUEUE=yes in their shell to ensure libevent works properly.

jscan features

jscan is an active SYN scanner:

$ sudo jscan -t active -s 192.168.3.4 -d 192.168.1.4 -i fxp0 -f compat/pf.os
scan started, type is active, listening on fxp0
192.168.1.4                          3x:Linux 2.0.3x         daytime     13/tcp
192.168.1.4                          3x:Linux 2.0.3x             ssh     22/tcp
192.168.1.4                          3x:Linux 2.0.3x            time     37/tcp
192.168.1.4                          3x:Linux 2.0.3x           whois     43/tcp
192.168.1.4                          3x:Linux 2.0.3x          domain     53/tcp
192.168.1.4                          3x:Linux 2.0.3x          sunrpc    111/tcp
192.168.1.4                          3x:Linux 2.0.3x            auth    113/tcp
192.168.1.4                          3x:Linux 2.0.3x             bgp    179/tcp
scan completed. total execution time was 70 seconds.

jscan is a passive TCP scanner, too!

$ sudo jscan -t passive -i fxp0 -f compat/pf.os
scan started, type is passive, listening on fxp0
192.48.159.40                                unknown             www     80/tcp
216.136.204.117                     :FreeBSD 4.6-4.8             www     80/tcp

and .. yes. you can run two instances of jscan and have one send the packets and one listen for the replies. decoupled scanning ...

NOTE

this code is NOT suitable for real world use, it contains a number of flaws which make it easy to detect scanning and fingerprint the scanner. it is up to the reader to improve upon this codebase.

download

jscan-0.3.2.tar.gz 21 sep 2004

changelog

0.2: randomize a bunch of attributes
0.3: OS fingerprinting, using the OpenBSD pf.os file and routines from siphon 0.666.
0.3.1: slight code/display cleanup
0.3.2: minor refactor, improve use of the pf.os file a bit