网络扫描技术揭秘读书笔记3--TCP SYN扫描
来源:互联网 发布:java接口的特点 编辑:程序博客网 时间:2024/04/29 21:35
TCP SYN扫描(使用Winpcap库实现)
0.核心原理
半开扫描(TCP SYN)不同于CSocket和Socket2扫描,后两者扫描都是完成了一个完整的三次握手(即connect函数),而半开扫描则只完成了两次握手就宣告结果,因为仅通过两次握手已读到了要读的数据。
扫描函数的原理就是完成三次握手中的前两次,其中第一次是由扫描器向被扫描的服务器端发送SYN同步数据包,第二次是服务器端回复扫描器ACK确认数据包。按原“计划”,扫描器应该再向服务器发送一个ACK确认包完成三次握手,然而TCP SYN半开扫描在第三次握手时中止该操作或者向服务器端发送FIN结束数据包。
1.使用核心库函数以及核心代码:
#include <pcap.h>#include <iphlpapi.h>#pragma comment(lib,"iphlpapi.lib")#define DEF_BUF_SIZE 100#define ACK_SYN 1#define ACK_RST 0#define ILLEGAL_FLAG -1#define MAX_FRAME_LEN 1500//IP地址转换处理typedef union MultiByteStruct {//IP地址联合体 int iInt; //int有符号整型 float fFloat; //浮点数 UINT uInt; //无符号整数 ULONG uLong; //ULONG无符号整型 DWORD dwDword; //DWORD有符号整型 WORD wWord[2]; //WORD无符号整型数组 UCHAR ucByte[4]; //无符号字符数组 char cByte[4]; //字符数组 }UNIONIP,*PUNIONIP; SYNTHREADPARAM SynThreadParam;//传递给TCP SYNSCAN 线程的参数结构体static USHORT g_uLocalPort=1240;//绑定的本地端口号USHORT CPortScan_TCPDlg::CheckSum(USHORT *buffer, int size){unsigned long cksum=0; while(size>1) { cksum+=*buffer++; size-=sizeof(USHORT); } if(size) { cksum+=*(UCHAR*)buffer; } cksum=(cksum>>16)+(cksum&0xffff); cksum+=(cksum>>16); return (USHORT)(~cksum); }CString IPIntToStr(UINT IPInt){CString IPStr; UNIONIP IP; IP.uInt=IPInt; //IPStr.Format(_T("%d.%d.%d.%d"),IP.ucByte[0],IP.ucByte[1],IP.ucByte[2],IP.ucByte[3]);IPStr.Format(_T("%d.%d.%d.%d"),IP.ucByte[3],IP.ucByte[2],IP.ucByte[1],IP.ucByte[0]);return IPStr; }//char *->CStringvoid CharStrToCString(CString *str,const char *char_str) {int byteLen=strlen(char_str); int Charlen=MultiByteToWideChar(CP_ACP,0,char_str,byteLen,NULL,0); TCHAR *TcharTempItem=new TCHAR[Charlen+1]; MultiByteToWideChar(CP_ACP,0,char_str,byteLen,TcharTempItem,Charlen); TcharTempItem[Charlen]='\0';*str=TcharTempItem;//*****}void CPortScan_TCPDlg::SynScan_By_WinpCap(UNIONIP uIPBegin,UNIONIP uIPEnd,UINT uPortBegin,UINT uPortEnd){MessageBox(_T("sys scan by winpcap style..."));PSDHEADER psdHeader; //伪TCP包头 UCHAR *tcp_packet_str=new UCHAR[MIN_TCPPACKET_LEN+1];PACKET tcp_packet;UINT SrcIp;// 获取本地地址信息char szLocalName[DEF_BUF_SIZE]={0};gethostname(szLocalName,DEF_BUF_SIZE);hostent* pHost=gethostbyname(szLocalName);if(pHost!=NULL)memcpy(&SrcIp,pHost->h_addr_list[0],pHost->h_length);elsereturn ;//获取网卡设备句柄pcap_t *fp;pcap_if_t *d;GetAdapterHandle(&fp,&d);if(!fp)MessageBox(_T("获取网卡设备句柄失败!"));//recv response packet (ACK+SYN)//Theread:监听目标主机(UNIONIP uIPBegin,UNIONIP uIPEnd)的TCP响应数据包SynThreadParam.fp=fp;SynThreadParam.d=d;SynThreadParam.uIPBegin=uIPBegin;SynThreadParam.uIPEnd=uIPEnd;SynThreadParam.SrcIp=SrcIp;SynThreadParam.ptr=this;CString strIP=IPIntToStr(uIPBegin.uInt);HTREEITEM curr=m_ctlTreeResult.InsertItem(strIP,1,1,TVI_ROOT); SynThreadParam.TreeItem=curr;AfxBeginThread(ThreadRecvTCPSYNPacket,&SynThreadParam,THREAD_PRIORITY_IDLE);//监听返回的ACK+SYN数据包Sleep(1000);//预留做监听的准备时间 或者设置定时器判断 开始发送数据包的时间 12.16//end for 12.16for (UINT ip=uIPBegin.uInt;ip<=uIPEnd.uInt;ip++) {BYTE SrcMac[6];BYTE DstMac[6];GetMacAddress(SrcMac);//GetMacAddrOfIP(ip,DstMac);//for(UINT port=m_uPortBegin;port<=m_uPortEnd;port++) { memset(tcp_packet_str,0,MIN_TCPPACKET_LEN+1);memset(&tcp_packet,0,sizeof(PACKET));//EtherHeader partmemcpy(tcp_packet.ethhead.DestMac,DstMac,6);memcpy(tcp_packet.ethhead.SrcMac,SrcMac,6);USHORT type=0x0800;//***以太网帧类型 0x0800 网际协议 ***tcp_packet.ethhead.Type=htons(type);//分别自己填充IP头、TCP头、伪TCP头,并计算其中的校验和 //设置IP头 tcp_packet.ipHeader.h_verlen=0x45; tcp_packet.ipHeader.tos=0; tcp_packet.ipHeader.total_len=htons(sizeof(IPHEADER)+sizeof(TCPHEADER)); tcp_packet.ipHeader.ident=1; tcp_packet.ipHeader.frag_and_flags=0; tcp_packet.ipHeader.ttl=128; tcp_packet.ipHeader.proto=IPPROTO_TCP; tcp_packet.ipHeader.checksum=0; tcp_packet.ipHeader.sourceIP=SrcIp; tcp_packet.ipHeader.destIP=htonl(ip);// //设置TCP头 tcp_packet.translayer.tcpHeader.th_sport=htons(g_uLocalPort); tcp_packet.translayer.tcpHeader.th_dport=htons(port); //tcp_packet.translayer.tcpHeader.th_seq=htonl(SEQ); tcp_packet.translayer.tcpHeader.th_ack=0; tcp_packet.translayer.tcpHeader.th_lenres=(sizeof(TCPHEADER)/4<<4|0); tcp_packet.translayer.tcpHeader.th_flag=2; //2:SYN;1:FIN;16:ACK tcp_packet.translayer.tcpHeader.th_win=htons(512); tcp_packet.translayer.tcpHeader.th_urp=0; tcp_packet.translayer.tcpHeader.th_sum=0; //伪TCP头 psdHeader.saddr=tcp_packet.ipHeader.sourceIP;psdHeader.daddr=tcp_packet.ipHeader.destIP; psdHeader.mbz=0; psdHeader.ptcl=IPPROTO_TCP; psdHeader.tcpl=htons(sizeof(TCPHEADER)); //TCP头校验和 checksum(PsdHeader+TcpHeader)char tempBuf[40];memcpy(tempBuf,&psdHeader,sizeof(PSDHEADER));memcpy(tempBuf+sizeof(psdHeader),&tcp_packet.translayer.tcpHeader,sizeof(TCPHEADER));tcp_packet.translayer.tcpHeader.th_sum=CheckSum((USHORT*)tempBuf,sizeof(PSDHEADER)+sizeof(TCPHEADER));//*****IP头校验和 checksum(IpHeader)memcpy(tempBuf,&tcp_packet.ipHeader,sizeof(IPHEADER));tcp_packet.ipHeader.checksum=CheckSum((USHORT*)tempBuf,sizeof(IPHEADER));//数据包流序列化memcpy(tcp_packet_str,(UCHAR*)&tcp_packet,sizeof(PACKET));SetDlgItemInt(IDC_PORT_EDIT,port);if(pcap_sendpacket(fp,tcp_packet_str,sizeof(PACKET)) != 0)//发送数据包 sizeof(PACKET){MessageBox(_T("pcap_sendpacket()函数执行发生错误!"));return;}}}}//[in] Param :{fp,d,IP,ptr,TreeItem...}UINT ThreadRecvTCPSYNPacket(LPVOID pParam){//capture,resolve,check 12.16SYNTHREADPARAM *SynThreadParam=(SYNTHREADPARAM *)pParam;pcap_t *fp=SynThreadParam->fp;pcap_if_t *d=SynThreadParam->d;UNIONIP uIPBegin=SynThreadParam->uIPBegin;UNIONIP uIPEnd=SynThreadParam->uIPEnd;UINT SrcIp=SynThreadParam->SrcIp;CPortScan_TCPDlg *ptr=SynThreadParam->ptr; HTREEITEM curr=SynThreadParam->TreeItem; const BYTE *pkt_data=new BYTE[MAX_FRAME_LEN];UINT res;struct pcap_pkthdr *header;char *packet_filter_str=new char[100];char SrcIp_str[16],DstIp_str[16];SOCKADDR_IN addr_src,addr_dst;struct bpf_program fcode;bpf_u_int32 NetMask;if(d->addresses->netmask)NetMask=((struct sockaddr_in *)d->addresses->netmask)->sin_addr.s_addr;elseNetMask=0xffffff;//filter response tcp packets//tcp and ip src host (uIPBegin to uIPEnd) and ip dst host localhost//for (UINT ip=uIPBegin.uInt;ip<=uIPEnd.uInt;ip++)memset(packet_filter_str,0,100);strcpy(packet_filter_str,"tcp and ip src host ");addr_dst.sin_addr.S_un.S_addr=htonl(uIPBegin.uInt);//***only the first destination host(12.16)strcpy(SrcIp_str,inet_ntoa(addr_dst.sin_addr));//SrcIpstrcat(packet_filter_str,SrcIp_str);strcat(packet_filter_str," and ip dst host ");addr_src.sin_addr.S_un.S_addr=SrcIp;strcpy(DstIp_str,inet_ntoa(addr_src.sin_addr));//DstIpstrcat(packet_filter_str,DstIp_str);if(pcap_compile(fp, &fcode, packet_filter_str, 1, NetMask)<0){AfxMessageBox(_T("Error compiling filter: wrong syntax."));return 1;}if(pcap_setfilter(fp, &fcode)<0){AfxMessageBox(_T("Error setting the filter."));return 1;}int elapse_times=0;while((res=pcap_next_ex(fp,&header,&pkt_data))>=0){if(elapse_times>10)//根据超时次数粗略确定已经没有余下的响应数据包break;if(res==0){//ptr->MessageBox(_T("获取报文超时!"));elapse_times++;continue;}//resolve received tcp_packet and check relevant bitsPACKET *TcpPacket=(PACKET *)pkt_data;int iphead_len=((TcpPacket->ipHeader.h_verlen)&0x0f)*4;TCPHEADER *TcpHeader=(TCPHEADER *)(pkt_data+sizeof(ETHERNET_HEAD)+iphead_len);UCHAR flag=TcpHeader->th_flag;USHORT opened_port=ntohs(TcpHeader->th_sport);//ntohs() 12.16 p.m.CString strTemp;if(((flag&0x10)>>4)&((flag&0x02)>>1))//0 0 URG ACK PSH RST SYN FIN{struct servent *se; CString strNameTemp;se=getservbyport(TcpHeader->th_sport,"tcp"); if(se!=NULL) //get the info of the port and corresponding server name{strTemp.Format(_T("%d "),opened_port);CharStrToCString(&strNameTemp,se->s_name);strTemp+=strNameTemp;}else strTemp.Format(_T("%d"),opened_port); ptr->m_ctlTreeResult.InsertItem(strTemp,2,2,curr); //insert the port node into the tree}}if(res == -1){AfxMessageBox(_T("Error reading the packets"));return 1;}ptr->MessageBox(_T("Finished SynScan..."));return 1;}void GetMacAddress(BYTE *mac_addr){IP_ADAPTER_INFO adapter[5]; //Maximum 5 adaptersDWORD buflen=sizeof(adapter);DWORD status=GetAdaptersInfo(adapter,&buflen);BYTE s[8];if(status==ERROR_SUCCESS){PIP_ADAPTER_INFO painfo=adapter;memcpy(s,painfo->Address,6);for(int i=0;i<6;i++){mac_addr[i]=s[i];}}}void GetAdapterHandle(pcap_t **fp,pcap_if_t **d){pcap_if_t *alldevs;char errbuf[PCAP_ERRBUF_SIZE];int i,inum;//网卡设备编号if(pcap_findalldevs(&alldevs, errbuf) == -1){AfxMessageBox(_T("pcap_findalldevs()函数执行发生错误!"));exit(1);}inum=3;//如何动态获取本地连接网卡 --需改进for (*d=alldevs, i=0; i< inum-1 ;*d=(*d)->next, i++);if ((*fp = pcap_open_live((*d)->name,65536,1,1000,errbuf)) == NULL){AfxMessageBox(_T("打开适配器发生错误"));exit(1);}}void GetMacAddrOfIP(UINT ip,BYTE *mac_addr){//获取网卡设备句柄pcap_t *fp;pcap_if_t *d;GetAdapterHandle(&fp,&d);if(!fp)AfxMessageBox(_T("获取网卡设备句柄失败!"));// 获取本地地址信息:IP和MACUINT SrcIP;UINT DstIP=ip;//[in] formal parameterBYTE SrcMac[6];BYTE DstMac[6];char szLocalName[DEF_BUF_SIZE]={0};gethostname(szLocalName,DEF_BUF_SIZE);hostent* pHost=gethostbyname(szLocalName);if(pHost!=NULL)memcpy(&SrcIP,pHost->h_addr_list[0],pHost->h_length);elsereturn ;GetMacAddress(SrcMac);memset(DstMac,0xff,6);//1.构造ARP请求包//SrcMac SrcIP DstMac DstIP=ipARP_PACKET arp_request;USHORT type=0x0806;USHORT hardware_type=0x0001;USHORT protocol_type=0x0800;BYTE mac_len=0x06;BYTE ip_len=0x04;USHORT option=0x0001;//1 Request//MAC Frame Headmemset(&arp_request,0,sizeof(ARP_PACKET));memcpy(arp_request.EthHead.DestMac,DstMac,6);memcpy(arp_request.EthHead.SrcMac,SrcMac,6);arp_request.EthHead.Type=htons(type);//ARP Request Headarp_request.ArpFrame.hardware_type=htons(hardware_type);arp_request.ArpFrame.protocol_type=htons(protocol_type);arp_request.ArpFrame.add_len=mac_len;arp_request.ArpFrame.pro_len=ip_len;arp_request.ArpFrame.option=htons(option);memcpy(arp_request.ArpFrame.sour_addr,SrcMac,6);arp_request.ArpFrame.sour_ip=SrcIP;//SrcIP: net sequencememcpy(arp_request.ArpFrame.dest_addr,DstMac,6);arp_request.ArpFrame.dest_ip=htonl(DstIP);//DstIP UINT:host sequence memset(arp_request.ArpFrame.padding,0x00,18);if(pcap_sendpacket(fp,(BYTE *)&arp_request,sizeof(arp_request)) != 0){AfxMessageBox(_T("pcap_sendpacket()函数执行发生错误!"));return;}//2.recv arp response packetconst BYTE *pkt_data;UINT res;struct pcap_pkthdr *header;char *packet_filter_str=new char[100];char mac_str[18];char ip_str[16];struct bpf_program fcode;bpf_u_int32 NetMask;if(d->addresses->netmask)//掩码不为空NetMask=((struct sockaddr_in *)d->addresses->netmask)->sin_addr.s_addr;elseNetMask=0xffffff;//默认为 C类网络GetMacStrFromByte(SrcMac,mac_str);//MAC StrSOCKADDR_IN addr;addr.sin_addr.S_un.S_addr=htonl(DstIP);//************下面的innet_ntoa()参数是--网络上--的一个IP地址************strcpy(ip_str,inet_ntoa(addr.sin_addr));//IP Str//packet_filter_str="arp and ether dst str(SrcMac) and src host str(DstIP)"//packet_filter_str += arp_request.ArpFrame.option=0x0002memset(packet_filter_str,0,100);strcpy(packet_filter_str,"arp and ether dst ");strcat(packet_filter_str,mac_str);strcat(packet_filter_str," and src host ");strcat(packet_filter_str,ip_str);if(pcap_compile(fp, &fcode, packet_filter_str, 1, NetMask)<0){AfxMessageBox(_T("Error compiling filter: wrong syntax."));return;}if(pcap_setfilter(fp, &fcode)<0){AfxMessageBox(_T("Error setting the filter."));return ;}/* Capture data */while((res = pcap_next_ex(fp,&header,&pkt_data))>=0){if(res == 0)/* Timeout elapsed */continue;if(pkt_data)break;}if(res == -1){AfxMessageBox(_T("Error reading the packets"));return;}//3.resolve response arp arp packet of sour_addr attribute//const BYTE * pkt_data -->SrcMacETHERNET_HEAD *Ether_Header=(ETHERNET_HEAD *)pkt_data;memcpy(mac_addr,Ether_Header->SrcMac,6);}void GetMacStrFromByte(BYTE *SrcMac,char *mac_str){/*In: SrcMac={00,30,18,A3,D2,8E};Out: mac_str="00:30:18:A3:D2:8E"*/char *MacStr=new char[18];memset(MacStr,0,18);for(int i=0;i<6;i++){MacStr[3*i]=GetHexChar((SrcMac[i]&0xf0)>>4);MacStr[3*i+1]=GetHexChar(SrcMac[i]&0x0f);if(i<=4)MacStr[3*i+2]=':';}strcpy(mac_str,MacStr);}char GetHexChar(BYTE HexNum){if(HexNum>=0&&HexNum<=9)return '0'+HexNum;else if(HexNum>=0xA&&HexNum<=0xF)return 'A'+HexNum-0xA;else{AfxMessageBox(_T("Illegal HexNum!"));return 0;}}
(1)
TCP SYN扫描结果:发现目标主机出现超时重ACK+SYN 数据包的现象
第一个重传(TCP Retransmission)的数据包是来自目标主机的端口netbios-ssn(139)的数据包
使用Wireshark工具得到该数据包的SEQ/ACK分析:判断为可疑的重传数据包
(2)
添加端口对应的服务名称之后,最终的运行结果:
(3)使用nmap扫描工具进行对比:
3.忽略掉的问题
只扫描了知名端口(1-1024);
没有动态识别本地连接对应的网卡;
没有对重传数据包的判定;
只考虑了对单一主机的扫描,没有考虑多个目标主机的情况;
获取的端口服务名只是使用getservbyport()从本地配置文件读取;
接收TCP响应包的线程函数的退出仅仅根据超时次数,没有恰当处理退出的条件;
其它
......
4.定义的相关数据结构
#pragma pack (1)typedef struct SYNThreadParamStruct{pcap_t *fp;pcap_if_t *d;UNIONIP uIPBegin;UNIONIP uIPEnd;UINT SrcIp;CPortScan_TCPDlg *ptr; HTREEITEM TreeItem; }SYNTHREADPARAM;//以太网帧头typedef struct _ETHERNET_HEAD{BYTE DestMac[6];//目的MAC地址BYTE SrcMac[6];//源MAC地址USHORT Type;//协议类型 IP(0x0800) ARP(0x0806是ARP帧的类型值) RARP}ETHERNET_HEAD;//14Bytestypedef struct _ARP_HEADER{ //固定头长度:28BytesUSHORT hardware_type; //硬件类型:以太网接口类型为1 USHORT protocol_type; //协议类型:IP协议类型为0X0800 BYTE add_len; //硬件地址长度:MAC地址长度为6B BYTE pro_len; //协议地址长度:IP地址长度为4B USHORT option; //操作:ARP请求为1,ARP应答为2 BYTE sour_addr[6]; //源MAC地址:发送方的MAC地址 UINT sour_ip; //源IP地址:发送方的IP地址 BYTE dest_addr[6]; //目的MAC地址:ARP请求中该字段没有意义;ARP响应中为接收方的MAC地址 UINT dest_ip; //目的IP地址:ARP请求中为请求解析的IP地址;ARP响应中为接收方的IP地址BYTE padding[18]; //填充字符长度=以太网最小帧长(64Bytes)-MAC帧头(14Bytes)-ARP包固定长度(28Bytes)-帧校验序列FCS(4Bytes)}ARP_HEADER,*PARP_HEADER; // ARP Packet = ETHERNET_HEAD + ARP_HEADERtypedef struct _ARP_PACKET{ETHERNET_HEAD EthHead;ARP_HEADER ArpFrame;}ARP_PACKET,*PARP_PACKET;typedef struct _iphdr { unsigned char h_verlen; //4位IP版本号+4位首部长度 unsigned char tos; //8位服务类型TOS unsigned short total_len; //16位总长度(字节) unsigned short ident; //16位标识 标记当前分片为第几个分片 unsigned short frag_and_flags; //3位标志位+13位片偏移 unsigned char ttl; //8位生存时间 TTL unsigned char proto; //8位协议(TCP、UDP或其他协议) unsigned short checksum; //16位IP首部校验和 unsigned int sourceIP; //32位源IP地址 unsigned int destIP; //32位目的IP地址 }IPHEADER; //TCP伪首部的作用主要是进行校验和的计算 typedef struct psd_hdr //定义TCP伪首部 12Bytes{ unsigned long saddr; //源地址 unsigned long daddr; //目的地址 char mbz; char ptcl; //协议类型 unsigned short tcpl; //TCP长度 }PSDHEADER; typedef struct _tcphdr //定义TCP首部 { USHORT th_sport; //16位源端口 USHORT th_dport; //16位目的端口 unsigned int th_seq; //32位序列号 unsigned int th_ack; //32位确认号 unsigned char th_lenres; //4位首部长度/6位保留字 unsigned char th_flag; //6位标志位 USHORT th_win; //16位窗口大小 USHORT th_sum; //16位校验和 USHORT th_urp; //16位紧急数据偏移量 }TCPHEADER; //数据包typedef struct _packet { ETHERNET_HEAD ethhead; IPHEADER ipHeader; union Translayer { TCPHEADER tcpHeader; UDPHEADER udpHeader; ICMPHEADER icmpHeader; }translayer; //char padding[10];//填充字符}PACKET; #pragma pack()
0 0
- 网络扫描技术揭秘读书笔记3--TCP SYN扫描
- 网络扫描技术揭秘读书笔记3-TCP/UDP端口扫描器设计原理
- 网络扫描技术揭秘读书笔记1--简介
- 网络扫描技术揭秘
- 网络扫描技术揭秘读书笔记2--常用的网络编程-TCP/IP协议编程
- 网络扫描技术揭秘读书笔记2--嵌入外部程序
- TCP SYN扫描
- tcp SYN扫描
- 《网络扫描技术揭秘》博客目录
- 网络扫描技术揭秘读书笔记2--常用的网络编程-其它协议编程
- 网络扫描技术揭秘读书笔记2--扫描器中公用编程示例(1)
- 网络扫描技术揭秘读书笔记2--扫描器中公用编程示例(2)
- 浅谈TCP扫描与SYN扫描与FIN扫描
- 网络扫描技术揭秘学习笔记《一》TCP/IP协议编程
- TCP,SYN,FIN扫描的介绍
- 网络扫描技术
- 网络扫描技术
- 网络扫描技术总结
- 黑马程序员_温习 IO流五 (个人笔记)摘要(字符编码)
- 内核中与驱动相关的内存操作之一(MMU)
- NYOJ 67 三角形面积
- 二进制的表白
- AS3 对JSON的读取和发送
- 网络扫描技术揭秘读书笔记3--TCP SYN扫描
- AS3 Vector
- 电脑改名 tomcat启动 地址栏localhost改名
- iOS 通知机制 Notifications (二)
- 指针传递 引用传递 小结
- Parsing Twitter Timestamp in Java
- Euler 92
- java.lang.NoClassDefFoundError: org/slf4j/impl/StaticLoggerBinder
- 折线分割平面