PortScanner : Efficient TCP port scanner based on popular TCP Half Open scanning method

• Download demo - 151 Kb
• Download source - 19 Kb

Introduction

There are various port scanners which uses simple method of scanning. These applications work at application level and are quite slow. This scanner is faster than normal scanner. It is based on the TCP Half Open Scanning or TCP SYN scanning technique. This method is less detectable than the simple port scanner.

What is Half Open Scanning ?

When any two hosts wants to communicate together connection must be established between them. In case of TCP , three way handshake takes place before any communication begins. This is called Full connection and the process is described below.

1. First the host A sends the SYN packet (TCP packet with SYN flag set) to host B.
2. If the port is open then host B responds by sending SYN+ACK packet. else it sends the RST+ACK packet to host B.
3. Now host A sends the ACK packet to host B. (if SYN+ACK packet is received).

Once the connection is established- both machines can transmit data packet until one of them ends the connection by sending FIN packet. Some of the simple port scanners use this technique. It can be implemented by creating socket and calling Connect method on each port.This is simple to implement but quite slow and moreover it can be easily detected.

Half scanning is more fast and efficient than full scanning technique. Half open connection is explained below.

1. First the host A sends the SYN packet (TCP packet with SYN flag set) to host B.
2. If the port is open then host B responds by sending SYN+ACK packet. else it sends the RST+ACK packet to host B.

Since the host A does not send any additional ACK packet , it is called half open connection. Now the host can easily find out if the target port is open or closed. It it receives TCP packet with SYN+ACK flag set, then it means that target port is open. If it receives RST+ACK packet ,it implies that target port is closed.

In this method full handshake does not take place , hence it is quite faster than full scanning method. Since the implementation has to be done at the protocol level , knowledge of TCP/IP protocol suite is essential.

Implementation

Core part of the implementation is sending the TCP packet and ARP packet. This involves building the raw packet by filling all headers. For this we must know MAC address of the source and destination machine. MAC address also called Ethernet address ,is the address associated with Ethernet adapter.

Find source MAC address

There are various methods for obtaining the source MAC address. This method is simple.

IP_ADAPTER_INFO adapter[5]; 
DWORD buflen=sizeof(adapter); 
DWORD status=GetAdaptersInfo(adapter,&buflen); 

Now the adapter structure contain the source MAC address.

Find destination MAC address

This is done by sending ARP packet. ARP packet is used to determine the host's MAC address when its IP address is known. First ARP request packet is sent by specifying the source MAC address, source IP address and destination IP Address. The ARP reply packet contains the destination MAC address. This method also prevents the target host from sending arp packet to source host when the source host sends the first SYN packet during scanning process. From the ARP request packet that we have sent , target host will come to know about the MAC address of the source host.

Scanning process

Scanning process involves building TCP packet.For this one has to prepare the Ethernet Header, IP header and TCP header. Header file packet.h contains the format details for each of these headers. You can refer RFC for details regarding these formats.

Each time during scanning TCP SYN packet is sent with different port numbers. Then the corresponding reply packet is checked for the flag RST+ACK or SYN+ACK. Based upon this flag target port status is determined.

Requirement

You need Winpcap ( Windows version of Libpcap) to run this application. It can be downloaded from this location. It contains the setup file along with good documentation that explains capturing and sending packet in detail. I advice to you to go through the WinPcap documentation before going through the source code.

Running the application

First make sure that you have installed WinPcap , then run the application. Port Scanner dialog box get displayed. Select the capture device, specify the target host and range of port number to be scanned. On starting scan port numbers and their status will be displayed.

Acknowledgement

I am thankful to ( Hacker ) Hr.Ankit Fadia for his great book "Unofficial guide to Ethical Hacking". Most of the technical details that I have mentioned here ,I learnt from this book. If you want more details or you have any doubts , please feel free to drop a mail at nsry2002@yahoo.co.in

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 25 of 28 (Total in Forum: 28) (Refresh) FirstPrevNext

complie error ylfeng86 3:07 16 Feb '09   Packet.cpp(389) : error C2664: 'pcap_next_ex' : cannot convert parameter 3 from 'unsigned char ** ' to 'const unsigned char ** ' Can you tell me the solution? Many thanks! Sign In·View Thread·PermaLink 5.00/5 (1 vote) compiler error !!! jiaruey 23:22 20 Sep '08   Hi, compiling the source i get the error: PortScannerDlg.cpp(26) : fatal error C1083: Cannot open include file: 'iphlpapi.h': No such file or directory How I can solve the problem? Thanks. Jacky Sign In·View Thread·PermaLink compiler errors jm.alkema 6:29 17 Feb '07   Hello Nagareshwar , I use XP and VS2005. I get the next compiler errors. 1>c:\tmp\gui\portscanner_src\packet.cpp(63) : error C2440: 'static_cast' : cannot convert from 'BOOL (__thiscall Packet::* )(int)' to 'void (__thiscall CWinThread::* )(WPARAM,LPARAM)' 1> None of the functions with this name in scope match the target type 1>c:\tmp\gui\portscanner_src\packet.cpp(64) : error C2440: 'static_cast' : cannot convert from 'LRESULT (__thiscall Packet::* )(WPARAM,LPARAM)' to 'void (__thiscall CWinThread::* )(WPARAM,LPARAM)' 1> None of the functions with this name in scope match the target type 1>c:\tmp\gui\portscanner_src\packet.cpp(65) : error C2440: 'static_cast' : cannot convert from 'LRESULT (__thiscall Packet::* )(WPARAM,LPARAM)' to 'void (__thiscall CWinThread::* )(WPARAM,LPARAM)' 1> None of the functions with this name in scope match the target type 1>c:\tmp\gui\portscanner_src\packet.cpp(66) : error C2440: 'static_cast' : cannot convert from 'BOOL (__thiscall Packet::* )(void)' to 'void (__thiscall CWinThread::* )(WPARAM,LPARAM)' 1> None of the functions with this name in scope match the target type Please info to solve the errors, Greetings Jan Marco Sign In·View Thread·PermaLink 1.90/5 (4 votes) Re: compiler errors Member 4095515 7:22 28 Jun '08   I have the same problem. need help ! Sign In·View Thread·PermaLink Re: compiler errors Member 4034236 2:10 10 Jul '08   This code doesn't compile with Visual studio 2005. I'm getting the same errors. can some help on this? Sign In·View Thread·PermaLink Is there a way to detect Network Printers' IP addresse Jan Palmer 21:47 25 Dec '06   I have been trying to solve on how to detect IP addresses based on my installed printer drivers around my network but I am getting frustrated each day..heheh.. Win32_Printer, Win32_NetworkAdapter and Win32_TCPIPPrinter failed to get the information that I want.. if you're kind enough share your knowledge to email it to me at janverge@gmail.com thanks again.. nice one.. Sign In·View Thread·PermaLink 2.00/5 (2 votes) uuid.lib(objidl_i.obj) : fatal error LNK1103 zcxzcx 20:45 4 Sep '06   I am using VC++6.0SP6 compile this project and SDK using Microsoft Platform SDK for Windows XP SP2 the error is : Linking... uuid.lib(objidl_i.obj) : fatal error LNK1103: debugging information corrupt; recompile module Error executing link.exe. Creating browse info file... PortScanner.exe - 1 error(s), 0 warning(s) please help me ,thanks! Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: uuid.lib(objidl_i.obj) : fatal error LNK1103 kihong 18:58 7 Dec '06   Did you fix the promblem? I got sample problem but I compiled with Release mode successfully. Why does debug mode produce them problem? Sign In·View Thread·PermaLink Re: uuid.lib(objidl_i.obj) : fatal error LNK1103 nebulon 23:15 8 Oct '07   Try this for the "uuid.lib(docobj_i.obj) : fatal error LNK1103: debugging". After some web search, it appers that olf version of VC6 are not compatible with the uuid.lib file of the new SDK. To solve it: Copy the file "C:\Program Files\Microsoft Visual Studio\VC98\Lib\uuid.lib" (old version of the library) to the new SDK "C:\Program Files\Microsoft Platform SDK\Lib\uuid.lib". Do before a backup of the uuid.lib to reverse this action if necessary. Sign In·View Thread·PermaLink 5.00/5 (2 votes) Re: uuid.lib(objidl_i.obj) : fatal error LNK1103 Duoc T 3:21 12 Mar '08   Thanks a million. I was building an unrelated project when I got this error. Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: uuid.lib(objidl_i.obj) : fatal error LNK1103 Jun Du 12:19 12 Mar '08   Thanks for the instruction, which also helped me to resolve the same issue. Best, Jun Sign In·View Thread·PermaLink No network adapters are present... error vikramchiruvolu 6:57 9 Aug '05   I certainly have network adapters, why am I getting this error? Running XP Pro SP2 on a Gateway P4 machine. VC Sign In·View Thread·PermaLink 1.83/5 (6 votes) ports Anonymous 1:49 20 Mar '05   i want to know about port in my PC and how can i control it by on\off . how can i know about the ports open & close in my PC . i want to know the ports open in another PC . can u sent a software that i can know with it and some text files . with my best wishes ledo,,,, ledo_eng_2003@yahoo.com Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: ports Ceri 6:13 6 Apr '05   To see what local ports and established connections you active on your machine I would recommend you try TCPView by sysinternals. To see what ports a remote machine has opened then this article basicly explains how it's done and there is a myriad of free port scanner on the web. Just google it and im sure you will find one Sign In·View Thread·PermaLink 3.00/5 (1 vote) Not bad but.... Ceri 5:09 25 Jan '05   There is no need for you to be sending ARP requests to get a remote MAC address, ARP is usually used on LAN's only. All you need to do is set the DST MAC address in your SYN packet as the gateway's MAC address rather than the destination's MAC address, with this method you can then use the iphlpapi function SendARP function just the once to get MAC address for the gateway increasing speed and reliability (SendARP is only win2k onwards mind so if you wanted a broader range of OS support you could revert to sending the initial ARP packet using Winpcap) Sign In·View Thread·PermaLink 2.00/5 (2 votes) Re: Not bad but.... Prashanth Gedde N 8:41 27 Feb '06   I have a doubt, will the ARP requests work if ICMP/PING have been disabled? Is there any dependency? Sign In·View Thread·PermaLink Re: Not bad but.... Ceri 23:07 27 Feb '06   I beleive that ARP is a different subset to the IP protocol than ICMP, so if you have disabled ICMP/PING requests then ARP should still get through as normal Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: Not bad but.... Prashanth Gedde N 23:43 27 Feb '06   Thanks for the reply Sign In·View Thread·PermaLink wondering why the rating is low sudhir mangla 2:38 21 Dec '04   i am wondering why the rating is low for such a good piece ofcode .I gave my 5. thank for code Sudhir Mangla http://Programmerworld.net (Free books , articles , Source Code and Programming Tools and Utilities) Sign In·View Thread·PermaLink Ask for source code thong_lam 17:36 18 Nov '04   Hi. I downloaded your source already but it was too large to understand. Can you give me the function or the way to build it by VC++ with CSocket Class (in console app) to check the port on remote host open or not? input: remote IP:Port output: True/Fault I need it just for my test. Thanks for your help. Thong Lam VN Sign In·View Thread·PermaLink 3.50/5 (2 votes) Re: Ask for source code Nagareshwar 19:19 18 Nov '04   hi You can do like this.. 1) Create CSocket stream object 2) connect(ip , port) 3) if success port is open... This is simple...and more detectable..as well as slow... The portscanner i have developer uses tcp half scanning technique..and its much faster...it may appear slow because of gui and other stuffs.... and its less detectable ..since it does half connection unlike tcp full connection.... "Winners make things to happen" Sign In·View Thread·PermaLink 1.67/5 (3 votes) Re: Ask for source code thong_lam 1:19 22 Nov '04   Hi. I did as what you show and success. And it was also too slow, too. I 'll try to do with half connection. I will ask more. Thanks for your help. Thong Lam VN Sign In·View Thread·PermaLink 2.00/5 (2 votes) Re: Ask for source code thong_lam 19:29 22 Nov '04   Hi Nagareshwar. How can i use CAsyncSocket to check port. Is it the same with csocket. Thong Lam VN Sign In·View Thread·PermaLink 1.00/5 (1 vote) Compling error Piccinano 12:26 15 Nov '04   Hi, compiling the source i get the error: "fatal error C1083: Cannot open include file: 'pcap.h': No such file or directory" How I can solve the problem? Thanks. Regards Piccinano Sign In·View Thread·PermaLink 2.00/5 (1 vote) Re: Compling error Nagareshwar 23:01 15 Nov '04   YOu need to download winpcap developer pack which contains all the header files and lib files.. Note : Download winpcap 3.0 version ..don't download beta version..! "Winners make things to happen" Sign In·View Thread·PermaLink 5.00/5 (1 vote)

Last Visit: 18:34 4 Jul '09     Last Update: 18:34 4 Jul '09 12 Next »