Click here to Skip to main content
15,867,488 members
Articles / Desktop Programming / MFC
Article

PortScanner : Efficient TCP port scanner based on popular TCP Half Open scanning method

Rate me:
Please Sign up or sign in to vote.
4.42/5 (24 votes)
17 Jun 20044 min read 214.9K   10.8K   48   31
A TCP port scanner

Introduction

There are various port scanners which uses simple method of scanning. These applications work at application level and are quite slow. This scanner is faster than normal scanner. It is based on the TCP Half Open Scanning or TCP SYN scanning technique. This method is less detectable than the simple port scanner.

What is Half Open Scanning ?

When any two hosts wants to communicate together connection must be established between them. In case of TCP , three way handshake takes place before any communication begins. This is called Full connection and the process is described below.

  1. First the host A sends the SYN packet (TCP packet with SYN flag set) to host B.
  2. If the port is open then host B responds by sending SYN+ACK packet. else it sends the RST+ACK packet to host B.
  3. Now host A sends the ACK packet to host B. (if SYN+ACK packet is received).

Once the connection is established- both machines can transmit data packet until one of them ends the connection by sending FIN packet. Some of the simple port scanners use this technique. It can be implemented by creating socket and calling Connect method on each port.This is simple to implement but quite slow and moreover it can be easily detected.

Half scanning is more fast and efficient than full scanning technique. Half open connection is explained below.

  1. First the host A sends the SYN packet (TCP packet with SYN flag set) to host B.
  2. If the port is open then host B responds by sending SYN+ACK packet. else it sends the RST+ACK packet to host B.

Since the host A does not send any additional ACK packet , it is called half open connection. Now the host can easily find out if the target port is open or closed. It it receives TCP packet with SYN+ACK flag set, then it means that target port is open. If it receives RST+ACK packet ,it implies that target port is closed.

In this method full handshake does not take place , hence it is quite faster than full scanning method. Since the implementation has to be done at the protocol level , knowledge of TCP/IP protocol suite is essential.

Implementation

Core part of the implementation is sending the TCP packet and ARP packet. This involves building the raw packet by filling all headers. For this we must know MAC address of the source and destination machine. MAC address also called Ethernet address ,is the address associated with Ethernet adapter.

Find source MAC address

There are various methods for obtaining the source MAC address. This method is simple.
IP_ADAPTER_INFO adapter[5]; 
DWORD buflen=sizeof(adapter); 
DWORD status=GetAdaptersInfo(adapter,&buflen); 

Now the adapter structure contain the source MAC address.

Find destination MAC address

This is done by sending ARP packet. ARP packet is used to determine the host's MAC address when its IP address is known. First ARP request packet is sent by specifying the source MAC address, source IP address and destination IP Address. The ARP reply packet contains the destination MAC address. This method also prevents the target host from sending arp packet to source host when the source host sends the first SYN packet during scanning process. From the ARP request packet that we have sent , target host will come to know about the MAC address of the source host.

Scanning process

Scanning process involves building TCP packet.For this one has to prepare the Ethernet Header, IP header and TCP header. Header file packet.h contains the format details for each of these headers. You can refer RFC for details regarding these formats.

Each time during scanning TCP SYN packet is sent with different port numbers. Then the corresponding reply packet is checked for the flag RST+ACK or SYN+ACK. Based upon this flag target port status is determined.

Requirement

You need Winpcap ( Windows version of Libpcap) to run this application. It can be downloaded from this location. It contains the setup file along with good documentation that explains capturing and sending packet in detail. I advice to you to go through the WinPcap documentation before going through the source code.

Running the application

First make sure that you have installed WinPcap , then run the application. Port Scanner dialog box get displayed. Select the capture device, specify the target host and range of port number to be scanned. On starting scan port numbers and their status will be displayed.

Acknowledgement

I am thankful to ( Hacker ) Hr.Ankit Fadia for his great book "Unofficial guide to Ethical Hacking". Most of the technical details that I have mentioned here ,I learnt from this book. If you want more details or you have any doubts , please feel free to drop a mail at nsry2002@yahoo.co.in

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


Written By
Web Developer
India India
Nagareshwar is a security enthusiastic person involved in reverse engineering, vulnerability research, coding security tools etc. He spend most of the time in uncovering the secrets of computer world.

He holds 'Bachelor of Engineering' degree from National Institute of Technology of Karnataka, India. He had professional experience of 2.5 years in Novell. At Novell he was working on various security products including 'Novell Secure Login' and CASA.

For more details visit his website http://securityxploded.com

Comments and Discussions

 
Generalcomplie error Pin
ylfeng8616-Feb-09 2:07
ylfeng8616-Feb-09 2:07 
GeneralRe: complie error Pin
mchanglee27-Dec-13 13:49
mchanglee27-Dec-13 13:49 
Generalcompiler error !!! Pin
jiaruey20-Sep-08 22:22
jiaruey20-Sep-08 22:22 
Generalcompiler errors Pin
jm.alkema17-Feb-07 5:29
jm.alkema17-Feb-07 5:29 
GeneralRe: compiler errors Pin
Member 409551528-Jun-08 6:22
Member 409551528-Jun-08 6:22 
GeneralRe: compiler errors Pin
Member 403423610-Jul-08 1:10
Member 403423610-Jul-08 1:10 
GeneralRe: compiler errors Pin
spicture16-Feb-10 13:14
spicture16-Feb-10 13:14 
QuestionIs there a way to detect Network Printers' IP addresse Pin
Jan Palmer25-Dec-06 20:47
Jan Palmer25-Dec-06 20:47 
Generaluuid.lib(objidl_i.obj) : fatal error LNK1103 Pin
zcxzcx4-Sep-06 19:45
zcxzcx4-Sep-06 19:45 
GeneralRe: uuid.lib(objidl_i.obj) : fatal error LNK1103 Pin
kihong7-Dec-06 17:58
kihong7-Dec-06 17:58 
GeneralRe: uuid.lib(objidl_i.obj) : fatal error LNK1103 Pin
nebulon8-Oct-07 22:15
nebulon8-Oct-07 22:15 
GeneralRe: uuid.lib(objidl_i.obj) : fatal error LNK1103 Pin
duoct12-Mar-08 2:21
duoct12-Mar-08 2:21 
Thanks a million. I was building an unrelated project when I got this error.
GeneralRe: uuid.lib(objidl_i.obj) : fatal error LNK1103 Pin
Jun Du12-Mar-08 11:19
Jun Du12-Mar-08 11:19 
GeneralNo network adapters are present... error Pin
vikramchiruvolu9-Aug-05 5:57
vikramchiruvolu9-Aug-05 5:57 
Generalports Pin
Anonymous20-Mar-05 0:49
Anonymous20-Mar-05 0:49 
GeneralRe: ports Pin
Ceri6-Apr-05 5:13
Ceri6-Apr-05 5:13 
GeneralNot bad but.... Pin
Ceri25-Jan-05 4:09
Ceri25-Jan-05 4:09 
QuestionRe: Not bad but.... Pin
Prashanth Gedde N27-Feb-06 7:41
Prashanth Gedde N27-Feb-06 7:41 
AnswerRe: Not bad but.... Pin
Ceri27-Feb-06 22:07
Ceri27-Feb-06 22:07 
GeneralRe: Not bad but.... Pin
Prashanth Gedde N27-Feb-06 22:43
Prashanth Gedde N27-Feb-06 22:43 
Generalwondering why the rating is low Pin
Sudhir Mangla21-Dec-04 1:38
professionalSudhir Mangla21-Dec-04 1:38 
GeneralRe: wondering why the rating is low Pin
spicture16-Feb-10 13:17
spicture16-Feb-10 13:17 
GeneralAsk for source code Pin
thong_lam18-Nov-04 16:36
thong_lam18-Nov-04 16:36 
GeneralRe: Ask for source code Pin
Nagareshwar18-Nov-04 18:19
Nagareshwar18-Nov-04 18:19 
GeneralRe: Ask for source code Pin
thong_lam22-Nov-04 0:19
thong_lam22-Nov-04 0:19 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.