Scans anything from class C's to the entire internet for broadcast to use with DoS attacks. It has a decent amount of versatility. Read the comments prior to usage.
c0ddc7fb338978523aa42832beb988f9f39fc117eb8f2b811327aca26d9e6aff/*
* smurfscan.c by lore
* <fiddler@antisocial.com>
*
* - This code is not to be compiled under any circumstances -
*
* The author takes NO responsibility for your actions. This code
* is for example purposes only.
*
*/
/*
This code CAN be used to scan for broadcasts.
If you want to scan class C, lets say, 198.142.111.255, simply type
./ss c 198.142.111
To scan the class B, type
./ss b 198.142
And the class A, type
./ss a 198
To scan the entire internet, just type
./ss x
Alternatively, you can put a list of broadcast IPs in a file, then
scan all of them with,
./ss f filename
smurfscan will give output like,
198.123.55.255 201
This tells you that the broadcast address 198.123.55.255 has 201
DUPs.
You can change the output so it display only the IP address, let's say,
if you were making a broadcast file for a DoS exploit with,
./ss o c 198.123.55
You can verify the number of seconds the scanner waits to receive
DUPs by using the 't' flag
./ss t 10 c 198.123.55
That will make it wait 10 seconds for DUPs, default is 3.
To make the scanner only display broadcasts that have a minimum
number of DUPs use the 'd' flags,
./ss d 100 c 198.123.55
Will only display broadcasts with DUPs about 100.
So, one big command would be:
./ss d 100 o t 2 x
Will only display broadcasts with DUPs above 100, will only output
the IP, will wait 2 seconds for DUPs and will scan the entire net.
Easy huh?
*/
#define _BSD_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <time.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <unistd.h>
#define TRUE 0x00000001
#define FALSE 0x00000000
#define ERR 0xffffffff
typedef short bool;
typedef struct ip ip_h;
typedef struct icmphdr icmp_h;
typedef u_long ip_t;
typedef u_short sock_t;
#define IP_SIZE (sizeof(ip_h))
#define ICMP_SIZE (sizeof(icmp_h))
#define IP_OFF (0)
#define ICMP_OFF (IP_SIZE)
#define PSIZE (IP_SIZE + ICMP_SIZE)
typedef struct icmp_pckt {
char buf[PSIZE];
ip_h * ip_ptr;
icmp_h * icmp_ptr;
} icmp_pckt;
#define ISIZE (sizeof(struct icmp_pckt))
typedef struct ip_hold {
u_char a;
u_char b;
u_char c;
u_char d;
} ip_hold;
int main __P ((int, char * *));
int send_icmp __P ((sock_t, icmp_pckt *, ip_t));
int recv_icmp __P ((sock_t, icmp_pckt *));
void usage __P ((void));
void scan_all __P ((void));
void scan_class_a __P ((u_char));
void scan_class_b __P ((u_char, u_char));
void scan_class_c __P ((u_char, u_char, u_char));
int scan_file __P ((u_char *));
ip_t MAKE_IP __P ((u_char, u_char, u_char, u_char));
u_short checks __P ((u_short *, int));
void ipconv __P ((u_char *, ip_hold *));
bool my_poll __P ((sock_t, int, int));
bool match_ip __P ((ip_t, ip_t));
int G_TIMEOUT = 3;
int G_DUPS = 0;
int G_OIP = 0;
int main (int argc, char * * argv)
{
ip_hold iph;
fprintf(stderr, "\nSmurfScan by lore <fiddler@antisocial.com>\n\n");
++argv; --argc;
if (!argv || !*argv) usage();
while (argv && *argv)
{
switch (**argv)
{
case ('t'): case ('T'):
{
if (!++argv || !*argv) usage();
G_TIMEOUT = atoi(*argv);
break;
}
case ('d'): case ('D'):
{
if (!++argv || !*argv) usage();
G_DUPS = atoi(*argv);
break;
}
case ('o'): case ('O'):
{
G_OIP = 1;
break;
}
case ('c'): case ('C'):
{
if (!++argv || !*argv) usage();
ipconv(*argv, &iph);
scan_class_c(iph.a, iph.b, iph.c);
break;
}
case ('b'): case ('B'):
{
if (!++argv || !*argv) usage();
ipconv(*argv, &iph);
scan_class_b(iph.a, iph.b);
break;
}
case ('a'): case ('A'):
{
if (!++argv || !*argv) usage();
ipconv(*argv, &iph);
scan_class_a(iph.a);
break;
}
case ('x'): case ('X'):
{
scan_all();
break;
}
case ('f'): case ('F'):
{
if (!++argv || !*argv) usage();
scan_file(*argv);
break;
}
default: usage();
}
++argv;
}
fprintf(stdout, "Scan finished\n");
return (EXIT_SUCCESS);
}
int send_icmp (sock_t sock, icmp_pckt * mem, ip_t to)
{
struct sockaddr_in sa;
memset(mem, 0, ISIZE);
mem->ip_ptr = (ip_h *)(mem->buf + IP_OFF);
mem->icmp_ptr = (icmp_h *)(mem->buf + ICMP_OFF);
mem->ip_ptr->ip_hl = 5;
mem->ip_ptr->ip_v = 4;
mem->ip_ptr->ip_tos = 0;
mem->ip_ptr->ip_len = htons(PSIZE);
mem->ip_ptr->ip_id = 0;
mem->ip_ptr->ip_off = 0;
mem->ip_ptr->ip_ttl = 255;
mem->ip_ptr->ip_p = IPPROTO_ICMP;
mem->ip_ptr->ip_sum = checks((u_short *)mem->ip_ptr, IP_SIZE);
mem->ip_ptr->ip_src.s_addr = INADDR_ANY;
mem->ip_ptr->ip_dst.s_addr = to;
mem->icmp_ptr->type = ICMP_ECHO;
mem->icmp_ptr->code = 0;
mem->icmp_ptr->checksum = checks((u_short *)mem->icmp_ptr, ICMP_SIZE);
sa.sin_port = 0;
sa.sin_addr.s_addr = to;
sa.sin_family = AF_INET;
return (sendto(sock, mem->buf, PSIZE, 0, (struct sockaddr *)&sa,
sizeof(struct sockaddr_in)));
}
int recv_icmp (sock_t sock, icmp_pckt * mem)
{
memset(mem, 0, ISIZE);
if ((recv(sock, mem->buf, PSIZE, 0)) <= 0) return (FALSE);
mem->ip_ptr = (ip_h *)(mem->buf + IP_OFF);
mem->icmp_ptr = (icmp_h *)(mem->buf + ICMP_OFF);
return (TRUE);
}
void usage (void)
{
fprintf(stderr, "
Usage: ./ss c <class c> --> Scan a class C
Or: ./ss b <class b> --> Scan a class B
Or: ./ss a <class a> --> Scan a class A
Or: ./ss x --> Scan everything
Or: ./ss f <file> --> Scan all IPs in a file
Options: (put these before the above)
o --> Display only IP
d --> Minimum number of DUPs
t --> Timeout\n\n");
exit(EXIT_SUCCESS);
}
void scan_all (void)
{
u_char a;
for (a = 1; a < 255; ++a) scan_class_a(a);
}
void scan_class_a (u_char a)
{
u_char b;
for (b = 1; b < 255; ++b) scan_class_b(a, b);
}
void scan_class_b (u_char a, u_char b)
{
u_char c;
for (c = 1; c < 255; ++c) scan_class_c(a, b, c);
}
u_char * strip (ip_t ipaddr)
{
struct in_addr addr;
addr.s_addr = ipaddr;
return (inet_ntoa(addr));
}
void scan_class_c (u_char a, u_char b, u_char c)
{
ip_t ipaddr = MAKE_IP(a, b, c, 255);
icmp_pckt ipt;
int count = 0;
sock_t in_sock;
sock_t out_sock;
char * yes = "1";
int to = G_TIMEOUT * 100;
in_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
out_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
setsockopt(out_sock, IPPROTO_IP, IP_HDRINCL, &yes, 1);
setsockopt(out_sock, SOL_SOCKET, SO_BROADCAST, &yes, 1);
send_icmp(out_sock, &ipt, ipaddr);
while (to)
{
if (my_poll(in_sock, 0, 1))
{
recv_icmp(in_sock, &ipt);
if (match_ip(ipt.ip_ptr->ip_src.s_addr, ipaddr))
{
++count;
}
}
--to;
}
if (count && count >= G_DUPS)
{
if (G_OIP) fprintf(stdout, "%s\n", strip(ipaddr));
else fprintf(stdout, "%s %d\n", strip(ipaddr), count);
}
fflush(stdout);
close(in_sock);
close(out_sock);
}
int scan_file (u_char * path)
{
FILE * fp;
u_char line[100];
ip_hold iph;
if (!(fp = fopen(path, "r")))
{
return (FALSE);
}
while (!feof(fp))
{
fgets(line, 100, fp);
ipconv(line, &iph);
scan_class_c(iph.a, iph.b, iph.c);
}
fclose(fp);
return (TRUE);
}
ip_t MAKE_IP (u_char a, u_char b, u_char c, u_char d)
{
ip_t ret = 0;
int bit;
for (bit = 0; bit < 8; ++bit)
{
if (a & (1 << bit)) ret |= (1 << bit);
if (b & (1 << bit)) ret |= (1 << (bit + 8));
if (c & (1 << bit)) ret |= (1 << (bit + 16));
if (d & (1 << bit)) ret |= (1 << (bit + 24));
}
return (ret);
}
/* This function is not by me, it's from the ping.c source */
u_short checks (u_short *addr, int len)
{
register int nleft = len;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *addr++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)addr;
sum += answer;
}
sum = (sum >> 16) + (sum + 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
void ipconv (u_char * string, ip_hold * iph)
{
memset(iph, 0, sizeof(ip_hold));
sscanf(string, "%d.%d.%d", &iph->a, &iph->b, &iph->c);
}
bool my_poll (sock_t fd, int secs, int usecs)
{
fd_set in_set;
struct timeval tv;
FD_ZERO(&in_set);
FD_SET(fd, &in_set);
tv.tv_sec = secs;
tv.tv_usec = usecs;
if ((select(fd + 1, &in_set, NULL, NULL, &tv)) > 0) return (TRUE);
return (FALSE);
}
bool match_ip (ip_t ipaddr, ip_t broad)
{
u_char a, b, c;
int bit;
a = b = c = 0;
for (bit = 0; bit < 8; ++bit)
if (ipaddr & (1 << bit)) a |= (1 << bit);
for (bit = 8; bit < 16; ++bit)
if (ipaddr & (1 << bit)) b |= (1 << (bit - 8));
for (bit = 16; bit < 24; ++bit)
if (ipaddr & (1 << bit)) c |= (1 << (bit - 16));
if (MAKE_IP(a, b, c, 255) == broad) return (TRUE);
return (FALSE);
}
/* EOF */
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed