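/*
 * Basic IP Scanning techniques used by worms
 *
 * - Vivek Ramachandran ( vivek@security-freak.net )
 *
 * This program only prints the candidate addresses that three target
 * selection strategies (sequential, local subnet, random) would produce.
 * It opens one socket to query the local interface and sends no traffic
 * to any of the printed addresses.
 *
 * NOTE(review): the header names of the original #include lines were lost
 * when the page was extracted; the set below is what the code needs on a
 * POSIX/Linux system, not a copy of the author's list.
 */

#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* struct ifreq / IFNAMSIZ under strict -std=c11 */
#endif

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

_Static_assert(sizeof(struct sockaddr_in) <= sizeof(struct sockaddr),
               "sockaddr_in must fit in the ifreq address slot");

/**
 * Seed rand() from the wall clock.
 *
 * The seed is the current time in whole seconds, so two runs started in the
 * same second print the same "random" list. For an analyst this means the
 * sequence can be reproduced once the start time is known.
 */
void SeedRandomNoGenerator(void)
{
    struct timeval tv;

    /* The timezone argument is obsolete; NULL is the portable choice. */
    if (gettimeofday(&tv, NULL) != 0) {
        perror("gettimeofday");
        tv.tv_sec = 0; /* do not seed from an uninitialised value */
    }

    srand((unsigned int)tv.tv_sec);
}

/*
 * Run one interface ioctl (SIOCGIFADDR / SIOCGIFNETMASK) for `device` and
 * leave the kernel's answer in *req. Returns 0 on success, -1 on failure.
 * The query socket is closed on every path.
 */
static int QueryInterface(const char *device, unsigned long request,
                          struct ifreq *req)
{
    int sock;
    int rc;

    if (device == NULL || device[0] == '\0') {
        fprintf(stderr, "No interface name given\n");
        return -1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("socket");
        return -1;
    }

    memset(req, 0, sizeof *req);
    /*
     * Bounded, NUL-terminated copy. The earlier memcpy of IFNAMSIZ-1 bytes
     * read past the end of any interface name shorter than that.
     */
    snprintf(req->ifr_name, sizeof req->ifr_name, "%s", device);

    rc = ioctl(sock, request, req);
    if (rc < 0) {
        printf("IOCTL failed !\n");
    }

    close(sock);
    return (rc < 0) ? -1 : 0;
}

/**
 * Return the IPv4 address of `device` in network byte order.
 *
 * @param device interface name, e.g. the value given as argv[1]
 * @return the address, or 0 if the socket or ioctl call failed
 */
unsigned int GetLocalIp(char *device)
{
    struct ifreq req;
    struct sockaddr_in addr;

    if (QueryInterface(device, SIOCGIFADDR, &req) != 0) {
        return 0;
    }

    /* Copy instead of casting the pointer, to avoid aliasing problems. */
    memcpy(&addr, &req.ifr_addr, sizeof addr);
    return addr.sin_addr.s_addr;
}

/**
 * Return the IPv4 netmask of `device` in network byte order.
 *
 * @param device interface name, e.g. the value given as argv[1]
 * @return the netmask, or 0 if the socket or ioctl call failed
 */
unsigned int GetNetmask(char *device)
{
    struct ifreq req;
    struct sockaddr_in mask;

    if (QueryInterface(device, SIOCGIFNETMASK, &req) != 0) {
        return 0;
    }

    memcpy(&mask, &req.ifr_netmask, sizeof mask);
    return mask.sin_addr.s_addr;
}

/**
 * Return the next rand() value, used by the caller as an IPv4 address.
 *
 * rand() yields a value in [0, RAND_MAX]; it is not guaranteed to cover all
 * 32 bits, so this is a sketch of random selection, not a uniform draw.
 * Random selection mostly lands on unused addresses, which is why sensors
 * watching unallocated address space observe this kind of activity.
 */
unsigned int GenerateRandomIp(void)
{
    return (unsigned int)rand();
}

/**
 * Advance *seed to the numerically next IPv4 address and return it.
 *
 * The value is kept in network byte order; the increment is done in host
 * order so the carry moves between octets correctly. Consecutive targets
 * are the signature of this strategy from a monitoring point of view.
 *
 * @param seed in/out address in network byte order; NULL returns 0
 */
unsigned int SequentialScan(unsigned int *seed)
{
    if (seed == NULL) {
        return 0;
    }

    *seed = htonl(ntohl(*seed) + 1);
    return *seed;
}

/**
 * Print every address in the subnet that contains `ip`.
 *
 * Starts at the network address and increments until the masked value no
 * longer matches the network. A zero netmask (which is also what
 * GetNetmask() returns on failure) would never leave the loop, so it is
 * rejected up front.
 */
void SubnetScan(struct in_addr ip, struct in_addr netmask)
{
    struct in_addr victim;
    const in_addr_t network = ip.s_addr & netmask.s_addr;

    if (netmask.s_addr == 0) {
        fprintf(stderr, "SubnetScan: empty netmask, nothing to enumerate\n");
        return;
    }

    victim.s_addr = network;
    while ((victim.s_addr & netmask.s_addr) == network) {
        printf("Victim IP is %s\n", inet_ntoa(victim));
        victim.s_addr = htonl(ntohl(victim.s_addr) + 1);
    }
}

/*
 * argv[1] - Interface whose address and netmask are read
 * argv[2] - No of victim IPs to generate
 */
int main(int argc, char **argv)
{
    struct in_addr ip;
    struct in_addr netmask;
    struct in_addr victim_ip;
    unsigned int temp_ip;
    char *device;
    char *end = NULL;
    long count;
    long remaining;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <interface> <count>\n",
                (argc > 0) ? argv[0] : "ipscan");
        return 1;
    }
    device = argv[1];

    /* strtol instead of atoi: a negative or garbage count must not start
     * a loop that runs until the counter wraps. */
    errno = 0;
    count = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE ||
        count < 0 || count > INT_MAX) {
        fprintf(stderr, "Invalid count: %s\n", argv[2]);
        return 1;
    }

    /* Find the host's IP address and netmask; both return 0 on failure. */
    ip.s_addr = GetLocalIp(device);
    netmask.s_addr = GetNetmask(device);
    if (ip.s_addr == 0 || netmask.s_addr == 0) {
        fprintf(stderr, "Could not read address/netmask for %s\n", device);
        return 1;
    }

    printf("Local Host IP = %s\n", inet_ntoa(ip));
    printf("Netmask = %s\n\n", inet_ntoa(netmask));

    SeedRandomNoGenerator();

    /* Sequential scan output */
    temp_ip = ip.s_addr;
    printf("Sequential Scan:\n\n");
    for (remaining = count; remaining > 0; remaining--) {
        victim_ip.s_addr = SequentialScan(&temp_ip);
        printf("Victim IP = %s\n", inet_ntoa(victim_ip));
    }

    /* Subnet scan output */
    printf("\n\nSubnet Scan:\n\n");
    SubnetScan(ip, netmask);

    /* Random scan output */
    printf("\n\nRandom Scan\n\n");
    for (remaining = count; remaining > 0; remaining--) {
        /* inet_ntoa() takes a struct in_addr, not a bare integer. */
        victim_ip.s_addr = GenerateRandomIp();
        printf("Victim IP: %s\n", inet_ntoa(victim_ip));
    }

    return 0;
}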