TCP SYN扫描(使用Winpcap库实现)
0.核心原理
半开扫描(TCP SYN)不同于CSocket和Socket2扫描,后两者扫描都是完成了一个完整的三次握手(即connect函数),而半开扫描则只完成了两次握手就宣告结果,因为仅通过两次握手已读到了要读的数据。
扫描函数的原理就是完成三次握手中的前两次,其中第一次是由扫描器向被扫描的服务器端发送SYN同步数据包,第二次是服务器端回复扫描器ACK确认数据包。按原“计划”,扫描器应该再向服务器发送一个ACK确认包完成三次握手,然而TCP SYN半开扫描在第三次握手时中止该操作或者向服务器端发送FIN结束数据包。
1.使用核心库函数以及核心代码:
#include <pcap.h>
#include <iphlpapi.h>
#pragma comment(lib,"iphlpapi.lib")
#define DEF_BUF_SIZE 100
#define ACK_SYN 1
#define ACK_RST 0
#define ILLEGAL_FLAG -1
#define MAX_FRAME_LEN 1500
//IP地址转换处理
typedef union MultiByteStruct
{//IP地址联合体
int iInt; //int有符号整型
float fFloat; //浮点数
UINT uInt; //无符号整数
ULONG uLong; //ULONG无符号整型
DWORD dwDword; //DWORD有符号整型
WORD wWord[2]; //WORD无符号整型数组
UCHAR ucByte[4]; //无符号字符数组
char cByte[4]; //字符数组
}UNIONIP,*PUNIONIP;
SYNTHREADPARAM SynThreadParam;//传递给TCP SYNSCAN 线程的参数结构体
static USHORT g_uLocalPort=1240;//绑定的本地端口号
USHORT CPortScan_TCPDlg::CheckSum(USHORT *buffer, int size)
{
unsigned long cksum=0;
while(size>1)
{
cksum+=*buffer++;
size-=sizeof(USHORT);
}
if(size)
{
cksum+=*(UCHAR*)buffer;
}
cksum=(cksum>>16)+(cksum&0xffff);
cksum+=(cksum>>16);
return (USHORT)(~cksum);
}
CString IPIntToStr(UINT IPInt)
{
CString IPStr;
UNIONIP IP;
IP.uInt=IPInt;
// IPStr.Format(_T("%d.%d.%d.%d"),IP.ucByte[0],IP.ucByte[1],IP.ucByte[2],IP.ucByte[3]);
IPStr.Format(_T("%d.%d.%d.%d"),IP.ucByte[3],IP.ucByte[2],IP.ucByte[1],IP.ucByte[0]);
return IPStr;
}
//char *->CString
void CharStrToCString(CString *str,const char *char_str)
{
int byteLen=strlen(char_str);
int Charlen=MultiByteToWideChar(CP_ACP,0,char_str,byteLen,NULL,0);
TCHAR *TcharTempItem=new TCHAR[Charlen+1];
MultiByteToWideChar(CP_ACP,0,char_str,byteLen,TcharTempItem,Charlen);
TcharTempItem[Charlen]='\0';
*str=TcharTempItem;//*****
}
void CPortScan_TCPDlg::SynScan_By_WinpCap(UNIONIP uIPBegin,UNIONIP uIPEnd,UINT uPortBegin,UINT uPortEnd)
{
MessageBox(_T("sys scan by winpcap style..."));
PSDHEADER psdHeader; //伪TCP包头
UCHAR *tcp_packet_str=new UCHAR[MIN_TCPPACKET_LEN+1];
PACKET tcp_packet;
UINT SrcIp;
// 获取本地地址信息
char szLocalName[DEF_BUF_SIZE]={0};
gethostname(szLocalName,DEF_BUF_SIZE);
hostent* pHost=gethostbyname(szLocalName);
if(pHost!=NULL)
memcpy(&SrcIp,pHost->h_addr_list[0],pHost->h_length);
else
return ;
//获取网卡设备句柄
pcap_t *fp;
pcap_if_t *d;
GetAdapterHandle(&fp,&d);
if(!fp)
MessageBox(_T("获取网卡设备句柄失败!"));
//recv response packet (ACK+SYN)
//Theread:监听目标主机(UNIONIP uIPBegin,UNIONIP uIPEnd)的TCP响应数据包
SynThreadParam.fp=fp;
SynThreadParam.d=d;
SynThreadParam.uIPBegin=uIPBegin;
SynThreadParam.uIPEnd=uIPEnd;
SynThreadParam.SrcIp=SrcIp;
SynThreadParam.ptr=this;
CString strIP=IPIntToStr(uIPBegin.uInt);
HTREEITEM curr=m_ctlTreeResult.InsertItem(strIP,1,1,TVI_ROOT);
SynThreadParam.TreeItem=curr;
AfxBeginThread(ThreadRecvTCPSYNPacket,&SynThreadParam,THREAD_PRIORITY_IDLE);//监听返回的ACK+SYN数据包
Sleep(1000);//预留做监听的准备时间 或者设置定时器判断 开始发送数据包的时间 12.16
//end for 12.16
for (UINT ip=uIPBegin.uInt;ip<=uIPEnd.uInt;ip++)
{
BYTE SrcMac[6];
BYTE DstMac[6];
GetMacAddress(SrcMac);//
GetMacAddrOfIP(ip,DstMac);//
for(UINT port=m_uPortBegin;port<=m_uPortEnd;port++)
{
memset(tcp_packet_str,0,MIN_TCPPACKET_LEN+1);
memset(&tcp_packet,0,sizeof(PACKET));
//EtherHeader part
memcpy(tcp_packet.ethhead.DestMac,DstMac,6);
memcpy(tcp_packet.ethhead.SrcMac,SrcMac,6);
USHORT type=0x0800;//***以太网帧类型 0x0800 网际协议 ***
tcp_packet.ethhead.Type=htons(type);
//分别自己填充IP头、TCP头、伪TCP头,并计算其中的校验和
//设置IP头
tcp_packet.ipHeader.h_verlen=0x45;
tcp_packet.ipHeader.tos=0;
tcp_packet.ipHeader.total_len=htons(sizeof(IPHEADER)+sizeof(TCPHEADER));
tcp_packet.ipHeader.ident=1;
tcp_packet.ipHeader.frag_and_flags=0;
tcp_packet.ipHeader.ttl=128;
tcp_packet.ipHeader.proto=IPPROTO_TCP;
tcp_packet.ipHeader.checksum=0;
tcp_packet.ipHeader.sourceIP=SrcIp;
tcp_packet.ipHeader.destIP=htonl(ip);//
//设置TCP头
tcp_packet.translayer.tcpHeader.th_sport=htons(g_uLocalPort);
tcp_packet.translayer.tcpHeader.th_dport=htons(port); //
tcp_packet.translayer.tcpHeader.th_seq=htonl(SEQ);
tcp_packet.translayer.tcpHeader.th_ack=0;
tcp_packet.translayer.tcpHeader.th_lenres=(sizeof(TCPHEADER)/4<<4|0);
tcp_packet.translayer.tcpHeader.th_flag=2; //2:SYN;1:FIN;16:ACK
tcp_packet.translayer.tcpHeader.th_win=htons(512);
tcp_packet.translayer.tcpHeader.th_urp=0;
tcp_packet.translayer.tcpHeader.th_sum=0;
//伪TCP头
psdHeader.saddr=tcp_packet.ipHeader.sourceIP;
psdHeader.daddr=tcp_packet.ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(TCPHEADER));
//TCP头校验和 checksum(PsdHeader+TcpHeader)
char tempBuf[40];
memcpy(tempBuf,&psdHeader,sizeof(PSDHEADER));
memcpy(tempBuf+sizeof(psdHeader),&tcp_packet.translayer.tcpHeader,sizeof(TCPHEADER));
tcp_packet.translayer.tcpHeader.th_sum=CheckSum((USHORT*)tempBuf,sizeof(PSDHEADER)+sizeof(TCPHEADER));
//*****IP头校验和 checksum(IpHeader)
memcpy(tempBuf,&tcp_packet.ipHeader,sizeof(IPHEADER));
tcp_packet.ipHeader.checksum=CheckSum((USHORT*)tempBuf,sizeof(IPHEADER));
//数据包流序列化
memcpy(tcp_packet_str,(UCHAR*)&tcp_packet,sizeof(PACKET));
SetDlgItemInt(IDC_PORT_EDIT,port);
if(pcap_sendpacket(fp,tcp_packet_str,sizeof(PACKET)) != 0)//发送数据包 sizeof(PACKET)
{
MessageBox(_T("pcap_sendpacket()函数执行发生错误!"));
return;
}
}
}
}
//[in] Param :{fp,d,IP,ptr,TreeItem...}
UINT ThreadRecvTCPSYNPacket(LPVOID pParam)
{
//capture,resolve,check 12.16
SYNTHREADPARAM *SynThreadParam=(SYNTHREADPARAM *)pParam;
pcap_t *fp=SynThreadParam->fp;
pcap_if_t *d=SynThreadParam->d;
UNIONIP uIPBegin=SynThreadParam->uIPBegin;
UNIONIP uIPEnd=SynThreadParam->uIPEnd;
UINT SrcIp=SynThreadParam->SrcIp;
CPortScan_TCPDlg *ptr=SynThreadParam->ptr;
HTREEITEM curr=SynThreadParam->TreeItem;
const BYTE *pkt_data=new BYTE[MAX_FRAME_LEN];
UINT res;
struct pcap_pkthdr *header;
char *packet_filter_str=new char[100];
char SrcIp_str[16],DstIp_str[16];
SOCKADDR_IN addr_src,addr_dst;
struct bpf_program fcode;
bpf_u_int32 NetMask;
if(d->addresses->netmask)
NetMask=((struct sockaddr_in *)d->addresses->netmask)->sin_addr.s_addr;
else
NetMask=0xffffff;
//filter response tcp packets
//tcp and ip src host (uIPBegin to uIPEnd) and ip dst host localhost
// for (UINT ip=uIPBegin.uInt;ip<=uIPEnd.uInt;ip++)
memset(packet_filter_str,0,100);
strcpy(packet_filter_str,"tcp and ip src host ");
addr_dst.sin_addr.S_un.S_addr=htonl(uIPBegin.uInt);//***only the first destination host(12.16)
strcpy(SrcIp_str,inet_ntoa(addr_dst.sin_addr));//SrcIp
strcat(packet_filter_str,SrcIp_str);
strcat(packet_filter_str," and ip dst host ");
addr_src.sin_addr.S_un.S_addr=SrcIp;
strcpy(DstIp_str,inet_ntoa(addr_src.sin_addr));//DstIp
strcat(packet_filter_str,DstIp_str);
if(pcap_compile(fp, &fcode, packet_filter_str, 1, NetMask)<0)
{
AfxMessageBox(_T("Error compiling filter: wrong syntax."));
return 1;
}
if(pcap_setfilter(fp, &fcode)<0)
{
AfxMessageBox(_T("Error setting the filter."));
return 1;
}
int elapse_times=0;
while((res=pcap_next_ex(fp,&header,&pkt_data))>=0)
{
if(elapse_times>10)//根据超时次数粗略确定已经没有余下的响应数据包
break;
if(res==0)
{
// ptr->MessageBox(_T("获取报文超时!"));
elapse_times++;
continue;
}
//resolve received tcp_packet and check relevant bits
PACKET *TcpPacket=(PACKET *)pkt_data;
int iphead_len=((TcpPacket->ipHeader.h_verlen)&0x0f)*4;
TCPHEADER *TcpHeader=(TCPHEADER *)(pkt_data+sizeof(ETHERNET_HEAD)+iphead_len);
UCHAR flag=TcpHeader->th_flag;
USHORT opened_port=ntohs(TcpHeader->th_sport);//ntohs() 12.16 p.m.
CString strTemp;
if(((flag&0x10)>>4)&((flag&0x02)>>1))//0 0 URG ACK PSH RST SYN FIN
{
struct servent *se;
CString strNameTemp;
se=getservbyport(TcpHeader->th_sport,"tcp");
if(se!=NULL) //get the info of the port and corresponding server name
{
strTemp.Format(_T("%d "),opened_port);
CharStrToCString(&strNameTemp,se->s_name);
strTemp+=strNameTemp;
}
else
strTemp.Format(_T("%d"),opened_port);
ptr->m_ctlTreeResult.InsertItem(strTemp,2,2,curr); //insert the port node into the tree
}
}
if(res == -1)
{
AfxMessageBox(_T("Error reading the packets"));
return 1;
}
ptr->MessageBox(_T("Finished SynScan..."));
return 1;
}
void GetMacAddress(BYTE *mac_addr)
{
IP_ADAPTER_INFO adapter[5]; //Maximum 5 adapters
DWORD buflen=sizeof(adapter);
DWORD status=GetAdaptersInfo(adapter,&buflen);
BYTE s[8];
if(status==ERROR_SUCCESS)
{
PIP_ADAPTER_INFO painfo=adapter;
memcpy(s,painfo->Address,6);
for(int i=0;i<6;i++)
{
mac_addr[i]=s[i];
}
}
}
void GetAdapterHandle(pcap_t **fp,pcap_if_t **d)
{
pcap_if_t *alldevs;
char errbuf[PCAP_ERRBUF_SIZE];
int i,inum;//网卡设备编号
if(pcap_findalldevs(&alldevs, errbuf) == -1)
{
AfxMessageBox(_T("pcap_findalldevs()函数执行发生错误!"));
exit(1);
}
inum=3;//如何动态获取本地连接网卡 --需改进
for (*d=alldevs, i=0; i< inum-1 ;*d=(*d)->next, i++);
if ((*fp = pcap_open_live((*d)->name,65536,1,1000,errbuf)) == NULL)
{
AfxMessageBox(_T("打开适配器发生错误"));
exit(1);
}
}
void GetMacAddrOfIP(UINT ip,BYTE *mac_addr)
{
//获取网卡设备句柄
pcap_t *fp;
pcap_if_t *d;
GetAdapterHandle(&fp,&d);
if(!fp)
AfxMessageBox(_T("获取网卡设备句柄失败!"));
// 获取本地地址信息:IP和MAC
UINT SrcIP;
UINT DstIP=ip;//[in] formal parameter
BYTE SrcMac[6];
BYTE DstMac[6];
char szLocalName[DEF_BUF_SIZE]={0};
gethostname(szLocalName,DEF_BUF_SIZE);
hostent* pHost=gethostbyname(szLocalName);
if(pHost!=NULL)
memcpy(&SrcIP,pHost->h_addr_list[0],pHost->h_length);
else
return ;
GetMacAddress(SrcMac);
memset(DstMac,0xff,6);
//1.构造ARP请求包
//SrcMac SrcIP DstMac DstIP=ip
ARP_PACKET arp_request;
USHORT type=0x0806;
USHORT hardware_type=0x0001;
USHORT protocol_type=0x0800;
BYTE mac_len=0x06;
BYTE ip_len=0x04;
USHORT option=0x0001;//1 Request
//MAC Frame Head
memset(&arp_request,0,sizeof(ARP_PACKET));
memcpy(arp_request.EthHead.DestMac,DstMac,6);
memcpy(arp_request.EthHead.SrcMac,SrcMac,6);
arp_request.EthHead.Type=htons(type);
//ARP Request Head
arp_request.ArpFrame.hardware_type=htons(hardware_type);
arp_request.ArpFrame.protocol_type=htons(protocol_type);
arp_request.ArpFrame.add_len=mac_len;
arp_request.ArpFrame.pro_len=ip_len;
arp_request.ArpFrame.option=htons(option);
memcpy(arp_request.ArpFrame.sour_addr,SrcMac,6);
arp_request.ArpFrame.sour_ip=SrcIP;//SrcIP: net sequence
memcpy(arp_request.ArpFrame.dest_addr,DstMac,6);
arp_request.ArpFrame.dest_ip=htonl(DstIP);//DstIP UINT:host sequence
memset(arp_request.ArpFrame.padding,0x00,18);
if(pcap_sendpacket(fp,(BYTE *)&arp_request,sizeof(arp_request)) != 0)
{
AfxMessageBox(_T("pcap_sendpacket()函数执行发生错误!"));
return;
}
//2.recv arp response packet
const BYTE *pkt_data;
UINT res;
struct pcap_pkthdr *header;
char *packet_filter_str=new char[100];
char mac_str[18];
char ip_str[16];
struct bpf_program fcode;
bpf_u_int32 NetMask;
if(d->addresses->netmask)//掩码不为空
NetMask=((struct sockaddr_in *)d->addresses->netmask)->sin_addr.s_addr;
else
NetMask=0xffffff;//默认为 C类网络
GetMacStrFromByte(SrcMac,mac_str);//MAC Str
SOCKADDR_IN addr;
addr.sin_addr.S_un.S_addr=htonl(DstIP);//************下面的innet_ntoa()参数是--网络上--的一个IP地址************
strcpy(ip_str,inet_ntoa(addr.sin_addr));//IP Str
//packet_filter_str="arp and ether dst str(SrcMac) and src host str(DstIP)"
//packet_filter_str += arp_request.ArpFrame.option=0x0002
memset(packet_filter_str,0,100);
strcpy(packet_filter_str,"arp and ether dst ");
strcat(packet_filter_str,mac_str);
strcat(packet_filter_str," and src host ");
strcat(packet_filter_str,ip_str);
if(pcap_compile(fp, &fcode, packet_filter_str, 1, NetMask)<0)
{
AfxMessageBox(_T("Error compiling filter: wrong syntax."));
return;
}
if(pcap_setfilter(fp, &fcode)<0)
{
AfxMessageBox(_T("Error setting the filter."));
return ;
}
/* Capture data */
while((res = pcap_next_ex(fp,&header,&pkt_data))>=0)
{
if(res == 0)/* Timeout elapsed */
continue;
if(pkt_data)
break;
}
if(res == -1)
{
AfxMessageBox(_T("Error reading the packets"));
return;
}
//3.resolve response arp arp packet of sour_addr attribute
//const BYTE * pkt_data -->SrcMac
ETHERNET_HEAD *Ether_Header=(ETHERNET_HEAD *)pkt_data;
memcpy(mac_addr,Ether_Header->SrcMac,6);
}
void GetMacStrFromByte(BYTE *SrcMac,char *mac_str)
{
/*
In: SrcMac={00,30,18,A3,D2,8E};
Out: mac_str="00:30:18:A3:D2:8E"
*/
char *MacStr=new char[18];
memset(MacStr,0,18);
for(int i=0;i<6;i++)
{
MacStr[3*i]=GetHexChar((SrcMac[i]&0xf0)>>4);
MacStr[3*i+1]=GetHexChar(SrcMac[i]&0x0f);
if(i<=4)
MacStr[3*i+2]=':';
}
strcpy(mac_str,MacStr);
}
char GetHexChar(BYTE HexNum)
{
if(HexNum>=0&&HexNum<=9)
return '0'+HexNum;
else if(HexNum>=0xA&&HexNum<=0xF)
return 'A'+HexNum-0xA;
else
{
AfxMessageBox(_T("Illegal HexNum!"));
return 0;
}
}
(1)
TCP SYN扫描结果:发现目标主机出现超时重ACK+SYN 数据包的现象
第一个重传(TCP Retransmission)的数据包是来自目标主机的端口netbios-ssn(139)的数据包
使用Wireshark工具得到该数据包的SEQ/ACK分析:判断为可疑的重传数据包
(2)
添加端口对应的服务名称之后,最终的运行结果:
(3)使用nmap扫描工具进行对比:
3.忽略掉的问题
只扫描了知名端口(1-1024);
没有动态识别本地连接对应的网卡;
没有对重传数据包的判定;
只考虑了对单一主机的扫描,没有考虑多个目标主机的情况;
获取的端口服务名只是使用getservbyport()从本地配置文件读取;
接收TCP响应包的线程函数的退出仅仅根据超时次数,没有恰当处理退出的条件;
其它
......
4.定义的相关数据结构
#pragma pack (1)
typedef struct SYNThreadParamStruct
{
pcap_t *fp;
pcap_if_t *d;
UNIONIP uIPBegin;
UNIONIP uIPEnd;
UINT SrcIp;
CPortScan_TCPDlg *ptr;
HTREEITEM TreeItem;
}SYNTHREADPARAM;
//以太网帧头
typedef struct _ETHERNET_HEAD
{
BYTE DestMac[6];//目的MAC地址
BYTE SrcMac[6];//源MAC地址
USHORT Type;//协议类型 IP(0x0800) ARP(0x0806是ARP帧的类型值) RARP
}ETHERNET_HEAD;//14Bytes
typedef struct _ARP_HEADER
{
//固定头长度:28Bytes
USHORT hardware_type; //硬件类型:以太网接口类型为1
USHORT protocol_type; //协议类型:IP协议类型为0X0800
BYTE add_len; //硬件地址长度:MAC地址长度为6B
BYTE pro_len; //协议地址长度:IP地址长度为4B
USHORT option; //操作:ARP请求为1,ARP应答为2
BYTE sour_addr[6]; //源MAC地址:发送方的MAC地址
UINT sour_ip; //源IP地址:发送方的IP地址
BYTE dest_addr[6]; //目的MAC地址:ARP请求中该字段没有意义;ARP响应中为接收方的MAC地址
UINT dest_ip; //目的IP地址:ARP请求中为请求解析的IP地址;ARP响应中为接收方的IP地址
BYTE padding[18]; //填充字符长度=以太网最小帧长(64Bytes)-MAC帧头(14Bytes)-ARP包固定长度(28Bytes)-帧校验序列FCS(4Bytes)
}ARP_HEADER,*PARP_HEADER;
// ARP Packet = ETHERNET_HEAD + ARP_HEADER
typedef struct _ARP_PACKET
{
ETHERNET_HEAD EthHead;
ARP_HEADER ArpFrame;
}ARP_PACKET,*PARP_PACKET;
typedef struct _iphdr
{
unsigned char h_verlen; //4位IP版本号+4位首部长度
unsigned char tos; //8位服务类型TOS
unsigned short total_len; //16位总长度(字节)
unsigned short ident; //16位标识 标记当前分片为第几个分片
unsigned short frag_and_flags; //3位标志位+13位片偏移
unsigned char ttl; //8位生存时间 TTL
unsigned char proto; //8位协议(TCP、UDP或其他协议)
unsigned short checksum; //16位IP首部校验和
unsigned int sourceIP; //32位源IP地址
unsigned int destIP; //32位目的IP地址
}IPHEADER;
//TCP伪首部的作用主要是进行校验和的计算
typedef struct psd_hdr //定义TCP伪首部 12Bytes
{
unsigned long saddr; //源地址
unsigned long daddr; //目的地址
char mbz;
char ptcl; //协议类型
unsigned short tcpl; //TCP长度
}PSDHEADER;
typedef struct _tcphdr //定义TCP首部
{
USHORT th_sport; //16位源端口
USHORT th_dport; //16位目的端口
unsigned int th_seq; //32位序列号
unsigned int th_ack; //32位确认号
unsigned char th_lenres; //4位首部长度/6位保留字
unsigned char th_flag; //6位标志位
USHORT th_win; //16位窗口大小
USHORT th_sum; //16位校验和
USHORT th_urp; //16位紧急数据偏移量
}TCPHEADER;
//数据包
typedef struct _packet
{
ETHERNET_HEAD ethhead;
IPHEADER ipHeader;
union Translayer
{
TCPHEADER tcpHeader;
UDPHEADER udpHeader;
ICMPHEADER icmpHeader;
}translayer;
//char padding[10];//填充字符
}PACKET;
#pragma pack()