从编程到入侵
大家是不是大都使用别人的工具来搞入侵呢, 我也是, 不过从学了编程以后, 老是想自己写点程序, 然后用它来入侵,这里就是教你如何实现自己的的梦想。
今天所要演示的是telnet的入侵, 近来的sunos_telnet搞的风风火火.
1.扫描一个IP段, 所以要写个IP扫描器
2.Telnet banner check, 看telnet的反应, 所以要写个system os check depent op telnet.
3.用sunos_telnet来测试, sunos_telnet.exe网上有下载.
第一步:
/* simple tcp portscan */
/* 只对一个IP的扫描 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define START_PORT 1
#define STOP_PORT 1024
struct sockaddr_in addr; /* 以struct sockaddr_in 结构定义 addr */
struct hostent *host;
struct servent *reply;
int sock, i;
int start_port; /* 起始端口 */
int stop_port; /* 结束端口 */
int usage(char *pro) /* 帮助 */
{
printf(" simple TCP scanner\n");
printf("usage: %s \n",pro);
exit(1);
}
int scan(int port) /* scan() 扫描 */
{
if((sock = socket(AF_INET,SOCK_STREAM,0)) < 0) { /* 建立socket描述符 */
printf("scan errno -> socket\n");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *(struct in_addr *)host->h_addr;
if((connect(sock,(struct sockaddr *)&addr,sizeof(addr))) == 0) /*
建立连接,判断端口 */
return 0; /* 成功 */
else
return 1; /* 失败 */
}
int main(int argc,char *argv[]) /* 主程序 */
{
char *service;
if(argc != 4)
usage(argv[0]);
start_port = atoi(argv[2]); /* 将argv[2]转换成整数*/
stop_port = atoi(argv[3]); /* 将argv[3]转换成整数*/
if(strcmp(argv[2],"-")== 0 && strcmp(argv[3],"-")== 0) { /* 对比 argv[2] argv[
3] 和 "-"符号 */
start_port = START_PORT; /* 如果是 "-" 的话,起始端口等于1 */
stop_port = STOP_PORT; /* 如果是 "-" 的话,结束端口等于1 */
}
if(start_port > stop_port) { /* 如果起始端口大于结束端口 */
printf(" start port can not greater than stop port.\n");
usage(argv[0]);
exit(1);
}
if((host = gethostbyname(argv[1])) == NULL) { /* 用gethostbyname()
来得到对方的信息 */
printf("can't get host info %s \n",argv[1]);
exit(1);
}
printf("Scanning host %s from %d to %d ......................\n",argv[1],
start_port,stop_port);
for(i=start_port;i<=stop_port;i++) /* 使用for语句对每个端口进行连接 */
{
if(scan(i) == 0) {
reply = getservbyport(htons(i),"tcp"); /* 用getservbyport得到端口信息 */
if(reply == NULL) /* 无法得到端口信息 */
service = "Uknown";
else
service = reply->s_name; /* reply->s_name 是端口服务 */
printf("Port %5d is open. \tservice <%s>\n",i,service);
}
close(sock);
}
}
/*****************************************************************************/
看懂上面的代码吗? 如果你看不懂的话, 或编写不成功, 就用superscan吧,
superscan扫描结果:
* + 209.249.191.73
|___ 23 Telnet
|___ ............
* + 209.249.191.74
|___ 23 Telnet
* + 209.249.191.75
|___ 23 Telnet
|___ ..... ..#..'
* + 209.249.191.76
|___ 23 Telnet
|___ ..... ..#..'
* + 209.249.191.77
|___ 23 Telnet
* + 209.249.191.78
|___ 23 Telnet
|___ ..... ..#..'
* + 209.249.202.166
|___ 23 Telnet
|___ ..... ..#..'
* + 209.249.202.167
|___ 23 Telnet
|___ ..... ..#..'
* + 209.249.202.168
|___ 23 Telnet
|___ ..... ..#..'
* + 209.249.242.3
|___ 23 Telnet
|___ ............
* + 209.249.242.14
|___ 23 Telnet
|___ ................User Access Verification....Password:
* + 209.249.249.171
|___ 23 Telnet
|___ ........#..'..$
* + 209.249.249.172
|___ 23 Telnet
|___ ........#..'..$
是不是很讨厌前面的 * + 和 |___ 23 Telnet |___ ........#..'..$ 东西呢, 那再写个程序搞定它,
/*************************superscan clear.c************************/
#include
main(int argc,char *argv[])
{
FILE *in; /* inputfile定义 */
FILE *out; /* outputfile 定义 */
char buf[1024]; /* 缓冲区 */
int i,j;
if(argc<3)
{
printf("usage : %s ",argv[0]);
exit();
}
in = fopen(argv[1],"r"); /* 读文件并差错 */
if(in == NULL)
puts("File open error");
out = fopen(argv[2],"w"); /* 写文件并查错 */
if(out == NULL)
puts("File write error");
while(fgets(buf,21,in) != NULL) /* 输入字串 */
{
for(i=0;i<18;i++)
{
if(buf[i] == '*') /* 字串替换 */
{
for(j=0;j<17;j++)
{
buf[i+j] = buf[i+4+j];
}
buf[i+17]='\n';
fputs(buf,out); /* 写入 */
}
}
}
fclose(in);
fclose(out);
}
/**************************************************************************/
用tc来编辑,可达到最好效果.
使用:
c:\> clear inputfile.txt outputfile.txt
inputfile 是superscan扫描结果文件
outputfile 是处理后要生成的文件,生成后为IP文件
第2步
通过telnet的返回banner来确定对反的系统类型.比如
c:\>telnet 209.249.249.171
SunOS 5.8
login:
从而判断对反的系统类型。
/**************************************************************************/
#include
#include
#include
#include
#include
#include
#include
#define PORT 23 /* 定义端口 */
#define MAX 1024 /* buf的长度 */
FILE *output; /* 定义outputfile */
main(int argc,char *argv[])
{
FILE *input; /* 定义inputfile */
char scan_ip[1024];
if(argc < 4)
{
usage(argv[0]);
exit(1);
}
if(argc== 4) {
if((output = fopen(argv[2],"w")) == NULL) { /* 创建并写入文件 */
printf("could not creat the outputfile\n");
exit(2);
}
fputs("\n",output);
if((input = fopen(argv[1],"r")) == NULL) { /* 读文件 */
printf("could not read the inputfile\n");
exit(2);
}
}
while(fscanf(input,"%s",&scan_ip) != EOF) /* 读取IP */
{
telnet_banner(scan_ip,argv[3]); /* telnet_banner()判断系统类型 */
}
exit(1);
}
int usage(char *pro) /* 帮助 */
{
printf(" System OS detector V0.1\n");
printf(" Welcome to www.9836.com \n");
printf("usage: %s \n",pro);
printf("System OS 1.Sunos 2. Redhat 3. FreeBSD \n");
}
telnet_banner(char *ip,char *os)
{
struct sockaddr_in addr;
u_char buf[MAX];
int sock,size,i;
if((sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP)) == -1) {
printf(" socket failt");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ip);
if(connect(sock,(struct sockaddr *)&addr,sizeof(addr)) == -1) {
printf("connect failt");
exit(1);
}
while (1) { /* 接收banner的循环 */
memset (buf, 0, sizeof (buf)); /* buf的内容置为0 */
if ((size = read (sock, buf, 1)) <= 0) /* 从 sock缓冲中读出第一个字 */
break; /* 等待接收完毕 */
if (*buf == (unsigned int) 255) { /* 如何为空的话,在读入2个字 */
read (sock, (buf + 1), 2);
if (*(buf + 1) == (unsigned int) 253 && !(u_char) * (buf + 2) )
;
else if ((u_char) * (buf + 1) == (unsigned int) 253) { /* 如果buf[1]的内容为 253的话, 设置buf[1]为252,写入sock缓冲 */
*(buf + 1) = 252;
write (sock, buf, 3);
}
} else {
if (*buf != 0) {
bzero (buf, sizeof (buf));
read (sock, buf, sizeof (buf));
close(sock);
if( *os == 49) /* system os 为 1 */
if(strstr(buf,"SunOS") != 0) {
fprintf(output,"* scanhost %s",ip);
buf[12] = buf[14];
fprintf(output," \tOS : %s",(buf+3)); /* 写入文件 */
}
if( *os == 50) /* system os 为 2 */
if(strstr(buf,"Red Hat") != 0) {
fprintf(output,"* scanhost %s",ip);
buf[39] = ' ';
fprintf(output," \tOS : %s",(buf+1));
}
if( *os == 51) /* system os 为 3 */
if(strstr(buf,"FreeBSD") != 0) {
fprintf(output,"* scanhost %s",ip);
buf[20] = buf[27];
fprintf(output," \tOS : %s\n",(buf+1));
}
}
}
}
}
/**************************************************************************/
使用方法
$./detector
usage: ./detectop
systemos : 1. SunOS 2. Red Hat 3. FreeBSD
./detector 1.txt 2.txt 1
1.txt 为处理后的superscan扫描文件.
2.txt 为使用detector用的文件.
1 表示要找Sunos , 2 表示 Redhat , 3 表示FreeBSD
处理后
* scanhost 209.249.249.171 OS : SunOS 5.8
* scanhost 209.249.249.172 OS : SunOS 5.8
一目了然.
第三步
sunos_telnet的入侵,网上多的是。 到www.9836.com下在动画教程。