-
Notifications
You must be signed in to change notification settings - Fork 36
/
Copy pathREADME
177 lines (129 loc) · 8.27 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
SUMMARY
polarbearscan is an attempt to do faster and more efficient banner grabbing
and port scanning. It combines two different ideas which hopefully will make
it somewhat worthy of your attention and time.
The first of these ideas is to use stateless SYN scanning using
cryptographically protected cookies to parse incoming acknowledgements. To the
best of the author's knowledge this technique was pioneered by Dan Kaminsky in
scanrand. Scanrand was itself part of Paketto Keiretsu, a collection of
scanning utilities, and it was released somewhere in 2001-2002. A mirror of
this code can be found at Packet Storm [1].
The second idea is use a patched userland TCP/IP stack such that the scanner
can restore state immediately upon receiving a cryptographically verified
packet with both the SYN and ACK flags set. The userland stack being used here
by polarbearscan is called libuinet [2]. Unlike some of the other userland
TCP/IP stacks out there this one is very mature as it's simply a port of
FreeBSD's TCP/IP stack.
By patching the libuinet stack one can then construct a socket and complete
the standard TCP 3-way handshake by replying with a proper ACK. Doing it this
way a fully functional TCP connection is immediately established. This as
opposed to other scanners (such as nmap) who would have to, after noting that
a TCP port is open, now perform a full TCP connect via the kernel to do things
such as banner grabbing or version scanning. A full TCP connect leads leads to
a whole new TCP 3-way handshake being performed. This completely discards the
implicit state which was built up by the initial two packets being exchanged
between the hosts. By avoiding this one can reduce bandwidth usage and
immediately go from detecting that a port is open to connecting to it. This
connection can then simply sit back and receive data in banner grab mode or it
could send out an HTTP request.
Please note that the scanner right now only supports IPv4 based scanning and it
will only work properly over Ethernet-type (wired or wireless) interfaces.
There are no plans to support IPv6 or different interfaces in the near future.
INSTALLATION
Compiling the code is pretty straightforward. One just needs a working
connection to the net and git needs to be installed such that the required
dependencies can be downloaded. Besides that standard development utilities
(gcc, make, patch), development editions of libraries (pthread, pcap,
OpenSSL). On Debian based distributions one can simply install all the
packages listed in the DEPENDENCIES file. After that one should be able to
just type 'make' and the external dependencies will be checked out using git
and the entire scanner will be build. This binary can then be copied to
/usr/bin or /usr/local/bin or the like.
If compilation fails please email the author (contact details below) and
include the error output, kernel version, libc version and anything else that
might help with reproducing and fixing the problem. Your help is kindly
appreciated.
USAGE
Running the tool should be pretty straightforward. You will need root
privileges. The -h option shows brief usage information and the options
explained. In most cases one whould not need more than specifying the type of
scan to perform, the port lists to scan and the target IP or IP-ranges. CIDR-
noation is supported for the IP ranges.
There are four different scan types which are specified with -s<arg>.
-sB: This does a standard banner grab. The scanner will not send any data as
it will simply wait and receive data and display it up until the first
newline or carriage return received.
-sH: This mode sends a "GET / HTTP/1.1" request to every successfully setup
connection. It's very useful for quickly identifying HTTP servers.
-sT: TLS scanning mode sends a TLS1.0 NULL probe with zero options and zero
algorithms specified. However if there's a valid TLS server on the
receiving end it will parse out and try to figure out if it's a valid
TLS Error response which will then be dispalyed.
-sC: Custom scanning wich will load a payload from a file (specified with -d)
and send this payload out to every successfully established socket. Can
be useful for quickly probing very specific protocols
-p: The list of TCP ports to scan which can be a range of ports or
single ports with ranges and single ports seperated by comma's. Some
examples: -p22,80,8080-9000,143 will scan port 22,80,143 and the range of
8080 to 9000.
-b <limit>: The bandwidth limit to apply for the outgoing probes. This does not
apply to the data sent and received over the sockets so only to the actual
SYN probes being sent out. Examples: -b300k, -b67m, -b500b would yield
bandwidth limits of 300kbps, 76mbps and 500bps respectively.
-d <filename>: Filename of the file containing the payload used to the custom
scan. The entire file will be sent up until a maximum of 128kB which
should be more than enough for most purposes.
-t<timeout>: This specifies the amount of seconds that the scanner will wait
after it has sent out all the probes with receiving data back over the
still connected sockets. That is assuming there are any otherwise it will
bail out the moment there's no more work left to do.
-x: This forces the tool to alwyas dump output received in hexadecimal
notation. Otherwise it will only dump data in hexadecimal notation if
non-printable characters are found.
-v: This specifies some verbose output. It's mostly only useful for debugging.
-i <iface>: The interface to use for selecting the source IP and setting up
the pcap backend. This should not be necessary on standard machines with
just one properly configured NIC but with multiple NICs one might need it.
-r <seed>: The random seed to use for the RNG being used. Mostly useful for
debugging and making sure that one can get the tool to generate the exact
same sequence of packets again. The argument is an integer and can be
specified in hexadecimal and decimal notation.
-T <ttl>: Override the default IP TTL value to use in SYN probes. Not really
necessary for anything but included for the sake of completeness.
-W <win>: Override the default TCP Window size value to use in SYN probes. Not
really necessary for anything but included for the sake of completeness.
-I <id>: Override the default IP ID value to use in SYN probes. Not really
necessary for anything but included for the sake of completeness.
-n: This option should only be used if you know what you're doing. It will
make sure the tool does NOT set the firewall rule to drop all outgoing
RST packets. If this is used then the scanner will not fork and one has
the responsibility to set this rule by hand as otherwise the kernel will
send RST packets back for every SYNACK packet received. This will make
the tool simply not work. The rule as it's being set on Linux is the
following:
$ /sbin/iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
-o: This option does not do the I/O redirection so one will see more output
of the uinet internals. It's only added for the sake of completeness or
for debugging scenario's as it's not very useful otherwise.
-h: The usage information.
Some examples on how to use the tool. To do a banner grab of port 22 on a /24
range use like:
./pbscan -sB -p22 x.x.x.x/24
To do an HTTP scan on several common HTTP ports for a single IP with the output
in hexadecimal mode use:
./pbscan -sH -x -p80,8080-9000 x.x.x.x
During scanning when you press a key on standard input you see some stats being
printed out, such as the amount of open ports identified, the amount of valid
TCP acks received the number of currently active connections, and how many SYN
probes of the total have already been sent out. This will look something like:
sent: 1.97% (of 254), open: 0, active: 2, acks: 2
AUTHOR
This tool was written by Vincent Berg. Contact me by emailing
[email protected] or visit my website http://santarago.org for updated
releases/news on this scanner.
THANKS
Much appreciation for several folks that helped out testing, porting this
cool and reporting bugs. Thanks to Ehab, Joseph, Alejandro, Julian and Diego.
REFERENCES
[1] http://packetstormsecurity.com/files/30489/paketto-1.10.tar.gz.html
[2] http://wanproxy.org/libuinet.shtml