Bugtraq mailing list archives

strobe v1.03 released


From: proff () suburbia net (Julian Assange)
Date: Mon, 27 Nov 1995 20:51:06 +1100


This is strobe1.03, a small update to strobe1.02.

I (proff () suburbia net) have moved on to other projects of this type (e.g.
GoSH) and was not intending to release another version of strobe.
However this month a few people (most notably edturka () statt ericsson se)
sent in some important bug fixes (ugh) and some minor new features. When I
applied their patches, I broke my vows about not working on strobe any
more and hacked in just a few more features that really should have
been there in the first place.

strobe is available from ftp://suburbia.net/pub/strobe.tgz

-Proff

+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United  States has    |
|FAX: +61-3-9819-9066              |  has stood still, who built the largest |
|EMAIL: proff () suburbia net         |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+


STROBE 1.03(1)                                     STROBE 1.03(1)


NAME
       strobe - Super optimized TCP port surveyor

SYNOPSIS
       strobe [ -vVmdbepPAtnSilfsaM ] [host1 ... [hostn]]

DESCRIPTION
       strobe   is  a  network/security  tool  that  locates  and
       describes all listening tcp ports on a (remote) host or on
       many hosts in a bandwidth utilisation maximising, and pro-
       cess resource minimizing manner.

       strobe approximates a parallel finite state machine inter-
       nally. In non-linear multi-host mode it attempts to appor-
       tion bandwidth and sockets among  the  hosts  very  effi-
       ciently.   This  can  reap  appreciable gains in speed for
       multiple distinct hosts/routes.

       On a machine with a reasonable number of  sockets,  strobe
       is  fast  enough to port scan entire Internet sub domains.
       It is even possible to survey an entire small country in a
       reasonable  time  from a fast machine on the network back-
       bone, provided the machine in question uses dynamic socket
       allocation   or  has  had  its  static  socket  allocation
       increased very appreciably (check your kernel options). In
       this  very limited application strobe is said to be faster
       than ISS2.1 (a high quality commercial security scanner by
       cklaus () iss net  and friends) or PingWare (also commercial).

OPTIONS
       -v     Verbose output.

       -V     Verbose statistical output.

       -m     Minimise output. Only print hostname, port  tuples.
              Implies -d.  Useful for automated output parsing.

       -d     Delete duplicate entries for port descriptions. i.e
              use only the first definition.

       -g     Disable usage of getpeername(2).   On  solaris  2.3
              machines  this  causes  a  core  dump,  for reasons
              unknown. This behavior is fixed with  solaris  2.4.
              Under  Linux, HP and perhaps other unix implementa-
              tions, false tcp connection  positives  may  occur
              when this option is activated.

       -s     Statistical  information  describing the average of
              all hosts surveyed is sent to stderr on completion.

       -q     Quiet mode. Don't print non-fatal errors or the (c)
              message.

       -d     Display only the  first  description  in  the  port
              services entry file (Cf.  -B).

       -o file
              Direct  output  (but  not any messages which can be
              affected by -q) to file.

       -b number
              Beginning (starting) port number.

       -e number
              Ending port number.

       -p number
              Port number if you intend to scan a single port.

       -P number
              Local port to bind outgoing connection requests to.
              (you  will  normally  need super-user privileges to
              bind ports smaller than 1024)

       -A address
              Interface  address  to  send  outgoing   connection
              requests from for multi-homed machines.

       -t number
              Time  after  which  a  connection attempt to a com-
              pletely unresponsive host/port is aborted.

       -n number
              Use this number of sockets in parallel (defaults to
              64).   strobe  attempts  to figure out if number is
              greater than the quantity of available  sockets  at
              any point in time -- and if so, only use the amount
              found.  On  some  UNIX  implementations   such   as
              Solaris, this appears not to work correctly and you
              may find yourself with unusual errors  such  as  NO
              ROUTE  TO  HOST  when  you  hit the socket ceiling.
              Remember that strobe probably isn't the  only  pro-
              cess on the system desiring a socket or two. Having
              strobe pilfer  all  the  spare  sockets  away  from
              inetd(8) and other daemons and clients isn't such a
              crash hot idea, unless you want  to  stop  all  new
              incoming and outgoing connections.

       -S file
              Change  the  default port services description file
              to file.  Note that if -S  is  not  specified  port
              services  are  loaded  from one of strobe.services,
              /usr/local/lib/strobe.services, or /etc/services.

       -i file
              Obtain hostnames to strobe from  file  rather  than
              from  the  command  line.  Note that only the first
              white-space separated word in each line of file  is
              used,  so one can feed in files such as /etc/hosts.
              If filename is '-' , stdin will be used.

       -l     Probe hosts linearly (sequentially) rather than  in
              parallel.  The  actual ports on each host are still
              checked in a parallel manner (with a parallelism of
              -n (defaults to 64)).

       -f     Fast mode, probe only the tcp ports detailed in the
              port services file (see -S).

       -a number
              Abort and skip to the next host after ports  up  to
              number  have  been  probed and still no connections
              have occurred. Due to the parallel  nature  of  the
              probing,  reply  packets  for n+m may return before
              those relating to n. What this means is that  ports
              >  number  may be probed. If strobe sees a  connec-
              tion on any one of these higher  ports  before it's
              negated  all  possibility of a service listening on
              ports <= number then  despite  the  fact  that  all
              ports up to and including number may turn out to be
              connectionless, strobe will `abort the abort'. This
              is considered optimal, if unusual behavior.

       -M     Mail  a  bug report, or tcp/udp port description to
              the current source maintainer.

EXAMPLES
       strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services  -o
       out

       strobe  all  entries in /etc/hosts (identical ip addresses
       are skipped automagically) using 120 sockets in  parallel,
       but  only check the individual tcp ports mentioned in ser-
       vices.  If we have probed up to port 80 on a host and have
       still not yet evidenced a connection, then skip that host.
       Display speed/time statistics for each host  and  for  the
       totality  of  hosts to stderr. Place the regular output in
       out.

       ypcat hosts | strobe -p 80 -t 2 -A 203.4.184.1 -P 53

       strobe all hosts  in  your  hosts  YP/NIS-table  for  WWW-
       servers.  Use  a  timeout  of two seconds.  Set the source
       address to the 203.4.184.1 interface. Make all  connection
       requests appear to come from port 53 (DNS).

BUGS
       Strobe performs no other security functions (yet) and does
       not verify route blocking against  UDP  or  TCP  handshake
       sequence guessing one-way IP spoofing attacks.

AUTHOR
       Julian Assange

              EMAIL:
                   strobe () suburbia net
                   proff () suburbia net

OFFICIAL DISTRIBUTION
       ftp://suburbia.net:/pub/strobe.tgz

COPYRIGHT
       Copyright (c) Julian Assange 1995, All rights reserved.

       This  software may be distributed only freely, in full and
       without modification.  It may not be bundled with any sort
       of hardware or software if a fee is charged for that hard-
       ware or software directly or indirectly, in  whole  or  in
       part. If you would like to include this software in such a
       distribution then please contact the author  to  negotiate
       reasonable (possibly free) terms.

       The  author  shall  not under any circumstances accept any
       liability for this software, for its use, misuse,  or  any
       failings it may have. You're on your own.

       The  author reserves the right to alter the aforementioned
       conditions from time to time as he sees  appropriate.  The
       author's  most  recent copyright notice and conditions for
       this software always supersede any issued previously.

       Use and or distribution of this  software  implies  accep-
       tance of the above.

       So there.


SEE ALSO
       nslookup(1),  host(1),  dig(1),  socket(2),  bind(2), con-
       nect(2), iss(1).
--
+----------------------------------+-----------------------------------------+
|Julian Assange                    | "if you think the United  States has    |
|FAX: +61-3-9819-9066              |  has stood still, who built the largest |
|EMAIL: proff () suburbia net         |  shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+
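
The following is an added example, not part of the original post or of strobe itself. It shows how a sweep like the one in the EXAMPLES section (many parallel connect attempts, -P 53 as source port) stands out in connection logs. The log format, field order and thresholds are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample log, one event per line (assumed format):
#   epoch_seconds src_ip src_port dst_ip dst_port tcp_flags
SAMPLE_LOG = "\n".join(
    # One source opening 12 different ports on a host, all from source port 53.
    [f"{1000 + (p - 20) // 6} 198.51.100.7 53 192.0.2.10 {p} S" for p in range(20, 32)]
    # A server reply: privileged source port, but SYN+ACK, so not a new attempt.
    + ["1002 192.0.2.10 80 203.0.113.5 40000 SA"]
    # An ordinary client: many connections, one target, ephemeral source ports.
    + [f"{1002 + i} 203.0.113.5 {40000 + i} 192.0.2.10 80 S" for i in range(12)]
)

def parse(line):
    """Split one log line into typed fields."""
    ts, src, sport, dst, dport, flags = line.split()
    return int(ts), src, int(sport), dst, int(dport), flags

def detect(lines, window=5, min_targets=10):
    """Return {src_ip: {reasons}} for sources whose bare SYNs look like a sweep.

    Assumes each source's events arrive in time order.
    fan-out: >= min_targets distinct (host, port) pairs within `window` seconds.
    privileged-source-port: a new connection sent from a port below 1024,
    which ordinary clients (using ephemeral ports) do not do. Heuristic only.
    """
    recent = defaultdict(list)   # src -> [(ts, (dst, dport)), ...]
    alerts = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = parse(line)
        if flags != "S":         # only count new connection attempts
            continue
        if sport < 1024:
            alerts[src].add("privileged-source-port")
        events = recent[src]
        events.append((ts, (dst, dport)))
        while events and events[0][0] < ts - window:
            events.pop(0)        # slide the time window forward
        if len({target for _, target in events}) >= min_targets:
            alerts[src].add("fan-out")
    return dict(alerts)

if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG.splitlines()).items():
        print(src, sorted(reasons))
```

Counting distinct (host, port) targets rather than raw connections is what keeps the busy but ordinary client in the sample from being flagged.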


