Bugtraq mailing list archives
ident-scan
From: daveg () escape com (David)
Date: Tue, 13 Feb 1996 23:00:23 -0500
/*
* ident-scan [v0.15]
* This TCP scanner has the additional functionality of retrieving
* the username that owns the daemon running on the specified port.
* It does this by by attempting to connect to a TCP port, and if it
* succeeds, it will send out an ident request to identd on the
* remote host. I believe this to be a flaw in the design of the
* protocol, and if it is the developers intent to allow 'reverse'
* idents, then it should have been stated clearer in the
* rfc(rfc1413).
*
* USES:
* It can be useful to determine who is running daemons on high ports
* that can be security risks. It can also be used to search for
* misconfigurations such as httpd running as root, other daemons
* running under the wrong uids.
*
* COMPILES: Compiles fine under Linux, BSDI and SunOS 4.1.x.
*
* Dave Goldsmith
* <daveg () escape com>
* 02/11/1996
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
enum errlist
{
BAD_ARGS,BAD_HOST,NO_IDENT,SOCK_ERR
};
void
usage(error)
enum errlist error;
{
fprintf(stderr,"ident-scan: ");
switch(error)
{
case BAD_ARGS: fprintf(stderr,"usage: ident-scan hostname [low port] [hi port]\n");
break;
case BAD_HOST: fprintf(stderr,"error: cant resolve hostname\n");
break;
case NO_IDENT: fprintf(stderr,"error: ident isnt running on host\n");
break;
case SOCK_ERR: fprintf(stderr,"error: socket() failed\n");
break;
}
exit(-1);
}
struct hostent *
fill_host(machine,host)
char *machine;
struct hostent *host;
{
if ((host=gethostbyname(machine))==NULL)
{
if ((host=gethostbyaddr(machine,4,AF_INET))==NULL)
return(host);
}
return(host);
}
int
main(argc,argv)
int argc;
char **argv;
{
struct sockaddr_in forconnect,forport,forident;
int i,sockfd,identfd,len=sizeof(forport),hiport=9999,loport=1,curport;
struct servent *service;
struct hostent *host;
char identbuf[15], recieved[85], *uid;
if ((argc<2) || (argc>4))
usage(BAD_ARGS);
if (argc>2)
loport=atoi(argv[2]);
if (argc>3)
hiport=atoi(argv[3]);
if ((host=fill_host(argv[1],host))==NULL)
usage(BAD_HOST);
forconnect.sin_family=host->h_addrtype;
forconnect.sin_addr.s_addr=*((long *)host->h_addr);
forident.sin_family=host->h_addrtype;
forident.sin_addr.s_addr=*((long *)host->h_addr);
forident.sin_port=htons(113);
if ((identfd=socket(AF_INET,SOCK_STREAM,0))== -1)
usage(SOCK_ERR);
if ((connect(identfd,(struct sockaddr *)&forident,sizeof(forident)))!=0)
usage(NO_IDENT);
close(identfd);
for(curport=loport;curport<=hiport;curport++)
{
for(i=0;i!=85;i++)
recieved[i]='\0';
forconnect.sin_port=htons(curport);
if ((sockfd=socket(AF_INET,SOCK_STREAM,0))== -1)
usage(SOCK_ERR);
if (connect(sockfd,(struct sockaddr *)&forconnect,sizeof(forconnect))==0)
{
if (getsockname(sockfd,(struct sockaddr *)&forport,&len)==0)
{
if ((identfd=socket(AF_INET,SOCK_STREAM,0))== -1)
usage(SOCK_ERR);
if (connect(identfd,(struct sockaddr *)&forident,sizeof(forident))==0)
{
sprintf(identbuf,"%u,%u",htons(forconnect.sin_port),
htons(forport.sin_port));
write(identfd,identbuf,strlen(identbuf)+1);
read(identfd,recieved,80);
recieved[strlen(recieved)-1]='\0';
uid=strrchr(recieved,' ');
service=getservbyport(forconnect.sin_port,"tcp");
printf("Port: %3d\tService: %10s\tUserid: %s\n",curport,
(service==NULL)?"(?)":service->s_name,uid);
}
}
}
close(sockfd);
close(identfd);
}
}
Current thread:
- ident-scan David (Feb 13)