coydog/zmap-freebsd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
eeb5ddcf0cffd78762b7b223354736f076b21e05
zmap-freebsd/examples/forge-socket/README
Zakir Durumeric 490054d239 inital public release
2013-08-16 11:12:47 -04:00

74 lines
3.3 KiB
Plaintext
Raw Blame History

Forge-socket banner grab
======
This utility, in combination with a kernel module
(https://github.com/ewust/forge_socket/) will complete the half-open connection
created by ZMap during a TCP-scan, optionally send a small message, and wait
for the hosts response. The response is then printed along with their IP
address on stdout. Periodic status messages appear on stderr.
This utility is functionally equivalent to banner-grab-tcp, however, instead of
having the kernel send a RST packet for the server's SYN+ACK, and
banner-grab-tcp attempting to start a fresh TCP connection with the host,
forge-socket will take the parameters of the SYN+ACK packet, and use a kernel
module to add it as an ESTABLISHED TCP connection socket. Then, the
forge-socket user-space program can use this socket to send() and recv() as
normal, and completes the banner-grab process (optionally send a small message,
and receive the server's response).
USING:
-----
# Install forge-socket to the ZMap root directory:
cd ./zmap/
git clone git@github.com:ewust/forge_socket.git
cd forge_socket
make
sudo insmod forge_socket.ko
# Don't send RST packets (forge-socket will complete these connections instead)
sudo iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST,RST RST,RST -j DROP
# Use ZMap + forge-socket simultaneously:
make
#echo -e -n "GET / HTTP/1.1\r\nHost: %s\r\n\r\n" > http-req
sudo su
ulimit -SHn 1000000 && ulimit -SSn 1000000
zmap -p 80 -B 50M -N 1000 -O extended_file -o - | ./forge-socket -c 8000 -d http-req > http-banners.out
The options are similar to banner-grab-tcp, except there is no connection timeout :)
OPTIONS:
-----
-c, --concurent Number of connections that can be going on at once.
This, combined with timeouts, will decide the maximum
rate at which banners are grabbed. If this value
is set higher than 1000, you should use
`ulimit -SSn 1000000` and `ulimit -SHn 1000000` to
avoid running out of file descriptors (typically capped
at 1024).
-r, --read-timeout Read timeout (seconds). Give up on a host if after
connecting (and optionally sending data), it does
not send any response by this time. Default: 4 seconds.
-v, --verbosity Set status verbosity. Status/error messages are outputed
on stderr. This value can be 0-5, with 5 being the most
verbose (LOG_TRACE). Default: 3 (LOG_INFO)
-f, --format Format to output banner responses. One of 'hex', 'ascii',
or 'base64'.
'hex' outputs ascii hex characters, e.g. 48656c6c6f.
'ascii' outputs ascii, without separators, e.g. Hello
'base64' outputs base64 encoding, e.g. SGVsbG8=
Default is base64.
-d, --data Optional data file. This data will be sent to each host
upon successful connection. Currently, this file does
not allow null characters, but supports up to 4
occurances of the current host's IP address, by replacing
%s with the string (inet_ntoa) of that host's IP address.
Reference in New Issue View Git Blame Copy Permalink