{"id":840,"date":"2013-06-24T15:38:50","date_gmt":"2013-06-24T15:38:50","guid":{"rendered":"https:\/\/trouble.org\/?p=840"},"modified":"2013-06-24T18:26:46","modified_gmt":"2013-06-24T18:26:46","slug":"shotgun-scanning","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=840","title":{"rendered":"shotgun scanning"},"content":{"rendered":"

UDP scanning has always been slow. Slower than slow, slower than molasses, really fucking slow.<\/p>\n

<\/a><\/p>\n

So when I started being interested in scanning for IPMI out in the wild, which runs on UDP 623, I first fired up trusty ol’ nmap… but bless it’s heart, it’s a cautious, robust scanner that is outrun by crippled snails on UDP scanning.<\/p>\n

So I\u00a0thought\u2026 well, most scans don’t really need a request-response-follow-up\u2026 so\u2026 well, I can just forge the requesting address\u2026 spread out collectors\u2026 then receive it in one location. \u00a0Then I thought\u2026 why am I writing a receiver? \u00a0I’ll just run tcpdump on the receiving end, and process that\u2026 and that also gives all the packets and data, not just what I think of parsing out at the time.<\/p>\n

I wrote my “scanner” (not sure what to call it, more like a shotgun, it doesn’t really receive any data ;))\u00a0in perl, of course (below.) \u00a0I was playing with the speeds and delays – scanning a \/8 or A CIDR block in 5-10 mins for a single UDP port A is pretty simple, but I never really know if I’m missing traffic – so many systems, so little time, are all the packets really working?<\/p>\n

This might be an old technique or discredited or something… nothing is new under the sun, after all. But it worked for me. And it’s really, really simple, because it’s all the connection details and grabbing and parsing responses, and queuing up all the scans… that takes a fair bit of code – this is just a few for loops and bam.<\/p>\n

And it sure beat the alternatives I knew about, at least, which is scanning for a year or so to do the same you can do in a day. \u00a0It’d be interesting to do a few nets simultaneously to see if any methods or speeds were better than others. \u00a0But for now….<\/p>\n

#!\/usr\/bin\/env perl<\/span>
\n
\nuse<\/span> Try::<\/span>Tiny<\/span>;<\/span>
\nuse<\/span> Net::<\/span>RawIP<\/span>;<\/span>
\n
\n$src<\/span> =<\/span> $ARGV<\/span>[<\/span>0<\/span>]<\/span>;<\/span>
\n$dst<\/span> =<\/span> $ARGV<\/span>[<\/span>1<\/span>]<\/span>;<\/span>
\n
\ndie<\/span><\/a> "Usage: $0 (faux?)source-IP (real)dest-class-A\\n<\/span>"<\/span> unless<\/span> $src<\/span> !=<\/span> ""<\/span> &&<\/span> $dst<\/span> !=<\/span> ""<\/span>;<\/span>
\n
\n# take a breather for delay seconds<\/span>
\n$NET_MOD<\/span> =<\/span> 90<\/span>;<\/span>
\n$DELAY<\/span>   =<\/span> 15<\/span>;<\/span>
\n
\n$src_port<\/span> =<\/span> 623<\/span>;<\/span>
\n$dst_port<\/span> =<\/span> 623<\/span>;<\/span>
\n
\n$torpackedo<\/span> =<\/span> "\\x<\/span>06\\x<\/span>00\\x<\/span>ff\\x<\/span>07\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>09\\x<\/span>20\\x<\/span>18\\x<\/span>c8\\x<\/span>81\\x<\/span>00\\x<\/span>38\\x<\/span>8e\\x<\/span>04\\x<\/span>b5"<\/span>;<\/span>
\n
\n$new_socket<\/span> =<\/span> new<\/span> Net::<\/span>RawIP<\/span>(<\/span>{<\/span>udp =><\/span>{<\/span>}<\/span>}<\/span>)<\/span>;<\/span>
\n
\n# do an \/8<\/span>
\nfor<\/span> $two<\/span> (<\/span>0<\/span>..<\/span>255<\/span>)<\/span> {<\/span>
\n   $dest<\/span> =<\/span> "$dst.$two"<\/span>;<\/span>
\n   print<\/span><\/a> "loading up the network torpedos for $dest\\n<\/span>"<\/span>;<\/span>
\n
\n   for<\/span> $three<\/span> (<\/span>0<\/span>..<\/span>255<\/span>)<\/span> {<\/span>
\n      $dest<\/span> =<\/span> "$dst.$two.$three"<\/span>;<\/span>
\n      print<\/span><\/a> "\\t<\/span>clearing torpedo tubes & decks for $dest\\n<\/span>"<\/span>;<\/span>
\n   
\n      # do a \/24<\/span>
\n      for<\/span> $four<\/span> (<\/span>0<\/span>..<\/span>255<\/span>)<\/span> {<\/span>
\n         $dest<\/span> =<\/span> "$dst.$two.$three.$four"<\/span>;<\/span>
\n         # print "\\tpew pew => $dest\\n";<\/span>
\n     
\n         $new_socket<\/span>-><\/span>set<\/span>(<\/span>{<\/span>
\n            ip  =><\/span> {<\/span>saddr  =><\/span> $src<\/span>,<\/span> daddr =><\/span> $dest<\/span>}<\/span>,<\/span>
\n            udp =><\/span> {<\/span>source =><\/span> $src_port<\/span>,<\/span> dest  =><\/span> $dst_port<\/span>,<\/span> data =><\/span> $torpackedo<\/span> }<\/span>
\n         }<\/span>)<\/span>;<\/span>
\n     
\n         try {<\/span>
\n            $new_socket<\/span>-><\/span>send<\/span><\/a>;<\/span>
\n         }<\/span> catch {<\/span>
\n            ;<\/span>
\n            # warn "couldn't send packet to $dest (Error: $_)\\n";<\/span>
\n         }<\/span>;<\/span>
\n   
\n      }<\/span>
\n   
\n#     if ($three > 0 && !($three % $NET_MOD)) {<\/span>
\n#        print "\\n...breathing for a few seconds...\\n";<\/span>
\n#        sleep($NET_MOD);<\/span>
\n#     }<\/span>
\n   }<\/span>
\n   print<\/span><\/a> "\\n<\/span>...mopping the blood off the decks, hold on $DELAY seconds\\n<\/span>\\n<\/span>"<\/span>;<\/span>
\n   sleep<\/span><\/a>(<\/span>$DELAY<\/span>)<\/span>;<\/span>
\n}<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

UDP scanning has always been slow. Slower than slow, slower than molasses, really fucking slow. So when I started being interested in scanning for IPMI out in the wild, which runs on UDP 623, I first fired up trusty ol’ nmap… but bless it’s heart, it’s a cautious, robust scanner that is outrun by crippled […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[96,146,154,46,19],"tags":[222,223,221,185,224,220],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-art","category-hack","category-ipmi-2","category-perl","category-philosophy","tag-222","tag-buck-shot","tag-mossberg","tag-network","tag-scanning","tag-shogun"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=840"}],"version-history":[{"count":6,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions"}],"predecessor-version":[{"id":846,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions\/846"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}