R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/DDOS Scripts/AMP Methods/MSSQL Amplification/mssql_scanner.c
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/types.h>
#include <math.h>
#include <ctype.h>
#include <errno.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
/*
 * Shared scanner state.  Every one of these globals is touched from more
 * than one thread (the sender threads in flood(), the listener in
 * recievethread(), the progress loop in main()) with no mutex and no
 * atomics.  `volatile` only prevents the compiler from caching the value;
 * it does not make the ++ / -- / += operations below atomic, so the counters
 * race and the printed totals are approximate at best.
 */
volatile int running_threads = 0;       /* sender threads currently alive (++ / -- in flood()) */
volatile int found_srvs = 0;            /* hosts that answered from UDP/1434 (counted in recievethread()) */
volatile unsigned long per_thread = 0;  /* number of addresses (host order) each sender thread covers */
volatile unsigned long start = 0;       /* range start as returned by inet_addr(): network byte order */
volatile unsigned long scanned = 0;     /* datagrams sent since the last one-second progress tick */
volatile int sleep_between = 0;         /* parsed from argv[5]; assigned in main(), not read anywhere else in this file */
volatile int bytes_sent = 0;            /* bytes handed to sendto() since the last progress tick */
volatile unsigned long hosts_done = 0;  /* cumulative datagrams sent; drives the percent column */
FILE *fd;                               /* output file (argv[3], append); stays NULL if fopen() fails and that is never checked */
/*
 * Probe datagram.  The string literal is 0x02 plus its terminating NUL, so
 * sizeof(payload) is 2 and every probe is a 2-byte UDP datagram to port 1434.
 * (0x02 is the SSRP client-broadcast request byte.)
 */
char payload[] =
"\x02";

/* No type or storage class ("implicit int"): invalid since C99, GCC 11 accepts it with a warning. */
size = sizeof(payload);
/*
 * Sender thread body.  Each thread owns a contiguous slice of the address
 * range (per_thread addresses beginning at start + per_thread * thread_id)
 * and sends one probe datagram to UDP/1434 of every address in the slice.
 * From the network's point of view this is a linear sweep of identical
 * 2-byte datagrams to one destination port from one source.
 *
 * @param par1  the thread index, passed through the pointer argument as a
 *              plain integer by main(); it is not a valid pointer.
 * @return      nothing meaningful: the function is declared `void *` but
 *              ends in a bare `return;`, so any value pthread_join() would
 *              observe is indeterminate.
 */
void *flood(void *par1)
{
    running_threads++;          /* unsynchronised ++ on a global shared with main() and the other senders */
    int thread_id = (int)par1;  /* pointer-to-int conversion; truncates on LP64 targets (compiler warns) */
    /* Slice bounds: compute in host order, store in network order.  The
     * htonl()/ntohl() pairs below cancel out, so the loop still iterates
     * host-order addresses in the intended slice. */
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
    unsigned long w;
    int y;                      /* unused */
    unsigned char buf[65536];   /* 64 KiB on the thread stack; only buf[0] is written and buf is never read */
    memset(buf, 0x01, 1);
    int sizeofpayload = 1;      /* unused; the datagram length actually comes from the global `size` */
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1);               /* exit() from a worker thread tears down the whole process, including the listener */
    }
    for(w=ntohl(start_ip);w<htonl(end);w++)
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));  /* bzero() is declared in <strings.h>, which this file does not include */
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(1434);       /* SQL Server Browser / SSRP port */
        /* Return value ignored: a failed send (EPERM, ENOBUFS, ENETUNREACH, ...)
         * is still counted as a scanned host below. */
        sendto(sock,payload,size,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
        bytes_sent+=size;                    /* these three counters race with the reset in main() */
        scanned++;
        hosts_done++;
    }
    close(sock);
    running_threads--;
    return;                     /* `return;` in a non-void function: constraint violation, GCC warns */
}
/*
 * SIGINT handler: close the output file and terminate.  fclose(), printf()
 * and exit() are not async-signal-safe, so this can deadlock or corrupt
 * stdio state if the signal arrives while the listener thread is inside
 * fprintf()/fflush() on the same stream.  fd is passed to fclose() without a
 * NULL check.
 *
 * @param sig  the signal number; unused.
 */
void sighandler(int sig)
{
    fclose(fd);
    printf("\n");
    exit(0);
}
/*
 * Listener thread.  Opens a raw IPv4/UDP socket (needs root or CAP_NET_RAW,
 * so the scanner runs privileged), reads every inbound UDP datagram the host
 * receives, and appends "<source ip> <length>" to fd for each datagram whose
 * UDP source port is 1434 and whose computed length exceeds 1.
 *
 * Declared with an empty parameter list even though pthread_create() passes
 * one argument; the loop never exits, and the function falls off the end of
 * a `void *` function without returning a value.
 */
void *recievethread()
{
    printf("\n");
    int saddr_size, data_size, sock_raw;   /* saddr_size is int, but recvfrom() expects socklen_t * (incompatible pointer type) */
    struct sockaddr_in saddr;
    struct in_addr in;                     /* unused */

    unsigned char *buffer = (unsigned char *)malloc(65536);  /* never freed; NULL result not checked */
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
    if(sock_raw < 0)
    {
        printf("Socket Error\n");          /* typically EPERM when not privileged; errno is not reported */
        exit(1);
    }
    while(1)
    {
        saddr_size = sizeof saddr;
        data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
        if(data_size <0 )
        {
            printf("Recvfrom error , failed to get packets\n");
            exit(1);
        }
        /* A raw IPPROTO_UDP socket delivers the IP header first.  Nothing
         * below checks data_size against the header lengths; ihl is a 4-bit
         * field, so the offsets stay inside the 64 KiB buffer but may point
         * past the bytes actually received. */
        struct iphdr *iph = (struct iphdr*)buffer;
        if(iph->protocol == 17)            /* 17 == IPPROTO_UDP */
        {
            unsigned short iphdrlen = iph->ihl*4;
            struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
            unsigned char* payload = buffer + iphdrlen + 1;  /* unused; shadows the global probe buffer of the same name */
            if(ntohs(udph->source) == 1434)
            {
                /* Bytes after the IP header minus one; the UDP header is included in this count. */
                int body_length = data_size - iphdrlen - 1;

                if (body_length > 1)

                {
                    found_srvs++;          /* unsynchronised; read concurrently by main() */

                    /* inet_ntoa() returns a static buffer (not thread-safe); fd is NULL if fopen() failed in main(). */
                    fprintf(fd,"%s %d\n",inet_ntoa(saddr.sin_addr),body_length);
                    fflush(fd);

                }

            }
        }

    }
    close(sock_raw);                       /* unreachable: the while(1) above never exits */

}
/*
 * Entry point.
 *   argv[1]  range start, dotted quad (parsed with inet_addr())
 *   argv[2]  range end, dotted quad
 *   argv[3]  output file, opened for append
 *   argv[4]  number of sender threads
 *   argv[5]  "scan delay in ms": stored in sleep_between, which nothing else
 *            in this file reads
 *
 * Starts the raw-socket listener, divides the range evenly between the
 * sender threads, then redraws a progress line once a second until
 * running_threads drops to zero.  None of the threads is ever joined.
 *
 * @return 0 after the progress loop ends; exit(-1) on a usage error.
 */
int main(int argc, char *argv[ ])
{

    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "MSSQL Scanner\nUsage: %s <ip range start (192.0.0.0)> <ip range end (198.255.255.255)> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    fd = fopen(argv[3], "a");         /* not checked: a NULL fd later reaches fprintf()/fflush()/fclose() */
    sleep_between = atoi(argv[5]);    /* atoi() gives no error indication for non-numeric input */

    signal(SIGINT, &sighandler);

    int threads = atoi(argv[4]);      /* 0 (or garbage) here becomes a division by zero below */
    pthread_t thread;

    pthread_t listenthread;
    pthread_create( &listenthread, NULL, &recievethread, NULL);  /* return value unchecked */

    /* Both malloc()s below leak: the pointers are overwritten with argv
     * entries two lines later, so the zeroed buffers are never used. */
    char *str_start = malloc(18);
    memset(str_start, 0, 18);
    str_start = argv[1];
    char *str_end = malloc(18);
    memset(str_end, 0, 18);
    str_end = argv[2];
    start = inet_addr(str_start);     /* INADDR_NONE on an unparsable address is not detected */
    /* Integer division: the remainder of (end - start) / threads is left
     * uncovered by the slices handed to flood(). */
    per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
    unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));  /* 0 when start == end; also wraps if end < start */
    int i;
    for(i = 0;i<threads;i++){
        /* One pthread_t is reused for every sender, so none can be joined.
         * The loop index is passed as a fake pointer and cast back in flood(). */
        pthread_create( &thread, NULL, &flood, (void *) i);
    }
    sleep(1);                         /* if no sender has incremented running_threads by now, the loop below never runs */
    printf("Scan in Progress \n");
    /* Column headers.  temp is 17 bytes; each literal written into it fits. */
    char *temp = (char *)malloc(17);
    memset(temp, 0, 17);
    sprintf(temp, "MSSQL Found");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "IP/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Bytes/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Threads");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Percent Done");
    printf("%s", temp);
    printf("\n");

    /* Progress line, rebuilt once a second.  Each sprintf() below uses `new`
     * as both the destination and a %s source; overlapping source and
     * destination is undefined behaviour for sprintf (C11 7.21.6.6).  The
     * conversions also disagree with the argument types: found_srvs is int
     * but printed with %lu, scanned is unsigned long but printed with %d.
     * The buffer is 96 bytes; the four "|%-15x" fields are at least 16 bytes
     * each and grow past that for values wider than 15 digits. */
    char *new;
    new = (char *)malloc(16*6);
    while (running_threads > 0)
    {
        printf("\r");
        memset(new, '\0', 16*6);
        sprintf(new, "%s|%-15lu", new, found_srvs);
        sprintf(new, "%s|%-15d", new, scanned);
        sprintf(new, "%s|%-15d", new, bytes_sent);
        sprintf(new, "%s|%-15d", new, running_threads);
        memset(temp, 0, 17);
        /* toscan == 0 gives inf here, and converting inf to int is undefined behaviour. */
        int percent_done=((double)(hosts_done)/(double)(toscan))*100;
        sprintf(temp, "%d%%", percent_done);
        sprintf(new, "%s|%s", new, temp);
        printf("%s", new);
        fflush(stdout);
        bytes_sent=0;                 /* per-second rate reset, racing with the senders' += / ++ */
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    fclose(fd);                       /* the listener thread may still be writing to fd at this point */
    return 0;
}