Path: blob/master/DDOS Scripts/AMP Methods/NTP - SNMP - HAVEN - DNS -DRDOS - FRAG - SUDP - MEMCACHED/ssdp_scanner.c
/* SSDP SCANNER SCRIPT */
/*
 * What this program does (as written): sends an SSDP M-SEARCH request to
 * UDP/1900 on every address of an IPv4 range, sniffs the local interface
 * with libpcap, and appends to an output file the address of every host that
 * replies from source port 1900 together with the UDP payload length of the
 * reply.
 *
 * Defender notes:
 *  - On the wire this is a burst of unicast M-SEARCH requests with
 *    "ST:ssdp:all" to sequential addresses from one source, followed by
 *    replies from port 1900; both are easy to alert on at the network edge.
 *  - SSDP is a LAN discovery protocol; exposing UDP/1900 to the internet is
 *    the condition this tool looks for. Filtering UDP/1900 at the perimeter
 *    and anti-spoofing (BCP 38) egress filtering are the standard mitigations.
 */
#include <pcap.h>
#include <stdio.h>
#include <stdlib.h> // for exit()
#include <string.h> //for memset
#include <sys/ioctl.h>
#include <net/if.h>
#include <sys/socket.h>
#include <arpa/inet.h> // for inet_ntoa()
#include <net/ethernet.h>
#include <netinet/udp.h> //Provides declarations for udp header
#include <netinet/ip.h> //Provides declarations for ip header
#include <pthread.h>
#include <semaphore.h>
#include <signal.h>
#include <sys/resource.h>
#include <unistd.h>

// pcap callback; defined at the bottom of the file.
void process_packet(void *args, struct pcap_pkthdr *header, void *buffer);

// One slot of the circular packet queue shared between the pcap callback
// (producer) and readthread (consumer). data == NULL marks an empty slot.
struct buffer
{
    void *data;
    int size;
    struct buffer *next;
    struct buffer *prev;
};
struct buffer *head;

// Shared, mostly unsynchronised counters used by the status printer.
char *ipv4;                     // dotted-quad address of the sniffed interface
int processed,over,total,i,j;
struct sockaddr_in dest;
pthread_mutex_t buf_mutex = PTHREAD_MUTEX_INITIALIZER;
sem_t loop_sem;                 // posted once per queued packet
int running_threads = 0;
volatile int found_srvs = 0;    // hosts that answered from port 1900
volatile unsigned long per_thread = 0;
volatile unsigned long start = 0;       // range start, network byte order
volatile unsigned long scanned = 0;
int sleep_between = 0;          // per-probe delay in ms (argv[5])
volatile int bytes_sent = 0;
volatile unsigned long hosts_done = 0;
FILE *fd;                       // output file (argv[3]), opened in append mode

/*
 * Consumer thread: waits on loop_sem, copies the next queued packet out of the
 * ring under buf_mutex, and if the UDP source port is 1900 writes
 * "<source-ip> <udp-payload-length>" to the output file.
 */
void *readthread()
{
    struct buffer *ourhead = head;
    struct sockaddr_in saddr;
    while(1)
    {
        sem_wait(&loop_sem);
        // Advance to the next slot that actually holds a packet.
        while(ourhead->data == NULL){ ourhead = ourhead->next; }
        pthread_mutex_lock(&buf_mutex);
        void *buf = malloc(ourhead->size);
        int size = ourhead->size;
        memcpy(buf, ourhead->data, ourhead->size);
        free(ourhead->data);
        ourhead->data = NULL;
        ourhead->size = 0;
        pthread_mutex_unlock(&buf_mutex);
        memset(&saddr, 0, sizeof(saddr));
        // Headers are located by fixed offsets: Ethernet, then IPv4, then UDP
        // (no IP options or VLAN tags are accounted for).
        struct iphdr *iph = (struct iphdr*)(buf + sizeof(struct ethhdr));
        saddr.sin_addr.s_addr = iph->saddr;
        struct udphdr *udph = (struct udphdr *)(buf + sizeof(struct ethhdr) + sizeof(struct iphdr));
        if(ntohs(udph->source) == 1900)
        {
            // Length of the reply payload after the three fixed headers.
            int body_length = size - sizeof(struct ethhdr) - sizeof(struct iphdr) - sizeof(struct udphdr);
            fprintf(fd,"%s %d\n",inet_ntoa(saddr.sin_addr),body_length);
            fflush(fd);
            found_srvs++;
        }
        free(buf);
        processed++;
        ourhead = ourhead->next;
    }
}

/*
 * Sender thread: thread_id selects a contiguous sub-range of per_thread
 * addresses starting at `start`; one M-SEARCH datagram is sent to UDP/1900 on
 * each address, sleeping sleep_between ms between sends.
 */
void *flood(void *par1)
{
    running_threads++;
    int thread_id = (int)par1;
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
    unsigned long w;
    int y;
    unsigned char buf[65536];
    // Fixed SSDP discovery request; this is the byte pattern an IDS rule
    // would match on the outbound side.
    strcpy(buf, "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:ssdp:all\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n");
    int sizeofpayload = 90;
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1);
    }
    for(w=ntohl(start_ip);w<htonl(end);w++)
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(1900);
        sendto(sock,(char *)buf,sizeofpayload,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
        bytes_sent+=sizeofpayload;
        scanned++;
        hosts_done++;
        usleep(sleep_between*1000);
    }
    close(sock);
    running_threads--;
    return;
}

// SIGINT handler: flush/close the output file and exit.
void sighandler(int sig)
{
    fclose(fd);
    printf("\n");
    exit(0);
}

/*
 * Status thread: parses the range and thread count from argv, spawns the
 * sender threads, then prints a one-line-per-second progress table until no
 * sender thread remains, and finally closes the output file and exits the
 * whole process.
 */
void *printthread(void *argvs)
{
    char **argv = (char **)argvs;
    int threads = atoi(argv[4]);
    pthread_t thread;
    sleep(1);
    char *str_start = malloc(18);
    memset(str_start, 0, 18);
    str_start = argv[1];
    char *str_end = malloc(18);
    memset(str_end, 0, 18);
    str_end = argv[2];
    // Range is split evenly across threads; toscan is the total host count.
    start = inet_addr(str_start);
    per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
    unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));
    int i;
    for(i = 0;i<threads;i++){
        pthread_create( &thread, NULL, &flood, (void *) i);
    }
    sleep(1);
    printf("Starting Scan...\n");
    // Column headers.
    char *temp = (char *)malloc(17);
    memset(temp, 0, 17);
    sprintf(temp, "Found");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Host/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "B/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Running Thrds");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Done");
    printf("%s", temp);
    printf("\n");

    char *new;
    new = (char *)malloc(16*6);
    while (running_threads > 0)
    {
        printf("\r");
        memset(new, '\0', 16*6);
        sprintf(new, "%s|%-15lu", new, found_srvs);
        sprintf(new, "%s|%-15d", new, scanned);
        sprintf(new, "%s|%-15d", new, bytes_sent);
        sprintf(new, "%s|%-15d", new, running_threads);
        memset(temp, 0, 17);
        int percent_done=((double)(hosts_done)/(double)(toscan))*100;
        sprintf(temp, "%d%%", percent_done);
        sprintf(new, "%s|%s", new, temp);
        printf("%s", new);
        fflush(stdout);
        // scanned / bytes_sent are per-second rates: reset after each print.
        bytes_sent=0;
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    fclose(fd);
    exit(0);
}

/*
 * Entry point. argv: <range start> <range end> <outfile> <threads> <delay ms>.
 * Raises RLIMIT_NOFILE/RLIMIT_STACK, resolves the first pcap device and its
 * IPv4 address (used to filter captured packets to ones addressed to us),
 * opens the device in promiscuous mode, pre-allocates the packet ring, starts
 * the status and reader threads, and then runs pcap_loop forever.
 */
int main(int argc, char *argv[ ])
{
    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Usage: %s <ip range start (192.168.0.0)> <ip range end (192.168.255.255)> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    fd = fopen(argv[3], "a");
    sleep_between = atoi(argv[5]);

    int num_threads = atoi(argv[4]);

    // Resource limits sized to the thread count; failures are reported but
    // not fatal.
    const rlim_t kOpenFD = 1024 + (num_threads * 2);
    struct rlimit rl;
    int result;
    rl.rlim_cur = kOpenFD;
    rl.rlim_max = kOpenFD;
    result = setrlimit(RLIMIT_NOFILE, &rl);
    if (result != 0)
    {
        perror("setrlimit_nofile");
        fprintf(stderr, "setrlimit_nofile returned result = %d\n", result);
    }
    bzero(&rl, sizeof(struct rlimit));
    rl.rlim_cur = 256 * 1024;
    rl.rlim_max = 4096 * 1024;
    result = setrlimit(RLIMIT_STACK, &rl);
    if (result != 0)
    {
        perror("setrlimit_stack");
        fprintf(stderr, "setrlimit_stack returned result = %d\n", result);
    }

    signal(SIGINT, &sighandler);

    pcap_if_t *alldevsp;
    pcap_t *handle; //Handle of the device that shall be sniffed

    char errbuf[100] , *devname , devs[100][100];
    int count = 1 , n;

    if( pcap_findalldevs( &alldevsp , errbuf) )
    {
        exit(1);
    }

    // Uses the first device pcap reports; its IPv4 address is read via
    // SIOCGIFADDR and kept in `ipv4` for process_packet's destination check.
    devname = alldevsp->name;
    ipv4 = malloc(16);
    bzero(ipv4, 16);
    struct ifreq ifc;
    int res;
    int sockfd = socket(AF_INET, SOCK_DGRAM, 0);

    if(sockfd < 0) exit(-1);
    strcpy(ifc.ifr_name, devname);
    res = ioctl(sockfd, SIOCGIFADDR, &ifc);
    close(sockfd);
    if(res < 0) exit(-1);
    strcpy(ipv4, inet_ntoa(((struct sockaddr_in*)&ifc.ifr_addr)->sin_addr));
    printf("Opening device %s for sniffing ... " , devname);
    handle = pcap_open_live(devname , 65536 , 1 , 0 , errbuf);

    if (handle == NULL)
    {
        fprintf(stderr, "Couldn't open device %s : %s\n" , devname , errbuf);
        exit(1);
    }
    printf("Done\n");

    sem_init(&loop_sem, 0, -1);
    // Build the circular packet queue: the first node points at itself, each
    // later node is inserted directly after head.
    i = 1024*1000;
    while(i--)
    {
        if(head == NULL)
        {
            head = (struct buffer *)malloc(sizeof(struct buffer));
            bzero(head, sizeof(struct buffer));
            head->data = NULL;
            head->size = 0;
            head->next = head;
            head->prev = head;
        } else {
            struct buffer *new_node = (struct buffer *)malloc(sizeof(struct buffer));
            bzero(new_node, sizeof(struct buffer));
            new_node->data = NULL;
            new_node->size = 0;
            new_node->prev = head;
            new_node->next = head->next;
            head->next = new_node;
        }
    }

    pthread_t prnthread;
    pthread_create( &prnthread, NULL, &printthread, (void *)argv);
    pthread_t redthread;
    pthread_create( &redthread, NULL, &readthread, NULL);

    // Runs until the process exits from printthread or sighandler.
    pcap_loop(handle , -1 , process_packet , NULL);

    return 0;
}

/*
 * pcap callback (producer): keeps only UDP packets whose IPv4 destination is
 * this host's interface address, copies each one into the ring at `head`,
 * advances head, and posts loop_sem for readthread. `over` counts slots that
 * were overwritten while still holding an unread packet.
 */
void process_packet(void *args, struct pcap_pkthdr *header, void *buffer)
{
    int size = header->len;

    //Get the IP Header part of this packet , excluding the ethernet header
    struct iphdr *iph = (struct iphdr*)(buffer + sizeof(struct ethhdr));
    memset(&dest, 0, sizeof(dest));
    dest.sin_addr.s_addr = iph->daddr;

    // 17 == IPPROTO_UDP; the string compare against ipv4 drops traffic not
    // addressed to this interface.
    if(iph->protocol == 17 && strcmp(inet_ntoa(dest.sin_addr), ipv4) == 0)
    {
        //toss into buffer
        if(head->data != NULL) over++;
        pthread_mutex_lock(&buf_mutex);
        void *temp = malloc(size);
        memcpy(temp, buffer, size);
        head->data = temp;
        head->size = size;
        head = head->next;
        pthread_mutex_unlock(&buf_mutex);
        sem_post(&loop_sem);
        total++;
    }
}