0x01 Introduction
The idea behind the Dynamic Port Scanner (DPS) is to provide a reliable port scanner that uses spoofed source IP addresses. The spoofed source IP is generated dynamically at run time and changes for every scan packet: each probe carries a different random spoofed source IP. Traditionally a port scan with a spoofed source IP has been considered unreliable, because the replies are addressed to the spoofed source and never reach the scanning system. DPS gets around this by integrating ARP poisoning into the port scan: the host that answers (or forwards) the reply is poisoned so that it maps the spoofed IP to the scanner's own MAC address, and the reply is delivered to the scanner after all. The spoofed addresses DPS uses therefore all fall within the range of the local subnet, which is why DPS is best suited for internal scanning.
0x02 Features
- DPS v1.5 is a multi-threaded application. It creates up to THREADS_MAX threads at once; each thread scans one port and performs the corresponding ARP poisoning.
- DPS distinguishes between a scanned host within the local net and a host outside it. If the scanned host is within the local net, it is itself the target of the ARP poisoning; if not, the gateway/router is poisoned instead, since it is the gateway that sends the reply back onto the local segment.
- The spoofed source IP never matches the IP of the scanned machine when that machine is within the local net, because a host cannot be ARP-poisoned with fake information about itself.
- DPS features 10 different TCP stealth scan types: SYN, FIN, NULL, ACK, URG, PSH, XMAS, XMAS1, XMAS2, XMAS3.
- DPS is built on top of libpcap and libnet.
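The poisoning-plus-probing logic that the introduction and the feature list describe, written out as an added Python example. This is not the DPS source (DPS is C on libnet/libpcap): it uses only the standard library, builds the forged ARP reply and the TCP probe as raw bytes, and runs them against a simulated RFC 793 target instead of sending anything, so it works offline and without root. Assumptions not taken from the page: the scanner's own address is also excluded from the spoofed pool; XMAS is taken as FIN|PSH|URG and the XMAS1/2/3 variants are left out because their flag sets are not given; the verdicts for the FIN-family scans (closed on RST, otherwise open|filtered) follow the usual RFC 793 interpretation; and every address, MAC and port state in it is a constructed sample value.

```python
"""Decision logic and packet construction behind a DPS-style spoofed scan.
Pure standard library: frames and segments are built as bytes and run against
a simulated target instead of being sent, so it works offline and unprivileged.
The addresses, MACs and the target's port map are constructed sample values."""
import ipaddress
import random
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

# TCP flag bits, listed in the page's [UAPRSF] display order.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_ORDER = ((URG, "U"), (ACK, "A"), (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F"))
# -t letter -> flags set on the probe. XMAS is taken as FIN|PSH|URG (the usual
# definition); the XMAS1/2/3 variants are not defined on the page, so are omitted.
SCAN_TYPES = {"S": SYN, "F": FIN, "N": 0, "A": ACK, "U": URG, "P": PSH, "X": FIN | PSH | URG}


def flag_string(flags):
    """Render a flag set as DPS prints it, e.g. SYN -> '[____S_]'."""
    return "[" + "".join(ch if flags & bit else "_" for bit, ch in FLAG_ORDER) + "]"


def poison_target(scanned_host, local_ip, netmask, gateway):
    """Who gets the forged ARP reply: the scanned host if it is on the local
    net, otherwise the gateway that will route its answer back onto the LAN."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return scanned_host if ipaddress.ip_address(scanned_host) in net else gateway


def random_spoofed_ip(local_ip, netmask, scanned_host, rng=random):
    """Random host address in the local subnet. Never the scanned host (it
    cannot be poisoned about itself) and, as an assumption here, never the
    scanner's own address, since that would be no spoof at all."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    hosts = [str(h) for h in net.hosts() if str(h) not in (scanned_host, local_ip)]
    return rng.choice(hosts)


def build_arp_reply(spoofed_ip, scanner_mac, victim_ip, victim_mac):
    """Ethernet+ARP 'spoofed_ip is-at scanner_mac', unicast to the victim, so
    its reply to the spoofed source is delivered to the scanner's NIC."""
    smac, vmac = (bytes.fromhex(m.replace(":", "")) for m in (scanner_mac, victim_mac))
    eth = vmac + smac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, opcode reply
    arp += smac + socket.inet_aton(spoofed_ip) + vmac + socket.inet_aton(victim_ip)
    return eth + arp


def checksum(data):
    """Internet checksum; verifies to 0 over a packet that carries a valid one."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags):
    """IPv4 + TCP header carrying the spoofed source and the scan type's flags."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1234, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def rfc793_reply(port_state, probe_flags):
    """Constructed stand-in for the target: a closed port answers any segment
    without RST with a RST; an open port answers SYN with SYN|ACK, a bare ACK
    with RST and drops FIN/NULL/XMAS probes; a filtered port drops everything."""
    if port_state == "filtered" or probe_flags & RST:
        return None
    if port_state == "closed":
        return RST
    if probe_flags & SYN:
        return SYN | ACK
    return RST if probe_flags & ACK else None


def classify(scan_type, reply_flags):
    """Map the reply (None = silence) to the status DPS would report."""
    got_rst = reply_flags is not None and bool(reply_flags & RST)
    if scan_type == "S":
        return "open" if reply_flags == SYN | ACK else "closed" if got_rst else "filtered"
    if scan_type == "A":
        return "unfiltered" if got_rst else "filtered"
    return "closed" if got_rst else "open|filtered"  # FIN/NULL/XMAS/URG/PSH family


def scan(scanned_host, ports, scan_type, local_ip, netmask, gateway,
         scanner_mac, victim_mac, port_map, threads_max=8, seed=None):
    """One DPS-style run: each worker picks a fresh spoofed IP, forges the ARP
    reply for the poison target, builds the probe and classifies the answer."""
    rng = random.Random(seed)
    victim = poison_target(scanned_host, local_ip, netmask, gateway)
    flags = SCAN_TYPES[scan_type]

    def probe_port(port):
        spoofed = random_spoofed_ip(local_ip, netmask, scanned_host, rng)
        build_arp_reply(spoofed, scanner_mac, victim, victim_mac)          # would go on the wire first
        build_tcp_probe(spoofed, scanned_host, rng.randint(1024, 65535), port, flags)
        reply = rfc793_reply(port_map.get(port, "closed"), flags)           # simulated answer
        return port, classify(scan_type, reply), spoofed

    with ThreadPoolExecutor(max_workers=threads_max) as pool:
        return {port: (status, ip) for port, status, ip in pool.map(probe_port, ports)}


if __name__ == "__main__":
    ports = {135: "open", 139: "open", 445: "open", 80: "closed", 22: "filtered"}
    result = scan("10.1.10.239", sorted(ports), "S", "10.1.10.10", "255.255.255.0",
                  "10.1.10.1", "00:11:22:33:44:55", "66:77:88:99:aa:bb", ports, seed=1)
    print("Scan Type: TCP SYN Scan", flag_string(SCAN_TYPES["S"]))
    for port, (status, spoofed) in sorted(result.items()):
        print(f"{port:<5} {status:<9} {spoofed}")
```

Running the file prints a small SYN scan in the page's own result format. The forged ARP frame is 42 bytes and the probe 40, and both the IP and the TCP checksum verify to 0 with checksum(), which is the same sanity check you would apply to what libnet puts on the wire before trusting a "filtered" verdict.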
0x03 Code
0x04 Examples
- Example 1:
With no options, DPS scans ports 1-1024 using a SYN scan.
suse2:/home/ar/dps-v1.5 # dps 10.1.10.239
============================================================
Dynamic Port Scanner [DPS] version 1.5
A Reliable Spoofed Source IP Port Scanner
Copyright (c) 2006 - 2008 AR Samhuri <ar@securebits.org>
============================================================
=========================== SCAN RESULT ===========================
Scanned Host: 10.1.10.239 (10.1.10.239)
Scan Type: TCP SYN Scan [____S_]
Total Scan Time: 109 seconds
Number of scanned ports: 1024
{ [open 3] [filtered 1021] }
----  ------  ------------  -------------------------
port  status  service       used spoofed IP
----  ------  ------------  -------------------------
135   open    epmap         10.1.10.124 (10.1.10.124)
139   open    netbios-ssn   10.1.10.51 (10.1.10.51)
445   open    microsoft-ds  10.1.10.75 (10.1.10.75)
The rest of the ports are filtered
- Example 2:
Scanning a host with an ACK scan (-t A) at verbosity level 1 (-v).
suse2:/home/ar/dps-v1.5 # dps -v -t A -p 53,80,88,21,22,135,139,445,464 10.1.0.74
============================================================
Dynamic Port Scanner [DPS] version 1.5
A Reliable Spoofed Source IP Port Scanner
Copyright (c) 2006 - 2008 AR Samhuri <ar@securebits.org>
============================================================
Initializing DPS...
Starting Scanning...
Port 80 [UNFILTERED]
Port 88 [UNFILTERED]
Port 135 [UNFILTERED]
Port 21 [UNFILTERED]
Port 22 [UNFILTERED]
Port 139 [UNFILTERED]
Port 445 [UNFILTERED]
Port 464 [UNFILTERED]
Port 53 [UNFILTERED]
Ending Scanning...
=========================== SCAN RESULT ===========================
Scanned Host: 10.1.0.74 (10.1.0.74)
Scan Type: TCP ACK Scan [_A____]
Total Scan Time: 2 seconds
Number of scanned ports: 9
{ [unfiltered 9] }
All the ports are unfiltered
- Example 3:
Scanning a host with the default SYN scan at verbosity level 2 (-vv). Note that in this capture the verbose lines for ports 88, 135 and 445 print the scanned host's own address (10.1.0.76) as the spoofed IP, while the summary table lists 10.1.10.x addresses for the same ports; the two views of the run do not agree.
suse2:/home/ar/dps-v1.5 # dps -vv -p 80,88,21,22,135,139,445,464 10.1.0.76
============================================================
Dynamic Port Scanner [DPS] version 1.5
A Reliable Spoofed Source IP Port Scanner
Copyright (c) 2006 - 2008 AR Samhuri <ar@securebits.org>
============================================================
Initializing DPS...
Starting Scanning...
PORT [80] SPOOFED IP [10.1.10.87] STATUS [closed]
PORT [88] SPOOFED IP [10.1.0.76] STATUS [open]
PORT [21] SPOOFED IP [10.1.10.98] STATUS [closed]
PORT [22] SPOOFED IP [10.1.10.34] STATUS [closed]
PORT [139] SPOOFED IP [10.1.10.109] STATUS [open]
PORT [135] SPOOFED IP [10.1.0.76] STATUS [open]
PORT [445] SPOOFED IP [10.1.0.76] STATUS [open]
PORT [464] SPOOFED IP [10.1.10.106] STATUS [open]
Ending Scanning...
=========================== SCAN RESULT ===========================
Scanned Host: 10.1.0.76 (10.1.0.76)
Scan Type: TCP SYN Scan [____S_]
Total Scan Time: 2 seconds
Number of scanned ports: 8
{ [open 5] [closed 3] }
----  ------  ------------  -------------------------
port  status  service       used spoofed IP
----  ------  ------------  -------------------------
80    closed  http          10.1.10.87 (10.1.10.87)
88    open    kerberos      10.1.10.81 (10.1.10.81)
21    closed  ftp           10.1.10.98 (10.1.10.98)
22    closed  ssh           10.1.10.34 (10.1.10.34)
135   open    epmap         10.1.10.59 (10.1.10.59)
139   open    netbios-ssn   10.1.10.109 (10.1.10.109)
445   open    microsoft-ds  10.1.10.8 (10.1.10.8)
464   open    kpasswd       10.1.10.106 (10.1.10.106)
0x05 Additional Materials
0x06 Author
AR Samhuri <ar[at]securebits[dot]org>
0x07 Credits
Thanks to "Saddam" for beta-testing version 1.5 of the tool.