§@ªÌ¡Glake2
¤W¦¸®³¨ì¤@个webshell¡A¥i¬O±µ着¹J¨ì³Â烦¡X¡X¥DÉó装¤Fµw¥ó¨¾¤õ墙¡C虽µM发现¥DÉóªºMSSQL¦s¦bhello·¸¥Xº|¬}¡A¦ý¬O¥Ñ¤_¨¾¤õ墙ªºªý挠©l终®³¤£¨ìshell¡]¤Ï¦V连±µ时发现仅仅¯à够连±µ¡A没¦³数Õu过来¡^¡A¥t¥~¤S试¤FNÏú¥»¦a´£¤É权ªº¤èªk¦ý¥H¥¢败§i终¡C§闷¡I¦Z来¤S·Q¨ì¦pªG¦bwebshell¨½¥Îsqlhello·¸¥X绑©w¤@个¨¾¤õ墙¤¹许开ªººÝ¤f¡A¨º¤£´Nok¤F¡C当µM这个ºÝ¤f¥²须¬O现¦b关闭着ªº¡C
¤j®a³£ª¾¹D¦pªG¯à够连±µ远µ{¥DÉ󪺬Y个ºÝ¤f¡A¨º¤\这个ºÝ¤f¦ÛµM¬O¨¾¤õ墙¤¹许开©ñªº¡C现¦bªº问题¬O¡A现¦bºÝ¤f关闭着¡A¦p¦ó§P断©O¡H
这¨½§Ú·Q¨ì¦³¤j虾说过telnet远µ{¥DÉóºÝ¤f时¡A¦pªG«Ü§Öªð¦^连±µ¥¢败´N说©úºÝ¤f关闭¡F¦pªGµ¥¤F¤Q¦h¬í¤~ªð¦^¦h¥b¬O对¤è装¦³¨¾¤õ墙¡C这个¤èªk¬O对ªº¡A¥i¬O¤@¦@¦³65535个ºÝ¤f¡A¤£会让§ÚºCºC¥htelnet§a¡A©Ò¥H´N写个µ{§Ç¦Û动¥h扫¡C
¦PºÝ¤f扫´yµ{§Ç类¦ü¡A这个µ{§Ç¤]调¥Îwinsockªºconnect¨ç数¡A¦ý¥Ñ¤_ºÝ¤f¬O关闭ªº¡A©Ò¥Hconnect会ªð¦^¤@个错误码10061¡]连±µ³Q©Ú¡C¥Ñ¤_³Q¥Ø标É󾹩Ú绝¡A连±µ无ªk«Ø¥ß¡^¡F¦ý¦pªG¬O对¤èªº¨¾¤õ墙拦ºI¤F连±µ请¨Dªº话¡A过¬q时间´N会ªð¦^10060错误¡]连±µ¶W时¡^¡C§Q¥Îªð¦^ªº错误类«¬§Ú们´N¥i¥H§P断该ºÝ¤f¬O§_为远µ{¥DÉ󨾤õ墙¤¹许开©ñªº¤F¡C¤£过这¨½ª`·N¡A¦pªG¥Ø标ip¤£¦s¦b¥DÉóªº话¤]会¶W时ªº®@¡C
ì²z·dÀ´¤F写µ{§Ç¤]´N«Ü简单¤F¡A´N¬O调¥Îwinsockªºconnect¡C关¤_winsock编µ{参¦Ò¡mWINDOWSÊI络编µ{§Þ术¡n§a¡F¶â¡A¥t¥~ª`·N¥Î¦h线µ{¡A¤£µMªº话¡A¨þ¨þ¡A¤@¾ã¤Ñ³£扫¤£§¹¡C¦h线µ{n¨Ï¥ÎCreateThread这个API¨ç数¡A¬Ý¬ÝMSDN§a¡C随«K¦bÊI¤W§ä¤F个扫´y¾¹¥N码参¦Ò¡A写¤F这个µ{§Ç¡A¥N码¦p¤U¡G
#include
#include
#include
#include
#include
// NOTE(review): the five `#include` lines above lost their header names in
// rendering; judging by the calls used below (WSAStartup/socket/connect,
// CreateThread/Sleep, printf, exit, memcpy) they are presumably <winsock2.h>,
// <windows.h>, <stdio.h>, <stdlib.h> and <string.h> -- confirm against the original.
#pragma comment(lib,"ws2_32.lib")
#define MAXThreadCount 100// maximum number of Scan threads alive at once
#define SumScanCount 65535// total number of ports to scan (1..65535)
// Target address shared by every Scan thread. sin_family and sin_addr are set
// once in main before any thread starts; sin_port is rewritten by each Scan
// thread while other threads may be inside connect() -- a data race.
struct sockaddr_in server;
// Number of live Scan threads. Incremented in thread() and decremented in
// Scan() from different threads with no synchronisation (plain int, neither
// volatile nor atomic) -- the count can drift, and main's final wait loop
// depends on it reaching exactly zero.
int ThreadCount=0;
int dwThrdParam = 1; // next port number handed to CreateThread; declared up front so it is easy to count
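// Resolves `name` (a dotted-quad IPv4 literal or a host name) to an IPv4
// address in network byte order, suitable for sockaddr_in.sin_addr.s_addr.
//
// On failure a diagnostic is printed and the process terminates with a
// non-zero status (the original called exit(0), which reported success to
// the shell). Only the first IPv4 address returned by the resolver is used.
// Known limitation, unchanged from the original: the literal 255.255.255.255
// is indistinguishable from inet_addr()'s INADDR_NONE failure value.
unsigned int resolve(char *name)
{
    unsigned int ip = inet_addr(name);
    if (ip == INADDR_NONE) {
        /* Not a numeric address: fall back to a name lookup. */
        struct hostent *he = gethostbyname(name);
        if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL) {
            printf("ERROR: Don't find the %s .\n", name);
            exit(1);
        }
        /* h_addr_list[0] is what the legacy h_addr macro expands to; the
           4-byte IPv4 address is already in network order. */
        memcpy(&ip, he->h_addr_list[0], sizeof ip);
    }
    return ip;
}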
// Thread entry: one full TCP connect() attempt to port `lpParam` on the global
// target `server`, classified from the Winsock error code:
//   connect() succeeds      -> prints "port %d openning"   (port is open)
//   error 10061 (refused)   -> prints "port %d allown open" (closed but
//                              reachable: the SYN got through and the host
//                              answered, so the firewall permits the port)
//   any other error         -> silent (e.g. 10060 timeout, per the prose above)
// Always returns 0. Each probe is a full three-way handshake rather than a
// half-open probe, so every attempt is presumably recorded by the target's
// firewall/connection logging.
DWORD WINAPI Scan(LPVOID lpParam )
{
// The port number is the LPVOID value itself, not a pointer to it (see thread()).
int mysock,code,port=(int)lpParam ;
mysock=socket(AF_INET,SOCK_STREAM,0);
// NOTE(review): on failure this only prints and then falls through to
// connect()/closesocket() on the bad handle; it should return here.
if(mysock < 0) { printf("socket error!"); }
// NOTE(review): `server` is shared by all threads; writing sin_port while other
// threads are inside connect() is a data race -- a thread may end up probing
// another thread's port, and the port printed below may not be the one tried.
server.sin_port = htons(port);
if(connect(mysock,(struct sockaddr *) & server,sizeof(server))!=0)
{
// Presumably relies on GetLastError() mirroring WSAGetLastError(), which is the
// documented call for socket errors; 10061 is WSAECONNREFUSED.
code=GetLastError();
if(code==10061)printf("port %d allown open\n",port);
}
else
{
printf("port %d openning\n",port);
}
closesocket(mysock);
// Unsynchronised decrement of the shared counter (see ThreadCount).
ThreadCount--;
return 0;
}
// Launches one Scan thread for `port` and throttles the launch rate.
// Side effects on globals: dwThrdParam++ (next port) and ThreadCount++ (live
// threads). The Sleep(200) after each launch bounds the sweep to about five new
// connects per second, i.e. roughly 65535 * 0.2 s = 3.6 h for all ports -- which
// matches the "3 hours" the post reports at the end.
// NOTE(review): WSAStartup() is called here once per port (up to 65535 times)
// while WSACleanup() runs only once in main; Winsock should be initialised once.
// NOTE(review): when CreateThread fails the function still increments
// ThreadCount (no thread will ever decrement it, so main's final wait loop can
// never finish) and then calls CloseHandle(NULL).
void thread(int port)
{
DWORD dwThreadId;
HANDLE hThread;
WSADATA ws;
if (WSAStartup( MAKEWORD(2,2), &ws )!=0)
{
printf(" [-] WSAStartup() error\n");
exit(0);
}
hThread = CreateThread(
NULL, // no security attributes
0, // use default stack size
Scan, // thread function
(LPVOID)port, // argument to thread function: the port value itself cast to a pointer, not its address
0, // use default creation flags
&dwThreadId); // returns the thread identifier
if (hThread == NULL)
printf( "CreateThread failed." );
dwThrdParam++;
ThreadCount++;
Sleep(200); // delay, otherwise the CPU is pegged at 100%
// Closing the handle releases this reference only; the thread keeps running.
CloseHandle(hThread);
}
// Entry point: argv[1] is the target host (IP literal or name). Fills in the
// shared `server` address, then launches one Scan thread per port from
// dwThrdParam (1) up to SumScanCount, never more than MAXThreadCount
// outstanding, and waits for them all before cleaning up Winsock.
// NOTE(review): `void main` is non-standard; it should be `int main`.
// NOTE(review): both while-loops are busy-waits on a plain global that other
// threads write. They burn a core, and because ThreadCount is neither volatile
// nor atomic an optimising compiler may legally keep it in a register, so the
// final wait can spin forever. Given the Sleep in thread(), the first loop
// spins mostly while MAXThreadCount threads are outstanding.
void main(int argc, char* argv[])
{
if(argc!=2)
{
printf("\n- This program find port that firewall allow open -\n");
printf("- Only for test by lake2 - \n");
printf("Usage: %s IP\n",argv[0]);
exit(0);
}
server.sin_family = AF_INET;
// resolve() terminates the process itself if the name cannot be resolved.
server.sin_addr.s_addr = resolve( argv[1] );
printf("Starting and waiting..............\n");
// dwThrdParam is advanced inside thread(), not in this loop.
while( dwThrdParam <= SumScanCount )
{
if( ThreadCount < MAXThreadCount ){ thread(dwThrdParam); }
}
// Wait for the outstanding Scan threads (see the note above on this spin).
while( ThreadCount!=0 ){ }
WSACleanup();
printf("Done!");
}
运¦æµ{§Ç¡A¶ñ¤Wip¥¦´N会¦Û动±´测©Ò¦³ºÝ¤f¡A¥Ñ¤_¨º¨Ç³Q过滤ªººÝ¤f¤j·§³£®t¤£¦hnµ¥¤G¤Q¬í¡A³t«×¤ñ较ºC¡A¥i¥H¦Û¤v设个¶W时È¥[§Ö³t«×¡F¥t¥~¤]¥i¥H×§ï¤@¤U让¥Î户¦Û©w义扫´yS围µ¥µ¥¡A现¦b¤£ºÞ¤F¡A¥Î±o°_´N¦æ¡C编译¦nªºµ{§Ç这¨½¥i¥H§ä¨ì¡G
http://lake2.512j.com/soft/PortScan.exe
µ{§Ç°µ¦n¤F当µMn®³来¥Î°Õ¡A经过º©长ªº3¤p时¦hªº扫´y¤§¦Z¡A±o¨ì结ªG¡G¥Ø标¥DÉó¨¾¤õ墙¥u开©ñ80ºÝ¤f¡C当场晕¦º¡Iü¡A¡§¸ôº©º©¨ä×远¤¼¡A§^将¤W¤U¦Ó¨D¯Á¡¨¡K¡K