L3GIT_

Untitled

Jan 9th, 2017
  1. /*Credits to whoever coded the original script, I just took it and modified
  2. it with the Portmap payload and port.
  3. */
  4. #include <pthread.h>
  5. #include <unistd.h>
  6. #include <stdio.h>
  7. #include <stdlib.h>
  8. #include <string.h>
  9. #include <sys/socket.h>
  10. #include <netinet/in.h>
  11. #include <signal.h>
  12. #include <sys/time.h>
  13. #include <sys/types.h>
  14. #include <math.h>
  15. #include <ctype.h>
  16. #include <errno.h>
  17. #include <arpa/inet.h>
  18. #include <netinet/ip.h>
  19. #include <netinet/udp.h>
  20.  
/*
 * Shared scan state.  Every counter below is written by the worker threads
 * in flood() and read (two of them also reset) by the progress loop in
 * main().  `volatile` only forces memory accesses; it is not a
 * synchronisation primitive, so the ++/-- operations and the resets race.
 */
volatile int running_threads = 0;       /* ++ on entry to flood(), -- on exit; main() loops while > 0 */
volatile int found_srvs = 0;            /* replies accepted by recievethread(): UDP source port 69, body > 40 bytes */
volatile unsigned long per_thread = 0;  /* addresses per worker thread, host byte order; computed in main() */
volatile unsigned long start = 0;       /* first address of the range as returned by inet_addr(), i.e. network byte order */
volatile unsigned long scanned = 0;     /* datagrams sent since the last progress line; reset to 0 by main() every second */
volatile int sleep_between = 0;         /* parsed from argv[5] in main() but never read anywhere else: the "scan delay" argument has no effect */
volatile int bytes_sent = 0;            /* bytes sent since the last progress line; reset by main() */
volatile unsigned long hosts_done = 0;  /* cumulative datagrams sent; used for the percent-done figure */
FILE *fd;                               /* output file (argv[3], append mode); written by recievethread(), closed by sighandler() and main() */
/*
 * Probe sent to every address.  Decoded, the bytes form a TFTP read request
 * (RFC 1350): opcode 0x0001 (RRQ), filename "/x", NUL, mode "netascii", NUL.
 * Despite the header comment this is a TFTP probe rather than a portmap one,
 * and flood() sends it to UDP/69.  This byte sequence together with the
 * destination port is the scanner's on-wire signature.
 */
char payload[] =
"\x00\x01\x2f\x78\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";

/*
 * No type is given: this relies on pre-C99 "implicit int", which modern
 * compilers warn about or reject.  sizeof(payload) also counts the implicit
 * string terminator, so the value is 15 and each probe is 15 bytes long.
 */
size = sizeof(payload);
  34.  
/*
 * Worker thread: sends one probe datagram to every address in this thread's
 * slice of the range, as fast as the loop runs (there is no pacing;
 * sleep_between is never consulted).  par1 carries the thread index, which
 * main() passes as (void *) i.  Nothing is returned and main() never joins
 * the thread.
 */
void *flood(void *par1)
{
running_threads++;  /* unsynchronised read-modify-write shared with the other workers and main() */
int thread_id = (int)par1;  /* on 64-bit targets the pointer is narrowed to int; works only because main() stored a small integer in it */
/* Slice boundaries: host-order arithmetic on the start address, stored back in network order. */
unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
unsigned long w;
int y;  /* unused */
unsigned char buf[65536];  /* buf and sizeofpayload are set up but never used below */
memset(buf, 0x01, 1);
int sizeofpayload = 1;
int sock;
if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
perror("cant open socket");
exit(-1);  /* exit() from a worker terminates the whole process */
}
/*
 * w iterates in host order; htonl(end) undoes the htonl() above (the byte
 * swap is its own inverse), so the bound is the host-order end address,
 * exclusive.  Targets are visited in ascending address order.
 */
for(w=ntohl(start_ip);w<htonl(end);w++)
{
struct sockaddr_in servaddr;
bzero(&servaddr, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr=htonl(w);
servaddr.sin_port=htons(69);  /* TFTP port */
/* Return value ignored: a failed send is still counted below as if it had been sent. */
sendto(sock,payload,size,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
bytes_sent+=size;  /* size is the global sizeof(payload), i.e. 15 */
scanned++;
hosts_done++;
}
close(sock);
running_threads--;
return;  /* returns no value from a function declared to return void* */
}
  67.  
/*
 * SIGINT handler: closes the output file and exits.  fclose(), printf() and
 * exit() are not async-signal-safe, and fd is NULL if the fopen() in main()
 * failed (its result is never checked).  sig is unused.
 */
void sighandler(int sig)
{
fclose(fd);
printf("\n");
exit(0);
}
  74.  
/*
 * Listener thread: opens a raw IPv4/UDP socket (normally requires root or
 * CAP_NET_RAW), reads every incoming UDP datagram together with its IP
 * header, and records the sender of any datagram whose UDP source port is
 * 69 and whose UDP body exceeds 40 bytes.  Runs until the process exits; the
 * close() after the loop is unreachable and the 64 KiB buffer is never
 * freed.  Declared with empty parentheses; main() starts it with a NULL
 * argument.
 */
void *recievethread()
{
printf("\n");
int saddr_size, data_size, sock_raw;  /* saddr_size is an int passed where recvfrom() expects socklen_t* */
struct sockaddr_in saddr;
struct in_addr in;  /* unused */

unsigned char *buffer = (unsigned char *)malloc(65536);  /* result not checked for NULL */
sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
if(sock_raw < 0)
{
printf("Socket Error\n");
exit(1);
}
while(1)
{
saddr_size = sizeof saddr;
data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
if(data_size <0 )
{
printf("Recvfrom error , failed to get packets\n");
exit(1);
}
struct iphdr *iph = (struct iphdr*)buffer;  /* a raw socket delivers the IP header first */
if(iph->protocol == 17)  /* 17 == IPPROTO_UDP */
{
unsigned short iphdrlen = iph->ihl*4;
/* udph->source is read below before data_size is checked to cover the 8-byte UDP header. */
struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
unsigned char* payload = buffer + iphdrlen + 8;  /* shadows the global payload[]; never used here */
if(ntohs(udph->source) == 69)
{
int body_length = data_size - iphdrlen - 8;

if (body_length > 40)

{
found_srvs++;  /* any host answering from UDP/69 with > 40 bytes counts; no correlation with the probes actually sent */

fprintf(fd,"%s %d\n",inet_ntoa(saddr.sin_addr),body_length);  /* "<ip> <body bytes>" appended to argv[3] */
fflush(fd);

}

}
}

}
close(sock_raw);  /* unreachable: the loop above never breaks */

}
  125.  
/*
 * Entry point.  argv: <range start> <range end> <outfile> <threads> <delay ms>.
 * Starts the listener, splits the range over <threads> workers, then prints
 * a progress line once a second until running_threads drops to 0.
 * Input is taken at face value: fopen() is not checked, atoi() failures
 * yield 0 (threads == 0 divides by zero below), and the delay argument is
 * parsed but never used.
 */
int main(int argc, char *argv[ ])
{

if(argc < 6){
fprintf(stderr, "Invalid parameters!\n");
fprintf(stdout, "Usage: %s <ip range start (192.0.0.0)> <ip range end (198.255.255.255)> <outfile> <threads> <scan delay in ms>\n", argv[0]);
exit(-1);
}
fd = fopen(argv[3], "a");  /* NULL on failure is not checked; fd is used from the listener thread and in sighandler() */
sleep_between = atoi(argv[5]);  /* stored but never read: the delay has no effect */

signal(SIGINT, &sighandler);

int threads = atoi(argv[4]);  /* 0 on non-numeric input -> division by zero in the per_thread computation */
pthread_t thread;

pthread_t listenthread;
pthread_create( &listenthread, NULL, &recievethread, NULL);  /* return value unchecked; thread is never joined */

/* Both 18-byte allocations leak immediately: the pointers are overwritten with argv entries. */
char *str_start = malloc(18);
memset(str_start, 0, 18);
str_start = argv[1];
char *str_end = malloc(18);
memset(str_end, 0, 18);
str_end = argv[2];
start = inet_addr(str_start);  /* network byte order; INADDR_NONE for a malformed address is not detected */
/* Host-order arithmetic: addresses per worker and total range size (end exclusive). */
per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));
int i;
for(i = 0;i<threads;i++){
pthread_create( &thread, NULL, &flood, (void *) i);  /* loop index passed through the void* argument; handle overwritten each iteration, never joined */
}
sleep(1);  /* gives the workers a moment to raise running_threads; if none has run yet the loop below exits at once */
printf("Scan in Progress \n");
/* Column headers; each literal is at most 13 characters, so the 17-byte temp buffer holds it. */
char *temp = (char *)malloc(17);
memset(temp, 0, 17);
sprintf(temp, "PortMap Found");
printf("%-16s", temp);
memset(temp, 0, 17);
sprintf(temp, "IP/s");
printf("%-16s", temp);
memset(temp, 0, 17);
sprintf(temp, "Bytes/s");
printf("%-16s", temp);
memset(temp, 0, 17);
sprintf(temp, "Threads");
printf("%-16s", temp);
memset(temp, 0, 17);
sprintf(temp, "Percent Done");
printf("%s", temp);
printf("\n");

/*
 * Progress loop.  Each sprintf() below passes `new` as both the destination
 * and a %s argument, which is undefined behaviour (overlapping copy).  The
 * conversions also disagree with the variable types: found_srvs is int but
 * printed with %lu, scanned is unsigned long but printed with %d.
 */
char *new;
new = (char *)malloc(16*6);
while (running_threads > 0)
{
printf("\r");
memset(new, '\0', 16*6);
sprintf(new, "%s|%-15lu", new, found_srvs);
sprintf(new, "%s|%-15d", new, scanned);
sprintf(new, "%s|%-15d", new, bytes_sent);
sprintf(new, "%s|%-15d", new, running_threads);
memset(temp, 0, 17);
int percent_done=((double)(hosts_done)/(double)(toscan))*100;  /* toscan == 0 (start == end) gives inf, whose conversion to int is undefined */
sprintf(temp, "%d%%", percent_done);
sprintf(new, "%s|%s", new, temp);
printf("%s", new);
fflush(stdout);
/* Per-second counters are reset here while the workers keep incrementing them: increments can be lost. */
bytes_sent=0;
scanned = 0;
sleep(1);
}
printf("\n");
fclose(fd);  /* the listener thread may still be using fd; process exit ends it */
return 0;
}