Recurity Labs' PortBunny - README
=================================
PortBunny is a port scanner designed to perform classic TCP-SYN
port scans of large networks in as little time as possible. Its
development is focused on providing clean and sophisticated
timing code rather than on feature richness.

The port scan is performed in two steps. First, the scanner tries to
find packets that the target responds to ("triggers"). Second, the
actual port scan is performed. During the scan, the triggers found in
the first phase are used to determine the optimal speed at which the
target may be scanned.
Installation
============

Requirements:

Make sure the following components are installed:

(1) Linux kernel headers for the kernel in use.
(2) GNU C Compiler and GNU Make.
(3) Python version 2.4 or above if you want to use the
    command-line interface.

To build PortBunny, do the following:

(1) Make sure you are logged in as root.
(2) Unpack portbunny-VERSION.tar.gz by typing "tar xfz portbunny-VERSION.tar.gz".
(3) Enter PortBunny's directory by typing "cd portbunny-VERSION".
(4) Compile the module by typing "make".
(5) Install PortBunny by typing "make install".
Usage
=====

Basic usage is easy:

# portbunny HOST

scans HOST, which may either be a single IP address, a range of IP
addresses (in CIDR notation) or a domain name.

Please DO NOT load the module or create the device file manually; the
UI takes care of this automatically. If you want to talk to
/dev/portbunny directly and not make use of the UI, load the module
with:

# modprobe portbunny
To scan multiple hosts, simply list them:

# portbunny HOST1 HOST2 ... HOSTn

By default, PortBunny scans the same ports as NMAP does: ports 1-1024
plus those ports above 1024 that are listed in the services file
(located in /usr/local/share/portbunny/services after successful
installation).

If you want to scan a different set of ports, use the -p flag. For
example,

# portbunny HOST -p 1-65535

will scan all ports. The -p flag also accepts single ports and
comma-separated lists. For example, to scan only ports 22, 80 and 23
and the range 100 to 150, type:

# portbunny HOSTNAME -p 22,80,23,100-150
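As an added example (not PortBunny's own code, whose UI is written for Python 2), here is a Python 3 parser for the -p syntax shown above: comma-separated single ports and inclusive low-high ranges, plus the inverse operation that renders a port list back into the shortest such spec. The validation rules (ports must lie in 1-65535, a range's low end must not exceed its high end) are my assumptions about what a sane parser should enforce; the real UI may behave differently on malformed input.

```python
"""Parse and render PortBunny-style -p port specifications.

Added example, not part of PortBunny. Implements the syntax the README shows
("22,80,23,100-150"): comma-separated single ports and inclusive ranges.
The range checks below are assumptions, not documented PortBunny behaviour.
"""
from typing import List

PORT_MIN, PORT_MAX = 1, 65535


def _port(text: str) -> int:
    """Parse one port number and reject anything outside 1-65535."""
    if not text.isdigit():
        raise ValueError("port %r is not a number" % text)
    value = int(text)
    if not PORT_MIN <= value <= PORT_MAX:
        raise ValueError("port %d outside %d-%d" % (value, PORT_MIN, PORT_MAX))
    return value


def parse_port_spec(spec: str) -> List[int]:
    """Return the sorted, de-duplicated list of ports named by `spec`.

    Entries are separated by commas; an entry is either a single port
    or an inclusive range "LOW-HIGH". Overlapping entries are merged.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low, high = _port(low_s), _port(high_s)
            if low > high:
                raise ValueError("reversed range %r" % item)
            ports.update(range(low, high + 1))
        else:
            ports.add(_port(item))
    return sorted(ports)


def compress_ports(ports: List[int]) -> str:
    """Inverse of parse_port_spec: render a port list as the shortest range spec."""
    runs = []  # list of [first, last] for each run of consecutive ports
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


if __name__ == "__main__":
    spec = "22,80,23,100-150"
    ports = parse_port_spec(spec)
    print("%s -> %d ports, normalised to %s" % (spec, len(ports), compress_ports(ports)))
```

Normalising the spec before handing it to a scanner makes the port count visible up front, which is useful for sanity-checking a large range such as 1-65535 against the timing budget of a scan.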
To perform a host discovery, use the -d flag. For example,

# portbunny 192.168.1.0/24 -d

will tell you which of the hosts in 192.168.1.0/24 were detectable by
PortBunny. Keep in mind that ARP pings are currently not supported, so
on local area networks PortBunny sometimes discovers fewer hosts than
NMAP.

For more options, type

# portbunny --help
Once a scan is in progress (i.e. after host discovery has been
performed), you can obtain information about the scan and change some
of its parameters using the following keys:

a : Abort the current group
+ : Increase the number of jobs used in the next group
- : Decrease the number of jobs used in the next group
l : List active jobs
Any other key : View the progress report

By default, the number of jobs per group is 1, which means that one
host is scanned at a time.
Triggers
========

The following triggers (ordered by quality) have been implemented:

TCP_SYN-$PORT:
    Sends a TCP packet to $PORT with the SYN flag set.
    Awaits a TCP packet with the ACK and RST flags or the SYN and ACK
    flags set.

TCP_ACK-$PORT:
    Sends a TCP packet to $PORT with the ACK flag set.
    Awaits a TCP packet with the RST flag set.

ICMP_ER-0:
    Sends an ICMP Echo Request (ping).
    Awaits an ICMP Echo Reply.

ICMP_TS-0:
    Sends an ICMP Timestamp Request.
    Awaits an ICMP Timestamp Reply.

ICMP_ADDR-0:
    Sends an ICMP Address Mask Request.
    Awaits an ICMP Address Mask Reply.

UDP-$PORT:
    Sends a UDP datagram to $PORT.
    Awaits an ICMP Destination Unreachable with code "Port Unreachable".
    Note: ICMP Destination Unreachables are frequently rate-limited.

IP_PROT-$PROTOCOL:
    Sends an IP packet with the protocol field set to $PROTOCOL.
    Awaits an ICMP Destination Unreachable with code "Protocol Unreachable".
    Note: ICMP Destination Unreachables are frequently rate-limited.
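The trigger/reply pairs above are also useful from the defender's side: which of them a host answers determines which probes a scanner can use to pace its scan. The following Python 3 example (added here, not part of PortBunny) models each trigger as a probe/expected-reply pair and audits a packet trace to report which triggers a host answered. The Packet record, the TCP flag names and the sample traffic are my own constructions, not PortBunny's data structures or real captures.

```python
"""Audit which PortBunny-style triggers a host answers.

Added example, not PortBunny code. Models the trigger/reply pairs listed in
the README so that a defender can check, from captured traffic, which probe
types a host responds to. The Packet record and the sample trace below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp" or "ip" (raw IP protocol probe)
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. frozenset({"SYN"})
    icmp_type: int = -1
    icmp_code: int = -1
    ip_proto: int = 0               # protocol number carried by a raw IP probe


def classify_probe(pkt: Packet) -> Optional[str]:
    """Return the README trigger name a packet corresponds to, or None."""
    if pkt.proto == "tcp":
        if pkt.flags == frozenset({"SYN"}):
            return "TCP_SYN-%d" % pkt.dport
        if pkt.flags == frozenset({"ACK"}):
            return "TCP_ACK-%d" % pkt.dport
        return None                 # other flag combinations are not README triggers
    if pkt.proto == "icmp":         # 8 = Echo, 13 = Timestamp, 17 = Address Mask request
        return {8: "ICMP_ER-0", 13: "ICMP_TS-0", 17: "ICMP_ADDR-0"}.get(pkt.icmp_type)
    if pkt.proto == "udp":
        return "UDP-%d" % pkt.dport
    if pkt.proto == "ip":
        return "IP_PROT-%d" % pkt.ip_proto
    return None


# Expected ICMP (type, code) per ICMP-answered trigger; None code means "any".
_ICMP_REPLY = {"ICMP_ER": (0, None), "ICMP_TS": (14, None), "ICMP_ADDR": (18, None),
               "UDP": (3, 3), "IP_PROT": (3, 2)}


def reply_satisfies(trigger: str, probe: Packet, reply: Packet) -> bool:
    """True if `reply` is the answer the trigger awaits for `probe`."""
    if reply.src != probe.dst or reply.dst != probe.src:
        return False
    kind = trigger.split("-")[0]
    if kind == "TCP_SYN":
        return (reply.proto == "tcp" and reply.sport == probe.dport
                and reply.flags in (frozenset({"SYN", "ACK"}), frozenset({"RST", "ACK"})))
    if kind == "TCP_ACK":
        return reply.proto == "tcp" and reply.sport == probe.dport and "RST" in reply.flags
    expected = _ICMP_REPLY.get(kind)
    if expected is None or reply.proto != "icmp":
        return False
    return reply.icmp_type == expected[0] and (expected[1] is None or reply.icmp_code == expected[1])


def audit_host(packets: List[Packet], target: str) -> Dict[str, bool]:
    """Map each trigger probe sent to `target` to whether a later packet answered it."""
    result: Dict[str, bool] = {}
    for i, pkt in enumerate(packets):
        if pkt.dst != target:
            continue
        trig = classify_probe(pkt)
        if trig is None:
            continue
        answered = any(reply_satisfies(trig, pkt, later) for later in packets[i + 1:])
        result[trig] = result.get(trig, False) or answered
    return result


# Constructed sample trace: a scanner probing one host with each trigger type.
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"
SAMPLE_TRAFFIC = [
    Packet(SCANNER, TARGET, "tcp", sport=40000, dport=80, flags=frozenset({"SYN"})),
    Packet(TARGET, SCANNER, "tcp", sport=80, dport=40000, flags=frozenset({"SYN", "ACK"})),
    Packet(SCANNER, TARGET, "tcp", sport=40001, dport=81, flags=frozenset({"ACK"})),
    Packet(TARGET, SCANNER, "tcp", sport=81, dport=40001, flags=frozenset({"RST"})),
    Packet(SCANNER, TARGET, "icmp", icmp_type=8, icmp_code=0),
    Packet(TARGET, SCANNER, "icmp", icmp_type=0, icmp_code=0),
    Packet(SCANNER, TARGET, "icmp", icmp_type=13, icmp_code=0),   # timestamp request, filtered
    Packet(SCANNER, TARGET, "udp", sport=40002, dport=31337),
    Packet(TARGET, SCANNER, "icmp", icmp_type=3, icmp_code=3),     # port unreachable
    Packet(SCANNER, TARGET, "ip", ip_proto=254),                   # no protocol unreachable
]

if __name__ == "__main__":
    for trig, answered in sorted(audit_host(SAMPLE_TRAFFIC, TARGET).items()):
        print("%-14s answered=%s" % (trig, answered))
```

A host that answers ICMP Timestamp or Address Mask requests, or returns Port/Protocol Unreachables without rate limiting, gives a scanner extra, well-behaved triggers to pace its scan with; host firewalls commonly drop those ICMP types, which the audit reports as False for that trigger.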
Hacking
=======

If you want to start hacking on the kernel module, install doxygen and
generate the HTML documentation from the source code by typing

# doxygen ./Doxyfile.in

in PortBunny's root directory.

If you are interested in writing a user interface, take a look at
UI/interface.py, an object-oriented Python interface to PortBunny. A
complete list of supported commands can also be found in the
documentation generated by doxygen.

If you have any questions concerning the source code, please write me
an e-mail directly.

We're also looking for people who would like to spend their free time
helping with the code, so feel free to contact me about that as well.
Bugs
====

If you can reproduce a bug, please perform the scan with the -l option
and send us the generated log file "scan_log.txt".
Contact
=======
Fabian Yamaguchi <fabs@recurity-labs.com>