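/* NetDDE Scanner by Gogu258 (gogu258[at]yahoo.com) - based on POC from .::[ houseofdabus]::. 2005 Jan.
 *
 * Reads one host per whitespace-separated token from an input file, fetches the
 * host's NetBIOS name over TCP/139 (from an SMB negotiate response), then sends
 * a NetBIOS session request addressed to that name with the NetDDE service
 * suffix (0x1F) and records in the result file whether the host answers with a
 * positive session response.
 *
 * The probe bytes and the per-host logic are the original author's; this
 * revision only fixes memory-safety defects (unbounded fscanf, out-of-bounds
 * reads in the name search/copy, overflow on names longer than 15 bytes, NULL
 * name passed to strlen), socket/file/heap leaks on error paths, and the
 * argument-count check.
 */
#define WIN32_LEAN_AND_MEAN
/* NOTE: the #include targets were stripped when this page was rendered; the
 * headers below are the ones the code actually uses. The original already
 * guarded WSAStartup() with _WIN32, so the non-Windows branch completes that
 * intent with aliases for the two Winsock-only names used here. */
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define closesocket close
#define Sleep(ms) sleep((unsigned)((ms) / 1000)) /* whole seconds; only called with 1000 */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SMB_COM_NEGOTIATE request: 4-byte NetBIOS session header (length 0x2f),
 * "\xffSMB" + command 0x72, then a single dialect entry "NT LM 0.12".
 * Sent only to provoke a reply that carries the server name. */
const char smb_negotiate[] =
    "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
    "\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
    "\x31\x32\x00";

/* NetBIOS session request (type 0x81, length 0x44) with a generic called name
 * ("*SMBSERVER", first-level encoded) and a fixed calling name; used for the
 * first round trip in smb_get_name(). */
const char smb_sesreq[] =
    "\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
    "\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
    "\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
    "\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
    "\x41\x43\x41\x43\x41\x41\x41\x00";

/* Session-request header: type 0x81, 3-byte big-endian length 0x44 (= 68,
 * the size of two 32-char encoded names with their length bytes and
 * terminators, which is exactly what verifica() builds). */
const char req1[] = "\x81\x00\x00\x44";

/* Fixed calling name, first-level encoded: 15 blanks + suffix 0x1F. */
const char req2[] = "CACACACACACACACACACACACACACACABP";

void usage(char *prog);
void vargs(int argc, char **argv);
char *netbios_encode(char *ndata, char service);
int verifica(char *nume, char *ip);
unsigned char *find_smbname(unsigned char *data, unsigned long len);
unsigned char *smb_get_name(char *ip);

/*
 * Entry point: argv[1] = file with one host per token, argv[2] = result file.
 * Returns 0 on success, 1 when an input/output file cannot be opened, a host
 * token is over-long, or (Windows) Winsock cannot be initialised.
 */
int main(int argc, char **argv)
{
    enum { HOST_MAX = 256 }; /* longest token accepted; matches the original's limit */
    char extras[HOST_MAX + 1]; /* one host token; "%256s" below must agree with HOST_MAX */
    FILE *read = NULL;         /* host list */
    FILE *scrie = NULL;        /* result file ("scrie" = write) */
    int rc = 0;

#ifdef _WIN32
    system("cls");
    system("color 20");
#endif
    /* Banner bytes kept exactly as the author wrote them (console box characters). */
    printf("¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦\n");
    printf("NET DDE SCANNER BY GOGU258 - 2005 - gogu258[at]yahoo.com\t\n");
    printf("BASED ON POC FROM .::[ houseofdabus]::.\t\n");
    printf("FOR GSO MEMBERS - www.governmentsecurity.org\t\t\n");
    printf("¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦\n");

    vargs(argc, argv); /* exits through usage() when argv[1] or argv[2] is missing */

#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("[-]WSAStartup failed\n");
        return 1;
    }
#endif

    read = fopen(argv[1], "r");
    if (read == NULL) {
        printf("[-]IP FILE - NOT FOUND!\n");
        rc = 1;
        goto out;
    }
    scrie = fopen(argv[2], "w");
    if (scrie == NULL) {
        printf("[-]RESULT FILE - NOT FOUND!\n");
        rc = 1;
        goto out;
    }

    /* The width limits fscanf to HOST_MAX bytes; the original used a bare "%s"
     * into a 17-byte array and only checked the length afterwards. */
    while (fscanf(read, "%256s", extras) == 1) {
        if (strlen(extras) >= HOST_MAX) {
            /* A token that fills the buffer was (probably) truncated: reject it
             * the way the original rejected over-long tokens. */
            printf("[-]Check TARGET IP ADDRESS!! - %s \n", extras);
            rc = 1;
            break;
        }
        fprintf(scrie, "\n---------------------------\n");
        fprintf(scrie, "[*] Working on IP: %s\n", extras);

        unsigned char *nname = smb_get_name(extras); /* NULL when the host gave no name */
        int raspuns = verifica((char *)nname, extras); /* 1 = positive session response */
        if (raspuns < 1)
            fprintf(scrie, "[-] NetDDE not ENABLED!\n");
        else
            fprintf(scrie, "[+] NetDDE ENABLED!\n");
        free(nname);
    }

    if (rc == 0) {
        printf("\n\tJOB DONE\t\n");
#ifdef _WIN32
        system("pause");
        system("color 07");
#endif
    }

out:
    if (scrie != NULL && fclose(scrie) != 0) {
        printf("[-]RESULT FILE - WRITE ERROR!\n");
        rc = 1;
    }
    if (read != NULL)
        fclose(read);
#ifdef _WIN32
    WSACleanup();
#endif
    return rc;
}

/*
 * Locate the server name inside a negotiate response.
 *
 * Skips the first 91 bytes (the author's fixed offset into the reply) and
 * returns a pointer just past the first run of three NUL bytes found after
 * that, or NULL when len is too short or no such run exists within len.
 * The returned pointer may equal data + len (nothing follows the run).
 */
unsigned char *find_smbname(unsigned char *data, unsigned long len)
{
    enum { SKIP = 91 };

    /* The original computed len - 3 unsigned and scanned from data + 91 without
     * subtracting the skip, so short replies read past the buffer. */
    if (data == NULL || len < SKIP + 3)
        return NULL;

    unsigned char *ptr = data + SKIP;
    unsigned long avail = len - SKIP;
    for (unsigned long i = 0; i + 3 <= avail; i++) {
        if (ptr[i] == '\x00' && ptr[i + 1] == '\x00' && ptr[i + 2] == '\x00')
            return ptr + i + 3;
    }
    return NULL;
}

/*
 * Fetch the NetBIOS name of `ip` over TCP/139.
 *
 * Sends the generic session request, then the SMB negotiate request, and
 * copies every non-NUL byte from the position find_smbname() reports to the
 * end of the received data (the reply is NUL-interleaved, which is why NULs
 * are dropped). Returns a calloc'd, NUL-terminated string the caller frees,
 * or NULL on resolution/connect/send/recv failure or when no name is found.
 */
unsigned char *smb_get_name(char *ip)
{
    enum { BUF_SZ = 256 };
    unsigned char buf[BUF_SZ];
    unsigned char *name = NULL;
    unsigned char *smbname;
    struct sockaddr_in s;
    struct hostent *he;
    int sock, r;

    if ((he = gethostbyname(ip)) == NULL) {
        printf("[-] Unable to resolve %s\n", ip);
        return NULL;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0)
        return NULL;

    memset(&s, 0, sizeof s);
    s.sin_family = AF_INET;
    s.sin_port = htons(139);
    memcpy(&s.sin_addr, he->h_addr_list[0], sizeof s.sin_addr);

    if (connect(sock, (struct sockaddr *)&s, sizeof s) < 0) {
        printf("failed\n[-] Can't connect to %s:139\n", ip);
        goto out; /* the original returned here and leaked the socket */
    }
    printf("OK\n[*] Fingerprinting... ");

    /* Round trip 1: session request; the reply is consumed but not inspected. */
    memset(buf, 0, sizeof buf);
    if (send(sock, smb_sesreq, sizeof(smb_sesreq) - 1, 0) < 0)
        goto out;
    Sleep(1000);
    r = recv(sock, (char *)buf, sizeof buf, 0);
    if (r <= 0) /* 0 = peer closed; the original only rejected r < 0 */
        goto out;

    /* Round trip 2: negotiate request; the name is taken from this reply. */
    memset(buf, 0, sizeof buf);
    if (send(sock, smb_negotiate, sizeof(smb_negotiate) - 1, 0) < 0)
        goto out;
    Sleep(1000);
    r = recv(sock, (char *)buf, sizeof buf, 0);
    if (r <= 0)
        goto out;
    printf("OK\n");

    smbname = find_smbname(buf, (unsigned long)r);
    if (smbname == NULL)
        goto out;

    /* Copy the rest of the received data. The original sized this copy by the
     * name's offset instead of by the bytes remaining, which could read past
     * the data (and, for replies over 128 bytes, past the buffer). */
    {
        size_t avail = (size_t)(buf + r - smbname);
        name = calloc(avail + 1, 1); /* +1 keeps the NUL terminator */
        if (name == NULL)
            goto out;
        size_t n = 0;
        for (size_t i = 0; i < avail; i++) {
            if (smbname[i] != '\x00')
                name[n++] = smbname[i];
        }
    }

out:
    shutdown(sock, 1); /* 1 = SD_SEND / SHUT_WR */
    closesocket(sock);
    return name;
}

/*
 * First-level encode a NetBIOS name: `ndata` is blank-padded to 15 bytes,
 * `service` becomes the 16th byte, and each byte is split into two nibbles
 * written as 'A' + nibble, giving a 32-character string.
 *
 * Names longer than 15 bytes are truncated (the original overflowed its
 * 17-byte work buffer on them). Returns a calloc'd string the caller frees,
 * or NULL when allocation fails.
 */
char *netbios_encode(char *ndata, char service)
{
    enum { NB_NAME_LEN = 15, NB_FULL_LEN = 16 };
    unsigned char raw[NB_FULL_LEN];

    size_t n = strlen(ndata);
    if (n > NB_NAME_LEN)
        n = NB_NAME_LEN;
    memset(raw, ' ', NB_NAME_LEN);
    memcpy(raw, ndata, n);
    raw[NB_NAME_LEN] = (unsigned char)service;

    char *nret = calloc(2 * NB_FULL_LEN + 1, 1);
    if (nret == NULL)
        return NULL;

    /* Nibble arithmetic on unsigned values: the original divided a plain
     * (possibly signed) char, which misencodes bytes >= 0x80. */
    char *out = nret;
    for (int i = 0; i < NB_FULL_LEN; i++) {
        unsigned o = raw[i];
        *out++ = (char)(0x41 + (o >> 4));
        *out++ = (char)(0x41 + (o & 0x0F));
    }
    return nret;
}

/*
 * Send a NetBIOS session request to `ip` for the name `nume` with the NetDDE
 * service suffix (0x1F) and report the answer.
 *
 * Returns 1 when the first byte of the reply is 0x82 (positive session
 * response), 0 for any other reply, for a NULL name, or on any failure.
 * All resources are released on every path (the original leaked the socket
 * and both heap buffers on each return).
 */
int verifica(char *nume, char *ip)
{
    enum { RBUF_SZ = 4096 };
    char rbuf[RBUF_SZ];
    struct sockaddr_in their_addr;
    struct hostent *he;
    char *hname = NULL;   /* encoded called name */
    char *ses_req = NULL; /* assembled session request */
    char *p;
    size_t hname_len, req_sz;
    int sockfd = -1;
    int len;
    int result = 0;

    if (nume == NULL) /* smb_get_name() failed; the original passed NULL to strlen */
        return 0;

    hname = netbios_encode(nume, 0x1F);
    if (hname == NULL)
        return 0;
    hname_len = strlen(hname);

    /* Layout: req1 | 0x20 | called name | 0x00 0x20 | calling name (req2) | 0x00
     * (each name is a 32-byte label preceded by its length byte). */
    req_sz = (sizeof(req1) - 1) + 1 + hname_len + 2 + (sizeof(req2) - 1) + 1;
    ses_req = calloc(req_sz, 1);
    if (ses_req == NULL)
        goto out;
    p = ses_req;
    memcpy(p, req1, sizeof(req1) - 1);
    p += sizeof(req1) - 1;
    *p++ = '\x20';
    memcpy(p, hname, hname_len);
    p += hname_len;
    memcpy(p, "\x00\x20", 2);
    p += 2;
    memcpy(p, req2, sizeof(req2) - 1);
    p += sizeof(req2) - 1;
    *p = '\x00';

    if ((he = gethostbyname(ip)) == NULL)
        goto out;
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        goto out;

    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(139);
    memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof their_addr.sin_addr);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) < 0) {
        printf("[-] Error: connect failed\n");
        goto out;
    }
    printf("OK");

    if (send(sockfd, ses_req, (int)req_sz, 0) < 0)
        goto out;
    len = recv(sockfd, rbuf, sizeof rbuf, 0);
    if (len < 1) /* the original read rbuf[0] even when nothing was received */
        goto out;
    result = ((unsigned char)rbuf[0] == 0x82);

out:
    if (sockfd >= 0)
        closesocket(sockfd);
    free(ses_req);
    free(hname);
    return result;
}

/*
 * Exit through usage() unless both operands are present. main() reads
 * argv[1] and argv[2]; the original tested argc < 2 and so let a missing
 * argv[2] reach fopen(NULL).
 */
void vargs(int argc, char **argv)
{
    if (argc < 3)
        usage(argv[0]);
}

/*
 * Print the usage line and exit. The operand names were stripped from the
 * message by the page rendering; they are restored from what main() reads.
 */
void usage(char *prog)
{
    printf("%s IPFILE RESULTFILE\n\n", prog);
#ifdef _WIN32
    system("color 07");
#endif
    exit(0);
}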