CScanner Documentation

using namespace CScanner;

typedef unsigned int u32;
typedef unsigned short int u16;
typedef unsigned char u8;

Public Data Members

class scan_data {
  public:
  scan_data() { };
  scan_data(scan_data* in) : s1(in->s1), s2(in->s2), s3(in->s3), s4(in->s4),
  e1(in->e1), e2(in->e2), e3(in->e3), e4(in->e4)
  { };
  u8 s1;
  u8 s2;
  u8 s3;
  u8 s4;
  u8 e1;
  u8 e2;
  u8 e3;
  u8 e4;
  // this means:
  // scan hosts from s1.s2.s3.s4 to e1.e2.e3.e4
};
scan_data input_data;

This is the data member where the range of IP addresses to be scanned is kept.

bool ports_first;

If set to false (the default), the first port is scanned on all hosts, then the next port is scanned on all hosts, and so on. If set to true, all ports on one host are scanned before moving on to the next host.

u32 scan_speed;

This is the number of microseconds to wait between sending out SYN packets. By default 25.

u32 wait_seconds;

This is the number of seconds to wait after sending out the last SYN packet. By default 3.

Public Functions

CScanner();

Basic constructor.

bool start_syn_scan();

Starts the SYN scan. Returns true on success, false otherwise.

bool start_ping_scan();

Starts the PING scan. Returns true on success, false otherwise.

void populate_port_list(const char*);

Parses a command line parameter and populates the port list. The parameter should consist of port numbers separated by ',', like 21,25,53,80. It can also contain ranges of ports; the first and last port of a range should be separated by ':' or '-', like 21-110 or 53:80.

example:
    21-25,54,80,110,443,995

This means: scan ports 21 through 25 and ports 54, 80, 110, 443, 995
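As an added example, not part of CScanner or Colitas: a C++ parser for the syntax populate_port_list() accepts (comma-separated ports, ranges delimited by ':' or '-') that additionally rejects malformed input, such as non-numeric tokens, ports outside 1-65535, inverted ranges and empty entries, before anything is handed to the scanner. The names parse_port_list and is_valid_port_list are mine, not CScanner's API.

```cpp
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>
typedef unsigned short int u16;

// Convert one decimal port string to a u16, rejecting anything outside 1..65535.
static u16 to_port(const std::string& s) {
    if (s.empty() || s.find_first_not_of("0123456789") != std::string::npos)
        throw std::invalid_argument("bad port: '" + s + "'");
    unsigned long v = std::strtoul(s.c_str(), nullptr, 10);
    if (v < 1 || v > 65535)
        throw std::out_of_range("port out of range: " + s);
    return static_cast<u16>(v);
}

// Parse one token: a single port ("80") or a range ("21-25" or "53:80").
static void parse_token(const std::string& tok, std::vector<u16>& out) {
    size_t sep = tok.find_first_of(":-");   // either delimiter may mark a range
    u16 lo, hi;
    if (sep == std::string::npos) {
        lo = hi = to_port(tok);
    } else {
        lo = to_port(tok.substr(0, sep));
        hi = to_port(tok.substr(sep + 1));
        if (lo > hi) throw std::invalid_argument("inverted range: " + tok);
    }
    for (unsigned p = lo; p <= hi; ++p)   // unsigned so p == 65535 cannot wrap
        out.push_back(static_cast<u16>(p));
}

// Expand a comma-separated list of ports and ranges (the syntax populate_port_list() documents).
std::vector<u16> parse_port_list(const std::string& spec) {
    std::vector<u16> ports;
    size_t start = 0;
    do {
        size_t comma = spec.find(',', start);
        if (comma == std::string::npos) comma = spec.size();
        parse_token(spec.substr(start, comma - start), ports);
        start = comma + 1;
    } while (start <= spec.size());
    return ports;
}

// True if the specification is well formed; check user input with this first, since a bad token throws.
bool is_valid_port_list(const std::string& spec) {
    try { parse_port_list(spec); return true; }
    catch (const std::exception&) { return false; }
}
```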

void populate_ip_addr(const char*);

Parses a command line parameter and populates the IP list. The parameter should consist of an IPv4 address range whose first and last addresses are separated by ':' or '-', like 213.167.0.1:213.167.255.255 or 66.217.213.1-66.217.222.255. If the string contains no ':' or '-' character, only the first IP address will be parsed.

example:
    66.170.0.1:66.170.255.255

This means: scan the IP addresses from 66.170.0.1 to 66.170.255.255

example:
    217.12.102.64

This means: scan the IP address 217.12.102.64

void get_options(const char*);

Parses a command line parameter and sets basic options. These options are:

-p scan all ports on a single host, then move to the next host
   (by default one port is scanned on all hosts before the next port is checked)
   Scanning with the -p option has proven to be significantly faster in certain scenarios, because fewer ARP requests are performed when scanning IP addresses that are not assigned to any host.
-s seconds to wait after sending the last packet, by default 3
-t delay between scanning packets in microseconds, by default 25

void set_output(void (*p)(char const*));

By default no output is produced. Use this to set an output function, such as void foo(const char *p), where p is a pointer to a static buffer inside CScanner. When CScanner receives a reply (positive or negative) it passes a pointer to the packet's header to the function you set. To give you an idea, these are the output functions Colitas uses when analyzing scanning responses.

SYN scanning:

#include <cstdio>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

// Colitas' own output flags, set from its command line (declared here as
// externs so the function compiles on its own; they are not part of CScanner).
extern bool show_positive, show_negative, resolve_hostnames, simple;

void syn_print_func(char const *buffer)
{
	// buffer points at the IP header of the reply; the TCP header follows it.
	iphdr *ip = (iphdr *)buffer;
	// Use the IP header length field rather than a fixed sizeof(struct iphdr)
	// so a reply carrying IP options is still parsed correctly.
	tcphdr *tcp = (tcphdr *)(buffer + ip->ihl * 4);
	// The reply's source port is the port that was probed.
	u16 port = ntohs(tcp->source);

	// SYN/ACK means the port is open.
	if (tcp->ack && tcp->syn) {
		if (show_positive) {
			if (!simple) {
				printf("[open]");
				printf(" %-15s %5d ", inet_ntoa((in_addr&)ip->saddr), port);

				if (resolve_hostnames) {
					hostent *h = gethostbyaddr((const char*) &ip->saddr, 4, AF_INET );
					if (h)
						printf("[%s]", h->h_name);
				}
			} else {
				printf(" %-15s %5d ", inet_ntoa((in_addr&)ip->saddr), port);
			}
			printf("\n");
		}
	}
	// RST/ACK means the port is closed.
	if (tcp->rst && tcp->ack) {
		if (show_negative) {
			if (!simple) {
				printf("[closed]");
				printf(" %-15s %5d ", inet_ntoa((in_addr&)ip->saddr), port);

				if (resolve_hostnames) {
					hostent *h = gethostbyaddr((const char*) &ip->saddr, 4, AF_INET );
					if (h)
						printf("[%s]", h->h_name);
				}
			} else {
				printf(" %-15s %5d ", inet_ntoa((in_addr&)ip->saddr), port);
			}
			printf("\n");
		}
	}
	fflush(stdout);
	return;
}

PING scanning:

void ping_print_func(char const *buffer)
{
	// buffer points at the IP header of the echo reply; only the source
	// address is needed to report the host as alive.
	iphdr *ip = (iphdr *)buffer;

	if (!simple) {
		printf("[found]");
		printf(" %-15s replied ", inet_ntoa((in_addr&)ip->saddr));

		if (resolve_hostnames) {
			hostent *h = gethostbyaddr((const char*) &ip->saddr, 4, AF_INET );
			if (h)
				printf("[%s]", h->h_name);
		}
	} else {
		printf(" %-15s", inet_ntoa((in_addr&)ip->saddr));
	}

	printf("\n");
	fflush(stdout);

	return;
}

u32 get_ports();

Returns the number of ports to scan on each host.

u32 get_hosts();

Returns the number of hosts.


"If you don't understand the risks don't play the game."

Last update: Wednesday, 11th October, 2023
Copyright © 2001-2024 by Lukasz Tomicki