Writeup by scriptmonkey:
Onesixtyone's original developer (phreedom.org – 404) produced the great piece of code that was modified by Portcullis here. Unfortunately onesixtyone has never supported non-standard ports and instead is fixed to UDP port 161.
We'll modify the code to allow a custom port using a -p flag.
I wanted to add it as a proper command line flag, so the first step is adding a port field to the structure which stores the command line options, right at the top of the file.
```c
struct {
    int debug;
    int log;
    int quiet;
    int port;      /* added: target UDP port, 161 unless -p is given */
    long wait;

    FILE *log_fd;
} o;
```
I don't want to affect anyone who doesn't use the -p flag, so the default is set to 161.
```c
o.debug = 0;
o.log = 0;
o.quiet = 0;
o.wait = 10;
o.port = 161;    /* default SNMP port; -p overrides it */
input_file = 0;
community_file = 0;

o.log_fd = NULL;
```
Now that it's in the structure I can access it as o.port, so next I look at the switch case statement which handles command line input.
```c
while ((arg = getopt(argc, argv, "c:di:o:p:w:q")) != EOF) {   /* "p:" added */
    switch (arg) {
    case 'c':
        community_file = 1;
        strncpy(community_filename, optarg,
                sizeof(community_filename));
        break;
    case 'd':
        o.debug++;
        break;
    case 'i':
        input_file = 1;
        strncpy(input_filename, optarg, sizeof(input_filename));
        break;
    case 'o':
        o.log = 1;
        strncpy(log_filename, optarg, sizeof(log_filename));
        break;
    case 'w':
        o.wait = atol(optarg); /* convert to nanoseconds */
        break;
    case 'q':
        o.quiet = 1;
        break;
    case 'p':
        o.port = atoi(optarg); /* added ability to specify a port */
        break;
    case '?':
        usage(argv[0]);
        exit(1);
```
A colon after an option letter in the getopt string means that option takes a value: it is the difference between a bare -p and -p 8161.
Then just handle it like the other cases (don't forget the break!). The one extra step is converting the string (optarg, which is all getopt gives you) into an integer; atoi does the job, and o.port gets the new value. Note that atoi does no validation: a non-numeric argument quietly becomes port 0, and anything above 65535 is truncated when it is later passed through htons, so if you want belt and braces use strtol and range-check the result before storing it.
Now we have to find where onesixtyone has hardcoded the value 161. /161 in vim gets us a single hit, so we change it to use o.port.
```c
remote_addr.sin_port = htons(o.port);
```
Finally, changing the port is fine, but unless you've specified an easy to remember filename, when you review the scans post-test you'll be like me, facedesking because you didn't record the port number.
So let's get rid of that issue: when we're using a non-standard port, let's include it in the output file.
A quick search through the code below the above snippet reveals lots of writes to the log for when it finds a working community string, so let's use the same method (logfx) to record the port we're scanning, next to the "Logging to file" message.
```c
printf("Logging to file %s\n", log_filename);
if (o.port != 161) {
    logfx("Non-standard port selected - scanning port: %d\n", o.port);
}
```
And Bob's your mother's brother: you've now got an updated onesixtyone that does custom ports. 🙂
Download the source and the binary from here:
phillips321.co.uk/downloads/onesixtyone-0.8.tar.gz