I'm writing a port scanner in C and i want to detect what service is running on an open port and its version.I've already wrote the scanner code but now i have no idea about how to detect running service.
What can i do?
If you are determined to do it in your own code, you can connect to the port, see if you get any data on it, if nothing then send a few bytes, and check again.
Then match that against expected response.
to get an idea what you are looking for, you can connect manually to the port with telnet and poke at it. In many cases (a web server is an easy example) you must send some correctly formatted data in order to get a usable response.
nmap has done all this and much more (e.g. extensive checks such as looking for byte order and timing of arp traffic)
UPDATE: several people have mentioned well known ports, but that won't help you discover standard services running on nonstandard ports, such as ssh or http servers running on custom ports.
If server sends something first, use that to identify protocol.
If not, send something according to some protocol, such as http, and see what server sends back (valid response or error). You may need to make several attempts with different protocols, and a good order is important to minimize connection count.
Some protocols may be very hard to identify, and it is easy to make custom server with unique protocol you don't know about, or even hide real server under simple fake server of other proto such as http.
If you just want to know what the port usually is, check "well known ports" and official reserved ports.
Also check nmap source code.
Related
Please forgive me for being naive on the subject, however, I do not understand ports and how they work in the slightest. I am trying to make a program where two computers could communicate given their IP addresses and I am using TCP protocol. I don't, however, know what port(s) I would be able to use for this application, because when I look up TCP ports I get a list of ports each with their own function. Any help is useful.
P.S. I am using C to create my program
The short answer is you can choose any port you like - although the safe range is generally considered to be between 1024 and 65535. The only problem that you will encounter is when some other program installed on the device is already listening on that port. Unfortunately, there is no port that is guaranteed to be available to listen on.
One possible solution to this is to have a primary listening port and a fallback secondary port. You can then first try to connect on the primary port and, if a satisfactory response is not received, try to connect on the secondary port. However, even this is not infallible, as there is a chance that the secondary post could also be in use.
The easiest approach is to try to create your listener on the port that you have chosen, and if the port fails to create, let the user know that some other application is preventing execution of your application.
There's something that bothers me: I'd like to distinguish between a packet coming from Youtube and a packet coming from Wikipedia: they both travel on HTTPS and they both come from the port 443.
Since they travel on HTTPS, their payload is not understandable and I can't do a full Deep Packet Inspection: I can only look at Ethernet, IP and TCP struct headers. I may look at the IP address source of both packets and see where they actually come from, but to know if they are from Youtube or Wikipedia I should already know the IP addresses of these two sites.
What I'm trying to figure out is a way to tell from a streaming over HTTP (like Youtube does) and a simple HTML transport (Wikipedia) without investigating the payload.
Edit 1: in a Wireshark session started during a reproducing video I got tons of packets. Maybe I should start looking at the timeout between packets coming from the same address.
If you are just interested in following the data stream in Wireshark you can use the TCP stream index, filter would be something like tcp.stream == 12
The stream index starts at zero with the first stream that wireshark encounters and increments for each new stream (persistent connection).
So two different streams between the same IPs would have two different numbers. For example a video stream might be 12 and an audio stream, between the same IP addresses, might be 13.
If you started the capture before the stream was initiated you'll be able to see the original traffic setting up the SSL connection (much of this is in clear text)
You may consider looking at the server certificate. It will tell you whether it's youtube (google) or facebook.
That would give you an idea whether SSL connection is to youtube, which one is to facebook.
You can try looking at the TCP header options, but generally the traffic is encrypted for a reason... so that it wouldn't be seen by man-in-the-middle. If it were possible, it would be, by definition, a poor encryption standard. Since you have the capture and all the information known to the user agent, you are not "in-the-middle". But you will need to use the user agent info to do the decryption before you can really see inside the stream.
this link: Reverse ip, find domain names on ip address
indicates several methods.
Suggest running nslookup on the IP from within a C program.
And remembering that address/ip values can be nested within the data of the packet, it may (probably will) take some investigation of the packet data to get to the originator of the packet
Well, you have encountered a dilema. How to get the info users are interchanging with their servers when they have explicitly encrypted the information to get anonymity. The quick response is you can't. But only if you can penetrate on the SSL connection you'll get more information.
Even the SSL certificate interchanged between server and client will be of not help, as it only identifies the server (and not the virtual host you'll try behind this connecton), and more than one SSL server (with the feature known as HTTP virtual host) several servers can be listening for connections on the same port of the same address.
SSL parameters are negotiated just after connection, and virtual server is normally selected with the Host http header field of the request (see RFC-2616) but these ocurr after the SSL negotiation has been finished, so you don't have access to them.
The only thing you can do for sure is to try to identify connections for youtube by the amounts and connection patterns this kind of traffic exhibit.
I'm writing a program in C (on windows 32bit) that listening on a specific port. (using this guide)
The client connect in that way: "http://127.0.0.1:port/?param1=a¶m2=b..."
I (as a server) want to get all of the parameters he entered.
How can i do that?
The bind() function does not receive the parameters, or for that matter anything the client is specifying regarding your communication; it merely binds to the port. Once a port is bound to and an active connection eventually gets established, your application protocol (HTTP presumably, in your case) takes over in the sense of deciding what data to write() (or other higher level functions) to the port.
With that in mind, your question has actually nothing at all to do with sockets in any way. Rather, it has to do with understanding the application protocol you're using. I would suggest you either Google how to use the HTTP protocol, review one of the myriad open source HTTP libraries available, or for theat matter just printf() the input you receive from your client.
So, i am assuming that i will need to use sockets(i am a newbie to C).
The program will be for Windows(in pure C). And i shall be using these examples
http://cs.baylor.edu/~donahoo/practical/CSockets/winsock.html
My question is, instead of the client program connecting via TCP, i want the server to accept connections via a web browser i.e via HTTP.
So if the server program is running you type http://yourip:port/?gettemps and the server responds, but how do i do it?
As you might have guessed, this program will be for monitoring temps, remotely, via a web browser. But not for the CPU, for the GPU using AMD's ADL library(so yeah, only AMD cards).
The simplest option that is supported by most web servers is CGI - Common Gateway Interface.
Microsoft, of cource, has their own way of running web apps - ISAPI.
HTTP is quite a big standard, you might want to use some library such as libcurl to handle the details for you.
If you decide to code it yourself, HTTP is running over TCP so you first need to open a TCP socket at the standard HTTP port 80. Then simply listen on the socket and parse the incoming HTTP data - a great summary is given here: http://www.jmarshall.com/easy/http/.
Web browsers sends http get request to the server via tcp. If you are writing a web server from scratch than, you will need to parse data from web browser. http get request are string like for example GET /images/logo.png HTTP/1.1. So tokenize that string as it comes through tcp and get the command.
As you received your commands to the server call appropriate functions to handle your request.
Here is an great example of simple http server. You might want to make server multi-threaded as you may have multiple simultaneous users.
If you have already set up your web server to run the app on the appropriate port you can use getenv("QUERY_STRING") to access the web equivalent of command line parameters.
It would be better to call your program directly rather than just using the server to access a single default program as your example does, thus you could use http://yourip:port/yourprogram?cmd=gettemps. In this example getenv("QUERY_STRING") would return 'cmd=gettemps'.
I need to detect the presence/absence of internet connection. More precisely, let us suppose that the application is broken up into 2 parts - A and B.
A is responsible for checking whether or not the system is connected to the internet. If it finds that there is no connection, it starts up part B. And as soon as it detects that there is a network connection, it kills B and continues its own work.
What would be the best way to do the A part of the application? Continual pings sounds hideous. There has to be a better way of doing this (preferably in C).
With sufficient privilege you can test the various network interfaces and examine their state. This would tell you if any of the interfaces was connected to a network and operating. However, this won't tell you if the connection is actually usable, i.e., connected to the internet (or your local net if that's all you need). I don't know of anyway to do that short of actually using it.
Using ICMP (ping) can be useful at a low level, but presumably what you need is a connection to an actual endpoint via TCP/IP to do real work. I would say that you should change the design of your application so that B is responsible for indicating when it is unable to continue due to the absence of resources that it relies on -- network or otherwise. A and B should communicate so that A is aware of the situation and is able to either kill B or respond to B terminating itself and thus continuing its work.
A lot of companies have measures in place to prevent outgoing ICMP requests, TCP connections to ports other than 80/443 for example, or even to prevent you from reaching the internet directly by (transparently) proxying your traffic.
Under an internet connection I would understand any way to contact the outside, be it UDP, TCP or ICMP. Depending on what your application needs to contact the internet for, I would suggest to check over the same protocol, as that is the only thing that matters to your app.
If your application uses HTTP to communicate to an external source, try to connect to a few sites you would suspect to not be blacklisted and that have a reliable uptime. Like google.com, microsoft.com, apple.com, and so on...
Edit:
I am unsure what the specifics are, so let me give you an example with a hypothetical situation.
Application A collects data on the system it is running on and forwards it to a Web Service listening on yourserverhost.yourcompany.com:80
Application B would basically take over the job of the Web Service when it is down and log everything so no data is lost.
When all is well, App A will be sending the data to your web service
Once this connection drops, you immediatly launch App B (the obvious remark here would be, why not keep App B running as a failsafe)
App A connects to App B and forwards what it had been buffering
App A continues to try to reestablish the connection to your Web Service and once it is back up will request App B to stop
If the problem you are facing is nothing like this, please provide a more concrete description of what App A and App B are supposed to be doing. I will be more than happy to help.
In your code, you have to check whether the internet connection exists by using a socket to open a connection to a website.
Firstrun: Ask user to input the network parameters, like proxy settings. Save this info.
Next runs: Use these settings to check for the Internet connection. You may simply do a DNS search.
If results are negative, ask user to check settings.
Check whether the cable is connected , if so ping your internet connection to any host as google.com.
ping google.com