December 03, 2005
while( updates == 0 ) { progress++; }
It's been a while since my last update, but there's been a LOT of progress in the last month. I've revamped my scanning code to be much easier to use and more modular (though it's still not in its final form :) ). This has made adding features and probe types fairly trivial.
At the moment I'm able to scan both internal and external subnets. What's the difference, you ask? Well, when building a packet you start with the Ethernet header, then the IP header, then the TCP header (assuming we're creating a TCP/IP packet). In order to write an Ethernet header you need the destination MAC address. For local subnets, this is the MAC address of the remote machine itself, and it can be retrieved by sending broadcast ARP requests and then sniffing for the replies that contain the remote host's MAC address. However, on external subnets, the MAC address that gets entered into the Ethernet header is the MAC address of the sending host's default gateway!
So I needed to find a way to get the sending host's default gateway IP address. Once I have that, I can send an ARP request for that IP address in order to get its MAC address. This was easier said than done (well, it's currently only working on Windows; I'll be working on Linux soon). However, stepping through the Nmap source code was a big help. Thanks Fyodor!
I've also added the ability to send a ping request to external subnets in order to find all the live hosts before actually sending the probe packets that test port status. This way I'm not sending SYN (or other probe type) packets to every host in the scan range. Why this is a good idea, I'm not quite sure yet. :) I've only done this for external subnets for now, since ARPing for the hosts on the local subnet already serves this purpose.
So at this moment, this VNC scanner is enormously faster than the old VNCAdmin. However, when comparing scan results to the old scanner and to Nmap scans, I noticed I wasn't finding the same number of results. So I thought I'd throttle the rate at which I sent probe packets a little, since I had been sending them to the network card as fast as I could generate them. Adding a few milliseconds of sleep time between each probe gave me perfect results that now match my old scanner and Nmap. w00t!
However, using this kind of timing mechanism makes me a little uneasy for some reason, so I'm wondering if there's a better way to throttle sends...
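Two of the decisions described above, the next-hop choice for the Ethernet header and the pacing of probe sends, as an added Python example that is not the scanner's own code. The local subnet, gateway and target addresses are constructed for illustration, and the token bucket is one alternative to a fixed sleep between probes: it bounds the average send rate but allows a small burst, and makes the gap it imposes measurable.

```python
import ipaddress
import time

# Constructed example addressing (not from the original post): the scanning
# host sits on 192.168.1.0/24 and its default gateway is 192.168.1.1.
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")
GATEWAY_IP = ipaddress.IPv4Address("192.168.1.1")


def next_hop(dst, local_net=LOCAL_NET, gateway=GATEWAY_IP):
    """Return the IP whose MAC belongs in the Ethernet header for dst:
    the target itself when it is on-link, otherwise the default gateway."""
    target = ipaddress.IPv4Address(dst)
    return target if target in local_net else gateway


class TokenBucket:
    """Pace sends to an average rate while allowing short bursts.
    Unlike a fixed sleep after every probe, this holds the long-run rate at
    `rate` probes/second but lets up to `burst` probes leave back-to-back
    after an idle period. `clock` and `sleep` are injectable for testing."""

    def __init__(self, rate, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.clock, self.sleep = float(burst), clock, sleep
        self.last = clock()

    def _refill(self):
        # Credit tokens for the time elapsed since the last refill, capped at burst.
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Block until one probe may be sent, then consume its token."""
        self._refill()
        if self.tokens < 1.0:
            self.sleep((1.0 - self.tokens) / self.rate)
            self._refill()
        self.tokens -= 1.0


def schedule_probes(targets, rate, burst, clock=time.monotonic, sleep=time.sleep):
    """Return (target, next-hop IP, send time) per probe, paced by the bucket."""
    bucket = TokenBucket(rate, burst, clock, sleep)
    plan = []
    for dst in targets:
        bucket.acquire()
        plan.append((dst, str(next_hop(dst)), clock()))
    return plan
```

With the real clock the defaults apply; with a fake clock and sleep injected, the send schedule can be checked deterministically before the scanner ever touches the wire.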
Posted by Casey at December 3, 2005 02:04 PM