sockets and a "banner" scan

This is a discussion on sockets and a "banner" scan within the Networking/Device Communication forums, part of the General Programming Boards category; Since I work with network security i often use bannerscanners to check what service runs on open ports. And since ...

  1. #1
    Registered User
    Join Date
    Oct 2005
    Posts
    12

    sockets and a "banner" scan

    Since I work with network security i often use bannerscanners to check what service runs on open ports. And since i now am way into the prosess of learning c++, read a book and know it good(basic c++), but that dossent cover sockets so all i know about that if from examples and beejs

    I did some googling and i found this example of a bannerscanner:
    http://www.pscode.com/URLSEO/vb/scri...!3/anyname.htm

    This works with most banners, and i was planning to rewrite it to fit my needs more.

    But, when i scanned one of my windows servers running MySQL, it dident get banner. I just got the first byte of the banner.
    Tools like scanline finds this banner, but this dont.
    Googled and searched forum alot, tested some while loops and stuff i found posted here, still dident work.

    So does anybody know how to connect to and get the banner of a MySQL server? Its running on a windows pc, MySQL version 4.0.15-nt.

    Maybe some have other bannerscanner source codes?

  2. #2
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    What is a bannerscanner?

  3. #3
    Registered User
    Join Date
    Oct 2005
    Posts
    12
    Its a scan that grabs the first thing a port sends you. When i "scan" my own ip on port 21 i get: 220 Serv-U FTP Server v6.0 for WinSock ready...

    Meaning that i run a ServU FTP server on this port.
    Its very usefull when u want to check what service that runs on a open port since most services have a logic reply like servu has.

  4. #4
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    Well the first thing you need to do is check and see how many bytes you receive from the mysql port when you connect. To do this, check and see what the recv() function returns. It's possible that it is sending you more than one byte, but the second byte is NULL. Then when you print the string, you only see the first byte. This could happen if the mysql connection sends you a wide character string. Every other byte would be NULL, and unless you were aware of it, you would only print the first character.

  5. #5
    Registered User
    Join Date
    Oct 2005
    Posts
    12
    Quote Originally Posted by bithub
    Well the first thing you need to do is check and see how many bytes you receive from the mysql port when you connect. To do this, check and see what the recv() function returns. It's possible that it is sending you more than one byte, but the second byte is NULL. Then when you print the string, you only see the first byte. This could happen if the mysql connection sends you a wide character string. Every other byte would be NULL, and unless you were aware of it, you would only print the first character.
    Thats what i thougth, and iw read around alot on this forum, found some "tricks" to figure it out, but i dident get any of em to work...

    Can u give me a nice example on how to remove that NULL so i can get the whole string?

    Thnx for the help btw Nice to see some replys

  6. #6
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    Can u give me a nice example on how to remove that NULL so i can get the whole string?
    Well before you try that, just check how many bytes you are receiving. Print out the return value from your recv() call.

  7. #7
    Registered User
    Join Date
    Oct 2005
    Posts
    12
    when i do:
    Code:
    cout << recv(sock, recvbuff, sizeof(recvbuff), 0);
    i get result: 62

    Then if i do:
    Code:
    cout << recvbuff << endl;
    and it only prints a ":" (without quotes).

    This works on a ftp server..same command but i cahnge the port from 3306 to 21. Same code, and i get this in recvbuff:
    220 Serv-U FTP Server v6.1 for WinSock ready...

  8. #8
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    Ok, now write those 62 bytes to a file so we can see what you are actually getting:
    Code:
    FILE *f = fopen("myfile","wb");
    fwrite(recvbuff,1,nBytes,f);
    fclose(f);
    Now open up that file with a text editor, and see if it's readable. You can also open it up with a hex editor. If every other bytes is 0x00, then we can safely assume that the received buffer is unicode, and I will show you how to convert it. If it is random non-ASCII bytes, then it sounds like you are receiving a binary data stream.

  9. #9
    Registered User
    Join Date
    Oct 2005
    Posts
    12
    This i get in a text editor:
    + 3.23.38-nt ' \Vvs]X!8 , 

    And this in a hex editor:
    2B 00 00 00 0A 33 E 32 33 2E 33 38 2D 6E 74 00
    and more...

    So..If i get this correct:

    1. It first send a +(hex:2B).
    2. Then 3 NULLS.
    3. Then the verison number i need.
    4. And then send some crap i dont realy need.

    So how do i remove the three NULLS so i can cout the version number?

    Im at work now so cant play around and figure that out myself atm.

    Thnx for the help. Iw learned alot from you
    Last edited by Tuborgrules; 01-19-2006 at 03:48 AM.

  10. #10
    Registered User
    Join Date
    Oct 2005
    Posts
    12
    I had some free time at work and i figured out i could use:
    Code:
    strcpy(recvbuff,&recvbuff[5]);

    If there is any better way post please

    Thnx for your time and help bithub! i realy appreciate it
    Last edited by Tuborgrules; 01-19-2006 at 04:33 AM.

  11. #11
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    Well, I suggest you do something like this:

    Code:
    char *p;
    n = recv(...);
    recvbuff[n] = 0;
    for(i = 0; i < n; i++)
    {
        if(p[i] == 0)
          p[i] = ' ';
    }
    printf("%s\n",recvbuff);
    This will turn all those zeros into spaces, but will still leave a null terminator at the end of the string. This will allow your application to handle different types of input.

Popular pages Recent additions subscribe to a feed

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21