List: best-of-security
Subject: BoS: strobe v1.03 released
From: Julian Assange <proff () suburbia ! net>
Date: 1995-11-27 9:51:06
This is strobe1.03, a small update to strobe1.02.
I (proff@suburbia.net) have moved on to other projects of this type (e.g.
GoSH) and was not intending to release another version of strobe.
However this month a few people (most notably edturka@statt.ericsson.se)
sent in some important bug fixes (ugh) and some minor new features. When I
applied their patches, I broke my vows about not working on strobe any
more and hacked in just a few more features that really should have
been there in the first place.
strobe is available from ftp://suburbia.net/pub/strobe.tgz
-Proff
+----------------------------------+-----------------------------------------+
|Julian Assange | "if you think the United States has |
|FAX: +61-3-9819-9066 | has stood still, who built the largest |
|EMAIL: proff@suburbia.net | shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+
STROBE 1.03(1) STROBE 1.03(1)
NAME
strobe - Super optimized TCP port surveyor
SYNOPSIS
strobe [ -vVmdbepPAtnSilfsaM ] [host1 ... [hostn]]
DESCRIPTION
strobe is a network/security tool that locates and
describes all listening tcp ports on a (remote) host or on
many hosts in a bandwidth utilisation maximising, and pro-
cess resource minimizing manner.
strobe approximates a parallel finite state machine internally.
In non-linear multi-host mode it attempts to apportion
bandwidth and sockets among the hosts very efficiently.
This can reap appreciable gains in speed for
multiple distinct hosts/routes.
On a machine with a reasonable number of sockets, strobe
is fast enough to port scan entire Internet sub domains.
It is even possible to survey an entire small country in a
reasonable time from a fast machine on the network back-
bone, provided the machine in question uses dynamic socket
allocation or has had its static socket allocation
increased very appreciably (check your kernel options). In
this very limited application strobe is said to be faster
than ISS2.1 (a high quality commercial security scanner by
cklaus@iss.net and friends) or PingWare (also commercial).
OPTIONS
-v Verbose output.
-V Verbose statistical output.
-m Minimise output. Only print hostname, port tuples.
Implies -d. Useful for automated output parsing.
-d Delete duplicate entries for port descriptions. i.e
use only the first definition.
-g Disable usage of getpeername(2). On solaris 2.3
machines this causes a core dump, for reasons
unknown. This behavior is fixed with solaris 2.4.
Under Linux, HP and perhaps other unix implementations,
false tcp connection positives may occur
when this option is activated.
-s Statistical information describing the average of
all hosts surveyed is sent to stderr on completion.
-q Quiet mode. Don't print non-fatal errors or the (c)
message.
-d Display only the first description in the port
services entry file (Cf. -B).
-o file
Direct output (but not any messages which can be
affected by -q) to file.
-b number
Beginning (starting) port number.
-e number
Ending port number.
-p number
Port number if you intend to scan a single port.
-P number
Local port to bind outgoing connection requests to.
(you will normally need super-user privileges to
bind ports smaller than 1024)
-A address
Interface address to send outgoing connection
requests from for multi-homed machines.
-t number
Time after which a connection attempt to a com-
pletely unresponsive host/port is aborted.
-n number
Use this number of sockets in parallel (defaults to
64). strobe attempts to figure out if number is
greater than the quantity of available sockets at
any point in time -- and if so, only use the amount
found. On some UNIX implementations such as
Solaris, this appears not to work correctly and you
may find yourself with unusual errors such as NO
ROUTE TO HOST when you hit the socket ceiling.
Remember that strobe probably isn't the only pro-
cess on the system desiring a socket or two. Having
strobe pilfer all the spare sockets away from
inetd(8) and other daemons and clients isn't such a
crash hot idea, unless you want to stop all new
incoming and outgoing connections.
-S file
Change the default port services description file
to file. Note that if -S is not specified port
services are loaded from one of strobe.services,
/usr/local/lib/strobe.services, or /etc/services.
-i file
Obtain hostnames to strobe from file rather than
from the command line. Note that only the first
white-space separated word in each line of file is
used, so one can feed in files such as /etc/hosts.
If filename is '-', stdin will be used.
-l Probe hosts linearly (sequentially) rather than in
parallel. The actual ports on each host are still
checked in a parallel manner (with a parallelism of
-n (defaults to 64)).
-f Fast mode, probe only the tcp ports detailed in the
port services file (see -S).
-a number
Abort and skip to the next host after ports up to
number have been probed and still no connections
have occurred. Due to the parallel nature of the
probing, reply packets for n+m may return before
those relating to n. What this means is that ports
> number may be probed. If strobe sees a connection
on any one of these higher ports before it has
negated all possibility of a service listening on
ports <= number then despite the fact that all
ports up to and including number may turn out to be
connectionless, strobe will `abort the abort'. This
is considered optimal, if unusual behavior.
-M Mail a bug report, or tcp/udp port description to
the current source maintainer.
EXAMPLES
strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services -o out
strobe all entries in /etc/hosts (identical ip addresses
are skipped automagically) using 120 sockets in parallel,
but only check the individual tcp ports mentioned in ser-
vices. If we have probed up to port 80 on a host and have
still not yet evidenced a connection, then skip that host.
Display speed/time statistics for each host and for the
totality of hosts to stderr. Place the regular output in
out.
ypcat hosts | strobe -p 80 -t 2 -A 203.4.184.1 -P 53
strobe all hosts in your hosts YP/NIS-table for WWW-
servers. Use a timeout of two seconds. Set the source
address to the 203.4.184.1 interface. Make all connection
requests appear to come from port 53 (DNS).
BUGS
Strobe performs no other security functions (yet) and does
not verify route blocking against UDP or TCP handshake
sequence guessing one-way IP spoofing attacks.
AUTHOR
Julian Assange
EMAIL:
strobe@suburbia.net
proff@suburbia.net
OFFICIAL DISTRIBUTION
ftp://suburbia.net:/pub/strobe.tgz
COPYRIGHT
Copyright (c) Julian Assange 1995, All rights reserved.
This software may be distributed only freely, in full and
without modification. It may not be bundled with any sort
of hardware or software if a fee is charged for that hard-
ware or software directly or indirectly, in whole or in
part. If you would like to include this software in such a
distribution then please contact the author to negotiate
reasonable (possibly free) terms.
The author shall not under any circumstances accept any
liability for this software, for its use, misuse, or any
failings it may have. You're on your own.
The author reserves the right to alter the aforementioned
conditions from time to time as he sees appropriate. The
author's most recent copyright notice and conditions for
this software always supersede any issued previously.
Use and or distribution of this software implies accep-
tance of the above.
So there.
SEE ALSO
nslookup(1), host(1), dig(1), socket(2), bind(2), con-
nect(2), iss(1).
--
+----------------------------------+-----------------------------------------+
|Julian Assange | "if you think the United States has |
|FAX: +61-3-9819-9066 | has stood still, who built the largest |
|EMAIL: proff@suburbia.net | shopping centre in the world?" - Nixon |
+----------------------------------+-----------------------------------------+
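Added example, not part of the original message or of the strobe distribution: a small detector for the traffic pattern the man page describes, namely one source opening connections to many distinct host/port pairs in a short burst, optionally with every request bound to a single privileged source port as `-P 53` does. The log format, the function names `group_by_source` and `find_sweeps`, and the thresholds are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample (not real traffic), one inbound TCP connection attempt
# per line: "epoch_seconds src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
817465866 192.0.2.10 53 198.51.100.1 80
817465866 192.0.2.10 53 198.51.100.2 80
817465866 192.0.2.10 53 198.51.100.3 80
817465867 192.0.2.10 53 198.51.100.4 80
817465866 192.0.2.20 40112 198.51.100.1 80
817465870 192.0.2.20 40113 198.51.100.1 443
817465866 192.0.2.30 33001 198.51.100.7 21
817465866 192.0.2.30 33002 198.51.100.7 22
817465866 192.0.2.30 33003 198.51.100.7 23
817465867 192.0.2.30 33004 198.51.100.7 25
"""

def group_by_source(log):
    """Return {src_ip: sorted [(ts, src_port, dst_ip, dst_port)]}, skipping malformed lines."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit() and f[2].isdigit() and f[4].isdigit():
            by_src[f[1]].append((int(f[0]), int(f[2]), f[3], int(f[4])))
    return {src: sorted(ev) for src, ev in by_src.items()}

def find_sweeps(log, window=5, min_targets=4):
    """Flag sources that hit >= min_targets distinct (dst_ip, dst_port) within window seconds."""
    findings = {}
    for src, events in group_by_source(log).items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            targets = {(d, p) for _, _, d, p in burst}
            if len(targets) < min_targets:
                continue
            sports = {s for _, s, _, _ in burst}
            low = len(sports) == 1 and min(sports) < 1024
            findings[src] = {
                "targets": len(targets),
                "hosts": len({d for d, _ in targets}),
                # Every attempt from one privileged source port: what -P produces.
                "fixed_low_sport": min(sports) if low else None,
            }
            break
    return findings
```

The `fixed_low_sport` field matters for filtering rules: a TCP connection attempt arriving from source port 53 is not DNS traffic merely because of its port number, so rules that admit inbound TCP based on source port alone let this pattern through.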