                                 DScan
                        Distributed Port Scanner


Intro
-----

DScan is a port scanner that distributes a scan across dozens of hosts.

The scanner consists of two parts. The client initiates the scan and
divides the work, in this case the port range each server has to cover.
The server only scans its share and returns the result to the client.

Now the first question is, why would anyone want to distribute something as
simple as a port scan among multiple hosts, when it only takes a few seconds
to scan from a single host? The answer is simple. If you scan, you most
probably don't want anyone to notice the scan. If dozens or hundreds of
hosts connect to different ports, ideally only one port per host, nobody would
think of a port scan. At least not in the past... maybe some people should
update the way their firewalls react...

Features the scanner provides right now are scanning single and multiple
hosts or whole networks, distributed among a lot of servers.
Additional features will be added soon.

Right now, DScan is still in beta. Anybody willing to do a bit of
beta testing, if possible in a 'real' environment, would be appreciated.



Features
--------

  - many-to-one or many-to-many port scans
  - connect(), SYN, FIN and XMAS scans
  - authentication with DES, MD5 or cleartext password
  - multiple hosts and IP range support
  - IP file support
  - simple anti-IDS techniques, like a variable ID field, random port scan etc.
  - support for Linux and BSD


Installation
------------

Download and install libpcap and libnet if you haven't already:
http://www.packetfactory.net/projects/libnet
http://www.tcpdump.org

If you compile on OpenBSD, uncomment the LCRYPT define in both Makefiles.
The Makefiles assume libnet is installed under /usr/local/include; change
LNETINC and LLIBINC in server/Makefile if necessary.


To compile the server:
  # cd dscan-*src/server
  # make

For the Client:
  # cd dscan-*src/client
  # make

You can copy the binaries wherever you want, but don't forget
the config files.

Now, configuring the server.
Edit server.conf and set the debug level and port to your liking.
Set the password and the authentication method if you use them. If you
run the dscan server on multiple operating systems, don't use md5.
Execute ./dscans, and that's it.

To configure the client, edit client.conf. You should only change
DEBUGLEVEL if you run into problems. Also set the password and
authentication method to the same values as on the server. Set the server
variable to your servers, and test it.

I successfully tested it on a FreeBSD 4.3 and 4.4, OpenBSD 2.9
and a Debian Linux 2.2 Box.


Usage
-----

Usage: client [options] <-p port1,port2-port3> <hosts>

  -p          Ports to scan
              like: "22,23,50", or "1-100,600"
              Default: 21,22,23,25,80,110,111

  -i <ipfile> Take the IPFile as input

  -t xx       wait xx seconds between ports

  -m xx       port timeout for stealthscans, in 1/10 seconds, max 255

  -s x        Scan Type
     0        Connect Scan 
     1        SYN Scan 
     2        FIN Scan
     3        XMAS Scan

  <host>      Host to scan
              "www.buenz.li,chaos,192.168.1.1" 
              OR "192.168.1-10.1-255", 
              OR "192.168.1.0/24"



Examples
-------- 

To scan www.microsoft.com, ports 22, 23 and 80, connect() scan:
$ ./dscanc -p 22,23,80 www.microsoft.com

Scan whitehouse.gov and .com, ports 1 to 200 and 6000, XMAS scan, 3 sec timeout:
$ ./dscanc -s 3 -m 30 -p 1-200,6000 www.whitehouse.gov,www.whitehouse.com

Scan Class C Subnet port 110 (allowed subnets are 8, 16 and 24):
$ ./dscanc -p 110 192.168.1.0/24

Scan 192.168.1-10.1-100, port 22, SYN scan, 1 sec timeout:
$ ./dscanc -s 1 -m 10 -p 22 192.168.1-10.1-100

Host descriptions can't be mixed, like "192.168.1.0/24,www.idiot.ch"!
The hostname(s) must be the last argument!
Ports and hosts must be separated by commas.
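The port and host syntax above is compact but easy to get wrong, so here is a
parser for it. This is an added example, not code from the DScan project: it
expands the port syntax ("22,23,50", "1-100,600") and the three host forms the
Usage section lists (comma-separated names/addresses, a per-octet range like
"192.168.1-10.1-255", or a CIDR block with prefix 8, 16 or 24) into explicit
lists, rejects the mixed forms the Examples section forbids, and applies the
36-bytes-per-port-and-host memory estimate from the Tips section. All function
names are this example's own.

```python
"""Parser for DScan's command-line port and host syntax (added example)."""
import ipaddress
import re

BYTES_PER_PAIR = 36              # per-port, per-host cost quoted in the Tips section
ALLOWED_PREFIXES = (8, 16, 24)   # "allowed subnets are 8, 16 and 24"
OCTET_RANGE_RE = re.compile(r"(\d+(?:-\d+)?\.){3}\d+(?:-\d+)?")


def parse_ports(spec):
    """Expand "22,23,50" or "1-100,600" into a sorted list of unique ports."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)          # int() raises on empty or garbage entries
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def _octet_values(part):
    """"1-10" -> [1, ..., 10], "7" -> [7]; every octet must stay in 0..255."""
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError("bad octet range %r" % part)
    return list(range(lo, hi + 1))


def parse_hosts(spec):
    """Expand the <host> argument into a list of address/name strings.

    Exactly one form per invocation: a CIDR block, a per-octet range, or a
    comma-separated list of plain names/addresses (no mixing, per the README).
    """
    spec = spec.strip()
    if "/" in spec:
        if "," in spec:
            raise ValueError("host forms can't be mixed: %r" % spec)
        net = ipaddress.ip_network(spec, strict=False)
        if net.prefixlen not in ALLOWED_PREFIXES:
            raise ValueError("only /8, /16 and /24 are supported, got /%d" % net.prefixlen)
        return [str(h) for h in net.hosts()]   # skips network and broadcast address
    if OCTET_RANGE_RE.fullmatch(spec):
        a, b, c, d = (_octet_values(p) for p in spec.split("."))
        return ["%d.%d.%d.%d" % (w, x, y, z) for w in a for x in b for y in c for z in d]
    hosts = [h.strip() for h in spec.split(",")]
    for h in hosts:
        # a range or CIDR inside a comma list is the mixed form the README rejects
        if not h or "/" in h or ("-" in h and OCTET_RANGE_RE.fullmatch(h)):
            raise ValueError("host forms can't be mixed: %r" % spec)
    return hosts


def memory_estimate(ports, hosts):
    """Bytes the README says the client needs for a ports x hosts scan."""
    return BYTES_PER_PAIR * len(ports) * len(hosts)


if __name__ == "__main__":
    ports = parse_ports("1-1024")
    hosts = parse_hosts("192.168.1.0/24")
    print(len(ports), "ports x", len(hosts), "hosts ->",
          memory_estimate(ports, hosts), "bytes")
```

Run as a script it reproduces the Tips section's figure: 1024 ports times the 254
usable hosts of a /24 comes to 9,363,456 bytes. Hostnames containing a hyphen
are accepted in the comma form; only a hyphenated dotted-quad is treated as a
range and therefore rejected inside a list.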

Scan with ipfile:
$ cat ipfile
192.168.1.1 1-200 300 6000
www.gmx.net 22,25,110,200-300
192.168.2.1-10 22,23
$ ./dscanc -i ipfile



Tips
-----

Don't use very high port ranges or big subnets (like a class A).
The client needs 36 bytes of memory for every port and host combination.
If you have, say, 1024 ports and a class C subnet, you need:
  36 * 1024 * 254 = 9'363'456 bytes of RAM, that is about 10MB...

Use your brain when you scan: scan only the really necessary ports, like
21, 22, 23, 80, 110 etc. This is better for you, for your box, for the
IDS and for the bandwidth...

The more dscan servers you have, the stealthier you are. See,
if you have 16 dscan servers and want to scan 4 ports on 4 servers,
every server sees 4 connection requests, but from 4 different IPs.
The point is, an IDS sees only 16 connection requests from 16 different
IPs... is this a hack? hmmmm :P
But if many ports are closed, many RST/ACK packets would be sent
back, which can attract attention on an IDS. Again, only scan necessary
ports!
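The paragraph above describes what the scanned side sees: many source
addresses, each touching one or two ports, that together cover a whole list
of ports, plus a burst of RST replies for the closed ones. That pattern is
exactly what a per-destination rule can pick up, even though no single source
trips a conventional per-source scan threshold. The following is an added
example, not part of DScan: it reads constructed connection-log lines in a
format invented here ("<iso-time> <src> -> <dst>:<port> <SYN-ACK|RST>", the
target's view of inbound connection attempts and its replies), buckets them per
destination and fixed time window, and flags a bucket where many distinct
sources each hit only a couple of ports while jointly covering many. The
thresholds and the sample log are this example's own.

```python
"""Detecting the distributed-scan pattern from the Tips section (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example: "<iso-time> <src> -> <dst>:<port> <SYN-ACK|RST>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (SYN-ACK|RST)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m.group(1)),
        "src": m.group(2),
        "dst": m.group(3),
        "dport": int(m.group(4)),
        "closed": m.group(5) == "RST",   # RST reply = the port was closed
    }


def detect_distributed_scans(lines, window_seconds=60, min_ports=8, max_ports_per_source=2):
    """Return one alert per (destination, time bucket) showing the distributed pattern.

    A bucket is flagged when it covers at least min_ports distinct ports while no
    single source touched more than max_ports_per_source of them: many sources,
    each quiet on its own, jointly sweeping the port list.
    """
    buckets = defaultdict(list)            # (dst, bucket index) -> events
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # skip lines that don't match the format
        key = (ev["dst"], int(ev["ts"].timestamp() // window_seconds))
        buckets[key].append(ev)

    alerts = []
    for (dst, _bucket), evs in sorted(buckets.items()):
        ports_per_src = defaultdict(set)
        for ev in evs:
            ports_per_src[ev["src"]].add(ev["dport"])
        distinct_ports = {ev["dport"] for ev in evs}
        if len(distinct_ports) < min_ports:
            continue                       # too few ports to call it a sweep
        if max(len(p) for p in ports_per_src.values()) > max_ports_per_source:
            continue                       # one busy source: a per-source rule covers that
        alerts.append({
            "dst": dst,
            "distinct_ports": len(distinct_ports),
            "distinct_sources": len(ports_per_src),
            "closed_replies": sum(1 for ev in evs if ev["closed"]),
            "first_seen": min(ev["ts"] for ev in evs).isoformat(),
        })
    return alerts


def _constructed_log():
    """Constructed sample (not real traffic): 16 sources hit one port each on
    192.168.1.5 within 30 s; one normal client talks to 192.168.1.6:80; one
    single source walks 10 ports on 192.168.1.7."""
    scanned = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 3306]
    open_ports = {22, 80, 110, 443}
    lines = []
    for i, port in enumerate(scanned):
        reply = "SYN-ACK" if port in open_ports else "RST"
        lines.append("2001-10-27T12:00:%02d 10.0.%d.1 -> 192.168.1.5:%d %s" % (2 * i, i, port, reply))
    for sec in (5, 9, 14):
        lines.append("2001-10-27T12:00:%02d 10.9.9.9 -> 192.168.1.6:80 SYN-ACK" % sec)
    for i, port in enumerate(scanned[:10]):
        lines.append("2001-10-27T12:00:%02d 10.7.7.7 -> 192.168.1.7:%d RST" % (i, port))
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_distributed_scans(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only 192.168.1.5 is reported: 16 ports from 16 sources
with 12 RST replies, the closed-port noise the text warns about. The single-source
walk of 192.168.1.7 is deliberately left to a per-source rule, and the repeated
client on 192.168.1.6 never reaches the port threshold. Fixed buckets keep the
logic short; a sweep that straddles a bucket boundary is split in two, so a
production rule would use a sliding window or overlapping buckets.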


Bugs
----
  - authtype 3 (md5) is not a good default; it doesn't work across both
    a fbsd and a linux box
  - ACK scanning is not fully implemented -> does not really work
  - stealth scanning of _localhost_ is also very buggy
  - NULL scan doesn't work, because libnet doesn't allow a null header
    and turns the ACK flag on... damn


History
-------

27.10.2001 - Version 0.6:
This is a bugfix release. Stealth scanning now works perfectly.
Fixed bugs, cleaned up stuff, general speedup.
Next version will have a lot of features, like ping scan, random scan,
decoy hosts, encryption and more...


Authors
-------
  - Anthraxx <anthraxx@gmx.net>
    new protocol, stealth scans and the rest

  - Kolrabi <kolrabi@gmx.de>
    core, connect() portscan, configuration 
