polarbearscan

Last updated: September 25th, 2017

Summary

polarbearscan is an attempt to do faster and more efficient banner grabbing and port scanning. It combines two different ideas which hopefully will make it somewhat worthy of your attention and time.

The first of these ideas is to use stateless SYN scanning with cryptographically protected cookies to parse incoming acknowledgements. To the best of the author's knowledge this technique was pioneered by Dan Kaminsky in scanrand. Scanrand was itself part of Paketto Keiretsu, a collection of scanning utilities, and it was released sometime in 2001-2002. A mirror of this code can be found at Packet Storm [1].

The second idea is to use a patched userland TCP/IP stack so that the scanner can restore state immediately upon receiving a cryptographically verified packet with both the SYN and ACK flags set. The userland stack used here by polarbearscan is called libuinet [2]. Unlike some of the other userland TCP/IP stacks out there, this one is very mature, as it is simply a port of FreeBSD's TCP/IP stack.

By patching the libuinet stack one can then construct a socket and complete the standard TCP 3-way handshake by replying with a proper ACK. Done this way, a fully functional TCP connection is established immediately. This is in contrast to other scanners (such as nmap) which, after noting that a TCP port is open, have to perform a full TCP connect via the kernel to do things such as banner grabbing or version scanning. A full TCP connect leads to a whole new TCP 3-way handshake being performed, which completely discards the implicit state built up by the initial two packets exchanged between the hosts. By avoiding this one can reduce bandwidth usage and go immediately from detecting that a port is open to connecting to it. This connection can then simply sit back and receive data in banner grab mode, or it could send out an HTTP request.
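To make the cookie idea concrete, the following is an added illustration in Python (not polarbearscan's or libuinet's code) of the arithmetic behind the two ideas above: the ISN of each SYN is an HMAC over the probe's addressing, so a SYN/ACK can be validated with no per-probe state, and the verified numbers are exactly what a stack needs to send the final ACK. The key, the function names and the constructed reply values are assumptions for the example.

```python
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF

# Constructed example key. A real scanner draws a fresh random key per run;
# it is fixed here only so the example is deterministic.
SCAN_KEY = b"constructed-example-key-not-for-real-use"


def syn_cookie(dst_ip, dst_port, src_port, key=SCAN_KEY):
    """32-bit cookie used as the initial sequence number (ISN) of an outgoing SYN.

    The MAC covers only the probe's addressing, so nothing has to be remembered
    per probe: the reply carries everything needed to recompute it.
    """
    msg = socket.inet_aton(dst_ip) + struct.pack("!HH", dst_port, src_port)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def verify_synack(reply_src_ip, reply_src_port, reply_dst_port, ack_num, key=SCAN_KEY):
    """Validate a received SYN/ACK without per-probe state.

    A genuine SYN/ACK acknowledges our ISN + 1 (mod 2**32). Its source IP/port
    are the target we probed and its destination port is the source port we used,
    so the expected cookie is recomputed straight from the reply's own headers.
    """
    expected = (syn_cookie(reply_src_ip, reply_src_port, reply_dst_port, key) + 1) & MASK32
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", ack_num))


def restore_connection_state(reply_src_ip, reply_src_port, reply_dst_port, seq_num, ack_num, key=SCAN_KEY):
    """Return the sequence state a TCP stack needs to finish the handshake with an ACK.

    Once the cookie verifies, our next send sequence is the acknowledged number and
    the peer's next expected byte is its ISN + 1. Returns None if the SYN/ACK fails.
    """
    if not verify_synack(reply_src_ip, reply_src_port, reply_dst_port, ack_num, key):
        return None
    return {"snd_nxt": ack_num, "rcv_nxt": (seq_num + 1) & MASK32}


if __name__ == "__main__":
    # Constructed SYN/ACK from a probed target (documentation address, made-up numbers).
    c = syn_cookie("198.51.100.7", 443, 40000)
    state = restore_connection_state("198.51.100.7", 443, 40000, seq_num=0x1A2B3C4D, ack_num=(c + 1) & MASK32)
    print("verified:", state is not None, "state:", state)
```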

Please note that the scanner right now only supports IPv4 based scanning and it will only work properly over Ethernet-type (wired or wireless) interfaces. There are no plans to support IPv6 or different interfaces in the near future.

Download

Latest release (v0.13).

The code can also be found on GitHub; see here.

Compiling the code should be pretty straightforward. Just type make (assumes GNU make) and the dependencies will be downloaded and the code will compile. The scanner was tested on recent x86 and x86-64 builds of the Ubuntu (14, 15), Debian 8.1, Kali Linux 1.1 and Arch Linux distributions, and it should compile cleanly with both gcc and clang. Needed dependencies are listed in the DEPENDENCIES file inside the tarball.

Contact

Feel free to contact me by email with bugs, suggestions and/or questions.

References