STROBE 1.05(1) STROBE 1.05(1)
NAME
       strobe - Super optimised TCP port surveyor

SYNOPSIS
       strobe [ -vVmdbepPAtnSilfsaM ] [host1 ... [hostn]]

DESCRIPTION
       strobe is a network/security tool that locates and describes all
       listening tcp ports on a (remote) host or on many hosts in a
       bandwidth utilisation maximising, and process resource minimising
       manner.

       strobe approximates a parallel finite state machine internally. In
       non-linear multi-host mode it attempts to apportion bandwidth and
       sockets among the hosts very efficiently. This can reap appreciable
       gains in speed for multiple distinct hosts/routes.

       On a machine with a reasonable number of sockets, strobe is fast
       enough to port scan entire Internet sub domains. It is even possible
       to survey an entire small country in a reasonable time from a fast
       machine on the network backbone, provided the machine in question
       uses dynamic socket allocation or has had its static socket
       allocation increased very appreciably (check your kernel options).
       In this very limited application strobe is said to be faster than
       ISS2.1 (a high quality commercial security scanner by
       [email protected] and friends) or PingWare (also commercial).

OPTIONS
       -v     Verbose output.

       -V     Verbose statistical output.

       -m     Minimise output. Only print hostname, port tuples. Implies -d.
              Useful for automated output parsing.

       -d     Delete duplicate entries for port descriptions, i.e. use only
              the first definition.

       -g     Disable usage of getpeername(2). On Solaris 2.3 machines this
              causes a core dump, for reasons unknown. This behaviour is
              fixed with Solaris 2.4. Under Linux, HP and perhaps other unix
              implementations, false tcp connection positives may occur
              when this option is activated.

       -s     Statistical information describing the average of all hosts
              surveyed is sent to stderr on completion.

       -q     Quiet mode. Don't print non-fatal errors or the (c) message.

       -d     Display only the first description in the port services entry
              file (Cf. -B).

       -o file
              Direct output (but not any messages which can be affected by
              -q) to file.

       -b number
              Beginning (starting) port number.

       -e number
              Ending port number.

       -p number
              Port number if you intend to scan a single port.

       -P number
              Local port to bind outgoing connection requests to. (You will
              normally need super-user privileges to bind ports smaller
              than 1024.)

       -A address
              Interface address to send outgoing connection requests from
              for multi-homed machines.

       -t number
              Time after which a connection attempt to a completely
              unresponsive host/port is aborted.

       -n number
              Use this number of sockets in parallel (defaults to 64).
              strobe attempts to figure out if number is greater than the
              quantity of available sockets at any point in time and, if
              so, uses only the amount found. On some UNIX implementations
              such as Solaris, this appears not to work correctly and you
              may find yourself with unusual errors such as NO ROUTE TO
              HOST when you hit the socket ceiling.

              Remember that strobe probably isn't the only process on the
              system desiring a socket or two. Having strobe pilfer all the
              spare sockets away from inetd(8) and other daemons and
              clients isn't such a crash hot idea, unless you want to stop
              all new incoming and outgoing connections.

       -S file
              Change the default port services description file to file.
              Note that if -S is not specified, port services are loaded
              from one of strobe.services,
              /usr/local/lib/strobe.services, or /etc/services.

       -i file
              Obtain hostnames to strobe from file rather than from the
              command line. Note that only the first white-space separated
              word in each line of file is used, so one can feed in files
              such as /etc/hosts. If filename is '-', stdin will be used.

       -l     Probe hosts linearly (sequentially) rather than in parallel.
              The actual ports on each host are still checked in a parallel
              manner (with a parallelism of -n (defaults to 64)).

       -f     Fast mode, probe only the tcp ports detailed in the port
              services file (see -S).

       -a number
              Abort and skip to the next host after ports up to number have
              been probed and still no connections have occurred. Due to
              the parallel nature of the probing, reply packets for n+m may
              return before those relating to n. What this means is that
              ports > number may be probed. If strobe sees a connection on
              any one of these higher ports before it has negated all
              possibility of a service listening on ports <= number, then
              despite the fact that all ports up to and including number
              may turn out to be connectionless, strobe will `abort the
              abort'. This is considered optimal, if unusual, behaviour.

       -M     Mail a bug report, or tcp/udp port description to the current
              source maintainer.

EXAMPLES
              strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services -o out

       strobe all entries in /etc/hosts (identical ip addresses are skipped
       automagically) using 120 sockets in parallel, but only check the
       individual tcp ports mentioned in services. If we have probed up to
       port 80 on a host and have still not yet evidenced a connection,
       then skip that host. Display speed/time statistics for each host and
       for the totality of hosts to stderr. Place the regular output in
       out.

              ypcat hosts | strobe -p 80 -t 2 -A 203.4.184.1 -P 53

       strobe all hosts in your hosts YP/NIS-table for WWW-servers. Use a
       timeout of two seconds. Set the source address to the 203.4.184.1
       interface. Make all connection requests appear to come from port 53
       (DNS).
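
Seen from the receiving side, the -P 53 example above shows up as TCP connection requests whose source port is 53. The following is an added example, not part of strobe or its manual, that flags that pattern in firewall logs; the netfilter-LOG-style sample lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (not captured traffic).
SAMPLE_LOG = """\
IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=80 WINDOW=512 SYN URGP=0
IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=53 DPT=80 WINDOW=512 SYN URGP=0
IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=53 DPT=80 WINDOW=512 SYN URGP=0
IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=53 DPT=49152 WINDOW=65535 ACK SYN URGP=0
IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40000 LEN=96
IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51514 DPT=80 WINDOW=64240 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse(line):
    """Split one log line into KEY=value fields plus the set of TCP flags."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def syn_from_source_port(log_text, sport=53, min_targets=2):
    """Map each source address to the (dst, dport) pairs it sent a bare SYN to
    from `sport`, keeping sources that reached at least `min_targets` pairs."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("PROTO") != "TCP" or f.get("SPT") != str(sport) or "DPT" not in f:
            continue
        # A reply from a real service on `sport` carries ACK; a lone SYN is
        # a new connection request that merely uses that source port.
        if f["FLAGS"] != {"SYN"}:
            continue
        targets[f["SRC"]].add((f["DST"], int(f["DPT"])))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, hits in syn_from_source_port(SAMPLE_LOG).items():
        print(src, "sent SYNs from port 53 to", hits)
```

A packet filter that admits traffic on source port 53 alone would pass these SYNs, whereas a stateful rule that only accepts segments belonging to established connections would not.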

BUGS
       Strobe performs no other security functions (yet) and does not
       verify route blocking against UDP or TCP handshake sequence guessing
       one-way IP spoofing attacks.

AUTHOR
       Julian Assange

       EMAIL:

OFFICIAL DISTRIBUTION
       ftp://suburbia.net:/pub/strobe.tgz

COPYRIGHT
       Copyright (c) Julian Assange 1995-1999, All rights reserved.

       This software has only three copyright restrictions. Firstly, this
       copyright notice must remain intact and unmodified. Secondly, the
       Author, Julian Assange, must be appropriately and prominantly
       credited in any documentation associated with any derived work.
       Thirdly unless otherwise negotiated with the author, you may not
       sell this program commercially, reasonable distribution costs
       excepted.

       Use and or distribution of this software implies acceptance of the
       above.

       So there.

SEE ALSO
       nslookup(1), host(1), dig(1), socket(2), bind(2), connect(2),
       iss(1).