. Contiene firmas actualizadas para detectar la última versión pública de
/*
* Hacker Defender Remote Scanner (updated)
* Based on binary Signatures
*
* Author: Andres Tarasco Acuña
* Email: atarasco _@_ 514.es
* URL: http://www.514.es
* rkdscan is able to remotely detect Comprimised computers with the rootkit
* Hacker Defender
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <process.h>
#include <time.h>
#pragma comment(lib, "ws2_32.lib")
#define NTHREADS 100
#define CONNECT 8
#define RECV 8
#define sleep(a) Sleep(a)
/*
 * Signature table: one entry per known Hacker Defender master key.
 *
 * masterkey  32-byte authentication blob the scanner sends to a port; the
 *            last byte of every entry is 0x00.
 * banner     human-readable label written to the console and to vuln.txt
 *            when a host answers that key.
 *
 * Entries are probed in array order (index 0 first), so the newest release
 * is listed first.
 */
struct KEY {
    unsigned char masterkey[32];
    char banner[256];
} key[] = {
    {
        /* Hacker Defender v1.00 final */
        .masterkey = {
            0x02, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11,
            0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a,
            0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf,
            0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00,
        },
        .banner = "HACKER Defender v1.0.0 FINAL",
    },
    {
        /* masterkey084 - v1.0.0 (differs from the entry above only in byte 0) */
        .masterkey = {
            0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11,
            0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a,
            0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf,
            0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00,
        },
        .banner = "HACKER Defender v0.84 - v1.0.0",
    },
    {
        /* masterkey083 */
        .masterkey = {
            0x01, 0x38, 0x45, 0x69, 0x3a, 0x1f, 0x44, 0x12,
            0x89, 0x55, 0x7f, 0xaa, 0xc0, 0x9f, 0xee, 0x61,
            0x3f, 0x9a, 0x7e, 0x84, 0x32, 0x04, 0x4e, 0x1d,
            0xd7, 0xe4, 0xa8, 0xc4, 0x48, 0xe8, 0x9e, 0x00,
        },
        .banner = "HACKER DEFENDER v0.82 - 0.83",
    },
    {
        /* master key for hxdef 051 - 073 - 080 and 081 and 082 beta */
        .masterkey = {
            0x01, 0x1e, 0x3c, 0x6c, 0x6a, 0xff, 0x99, 0xa8,
            0x34, 0x83, 0x38, 0x24, 0xa1, 0xa4, 0xf2, 0x11,
            0x5a, 0xd3, 0x18, 0x8d, 0xbc, 0xc4, 0x3e, 0x40,
            0x07, 0xa4, 0x28, 0xd4, 0x18, 0x48, 0xfe, 0x00,
        },
        .banner = "HACKER DEFENDER v0.51 - 0.82b",
    },
};
/* Shared scanner state (all file-scope so the worker threads can reach it). */
int RPORT;                 /* not referenced anywhere in this file */
int salir = 0;             /* not referenced anywhere in this file */
int threads = 0;           /* number of live worker threads; guarded by css */
int ip1[4];                /* start address, advanced in place as the scan cursor */
int ip2[4];                /* end address of the range (octets) */
CRITICAL_SECTION cs;       /* serialises updates of ip1 in givemeip() */
CRITICAL_SECTION css;      /* serialises updates of threads */
CRITICAL_SECTION csshell;  /* initialised by main(), otherwise unused in this file */
FILE *vuln;                /* result log (vuln.txt), appended to by the workers */
char *givemeip(char *ip);
/******************************************************************************/
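/*
 * Worker thread body: pulls addresses from givemeip() until the range is
 * exhausted and probes every port in scanports[] with each known master key.
 *
 * A host is reported as infected when, after the 32-byte master key has been
 * sent, the remote side answers with exactly one byte (the condition the
 * original scanner keys on). The verdict is printed and appended to the
 * shared `vuln` log; the remaining ports/keys for that host are skipped.
 *
 * @param larala  thread argument from _beginthread (the thread index); unused.
 *
 * Shared state: increments/decrements `threads` under `css`, writes `vuln`.
 * Does not return normally - ends the thread with _endthread().
 *
 * Fixes relative to the original: the INFECTED format string was broken
 * across two lines (not a valid literal), sprintf into a 256-byte buffer is
 * now bounded with snprintf, the fd_set is re-armed before the second
 * select() instead of relying on what the first call left in it, a
 * writable-but-failed connect is filtered with SO_ERROR, the send() result
 * is checked, the log is flushed after each hit, and the `j=k=99999` double
 * loop escape is replaced by a flag.
 */
void checkea(void *larala){
    static const int scanports[] = {1025, 80, 443, 3389, 21, 25, 1443, 8080, 7};
    char ip[16];
    char buf[10], cadena[256];
    (void)larala;

    EnterCriticalSection(&css);
    threads++;
    sleep(1);
    LeaveCriticalSection(&css);

    while (givemeip(ip) != NULL) {
        int found = 0; /* set after the first positive: stop probing this host */
        for (size_t k = 0; k < sizeof scanports / sizeof scanports[0] && !found; k++) {
            for (size_t j = 0; j < sizeof key / sizeof key[0] && !found; j++) {
                struct sockaddr_in target_ip;
                fd_set fds;
                struct timeval tv;
                u_long nonblock = 1;
                SOCKET sock;

                memset(&target_ip, 0, sizeof target_ip);
                target_ip.sin_family = AF_INET;
                target_ip.sin_addr.s_addr = inet_addr(ip);
                target_ip.sin_port = htons((u_short)scanports[k]);

                sock = socket(AF_INET, SOCK_STREAM, 0);
                if (sock == INVALID_SOCKET) {
                    continue; /* same as the original: skip this probe silently */
                }
                ioctlsocket(sock, FIONBIO, &nonblock);
                /* non-blocking connect: completion is signalled by writability */
                connect(sock, (struct sockaddr *)&target_ip, sizeof target_ip);
                tv.tv_sec = CONNECT;
                tv.tv_usec = 0;
                FD_ZERO(&fds);
                FD_SET(sock, &fds);
                if (select((int)sock + 1, NULL, &fds, NULL, &tv) > 0) {
                    int soerr = 0;
                    int soerrlen = sizeof soerr;
                    /* a writable socket may still be a failed connect: confirm via SO_ERROR,
                     * and only wait for a reply if the whole key actually went out */
                    if (getsockopt(sock, SOL_SOCKET, SO_ERROR, (char *)&soerr, &soerrlen) == 0
                        && soerr == 0
                        && send(sock, (const char *)key[j].masterkey,
                                sizeof key[j].masterkey, 0) == (int)sizeof key[j].masterkey) {
                        tv.tv_sec = RECV;
                        tv.tv_usec = 0;
                        FD_ZERO(&fds);
                        FD_SET(sock, &fds); /* re-arm: select() rewrites the set */
                        if (select((int)sock + 1, &fds, NULL, NULL, &tv) > 0) {
                            if (j == 0) {
                                printf("Checking %s \tport: %i...\n", ip, scanports[k]);
                            }
                            /* a single-byte answer to the master key is the signature */
                            if (recv(sock, buf, sizeof buf, 0) == 1) {
                                snprintf(cadena, sizeof cadena,
                                         " - IP: %s port: %i INFECTED with %s\n",
                                         ip, scanports[k], key[j].banner);
                                printf("%s", cadena);
                                fputs(cadena, vuln);
                                fflush(vuln); /* keep the hit even if the scan is killed */
                                found = 1;
                            }
                        }
                    }
                }
                closesocket(sock);
                sleep(100);
            }
        }
    }

    EnterCriticalSection(&css);
    threads--;
    sleep(1);
    LeaveCriticalSection(&css);
    _endthread();
}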
/******************************************************************************/
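/*
 * Hands out the next address of the shared scan range as dotted-decimal text.
 *
 * The global cursor `ip1` is advanced under `cs`, and a private copy of the
 * new position is taken before the lock is released, so the range check and
 * the formatting below never observe another thread's increment (the original
 * compared and printed the live globals after unlocking, which could skip or
 * duplicate addresses). The last octet walks 1..254 as before; carries now
 * propagate through all upper octets instead of leaving 256 in ip1[2], and
 * the end check compares all four octets rather than only the last two.
 * As in the original, the first address handed out is the one *after* the
 * start address given on the command line.
 *
 * @param ip  caller buffer of at least 16 bytes, receives "a.b.c.d".
 * @return ip on success, NULL once the cursor has moved past `ip2`.
 */
char *givemeip(char *ip)
{
    int cur[4];
    int i;

    EnterCriticalSection(&cs);
    if (ip1[3] != 254) {
        ip1[3]++;
    } else {
        ip1[3] = 1;
        ip1[2]++;
    }
    /* carry 256 -> 0 into the next higher octet; ip1[0] may end up at 256,
     * which the comparison below treats as "past the end" */
    for (i = 2; i > 0; i--) {
        if (ip1[i] > 255) {
            ip1[i] = 0;
            ip1[i - 1]++;
        }
    }
    memcpy(cur, ip1, sizeof cur);
    LeaveCriticalSection(&cs);

    /* lexicographic comparison against the end address */
    for (i = 0; i < 4; i++) {
        if (cur[i] > ip2[i]) {
            return NULL;
        }
        if (cur[i] < ip2[i]) {
            break;
        }
    }
    sprintf(ip, "%d.%d.%d.%d", cur[0], cur[1], cur[2], cur[3]);
    if (cur[3] == 1) {
        printf(" + %s\n", ip); /* announce each new /24 as it is entered */
    }
    return ip;
}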
/******************************************************************************/
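/*
 * Entry point: parses the start and end addresses, validates every octet,
 * opens the result log and fans the scan out over NTHREADS worker threads,
 * then waits until all of them have finished.
 *
 * Usage: rkdscan.exe xx.xx.xx.xx yy.yy.yy.yy
 *
 * Exit status: 0 after a completed scan; 1 on bad arguments, Winsock
 * initialisation failure or when vuln.txt cannot be opened. (The original
 * returned 1 on success as well, which made the status useless to callers.)
 *
 * Fixes relative to the original: the banner printf and the octet checks
 * were garbled (split literal, `ip1` instead of `ip1[i]`), sscanf results
 * are now checked so "a.b" or non-numeric input is rejected, fopen() is
 * checked before the workers dereference `vuln`, and Winsock / critical
 * sections are released on the way out.
 */
int main(int argc, char *argv[])
{
    int i, total = NTHREADS;
    WSADATA ws;

    printf(" Remote hxdef Scanner $Revision: 1.2 $\n");
    printf(" atarasco@514.es - http://www.514.es\n\n");
    if (argc != 3) {
        printf(" Usage: rkdscan.exe xx.xx.xx.xx yy.yy.yy.yy\n");
        exit(1);
    }
    if (WSAStartup(MAKEWORD(2, 0), &ws) != 0) {
        fprintf(stderr, " WSAStartup failed\n");
        exit(1);
    }
    /* both addresses must yield exactly four integers */
    if (sscanf(argv[1], "%d.%d.%d.%d", &ip1[0], &ip1[1], &ip1[2], &ip1[3]) != 4
        || sscanf(argv[2], "%d.%d.%d.%d", &ip2[0], &ip2[1], &ip2[2], &ip2[3]) != 4) {
        printf(" Usage: rkdscan.exe xx.xx.xx.xx yy.yy.yy.yy\n");
        WSACleanup();
        exit(1);
    }
    for (i = 0; i < 4; i++) {
        if (ip1[i] > 255 || ip1[i] < 0 || ip2[i] > 255 || ip2[i] < 0) {
            printf(" Invalid address: every octet must be 0-255\n");
            WSACleanup();
            exit(1);
        }
    }

    InitializeCriticalSection(&cs);
    InitializeCriticalSection(&css);
    InitializeCriticalSection(&csshell);
    printf(" - Targets: %s-%s with %i Threads\n", argv[1], argv[2], total);

    vuln = fopen("vuln.txt", "a");
    if (vuln == NULL) {
        perror(" vuln.txt");
        DeleteCriticalSection(&csshell);
        DeleteCriticalSection(&css);
        DeleteCriticalSection(&cs);
        WSACleanup();
        exit(1);
    }

    for (i = 0; i < total; i++) {
        /* a failed thread start is reported but does not abort the scan */
        if (_beginthread(checkea, 8192, (void *)(size_t)i) == -1L) {
            fprintf(stderr, " could not start worker thread %i\n", i);
        }
        sleep(1);
    }
    /* workers register themselves in `threads` under css; wait for the last one */
    while (threads > 0) {
        sleep(100);
    }

    fclose(vuln);
    DeleteCriticalSection(&csshell);
    DeleteCriticalSection(&css);
    DeleteCriticalSection(&cs);
    WSACleanup();
    return 0;
}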