strobe
is a network/security tool that locates and describes all listening tcp ports on a
(remote) host or on many hosts in a bandwidth utilisation maximising, and
process resource minimising manner.
strobe
approximates a parallel finite state machine internally. In non-linear multi-host
mode it attempts to apportion bandwidth and sockets among the hosts very efficiently.
This can reap appreciable gains in speed for multiple distinct hosts/routes.
On a machine with a reasonable number of sockets,
strobe
is fast enough to port scan entire Internet sub domains. It is even possible to survey
an entire small country in a reasonable time from a fast machine on the network backbone,
provided the machine in question uses dynamic socket allocation or has had its static
socket allocation increased very appreciably (check your kernel options). In this
very limited application
strobe
is said to be faster than
ISS2.1
(a high quality commercial security scanner by cklaus@iss.net and friends) or
PingWare
(also commercial).
OPTIONS
-v
Verbose output.
-V
Verbose statistical output.
-m
Minimise output. Only print hostname, port tuples. Implies
-d.
Useful for automated output parsing.
-d
Delete duplicate entries for port descriptions. i.e use only the first definition.
-g
Disable usage of
getpeername(2).
On
solaris
2.3 machines this causes a core dump, for reasons unknown. This behaviour is fixed with
solaris
2.4. Under Linux, HP and perhaps other unix implementations, false tcp connection positives
may occur when this option is activated.
-s
Statistical information describing the average of all hosts surveyed is sent to
stderr on completion.
-q
Quiet mode. Don't print non-fatal errors or the (c) message.
-d
Display only the first description in the port services entry file (Cf.
-B).
-o file
Direct output (but not any messages which can be affected by
-q)
to file.
-b number
Beginning (starting) port number.
-e number
Ending port number.
-p number
Port number if you intend to scan a single port.
-P number
Local port to bind outgoing connection requests to.
(you will normally need super-user privileges to bind ports smaller than 1024)
-A address
Interface address to send outgoing connection requests from for multi-homed machines.
-t number
Time after which a connection attempt to a completely unresponsive host/port is
aborted.
-n number
Use this number of sockets in parallel (defaults to 64).
strobe
attempts to figure out if
number
is greater than the quantity of available sockets at any point in time -- and
if so, only use the amount found. On some UNIX implementations such as Solaris,
this appears not to work correctly and you may find yourself with unusual errors
such as
NO ROUTE TO HOST
when you hit the socket ceiling. Remember that
strobe
probably isn't the only process on the system desiring a socket or two. Having
strobe
pilfer all the spare sockets away from
inetd(8)
and other daemons and clients isn't such a crash hot idea, unless you want
to stop all new incoming and outgoing connections.
-S file
Change the default port services description file to
file.
Note that if
-S
is not specified port services are loaded from one of
strobe.services,
/usr/local/lib/strobe.services,
or
/etc/services.
-i file
Obtain hostnames to strobe from
file
rather than from the command line. Note that only the first white-space
separated word in each line of
file
is used, so one can feed in files such as
/etc/hosts.
If filename is
'-'
, stdin will be used.
-l
Probe hosts linearly (sequentially) rather than in parallel. The actual
ports on each host are still checked in a parallel manner (with a parallelism
of
-n
(defaults to 64)).
-f
Fast mode, probe only the tcp ports detailed in the port services file (see
-S).
-a number
Abort and skip to the next host after ports upto to
number
have been probed and still no connections have occurred. Due to the parallel
nature of the probing, reply packets for n+m may return before those relating
to n. What this means is that ports >
number
may be probed. If
strobe
see's a connection on any one of these higher ports before its negated all
possibility of a service listening on ports <=
number
then despite the fact that all ports up to and including
number
may turn out to be connectionless,
strobe
will `abort the abort'. This is considered optimal, if unusual behaviour.
-M
Mail a bug report, or tcp/udp port description to the current source maintainer.
EXAMPLES
strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services -o out
strobe
all entries in
/etc/hosts
(identical ip addresses are skipped automagically)
using 120 sockets in parallel, but only check the individual tcp ports mentioned
in
services.
If we have probed up to port 80 on a host
and have still not yet evidenced a connection, then skip that host. Display speed/time
statistics for each host and for the totality of hosts to stderr. Place the regular
output in
out.
strobe
all hosts in your hosts YP/NIS-table for WWW-servers. Use a timeout of two seconds.
Set the source address to the 203.4.184.1 interface. Make all connection requests
appear to come from port 53 (DNS).
BUGS
Strobe
performs no other security functions (yet) and does not verify route blocking against
UDP or TCP handshake sequence guessing one-way IP spoofing attacks.
Copyright (c) Julian Assange 1995-1999, All rights reserved.
This software has only three copyright restrictions. Firstly, this
copyright notice must remain intact and unmodified. Secondly, the
Author, Julian Assange, must be appropriately and prominantly
credited in any documentation associated with any derived work.
Thirdly unless otherwise negotiated with the author, you may not
sell this program commercially, reasonable distribution costs
excepted.
Use and or distribution of this software implies acceptance of the above.