Hack Like a Pro: Perl Scripting for the Aspiring Hacker, Part 2 (Building a Port Scanner)

Welcome back, my fledgling hackers!

Scripting skills are essential is ascending to the upper echelons of the hacker clique. Without scripting skills, you are dependent upon others to develop your tools. When others develop your tools, you will always be behind the curve in the battle against security admins.

Remember, there is an ongoing chess match between the security admins and hackers. Sometimes having a just a few weeks advantage can be the difference between a huge success and bitter failure.

In my previous tutorial on scripting with Perl, we developed a simple script to demonstrate the basic Perl syntax. In this tutorial, we will delve a bit deeper and further develop your skills toward our goal of first developing a port scanner similar to nmap, and ultimately, developing our own exploits.

Before we proceed further, though, we need to examine some important programming and Perl concepts and constructs.

Arguments

Very often we will need to pass data (data, not gas) into the script and out of the script. In many of the tools I have demonstrated here on Null Byte, we have needed to provide a target IP, maybe a port, a file (say, maybe a wordlist), etc.

Each of these would be an argument that gets passed to the tool when we run it. We can do this by using an array to hold this data when it is entered after the script file is invoked. We'll try this with our new port scanner we build here.

Control Statements

Like in any scripting or programming language, sometimes we need to make a decision. If a value is true, then do this; if it is not true, then do something else. These decisions are made by control statements.

The most fundamental of these control statements is the IF, THEN, ELSE statement. We will look at how Perl implements the IF, THEN, ELSE in our port scanner when we need to make decisions as to what approach to take or what output to print.

Looping

Many times, we need to do an action repeatedly. For this purpose, we can use FOR loops or WHILE loops. FOR loops will continue the action for a specified number of iterations. On the other hand, a WHILE continues while a particular condition evaluates to true.

In our port scanner we are creating here, we need to scan each port until we come to the last port or the last port specified by the user in the parameters passed to the script. We will use a FOR statement to accomplish this.

Step 1: Creating Our Port Scanner

So, now that we have a bit more Perl background, let's start to create our port scanner, something very similar to nmap. In it's most basic use, nmap is able to tell us what ports are open and which are closed. The port scanner we are creating should be able to manage this same task.

I've displayed the port scanner below, in three screenshots, with line numbers to help you follow along. You can copy it into any text editor, but here I am using the graphical text editor built into Kali, Leafpad.

Before we do, we need to look at line #4.

There you will see a command:

use Socket;

This call has the following syntax:

socket( SOCKET, DOMAIN, TYPE, PROTOCOL );

We will using it to establish a connection between our scanning system and the target system. As you can imagine, it is a very powerful function to a hacker and we will be using it in other Perl hacking scripts, so its important to become familiar with it now.

Now, let's go through our script line by line.

1. Defines what interpreter we want to use - /usr/bin/perl.
2. Comments giving our script a name.

4. Described above already.

6. Makes certain that the carriage return work correctly.

8. Declares our necessary variables for this script.

10. Defines the protocol we will use for scanning.

12. Defines the arguments that are passed to the script.

14. Says that if the user passes -h instead of an IP address, then run the usage information.

18. Says set the variable $ip to localhost if no value passed, otherwise use the argument passed.
19. Says set the port variable $port to 1 if no argument is passed.
20. Says set the variable $port_stop to 65535 if no argument is passed.
21. Says set the $log variable to qsopenports.txt if no argument is passed.

23. Says open the LOGFILE and append (>>) the file or print an error message if it can't be opened.

27. A comment explaining that the log buffer is flushed after every write.
28. Says select the first record in the log file.

30. Contains a print message.

32. Contains a print message.

34. Begins our FOR loop. It says use the value in the $port variable, and if it is less than the variable $port_stop variable, then do the following actions and increment the port number by 1.
35. Calls the socket() to connect using the parameters defined.

41. Begins a conditional if statement. It checks if the port is not open, then print a statement if is closed, else if it is open print that it is open and then close the connection.

50. Then closes the log file.
51. Simply a print message relaying the necessary info to the end user
52. Same as 51.

54. Begins the usage instructions that are printed when the user uses the -h switch.

Step 2: Change Permissions

Now that we have created our scanner, saved it, and named it as nullbyteportscanner, we need to give ourselves execute permissions. Type:

chmod 755 nullbyteportscanner

Step 3: Run It with the -H Switch

Let's try running it with the -h switch now. That should give us the usage info before running it. This would likely be the first step that a new user would do to understand how our tool works.

As you can see, it worked quite well giving us basic information on how to use our script to the end user.

Step 4: Scan with Defaults

Now, let's use our scanner with the default settings.

./nullbyteportscanner

As you can see, it scanned the localhost (default) for all ports between 1 and 65535 (the defaults) and found just two ports open.

Step 5: Scan with Arguments

Finally, let's use our port scanner against another system by passing arguments to the our scanner. In our case here, we will run it against 192.168.1.102 starting with port 1 and ending at port 2000.

./nullbyteportscanner 192.168.1.102 1 2000

As you can see, our nullbyteportscanner works! It found and reported to us on the open ports on the target system between port 1 and port 2000, just like nmap.

Make certain you save this script, my fledgling hackers, as we will adding additional capabilities in future tutorials as we continue to grow and develop our scripting skills to be among the elite of the hacking profession.