NAME
strobe - Super optimised TCP port surveyor
SYNOPSIS
strobe [ -vVmdbepPAtnSilfsaM ] [host1 ... [hostn]]
DESCRIPTION
strobe is a network/security tool that locates and describes all
listening TCP ports on a (remote) host, or on many hosts, in a manner
that maximises bandwidth utilisation and minimises process resource use.

strobe approximates a parallel finite state machine internally. In non-
linear multi-host mode it attempts to apportion bandwidth and sockets
among the hosts very efficiently. This can reap appreciable gains in
speed for multiple distinct hosts/routes.

On a machine with a reasonable number of sockets, strobe is fast enough
to port scan entire Internet sub domains. It is even possible to survey
an entire small country in a reasonable time from a fast machine on the
network backbone, provided the machine in question uses dynamic socket
allocation or has had its static socket allocation increased very
appreciably (check your kernel options). In this very limited
application strobe is said to be faster than ISS2.1 (a high quality
commercial security scanner by cklaus@iss.net and friends) or PingWare
(also commercial).
OPTIONS
-v Verbose output.
-V Verbose statistical output.
-m Minimise output. Only print hostname, port tuples. Implies -d.
Useful for automated output parsing.
-d Delete duplicate entries for port descriptions, i.e. use only the
first definition.
-g Disable usage of getpeername(2). On Solaris 2.3 machines this
causes a core dump, for reasons unknown. This behaviour is fixed
with Solaris 2.4. Under Linux, HP and perhaps other UNIX
implementations, false TCP connection positives may occur when
this option is activated.
-s Statistical information describing the average of all hosts
surveyed is sent to stderr on completion.
-q Quiet mode. Don’t print non-fatal errors or the (c) message.
-d Display only the first description in the port services entry
file (Cf. -B).
-o file
Direct output (but not any messages which can be affected by -q)
to file.
-b number
Beginning (starting) port number.
-e number
Ending port number.
-p number
Port number if you intend to scan a single port.
-P number
Local port to bind outgoing connection requests to. (You will
normally need super-user privileges to bind ports smaller than
1024.)
-A address
Interface address to send outgoing connection requests from for
multi-homed machines.
-t number
Time after which a connection attempt to a completely
unresponsive host/port is aborted.
-n number
Use this number of sockets in parallel (defaults to 64). strobe
attempts to figure out if number is greater than the quantity of
available sockets at any point in time -- and if so, only use
the amount found. On some UNIX implementations such as Solaris,
this appears not to work correctly and you may find yourself
with unusual errors such as NO ROUTE TO HOST when you hit the
socket ceiling. Remember that strobe probably isn’t the only
process on the system desiring a socket or two. Having strobe
pilfer all the spare sockets away from inetd(8) and other
daemons and clients isn’t such a crash hot idea, unless you want
to stop all new incoming and outgoing connections.
-S file
Change the default port services description file to file. Note
that if -S is not specified port services are loaded from one of
strobe.services, /usr/local/lib/strobe.services, or
/etc/services.
-i file
Obtain hostnames to strobe from file rather than from the
command line. Note that only the first white-space separated
word in each line of file is used, so one can feed in files such
as /etc/hosts. If filename is ’-’ , stdin will be used.
-l Probe hosts linearly (sequentially) rather than in parallel. The
actual ports on each host are still checked in a parallel manner
(with a parallelism of -n (defaults to 64)).
-f Fast mode, probe only the tcp ports detailed in the port
services file (see -S).
-a number
Abort and skip to the next host after ports up to number have
been probed and still no connections have occurred. Due to the
parallel nature of the probing, reply packets for n+m may return
before those relating to n. What this means is that ports >
number may be probed. If strobe sees a connection on any one of
these higher ports before it has negated all possibility of a
service listening on ports <= number, then despite the fact that
all ports up to and including number may turn out to be
connectionless, strobe will ‘abort the abort’. This is
considered optimal, if unusual, behaviour.
-M Mail a bug report, or tcp/udp port description to the current
source maintainer.
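The hostname, port tuples printed by -m suit exposure audits. The following is an added example, not part of strobe or its distribution: it compares -m output with an approved-services baseline. It assumes each -m line begins with a hostname and a port number separated by white space (the exact layout is not shown on this page); the host names, baseline and function names are constructed for illustration.

```python
# Added example: audit strobe -m output against an approved-services baseline.
# Assumption: every -m line starts with "<hostname> <port>" (white-space separated).

def parse_tuples(text):
    """Return a set of (host, port); skip blank, malformed or out-of-range lines."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            port = int(fields[1])
        except ValueError:
            continue
        if 1 <= port <= 65535:
            pairs.add((fields[0].lower(), port))
    return pairs

def audit(scan_text, baseline):
    """Compare observed listeners with a baseline of {host: set_of_ports}."""
    observed = parse_tuples(scan_text)
    approved = {(h.lower(), p) for h, ports in baseline.items() for p in ports}
    return {
        "unexpected": sorted(observed - approved),  # listening, not approved
        "missing": sorted(approved - observed),     # approved, not seen
    }

# Constructed sample input, including two lines the parser must reject.
SAMPLE_SCAN = """\
web1.example.org 22
web1.example.org 80
web1.example.org 6000
db1.example.org 22
garbage line
db1.example.org 99999
"""
BASELINE = {"web1.example.org": {22, 80, 443}, "db1.example.org": {22}}

if __name__ == "__main__":
    report = audit(SAMPLE_SCAN, BASELINE)
    for kind in ("unexpected", "missing"):
        for host, port in report[kind]:
            print(f"{kind}: {host} {port}")
```

A "missing" entry is not proof that a service is down: a host skipped by -a, a -t timeout, or a port range narrowed with -b/-e/-f produces the same result.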
EXAMPLES
strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services -o out

strobe all entries in /etc/hosts (identical ip addresses are skipped
automagically) using 120 sockets in parallel, but only check the
individual tcp ports mentioned in services. If we have probed up to
port 80 on a host and have still not yet evidenced a connection, then
skip that host. Display speed/time statistics for each host and for the
totality of hosts to stderr. Place the regular output in out.

ypcat hosts | strobe -p 80 -t 2 -A 203.4.184.1 -P 53

strobe all hosts in your hosts YP/NIS-table for WWW-servers. Use a
timeout of two seconds. Set the source address to the 203.4.184.1
interface. Make all connection requests appear to come from port 53
(DNS).
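Seen from the monitored network, the -P option leaves a recognisable trace: ordinary clients let the kernel pick a fresh ephemeral source port for each connection, whereas a survey bound with -P reuses one source port against many destinations, so a filter rule that trusts traffic because it comes "from port 53" is no safeguard. The following detection sketch is an added example, not part of strobe; the flow-log layout, thresholds, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed flow-log layout (hypothetical), one TCP connection attempt per line:
#   <epoch seconds> <src ip> <src port> <dst ip> <dst port>
# Constructed sample: one fixed-port sweep, one normal client, one resolver.
SAMPLE_FLOWS = """\
1000.0 198.51.100.7 53 192.0.2.10 80
1000.2 198.51.100.7 53 192.0.2.11 80
1000.4 198.51.100.7 53 192.0.2.12 80
1000.6 198.51.100.7 53 192.0.2.13 80
1000.8 198.51.100.7 53 192.0.2.14 80
1001.0 198.51.100.7 53 192.0.2.15 80
1000.1 192.0.2.50 40112 192.0.2.10 80
1000.3 192.0.2.50 40113 192.0.2.11 443
1002.0 192.0.2.53 53 192.0.2.60 53
1030.0 192.0.2.53 53 192.0.2.60 53
"""

def parse_flows(text):
    """Yield (ts, src_ip, src_port, dst_ip, dst_port); skip malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        try:
            yield float(f[0]), f[1], int(f[2]), f[3], int(f[4])
        except ValueError:
            continue

def fixed_port_fanout(text, window=10.0, min_targets=5):
    """Return (src_ip, src_port, peak) for sources that reuse one local port
    against >= min_targets distinct (dst_ip, dst_port) within window seconds."""
    by_source = defaultdict(list)
    for ts, sip, sport, dip, dport in parse_flows(text):
        by_source[(sip, sport)].append((ts, (dip, dport)))
    alerts = []
    for (sip, sport), events in by_source.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({t for _, t in events[start:end + 1]}))
        if peak >= min_targets:
            alerts.append((sip, sport, peak))
    return sorted(alerts)

if __name__ == "__main__":
    for sip, sport, peak in fixed_port_fanout(SAMPLE_FLOWS):
        print(f"{sip}:{sport} reached {peak} distinct targets in one window")
```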
BUGS
Strobe performs no other security functions (yet) and does not verify
route blocking against UDP or TCP handshake sequence guessing one-way
IP spoofing attacks.
AUTHOR
Julian Assange
EMAIL:
strobe@suburbia.net
proff@suburbia.net
OFFICIAL DISTRIBUTION
ftp://suburbia.net:/pub/strobe.tgz
COPYRIGHT
Copyright (c) Julian Assange 1995-1999, All rights reserved.
This software has only three copyright restrictions. Firstly, this
copyright notice must remain intact and unmodified. Secondly, the
Author, Julian Assange, must be appropriately and prominantly credited
in any documentation associated with any derived work. Thirdly unless
otherwise negotiated with the author, you may not sell this program
commercially, reasonable distribution costs excepted.
Use and or distribution of this software implies acceptance of the
above.
So there.
SEE ALSO
nslookup(1), host(1), dig(1), socket(2), bind(2), connect(2), iss(1).
STROBE 1.05(1)