/*								*/
/* Z3RO-FLAG SC4NN3R v0.0001 = DEVELOPED BY VECT0R-X 		*/
/* Grad.. this is not a circulating file.. please keep it that  */
/* way =].. It scans ports via sending a "0" flag.  Meaning     */
/* tcplog and other connection/attempt loggers will not pick it */
/* up.  You can see it with tcpdump/other anaylyzers but that's */
/* about it.							*/
/* Under Solaris try:						*/
/*	gcc x.c -lsocket -lnsl -L/usr/ucblib -lucb		*/

#include "tcpip.c"

unsigned long sourceport   = 1995;
unsigned long dest, idle, sense, current, src, nseq, startport, stopport, temp; 
unsigned long accurate = 0, antitcpdump = 0;
char str[255], *string;
char buf[4096];
int len, rec, sen, i=1, adder=128000, stringlen=0;
struct sockaddr_in addr;
struct hostent *host;

void main(int argc, char *argv[])
{

	unsigned long fakesequence = 408618+getpid();
	sourceport+=getpid();
	printf("Zero-Scan v1.0 by vect0rx.\n\n");fflush(stdout);
	if (argc < 5) {		
	        fprintf(stderr,"Usage: %s <site> <startport> <stopport> <sensitivity>\n",argv[0]);
		exit(1);
	}
	startport = atoi(argv[2]);
	stopport = atoi(argv[3]);
	sense = atoi(argv[4]);
	for (i=4;i<argc;i++) switch(argv[i][1]) {
		case 'd' : accurate++; break;
		case 'a' : antitcpdump++; break;
		default : break;
	}
	if (accurate) printf("- Using delays for increased accuracy.\r\n");
	if (antitcpdump) printf("- Using LONG delays for anti-tcp-dumping.\r\n");
	memset(&addr,0,sizeof(addr));
	addr.sin_family = AF_INET;
	if ((addr.sin_addr.s_addr = inet_addr(argv[1])) == -1) {
		if ((host = gethostbyname(argv[1])) == NULL) {
			printf("Unknown host %s.\n",argv[1]);
			exit(1);
		}
		addr.sin_family = host->h_addrtype;
		memcpy((caddr_t) &addr.sin_addr,host->h_addr,host->h_length);
	}
	memcpy(&dest,(char *)&addr.sin_addr.s_addr,4);

	if ((rec = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
		perror("error: recv socket");
		exit(1);
	}

	if ((sen = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
		perror("error: send socket");
		exit(1);
	}

/*	
	sen = openintf("ppp0");
*/	 


	gethostname(buf, 128);
	if ((host=gethostbyname(buf))==NULL) {
		fprintf(stderr, "Can't get my hostname!?\n");
		exit(1);
	}
	memcpy(&src,host->h_addr,4);

	for (current=startport;current<stopport+1;current++) {
	    idle = 0;
		usleep(500);
		sendtcppacket(sen, src, dest, &addr, 0, sourceport,
			current, fakesequence, 0, NULL, 0);
	  for (;;) {
	    idle++;
	    if (idle>sense) {
		    printf("Site: %s; Port %d open.\r\n", argv[1], current); 
		    fflush(stdout);
		    break;
		}
	    gettcppacket(rec,buf,sizeof(buf));
	    ip = (struct iphdr *) buf;
	    if (ip->saddr != dest) continue;
	    len = ip->ihl << 2;
	    tcp = (struct tcphdr *) (buf+len);
            if (ntohs(tcp->th_dport)==sourceport && ntohs(tcp->th_sport)==current) {
                    temp=htonl(tcp->th_seq);
		    nseq=temp; 
		    break;
            }
	}
}
}
/*
*/