UDP Portscanning in PHP
Portscanning serves a legitimate role in system administration/ownership. By confirming exactly what ports a computer accepts connections on, it's possible to ensure that an operating system hasn't opened unnecessary ports to the world at large as part of a default install. It also allows us to check that our system hasn't been compromised and had ports opened to allow a cracker to send remote commands to our machine via the Internet.
While TCP port scanning of one's own ports is common, many underestimate the potential hazards of open UDP ports -- this can lead to compromise, or indicate that a compromise has occurred. As the nmap manpage says:
"There is also the cDc Back Orifice backdoor program which hides on a configurable UDP port on Windows machines. Not to mention the many commonly vulnerable services that utilize UDP such as snmp, tftp, NFS, etc."
The single largest impediment to the average home user conducting port scans of their own machines is the lack of simple software to conduct the scan for them. Don't get me wrong -- nmap is one of the best portscanning tools available -- but how comfortable is Joe Average User going to be using a *nix command line tool? It seems to me that a tool that only requires Mr. Average User to go to a specific URL and wait while a PHP script runs a TCP and UDP scan against their machine, and then returns the results of the scan to them, is just what the doctor ordered.
With this in mind, I started searching the Internet and found an implementation of a TCP port scanner that Jim Barcelona had coded and made available at php wizard.
Great! With half of the work done, I should be able to whip out a UDP port scanner in no time. I mean, how much harder could coding a UDP port scanner be? Considerably harder, as it turns out.
TCP Portscanning in PHP
When a TCP socket is created using the fsockopen function, you specify the IP address of the remote machine and the port number to which you want to connect. Using the underlying socket functionality, PHP will then attempt to establish a virtual circuit to the remote machine on the specified port so that further communication can take place. If the destination port is unavailable, the TCP provider on the remote machine will reject the connection request and the fsockopen function will return the boolean value false.
So we now have an easy to understand and implement TCP portscanner. We set up a loop that specifies the minimum and maximum port numbers that we wish to scan, and within the loop, attempt to open a connection at the current value of the loop's index. If the attempt to open the port fails, there's no service at that port. If we're able to successfully open a socket to that port, then there's a service at that port which we log in our array of open ports as a key. We then insert the value for that key with a call to getservbyport, which will return the unix service that's normally registered at that port. Lastly, we close the open socket and move onto the next iteration of our loop.
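The loop just described, written out as an added example (this is my own code, not Jim Barcelona's scanner from php wizard); the function and parameter names are hypothetical, the default target is the local machine, and a per-connection timeout is assumed so that ports silently dropped by a firewall do not stall the scan:

```php
<?php
// Minimal TCP connect scanner following the loop in the article.
// Default target is this machine; $timeout bounds each probe so a firewall
// that drops SYNs (rather than sending RST) cannot hang the whole scan.
function scanTcpPorts(string $host = '127.0.0.1', int $minPort = 1,
                      int $maxPort = 1024, float $timeout = 0.5): array
{
    $openPorts = [];
    for ($port = $minPort; $port <= $maxPort; $port++) {
        $errno  = 0;
        $errstr = '';
        // fsockopen() returns a stream on success and false when the remote
        // TCP stack rejects the connection or the attempt times out.
        // Note: a port that is filtered (packets dropped) also shows up as
        // "closed" here; a connect scan cannot tell the two apart.
        $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
        if ($sock === false) {
            continue;  // no service accepting connections on this port
        }
        // getservbyport() returns the name registered for the port in the
        // system's services database (e.g. /etc/services). It says nothing
        // about what is actually listening, so treat it as a hint only.
        $service = getservbyport($port, 'tcp');
        $openPorts[$port] = ($service !== false) ? $service : 'unknown';
        fclose($sock);
    }
    return $openPorts;
}

// Usage: scan the first 1024 TCP ports on this machine and report them.
$results = scanTcpPorts();
if ($results === []) {
    echo "No open TCP ports found in the scanned range.\n";
}
foreach ($results as $port => $service) {
    printf("Port %d/tcp open (%s)\n", $port, $service);
}
```

Because the service name comes from a static table rather than from the listener, an unexpected open port is worth checking with a local tool (for example netstat or ss) to see which process actually owns it.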
Jason's been involved with Web development since 1996 and currently resides in Chicago, IL. Visit his personal site at