Code a port scanner in C | linux

Tcp connect port scanning

Tcp connect port scanner works by trying to establish a connection with every port that is to be scanned. If a connection is established then the port is open otherwise closed. This technique of port scanner is the most basic form of port scanning. However it is the slowest and not very stealthy and easily caught by firewalls or other intrusion detection systems.

Tcp connect port scanning establishes a full connection which involves a 3-way handshake between the 2 hosts. Due to this it is the slowest and consumes the maximum time. The steps involved in the 3 way handshake are

Local system ----> sends tcp syn packet -----> Remote system
Local system <---- replies with a syn+ack packet <----- Remote system
Local system ----> sends ack packet -----> Remote system

After all the 3 steps are done, the connection is fully established and ready for further communication.

In real scenarios are different port scanning technique called "tcp syn port scanning" is used. It does not establish a full 3 way handshake but establishes the connection only partially to detect the open port. The 3 step shown above is not there in syn scanning and hence a full connection is not established and discarded midway. Therefore tcp syn scanning is much faster.

In this post we shall be coding such a tcp connect port scanner using sockets. The code samples shown are for linux. If you want to code the same thing on windows then check out the post on port scanner code in winsock.

Code

To implement tcp connect port scanning the simple steps are

1. Create a socket
2. Run a Loop to connect with each port on the remote system ; if connection established then port open otherwise closed.

Here is the full program.

/*
	Port scanner code in c
*/
#include<stdio.h>
#include<sys/socket.h>
#include<errno.h>
#include<netdb.h>
#include<string.h>
#include<stdlib.h>

int main(int argc , char **argv)
{
	struct hostent *host;
	int err, i , sock ,start , end;
	char hostname[100];
	struct sockaddr_in sa;
	
	//Get the hostname to scan
	printf("Enter hostname or IP : ");
	gets(hostname);
	
	//Get start port number
	printf("\nEnter start port number : ");
	scanf("%d" , &start);
	
	//Get end port number
	printf("Enter end port number : ");
	scanf("%d" , &end);

	//Initialise the sockaddr_in structure
	strncpy((char*)&sa , "" , sizeof sa);
	sa.sin_family = AF_INET;
	
	//direct ip address, use it
	if(isdigit(hostname[0]))
	{
		printf("Doing inet_addr...");
		sa.sin_addr.s_addr = inet_addr(hostname);
		printf("Done\n");
	}
	//Resolve hostname to ip address
	else if( (host = gethostbyname(hostname)) != 0)
	{
		printf("Doing gethostbyname...");
		strncpy((char*)&sa.sin_addr , (char*)host->h_addr , sizeof sa.sin_addr);
		printf("Done\n");
	}
	else
	{
		herror(hostname);
		exit(2);
	}
	
	//Start the port scan loop
	printf("Starting the portscan loop : \n");
	for( i = start ; i <= end ; i++) 
	{
		//Fill in the port number
		sa.sin_port = htons(i);
		//Create a socket of type internet
		sock = socket(AF_INET , SOCK_STREAM , 0);
		
		//Check whether socket created fine or not
		if(sock < 0) 
		{
			perror("\nSocket");
			exit(1);
		}
		//Connect using that socket and sockaddr structure
		err = connect(sock , (struct sockaddr*)&sa , sizeof sa);
		
		//not connected
		if( err < 0 )
		{
			//printf("%s %-5d %s\r" , hostname , i, strerror(errno));
			fflush(stdout);
		}
		//connected
		else
		{
			printf("%-5d open\n",  i);
		}
		close(sock);
	}
	
	printf("\r");
	fflush(stdout);
	return(0);
} 






Run the program

First compile the program using gcc. Its simple.

# gcc portscanner.c

Now run the program and provide the necessary input

# ./a.out 
Enter hostname or IP : google.com

Enter start port number : 75
Enter end port number : 85
Doing gethostbyname...Done
Starting the portscan loop : 
80    open
#

So the above program scanned ports 75 to 85 on google.com and found only port 80 to be open, which is the webserver port.

Last Updated On : 20th May 2013

Subscribe to get updates delivered to your inbox

About Silver Moon

Php developer, blogger and Linux enthusiast. He can be reached at [email protected]. Or find him on

2 Comments + Add Comment

  • Takes long long time to run……

  • you actually should avoid using strncpy to copy or free structures, since strncpy stops on the very first zero; use memset and memcpy instead.

Leave a comment