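/*
 * Rkdetector - Hacker Defender <=v1.0.0 Remote Scanner
 *
 * Author:
 *   Andres Tarasco Acuna
 *   atarasco@sia.es  http://www.siainternational.com
 *
 * rkdscan is able to remotely detect compromised computers running the
 * Hacker Defender (hxdef) rootkit.
 *
 * How it works: for every address in the range and every port in the scan
 * list it opens a TCP connection, sends one of the built-in hxdef backdoor
 * master keys and treats a reply of exactly one byte as the backdoor's
 * acknowledgement.  Two consequences worth knowing before running it:
 *   - every probe is an active authentication attempt against a (possibly
 *     attacker-controlled) backdoor; only scan hosts you are authorized to
 *     test;
 *   - any unrelated service that answers the 32-byte key with a single byte
 *     within RECV seconds is reported as infected, so confirm hits on the
 *     host before acting on them.
 * Hits are appended to vuln.txt in the current directory.
 *
 * Greets to: Javier Olascoaga (Nessus Plugin)
 *            Sia - Tiger Team
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL SIA . BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
 * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
 * THIS SOFTWARE
 *
 * usage: rkdscan.exe xx.yy.zz.0 xx.yy.zz.255
 *
 * C:\rkdscan>rkdscan.exe xx.yy.zz.0 xx.yy.zz.255
 * ROOTKIT SCANNER by Andres Tarasco. atarasco@sia.es
 * [+] Targets: xx.yy.zz.43-xx.yy.zz.48 with 100 Threads
 * Checking xx.yy.zz.44 	port: 80...
 * Checking xx.yy.zz.47 	port: 80...
 * Checking xx.yy.zz.48 	port: 80...
 * [+] IP: xx.yy.zz.47 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0
 */

/*
 * NOTE(review): the header names were stripped from the copy reviewed (six
 * bare "#include" lines).  They were restored from the APIs this file uses:
 * winsock2.h (sockets, select, WSAStartup), windows.h (CRITICAL_SECTION,
 * Sleep), process.h (_beginthread/_endthread) and the C standard headers.
 * winsock2.h must be included before windows.h.
 */
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NTHREADS 150        /* worker threads started by main() */
#define CONNECT  8          /* connect timeout, seconds */
#define RECV     8          /* reply timeout after sending a key, seconds */
#define sleep(a) Sleep(a)   /* Sleep() takes milliseconds */

/*
 * hxdef backdoor master keys, newest build first.  Each entry is the 32-byte
 * key sent to the port under test plus the banner printed on a hit.
 */
struct {
    unsigned char masterkey[32];
    char banner[256];
} key[] = {
    { /* masterkey v0.84 - v1.0.0 */
      { 0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11,
        0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a,
        0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf,
        0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00 },
      "HACKER Defender v0.84 - v1.0.0" },
    { /* masterkey v0.83 */
      { 0x01, 0x38, 0x45, 0x69, 0x3a, 0x1f, 0x44, 0x12,
        0x89, 0x55, 0x7f, 0xaa, 0xc0, 0x9f, 0xee, 0x61,
        0x3f, 0x9a, 0x7e, 0x84, 0x32, 0x04, 0x4e, 0x1d,
        0xd7, 0xe4, 0xa8, 0xc4, 0x48, 0xe8, 0x9e, 0x00 },
      "HACKER DEFENDER v0.82 - 0.83" },
    { /* masterkey for hxdef 051 - 073 - 080 and 081 and 082 beta */
      { 0x01, 0x1e, 0x3c, 0x6c, 0x6a, 0xff, 0x99, 0xa8,
        0x34, 0x83, 0x38, 0x24, 0xa1, 0xa4, 0xf2, 0x11,
        0x5a, 0xd3, 0x18, 0x8d, 0xbc, 0xc4, 0x3e, 0x40,
        0x07, 0xa4, 0x28, 0xd4, 0x18, 0x48, 0xfe, 0x00 },
      "HACKER DEFENDER v0.51 - 0.82b" }
};

/* Unused in this file (neither set nor read anywhere); kept for compatibility. */
int RPORT, salir = 0;
/* Number of live worker threads; guarded by `css`, polled by main(). */
int threads = 0;
/* Scan cursor (ip1) and end of range (ip2), one octet per slot.  ip1 advances
 * under `cs`; ip2 is only written by main() before the workers start. */
int ip1[4], ip2[4];
CRITICAL_SECTION cs,      /* protects ip1 in givemeip() */
                 css,     /* protects `threads` */
                 csshell; /* serializes result output (stdout + vuln) */
FILE *vuln;               /* "vuln.txt", opened for append by main() */

char *givemeip(char *ip);
int infectado(int sock, char *ip, int port, int j);

/******************************************************************************/
/*
 * Worker thread body.
 *
 * Pulls addresses from givemeip() until the range is exhausted.  For each
 * address it walks `scanports`; for each port it connects once per master
 * key, in table order, and stops at the first acknowledged key or the first
 * connect that fails or times out.  `larala` is unused (thread-start
 * signature only).  Registers itself in `threads` on entry and exit.
 */
void checkea(void *larala)
{
    const int nkeys = (int)(sizeof key / sizeof key[0]);
    int sock;
    int j, k;
    int infected, connected;
    char ip[16];
    struct sockaddr_in target_ip;
    fd_set fds;
    u_long nonblock;
    struct timeval tv;
    /* 65536 is the end-of-list sentinel: not a valid TCP port. */
    int scanports[] = {1025, 80, 3389, 21, 25, 7, 65536};

    (void)larala;

    EnterCriticalSection(&css);
    threads++;
    LeaveCriticalSection(&css);

    while (givemeip(ip) != NULL) {
        infected = 0;
        /* Stop walking ports once the host has been reported.  The original
         * set a flag here (`puerto`) but never read it. */
        for (k = 0; scanports[k] != 65536 && !infected; k++) {
            for (j = 0; j < nkeys; j++) {
                memset(&target_ip, 0, sizeof target_ip);
                target_ip.sin_family = AF_INET;
                target_ip.sin_addr.s_addr = inet_addr(ip);
                target_ip.sin_port = htons((u_short)scanports[k]);

                /* socket() returns INVALID_SOCKET (all bits set) on failure,
                 * which is -1 once stored in an int. */
                sock = (int)socket(AF_INET, SOCK_STREAM, 0);
                if (sock == -1)
                    continue;

                nonblock = 1;
                ioctlsocket(sock, FIONBIO, &nonblock);
                tv.tv_sec = CONNECT;
                tv.tv_usec = 0;
                FD_ZERO(&fds);
                FD_SET(sock, &fds);
                connect(sock, (struct sockaddr *)&target_ip, sizeof target_ip);

                /* Writable within the timeout is treated as connected. */
                connected = select(sock + 1, NULL, &fds, NULL, &tv) > 0;
                if (connected && infectado(sock, ip, scanports[k], j) == 1)
                    infected = 1;

                closesocket(sock);
                sleep(100);

                /* A hit ends this port.  A failed or timed-out connect means
                 * the remaining keys would not get through either.  The
                 * original assigned j=3 unconditionally after the first
                 * attempt (missing braces), so key[1] and key[2] were never
                 * sent to anyone. */
                if (infected || !connected)
                    break;
            }
        }
    }

    EnterCriticalSection(&css);
    threads--;
    LeaveCriticalSection(&css);
    _endthread();
}

/******************************************************************************/
/*
 * Probe an already-connected socket with master key `j` and report a hit.
 *
 * Sends key[j].masterkey (32 bytes) and waits up to RECV seconds for a reply.
 * A reply of exactly one byte is what this scanner takes as the hxdef
 * backdoor acknowledging the key; the hit is printed and appended to `vuln`.
 * Returns 1 on a hit, 0 otherwise (send failure, no reply in time, a reply of
 * any other length, or an out-of-range `j`).  Does not close the socket; the
 * caller owns it.
 */
int infectado(int sock, char *ip, int port, int j)
{
    char line[256];
    char buf[10];
    int got;
    fd_set fds;
    u_long nonblock = 1;
    struct timeval tv;

    /* Guard the table lookup: an index outside key[] would read past it. */
    if (j < 0 || j >= (int)(sizeof key / sizeof key[0]))
        return 0;

    ioctlsocket(sock, FIONBIO, &nonblock);
    tv.tv_sec = RECV;
    tv.tv_usec = 0;
    FD_ZERO(&fds);
    FD_SET(sock, &fds);

    /* winsock send() takes const char *; the key is stored as raw bytes. */
    if (send(sock, (const char *)key[j].masterkey, sizeof(key[j].masterkey), 0) == SOCKET_ERROR)
        return 0;

    if (select(sock + 1, &fds, NULL, NULL, &tv) <= 0)
        return 0;

    /* One progress line per port, emitted on the first key only. */
    if (j == 0)
        printf("Checking %s \tport: %i...\n", ip, port);

    got = recv(sock, buf, sizeof(buf), 0);
    if (got != 1)
        return 0;

    snprintf(line, sizeof line, " [+] IP: %s port: %i INFECTED with %s\n",
             ip, port, key[j].banner);

    /* Several workers report concurrently; serialize the two writes so lines
     * do not interleave.  csshell is initialized in main() but was never
     * taken anywhere in the copy reviewed, so it is used for this.  main()
     * opens vuln with fopen(); the NULL check covers the case where that
     * failed and the scan was still started. */
    EnterCriticalSection(&csshell);
    printf("%s", line);
    if (vuln != NULL) {
        fputs(line, vuln);
        fflush(vuln);   /* keep vuln.txt current if the scan is interrupted */
    }
    LeaveCriticalSection(&csshell);
    return 1;
}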
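/******************************************************************************/
/*
 * Hand out the next address of the range to a worker thread.
 *
 * Advances the shared cursor ip1 under `cs` and formats it into `ip`, which
 * the caller must size for a dotted quad plus NUL (16 bytes; checkea() does).
 * Returns `ip`, or NULL once the cursor has passed ip2.  Prints " + a.b.c.d"
 * at the start of every new /24.
 *
 * Behaviour inherited from the original and kept as-is:
 *   - the cursor is advanced before it is read, so the first address given on
 *     the command line is itself never scanned;
 *   - the fourth octet cycles 1..254, so .0 and .255 are skipped;
 *   - only the third and fourth octets are compared against ip2, so the range
 *     must lie within one /16 sharing its first two octets.
 */
char *givemeip(char *ip)
{
    int o1, o2, o3, o4, past_end;

    EnterCriticalSection(&cs);
    if (ip1[3] != 254) {
        ip1[3]++;
    } else {
        ip1[2]++;
        ip1[3] = 1;
    }
    if (ip1[2] == 255) {
        ip1[2]++;
        ip1[1]++;
    }
    /* Snapshot while still holding the lock.  The original re-read ip1 after
     * releasing it, so two threads could be handed the same address or a
     * half-updated one. */
    o1 = ip1[0];
    o2 = ip1[1];
    o3 = ip1[2];
    o4 = ip1[3];
    past_end = (o3 > ip2[2]) || (o3 == ip2[2] && o4 > ip2[3]);
    LeaveCriticalSection(&cs);

    if (past_end)
        return NULL;

    /* Every octet is at most three digits here: main() validates 0..255, o4
     * is 1..254, and the range check above keeps o3 <= ip2[2] (o2 is only
     * bumped together with o3 reaching 256, which is past_end).  So the
     * result is at most 15 characters plus NUL. */
    sprintf(ip, "%d.%d.%d.%d", o1, o2, o3, o4);
    if (o4 == 1)
        printf(" + %s\n", ip);
    return ip;
}

/******************************************************************************/
/*
 * Entry point: rkdscan.exe <first-ip> <last-ip>
 *
 * Parses and range-checks both addresses into ip1/ip2, initializes winsock,
 * the critical sections and vuln.txt, starts NTHREADS workers running
 * checkea() and waits for the `threads` counter to return to zero.
 * Exits 1 on usage, parse, winsock or file errors.
 */
int main(int argc, char *argv[])
{
    int i, total = NTHREADS;
    WSADATA ws;

    printf(" Remote hxdef Scanner $Revision: 1.0 $\n");
    printf(" atarasco@sia.es http://www.siainternational.com\n\n");

    if (argc != 3) {
        printf(" Usage: rkdscan.exe xx.xx.xx.xx yy.yy.yy.yy\n");
        exit(1);
    }
    if (WSAStartup(MAKEWORD(2, 0), &ws) != 0)
        exit(1);

    /* sscanf() leaves unmatched slots untouched (zero, as these are globals),
     * so a malformed argument would silently scan from 0.0.0.0 unless the
     * conversion count is checked. */
    if (sscanf(argv[1], "%d.%d.%d.%d", &ip1[0], &ip1[1], &ip1[2], &ip1[3]) != 4 ||
        sscanf(argv[2], "%d.%d.%d.%d", &ip2[0], &ip2[1], &ip2[2], &ip2[3]) != 4) {
        printf(" Invalid address: expected dotted decimal a.b.c.d\n");
        WSACleanup();
        exit(1);
    }
    for (i = 0; i < 4; i++) {
        if (ip1[i] > 255 || ip1[i] < 0 || ip2[i] > 255 || ip2[i] < 0) {
            printf(" Invalid address: octets must be 0..255\n");
            WSACleanup();
            exit(1);
        }
    }

    InitializeCriticalSection(&cs);
    InitializeCriticalSection(&css);
    InitializeCriticalSection(&csshell);

    printf(" [+] Targets: %s-%s with %i Threads\n", argv[1], argv[2], total);

    /* infectado() appends every hit here; refuse to scan if it cannot be
     * opened rather than let the workers write through a NULL FILE *. */
    vuln = fopen("vuln.txt", "a");
    if (vuln == NULL) {
        perror(" [-] vuln.txt");
        WSACleanup();
        exit(1);
    }

    /* NOTE(review): the launch and wait loop were unreadable in the copy
     * reviewed ("for(i=0;i0) sleep(100);"); reconstructed from `total`, the
     * `threads` counter and checkea()'s _endthread(). */
    for (i = 0; i < total; i++) {
        if (_beginthread(checkea, 0, NULL) == (uintptr_t)-1)
            printf(" [-] could not start worker %i\n", i);
    }
    /* Give the workers a moment to register in `threads`; polling it right
     * away could see 0 before any thread has incremented it. */
    sleep(1000);
    while (threads > 0)
        sleep(100);

    fclose(vuln);
    WSACleanup();
    /* NOTE(review): exits with 1 on a successful run as well (original
     * behaviour); scripts should not read this as failure. */
    return 1;
}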