


STROBE 1.05(1)					   STROBE 1.05(1)


NAME
       strobe - Super optimised TCP port surveyor

SYNOPSIS
       strobe [ -vVmdbepPAtnSilfsaM ] [host1 ... [hostn]]

DESCRIPTION
       strobe is a network/security tool that locates and
       describes all listening tcp ports on a (remote) host or on
       many hosts in a bandwidth utilisation maximising, and
       process resource minimising manner.

       strobe approximates a parallel finite state machine
       internally. In non-linear multi-host mode it attempts to
       apportion bandwidth and sockets among the hosts very
       efficiently. This can reap appreciable gains in speed for
       multiple distinct hosts/routes.

       On a machine with a reasonable number of sockets, strobe
       is fast enough to port scan entire Internet subdomains.
       It is even possible to survey an entire small country in a
       reasonable time from a fast machine on the network
       backbone, provided the machine in question uses dynamic
       socket allocation or has had its static socket allocation
       increased very appreciably (check your kernel options). In
       this very limited application strobe is said to be faster
       than ISS2.1 (a high quality commercial security scanner by
       cklaus@iss.net and friends) or PingWare (also commercial).

OPTIONS
       -v     Verbose output.

       -V     Verbose statistical output.

       -m     Minimise output. Only print hostname, port  tuples.
	      Implies -d.  Useful for automated output parsing.

       -d     Delete duplicate entries for port descriptions, i.e.
              use only the first definition.

       -g     Disable usage of getpeername(2). On Solaris 2.3
              machines this causes a core dump, for reasons
              unknown. This behaviour is fixed with Solaris 2.4.
              Under Linux, HP and perhaps other unix
              implementations, false tcp connection positives may
              occur when this option is activated.

       -s     Statistical  information	describing the average of
	      all hosts surveyed is sent to stderr on completion.

       -q     Quiet mode. Don't print non-fatal errors or the (c)
	      message.

       -d     Display only the first description in the port
              services entry file (Cf. -B).

       -o file
	      Direct  output  (but  not any messages which can be
	      affected by -q) to file.

       -b number
	      Beginning (starting) port number.

       -e number
	      Ending port number.

       -p number
	      Port number if you intend to scan a single port.

       -P number
	      Local port to bind outgoing connection requests to.
	      (you  will  normally  need super-user privileges to
	      bind ports smaller than 1024)

       -A address
	      Interface	 address  to  send  outgoing   connection
	      requests from for multi-homed machines.

       -t number
              Time after which a connection attempt to a
              completely unresponsive host/port is aborted.

       -n number
              Use this number of sockets in parallel (defaults to
              64). strobe attempts to figure out if number is
              greater than the quantity of available sockets at
              any point in time -- and if so, only use the amount
              found. On some UNIX implementations such as
              Solaris, this appears not to work correctly and you
              may find yourself with unusual errors such as NO
              ROUTE TO HOST when you hit the socket ceiling.
              Remember that strobe probably isn't the only
              process on the system desiring a socket or two.
              Having strobe pilfer all the spare sockets away from
              inetd(8) and other daemons and clients isn't such a
              crash hot idea, unless you want to stop all new
              incoming and outgoing connections.

       -S file
	      Change  the  default port services description file
	      to file.	Note that if -S	 is  not  specified  port
	      services	are  loaded  from one of strobe.services,
	      /usr/local/lib/strobe.services, or /etc/services.

       -i file
              Obtain hostnames to strobe from file rather than
              from the command line. Note that only the first
              white-space separated word in each line of file is
              used, so one can feed in files such as /etc/hosts.
              If filename is '-', stdin will be used.

       -l     Probe hosts linearly (sequentially) rather than  in
	      parallel.	 The  actual ports on each host are still
	      checked in a parallel manner (with a parallelism of
	      -n (defaults to 64)).

       -f     Fast mode, probe only the tcp ports detailed in the
	      port services file (see -S).

       -a number
              Abort and skip to the next host after ports up to
              number have been probed and still no connections
              have occurred. Due to the parallel nature of the
              probing, reply packets for n+m may return before
              those relating to n. What this means is that ports
              > number may be probed. If strobe sees a connection
              on any one of these higher ports before it has
              negated all possibility of a service listening on
              ports <= number, then despite the fact that all
              ports up to and including number may turn out to be
              connectionless, strobe will `abort the abort'. This
              is considered optimal, if unusual, behaviour.

       -M     Mail  a  bug report, or tcp/udp port description to
	      the current source maintainer.

EXAMPLES
       strobe -n 120 -a 80 -i /etc/hosts -s -f -V -S services -o out

       strobe all entries in /etc/hosts (identical ip addresses
       are skipped automagically) using 120 sockets in parallel,
       but only check the individual tcp ports mentioned in
       services. If we have probed up to port 80 on a host and
       have still not yet evidenced a connection, then skip that
       host. Display speed/time statistics for each host and for
       the totality of hosts to stderr. Place the regular output
       in out.

       ypcat hosts | strobe -p 80 -t 2 -A 203.4.184.1 -P 53

       strobe all hosts	 in  your  hosts  YP/NIS-table	for  WWW-
       servers.	 Use  a	 timeout  of two seconds.  Set the source
       address to the 203.4.184.1 interface. Make all  connection
       requests appear to come from port 53 (DNS).
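
       Seen from the receiving network, the -P 53 example above leaves a
       recognisable trace: every connection attempt carries the same source
       port, whereas ordinary clients draw a fresh ephemeral port for each
       connection. The following is an added example, not part of strobe or
       its documentation; the record layout, thresholds and addresses are
       constructed assumptions.

```python
from collections import defaultdict

# Constructed connection-attempt records (not real traffic), one per line:
# "epoch_seconds src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
1000.0 198.51.100.7 53 192.0.2.10 80
1000.1 198.51.100.7 53 192.0.2.11 80
1000.1 198.51.100.7 53 192.0.2.12 80
1000.2 198.51.100.7 53 192.0.2.13 80
1000.4 198.51.100.7 53 192.0.2.14 80
1001.0 203.0.113.20 49152 192.0.2.10 443
1001.5 203.0.113.20 49153 192.0.2.10 443
1002.0 203.0.113.20 49154 192.0.2.11 443
1500.0 198.51.100.9 53 192.0.2.10 80
malformed line
"""

def parse(log):
    """Yield (ts, src_ip, src_port, dst_ip, dst_port); skip malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            yield (float(fields[0]), fields[1], int(fields[2]),
                   fields[3], int(fields[4]))
        except ValueError:
            continue

def pinned_source_ports(log, min_targets=4, window=10.0):
    """Flag (src_ip, src_port) pairs reused against at least min_targets
    distinct (dst_ip, dst_port) targets within `window` seconds."""
    seen = defaultdict(list)
    for ts, sip, sport, dip, dport in parse(log):
        seen[(sip, sport)].append((ts, (dip, dport)))
    alerts = []
    for (sip, sport), events in sorted(seen.items()):
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= min_targets:
            # A source port below 1024 means the sender bound it as super-user.
            alerts.append({"src": sip, "sport": sport, "targets": best,
                           "privileged": sport < 1024})
    return alerts
```

       The client at 203.0.113.20 is not flagged because each of its
       connections uses a different source port, which is the normal case.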


BUGS
       Strobe performs no other security functions (yet) and does
       not verify route blocking against  UDP  or  TCP	handshake
       sequence guessing one-way IP spoofing attacks.






AUTHOR
       Julian Assange

	      EMAIL:
		   strobe@suburbia.net
		   proff@suburbia.net

OFFICIAL DISTRIBUTION
       ftp://suburbia.net:/pub/strobe.tgz

COPYRIGHT
       Copyright   (c)	 Julian	 Assange  1995-1999,  All  rights
       reserved.

       This  software  has  only  three	 copyright  restrictions.
       Firstly,	 this  copyright  notice  must	remain intact and
       unmodified. Secondly, the Author, Julian Assange, must  be
       appropriately  and  prominantly credited in any documenta-
       tion associated with any	 derived  work.	  Thirdly  unless
       otherwise  negotiated  with  the	 author, you may not sell
       this program commercially, reasonable  distribution  costs
       excepted.

       Use  and	 or  distribution of this software implies accep-
       tance of the above.

       So there.


SEE ALSO
       nslookup(1), host(1), dig(1), socket(2), bind(2),
       connect(2), iss(1).



























