/* 
  kamikaze.c v0.4 : small, simple, http scanning tool by Interstellar Overdrive (interdrive@home.com)
 
  the reason why i wrote such a piece of code is simply because all cgi/http scanners
  floating around SUCK! !!Except whisker by rfp(it kicks ass)!!, greets to rfp anyways, the reason why 
  those scanners suck, (like cgichk1_xx.c, Neon_xx.c, twwwscan..etc) is that their authors 
  just copy cat the vuln strings from each others, store them in a fscking array, and let 
  the proggie request each array member from the http server, and each time a new cgi vulnerability
  is discovered at Bugtraq, the author just adds a new array member to his code and comment it with
  "Now updated with xxx scans !", the more hilarious thing is that they only scan in /cgi-bin/*,
   regardless of where the remote server's cgi's are stored. So as a conclusion, they are limited to
   what is written in the silly  code, you can't customize the scan eg: you are obliged to scan
   for /scripts/iisadmin/, /iisadmpwd/*, /msadcs/* ...etc even if you are scanning a Unix-based server! 
 
   now this one i wrote (kamikaze.c) is customizable, ie the vulns you want to scan are upon what you
   input in the config file, like /cgi-bin/phf
				  /cgi-bin/php.cgi....etc
 
    Or check for existing users via a dictionary attack like
	   	/~admin
   		/~root
   		/~hax0r
   		/~ftp ...etc 

   Or even brute force to check for misconfigured left files like :
   /passwd.txt, /passwd.asc, /passwd.bat, /passwd, /passwd.admin....etc 

*/


#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

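/*
 * Entry point.
 *
 * argv[1] is the host to connect to, argv[2] the TCP port and argv[3] a
 * local file holding one request path per whitespace-separated token.
 * For every token one "HEAD <path> HTTP/1.0" request is sent over a fresh
 * TCP connection and the first chunk of the reply is searched for a
 * "403 Forbidden" or "200 OK" status.  Every probe is a complete HTTP
 * request on its own connection, so each path tried is visible in the
 * server's access log.
 *
 * Returns 0 once the config file has been read to its end; exits with 1 on
 * a usage, lookup, port, file or connect error (same exit code as before).
 *
 * Fixes relative to v0.4: fscanf() is width-bounded, the request line is
 * built with snprintf() instead of strcpy()/strcat(), only the bytes of the
 * request are sent (the old code sent the whole 1024-byte buffer, including
 * uninitialised stack contents), the reply is NUL-terminated before
 * strstr(), socket()/send()/recv() results are checked, and the feof()
 * loop no longer processes the last token twice.
 */
int main(int argc, char *argv[])
{
	struct sockaddr_in r;
	struct hostent *http;
	FILE *users;
	char string[1024];	/* one token from the config file */
	char buff[1024];	/* start of the server's reply */
	char tempo[1024];	/* request line being sent */

	if (argc < 4) {
		fprintf(stderr, "Kamikaze v0.4 by Interstellar Overdrive (interdrive@home.com)\n");
		fprintf(stderr, "usage : %s <host> <port> [file]\n", argv[0]);
		fprintf(stderr, "	 host	:	http server to scan\n");
		fprintf(stderr, "	 port   :       the port httpd is listening on (usually 80)\n");
		fprintf(stderr, "	 file   :       local file that contains request strings\n");
		fprintf(stderr, "\n");
		exit(1);
	}

	if ((http = gethostbyname(argv[1])) == NULL) {
		printf("%s : hostname doesn't exist\n", argv[1]);
		exit(1);
	}

	/* strtol() instead of atoi(): reject junk and out-of-range ports
	 * instead of silently truncating them in htons() */
	errno = 0;
	char *end;
	long port = strtol(argv[2], &end, 10);
	if (end == argv[2] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
		fprintf(stderr, "%s : invalid port\n", argv[2]);
		exit(1);
	}

	memset(&r, 0, sizeof r);
	r.sin_family = AF_INET;
	r.sin_port = htons((unsigned short)port);
	/* h_addr is an alias for h_addr_list[0]; copy the bytes rather than
	 * dereferencing through a cast pointer */
	memcpy(&r.sin_addr, http->h_addr_list[0], sizeof r.sin_addr);

	if ((users = fopen(argv[3], "r")) == NULL) {
		printf("%s : File Not Found !\n", argv[3]);
		exit(1);
	}

	printf("\nStarting Scan against %s\n", argv[1]);
	printf("Config File : %s\n\n", argv[3]);

	/* "%1023s" leaves room for the terminator; looping on the fscanf()
	 * result (not feof()) stops exactly at the last token */
	while (fscanf(users, "%1023s", string) == 1) {
		/* snprintf() reports truncation instead of running past tempo */
		int n = snprintf(tempo, sizeof tempo, "HEAD %s HTTP/1.0\n\n", string);
		if (n < 0 || (size_t)n >= sizeof tempo) {
			fprintf(stderr, "%s : request too long, skipped\n", string);
			continue;
		}

		int s = socket(AF_INET, SOCK_STREAM, 0);
		if (s == -1) {
			perror("socket");
			exit(1);
		}
		if (connect(s, (struct sockaddr *)&r, sizeof r) == -1) {
			perror("connect");
			exit(1);
		}

		/* send exactly the request, never the whole buffer */
		if (send(s, tempo, (size_t)n, 0) == -1) {
			perror("send");
			close(s);
			continue;
		}

		/* recv() does not NUL-terminate; keep one byte for '\0' so the
		 * strstr() calls below stay inside buff */
		ssize_t got = recv(s, buff, sizeof buff - 1, 0);
		close(s);
		if (got <= 0) {
			continue;	/* no reply to match against */
		}
		buff[got] = '\0';

		if (strstr(buff, "403 Forbidden")) {
			printf("[403] %s \tExists\n", string);
		}
		if (strstr(buff, "200 OK")) {
			printf("[200] %s \tExists\n", string);
		}
	}

	fclose(users);
	return 0;
}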

/* EOF  */
