Why use a 5MB Python script when you can use an 8KB Lwanga binary?

We are building a tool that checks if a specific port is open by attempting a connection at the syscall level. If the connect syscall returns 0, the port is open. If it returns a negative value (like -111 for Connection Refused), it's closed.
The Code: This code is based on the logic in Lesson 35 of the Lwanga tutorial. It uses syscall 41 (socket) and 42 (connect).
// Lwanga Port Prober
// Goal: Check if port 80 is open on localhost (127.0.0.1)
fn main() -> u64 {
    let socket_fd: i64;
    let result: i64;

    // 1. Initialize Socket
    // socket(AF_INET: 2, SOCK_STREAM: 1, Protocol: 0)
    unsafe {
        socket_fd = syscall(41, 2, 1, 0);
    }
    if (socket_fd < 0) {
        return 1; // Failed to create socket
    }

    // 2. Connection Attempt
    // Note: In a full implementation, you'd define the sockaddr_in struct.
    // For this snippet, we assume 'addr_ptr' points to a pre-configured
    // struct for 127.0.0.1:80.
    unsafe {
        result = syscall(42, socket_fd, addr_ptr, 16);
    }

    // 3. Evaluate and Report
    if (result == 0) {
        let open_msg: str = "Status: Port 80 is OPEN\n";
        unsafe {
            syscall(1, 1, open_msg, 24);
        }
    } else {
        let closed_msg: str = "Status: Port 80 is CLOSED\n";
        unsafe {
            syscall(1, 1, closed_msg, 26);
        }
    }

    // 4. Cleanup
    unsafe {
        syscall(3, socket_fd); // close()
    }
    return 0;
}
Anti-Forensics: By using direct syscalls instead of connect() from libc, your binary doesn't show up in standard user-mode API logs used by many EDRs.
Static Binaries: Lwanga produces binaries that don't need a dynamic linker. You can drop this 8KB file onto a target system and it will run without needing any libraries installed.
Raw Memory Control: You are manually managing the sockaddr structure, allowing you to craft non-standard packets for advanced scanning techniques later.
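The direct-syscall point above covers user-mode hooks only: the kernel still sees syscall 42, so Linux audit records it whether or not libc is involved. The following added example (not code from the Lwanga tutorial or this post) parses constructed auditd records, assuming a rule such as `-a always,exit -F arch=b64 -S connect -k net_connect`, and decodes the 16-byte sockaddr_in together with the 0 / -111 return values described earlier; the sample log, the key name and /tmp/prober are assumptions.

```python
import re
import socket
import struct

# Constructed auditd records (not captured from a real host); the rule key
# "net_connect" and the path /tmp/prober are assumptions for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffc0a10 a2=10 a3=0 items=0 ppid=900 pid=4242 uid=1000 comm="prober" exe="/tmp/prober" key="net_connect"
type=SOCKADDR msg=audit(1700000000.101:501): saddr=020000507F0000010000000000000000
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffc0a10 a2=10 a3=0 items=0 ppid=900 pid=4243 uid=1000 comm="prober" exe="/tmp/prober" key="net_connect"
type=SOCKADDR msg=audit(1700000000.202:502): saddr=020000167F0000010000000000000000
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=0 items=0 ppid=900 pid=4243 uid=1000 comm="prober" exe="/tmp/prober" key="net_connect"
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_sockaddr_in(hexstr):
    """Decode the sockaddr_in passed to connect(); None if not AF_INET."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or struct.unpack("<H", raw[:2])[0] != socket.AF_INET:
        return None
    port = struct.unpack("!H", raw[2:4])[0]  # port is stored big-endian
    return socket.inet_ntoa(raw[4:8]), port

def connect_attempts(log_text):
    """Return one dict per x86-64 connect() call (syscall 42) in the log."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        events.setdefault(event_id, {})[rtype] = fields  # join by event id
    results = []
    for recs in events.values():
        sc = recs.get("SYSCALL", {})
        if sc.get("arch") != "c000003e" or sc.get("syscall") != "42":
            continue
        dest = decode_sockaddr_in(recs.get("SOCKADDR", {}).get("saddr", ""))
        code = int(sc["exit"])  # 0 = connected, -111 = ECONNREFUSED
        state = "open" if code == 0 else "refused" if code == -111 else "error"
        results.append({"exe": sc["exe"], "pid": int(sc["pid"]), "dest": dest, "exit": code, "state": state})
    return results

if __name__ == "__main__":
    for hit in connect_attempts(SAMPLE_LOG):
        print(hit)
```

Any exit value other than 0 or -111 is reported as "error" rather than "closed", since a timeout or unreachable network is not the same as a refused connection.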