最近开始一步步地学习Python,后面将会把各种Python的学习笔记再整合一下,现在先补上上次端口扫描的脚本,因为原理几乎都是利用scapy的一句话所以重复的地方这里就不多说了,有注意点就再说~
udp_scan.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import time
import sys
if len(sys.argv)!=4:
print "Usage : ./udp_scan.py [IP] [First Port] [End Port]"
sys.exit()
ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3])
for port in range(start,end):
a=sr1(IP(dst=ip)/UDP(dport=port),timeout=5,verbose=0)
time.sleep(1)
if a==None:
print port
else:
pass
verbose参数指定为0则表示在返回给变量a的包中先不显示内容。
tcp_scan.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
ip=sys.argv[1]
port=int(sys.argv[2])
SYN=IP(dst=str(ip))/TCP(dport=port,flags='S')
print "-- SENT --"
SYN.display()
print "\n\n-- RECEIVED --"
response=sr1(SYN,timeout=1,verbose=0)
response.display()
if int(response[TCP].flags)==18:
print "\n\n-- SENT --"
A=IP(dst=str(ip))/TCP(dport=port,flags='A',ack=(response[TCP].seq+1))
A.display()
print"\n\n-- RECEIVED --"
response2=sr1(A,timeout=1,verbose=0)
response2.display()
else:
print "SYN/ACK not returned"
这里先显示发送的SYN包,在发送之后再显示接收到的包的内容,如果收到的是SYN/ACK包即收到的包中TCP的flags为18则再发送ACK包来确认。整个过程是通过三次握手来确定的。
syn_scan.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv)!=4:
print "Usage : ./syn_scan.py [IP] [First Port] [End Port]"
sys.exit()
ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3])
for port in range(start,end):
a=sr1(IP(dst=ip)/TCP(dport=port),timeout=1,verbose=0)
if a==None:
pass
else:
if int(a[TCP].flags)==18:
print port
else:
pass
使用默认的TCP扫描即可。
可以看到Flags为SA,即Syn和Ack位都为1其它位都为0,将000000010010这个二进制数转化为十进制数刚好为10,所以通过int()函数将该二进制数转化为十进制数从而来进行判断是否是SA包从而推测端口是否开放。
zombie.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
def ipid(zombie):
reply1=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
send(IP(dst=zombie)/TCP(flags="SA"),verbose=0)
reply2=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
if reply2[IP].id==(reply1[IP].id+2):
print "IPID sequence is incremental and target appears to be idle. ZOMBIE LOCATED"
response=raw_input("Do you want to use this zombie to perform a scan? (Y or N): ")
if response=="Y":
target=raw_input("Enter the IP address of the target system: ")
zombiescan(target,zombie)
else:
print "Either the IPID sequence is not incremental or the target is not idle. NOT A GOOD ZOMBIE"
def zombiescan(target,zombie):
print "\nScanning target "+target+" with zombie "+zombie
print "\n-----Open Ports on Target-----\n"
for port in range(1,1000):
try:
start_val=sr1(IP(dst=zombie)/TCP(flags="SA",dport=port),timeout=2,verbose=0)
send(IP(src=zombie,dst=target)/TCP(flags="S",dport=port),verbose=0)
end_val=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
if end_val[IP].id==(start_val[IP].id+2):
print port
except:
pass
print "-----Zombie Scan Suite-----\n"
print "1 - Identify Zombie Host \n"
print "2 - Perform Zombie Scan \n"
ans=raw_input("Select an Option (1 or 2) : ")
if ans=="1":
zombie=raw_input("Enter IP address to test IPID sequence : ")
ipid(zombie)
else:
if ans=="2":
zombie=raw_input("Enter IP address for zombie system : ")
target=raw_input("Enter IP address for scan target : ")
zombiescan(target.zombie)
程序分为两个部分,先是询问是否要进行Zombie机的测试,然后再利用Zombie机来扫描目标主机。原理在上一篇已经说得差不多了这里就不多讲了。
往后会接着写更多关于Python的学习笔记,望各位指导指导~