1、基于ICMP的主机发现
python实现主机探测
from scapy.all import *
from scapy.layers.inet import IP, ICMP
from random import randint
from argparse import ArgumentParser
# 主函数
def main():
# 输出帮助信息
usage = 'python %(prog)s -i <target host>'
parser = ArgumentParser(usage=usage)
# 获取IP地址参数
parser.add_argument('-i', '--ip', dest='targetIP', type=str, required=True)
# 对输入参数进行解析
options = parser.parse_args()
print("Scan report for: " + options.targetIP + "\n")
# 判断是单台主机还是多台主机
# IP中存在-,说明是要扫描多台主机
if '-' in options.targetIP:
# 代码举例:192.168.1.1-120
# 通过'-'进行分隔,把192.168.1.1和120分开
# 把192.168.1.1通过‘.' 进行分隔,去最后一个数作为range函数的start,然后把120 + 1作为range函数的stop
# 循环遍历出需要扫描的IP地址
for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
Scan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
time.sleep(0.2)
else:
Scan(options.targetIP)
print("\nScan fininshed!...\n")
# 扫描主机
def Scan(ip):
ip_id = randint(1, 65535)
icmp_id = randint(1, 65535)
icmp_seq = randint(1, 65535)
packet = IP(dst=ip, ttl=64, id=ip_id)/ICMP(id=icmp_id, seq=icmp_seq)/b'rootkit'
result = sr1(packet, timeout=1, verbose=False)
if result:
for rcv in result:
scan_ip = rcv[IP].src
print(scan_ip + '--->' 'Host is up')
else:
print(ip + '--->' 'Host is down')
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print("interrupte by user, killing all threads...")
通过nmap实现主机探测
import nmap
import argparse
def main():
usage = 'python %(prog)s -i <target host>'
parser = argparse.ArgumentParser(usage=usage)
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
options = parser.parse_args()
if '-' in options.targetIP:
for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
NmapScan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
else:
NmapScan(options.targetIP)
def NmapScan(targetIP):
# 实例化portScanner对象
nm = nmap.PortScanner()
try:
# hosts为目标IP地址,argusments为Nmap的扫描参数
# -sn:使用ping进行扫描
# -PE:使用ICMP的echo请求包(-PP:使用timestamp请求包 -PM:netmask请求包)
result = nm.scan(hosts=targetIP, arguments='-sn -PE')
# 对结果进行切片,提取主机状态信息
state = result['scan'][targetIP]['status']['state']
print("[{}] is [{}]".format(targetIP, state))
except Exception as e:
pass
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print('interrupte by user, killing all threads...')
2、基于TCP的主机发现
python通过ACK包探测主机
import argparse
from random import randint
from scapy.layers.inet import IP, TCP
from scapy.all import *
def main():
usage = 'usage: python %(prog)s -i <target host>'
parser = argparse.ArgumentParser(usage=usage)
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
options = parser.parse_args()
if '-' in options.targetIP:
for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
Scan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
else:
Scan(options.targetIP)
def Scan(targetIP):
try:
dport = randint(1, 65535)
packet = IP(dst=targetIP)/TCP(flags='A', dport=dport)
response = sr1(packet, timeout=1.0, verbose=False)
if response:
if int(response[TCP].flags) == 4:
time.sleep(0.5)
print(targetIP + ' ' + 'is up')
else:
print(targetIP + ' ' + 'is down')
else:
print(targetIP + ' ' + 'is down')
except:
pass
if __name__ == '__main__':
try:
main()
except Exception as e:
print('interrupter by user, killing all threads...')
python通过nmap模块实现TCP主机探测
# 作者:wang
# 时间:2023/12/8 13:50
import nmap
import argparse
def main():
usage = 'usage:python %(prog)s -i <target IP>'
parser = argparse.ArgumentParser(usage=usage)
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
options = parser.parse_args()
if '_' in options.targetIP:
for i in range(int(options.taregetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
NmapScan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
else:
NmapScan(options.targetIP)
def NmapScan(ip):
nm = nmap.PortScanner()
try:
result = nm.scan(hosts=ip, arguments='-sT')
state = result['scan'][ip]['status']['state']
print("[{}] is [{}]".format(ip, state))
except Exception as e:
pass
if __name__ == '__main__':
main()
3、基于UDP的主机发现
python实现UDP主机探测
import argparse
from random import randint
from scapy.all import *
from scapy.layers.inet import IP, UDP
def main():
parser = argparse.ArgumentParser(usage='usage:python %(prog)s -i <target host>')
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
options = parser.parse_args()
if '-' in options.targetIP:
for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
Scan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
else:
Scan(options.targetIP)
def Scan(ip):
try:
dport = randint(1, 65535)
packet = IP(dst=ip)/UDP(dport=dport)
response = sr1(packet, timeout=1, verbose=0)
if response:
if int(response[IP].proto) == 1:
time.sleep(0.5)
print(ip + ' ' + 'is up')
else:
print(ip + ' ' + 'is down')
else:
print(ip + ' ' + 'is down')
except:
pass
if __name__ == '__main__':
try:
main()
except Exception as e:
print('interrupter by user, killing all threads...')
python通过nmap模块实现UDP主机探测
result = nm.scan(hosts=targetIP, arguments='-PU')
4、基于ARP的主机发现
python实现ARP主机探测
import os
import re
import argparse
from scapy.all import *
from scapy.layers.inet import IP
from scapy.layers.l2 import Ether, ARP
# 获取本机IP地址和MAC地址
def HostAddress(iface):
# os.popen执行后返回执行结果
ipData = os.popen('ifconfig' + iface)
# 对ipData进行类型转换,在用正则进行匹配
dataLine = ipData.readlines()
# re.search利用正则匹配返回第一个成功匹配的结果,存在结果则为true
# 取MAC地址
if re.search('\w\w:\w\w:\w\w:\w\w:\w\w:\w\w', str(dataLine)):
# 取出匹配的结果
MAC = re.search('\w\w:\w\w:\w\w:\w\w:\w\w:\w\w', str(dataLine)).group(0)
# 取IP地址
if re.search(r'((2[0-4]\d|25[0-5]|[01]?\d\d?)\.){3}(2[0-4]\d|25[0-5]|[01]?\d\d?)', str(dataLine)):
IP = re.search(r'((2[0-4]\d|25[0-5]|[01]?\d\d?)\.){3}(2[0-4]\d|25[0-5]|[01]?\d\d?)', str(dataLine))
addressInfo = (IP, MAC)
return addressInfo
# ARP扫描函数
def ArpScan(iface='eth0'):
# 通过HostAddress返回的元组取出MAC地址
mac = HostAddress(iface)[1]
# 取出本机IP地址
ip = HostAddress(iface)[0]
# 对本机IP地址进行分隔并作为依据元素,用于生成需要扫描的IP地址
ipSplit = ip.split('.')
# 需要扫描的IP地址列表
ipList = []
# 根据本机IP生成IP扫描范围
for i in range(1, 255):
ipItem = ipSplit[0] + '.' + ipSplit[1] + '.' + ipSplit[2] + '.' + str(i)
ipList.append(ipItem)
'''
发送ARP包
因为要用到OSI的二层和三层,所以要写成Ether/ARP.
因为最底层用到了二层,所以要用srp()发包
'''
packet = Ether(src=mac, dst='FF:FF:FF:FF:FF:FF')/ARP(op=1, hwsrc=mac, hwdst='00:00:00:00:00:00', pdst=ipList, iface=iface, timeout=2, verbose=False)
result = srp(packet)
# 读取result中的应答包和应答包内容
resultAns = result[0].res
# 存活主机列表
liveHost = []
# number为接收到的应答总数
number = len(resultAns)
print("==============================")
print('ARP 探测结果 ')
print("本机IP地址: " + ip)
print("本机MAC地址:" + mac)
print("==============================")
for x in range(number):
IP = resultAns[x][1][1].fields['psrc']
MAC = resultAns[x][1][1].fields['hwsrc']
liveHost.append([IP, MAC])
print("IP:" + IP + "\n\n" + "MAC" + MAC)
print("===========================")
# 把存活主机IP写入文件
resultFile = open("result", "w")
for i in range(len(liveHost)):
resultFile.write(liveHost[i][0] + '\n')
resultFile.close()
def main():
parser = argparse.ArgumentParser(usage='usage:python %(prog)s -i interface \n'
'Example: python %(prog)s -i eth0\n')
# 添加网卡参数 -i
parser.add_argument('-i', '--iface', dest='iface', required=True, help='interface name')
options = parser.parse_args()
ArpScan(options.iface)
if __name__ == '__main__':
try:
main()
except Exception as e:
print('Error...')
python通过nmap模块实现ARP扫描
result = nm.scan(hosts=targetIP, arguments='-PR')
5、端口探测
python实现端口探测
import sys
import socket
import argparse
import threading
import queue
# 端口扫描类,集成threading.Thread
class PortScaner(threading.Thread):
# 需要传入端口队列、目标IP,探测超时时间
def __init__(self, portqueue, ip, timeout=3):
threading.Thread.__init__(self)
self._portqueue = portqueue
self._ip = ip
self._timeout = timeout
def run(self):
while True:
# 判断端口队列是否为空
if self._portqueue.empty():
# 端口队列为空,说明已经扫描完毕,跳出循环
break
# 从端口队列取出端口,超时时间为1s
port = self._portqueue.get(timeout=0.5)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(self._timeout)
result_code = s.connect_ex((self._ip, port))
# sys.stdout.write("[%d]Scan\n" % port)
# 若端口开放,则会返回0
if result_code == 0:
sys.stdout.write("[%d] OPEN\n" % port)
except Exception as e:
print(e)
finally:
s.close()
def StartScan(targetip, port, threadNum):
# 端口列表
portList = []
portNumb = port
# 判断是单个端口还是范围端口
if '-' in port:
for i in range(int(port.split('-')[0]), int(port.split('-')[1]) + 1):
portList.append(i)
else:
portList.append(int(port))
# 目标IP地址
ip = targetip
# 线程列表
threads = []
# 线程数量
threadNumber = threadNum
# 端口队列
portQueue = queue.Queue()
# 生成端口,加入端口队列
for port in portList:
portQueue.put(port)
for t in range(threadNumber):
threads.append(PortScaner(portQueue, ip, timeout=3))
# 启动线程
for thread in threads:
thread.start()
# 阻塞线程
for thread in threads:
thread.join()
if __name__ == '__main__':
try:
parser = argparse.ArgumentParser()
# 目标IP参数-i
parser.add_argument('-i', '--ip', dest='targetIP', help='target IP', required=True)
# 添加端口参数-p
parser.add_argument('-p', '--port', dest='port', help='Scann port', required=True)
# 线程数量参数-t
parser.add_argument('-t', '--thread', dest='threadNum', default=100, help='scann thread number')
options = parser.parse_args()
StartScan(options.targetIP, options.port, options.threadNum)
except:
pass
python通过nmap模块实现端口探测
import nmap
import argparse
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
parser.add_argument('-p', '--port', dest='PORT', default='80')
options = parser.parse_args()
for i in range(0, len(options.PORT.split(','))):
NmapScan(options.targetIP, options.PORT.split(',')[i])
def NmapScan(ip, port):
nm = nmap.PortScanner()
try:
result = nm.scan(hosts=ip, arguments='-p' + str(port))
# 对结果进行切片,提取端口信息
# 这里需要注意的是,提取信息时需要把端口转化为int型
port_infor = result['scan'][ip]['tcp'][int(port)]
print("[{}] :[{}]".format(port, port_infor['state']))
except:
pass
if __name__ == '__main__':
try:
main()
except:
pass
6、服务识别
python实现服务识别
import argparse
import socket
import re
import time
SIGNS = (
# 协议 | 版本 | 关键字
b'FTP|FTP|^220.*FTP',
b'MySQL|MySQL|mysql_native_password',
b'oracle-https|^220- ora',
b'Telnet|Telnet|Telnet',
b'Telnet|Telnet|^\r\n%connection closed by remote host!\x00$',
b'VNC|VNC|^RFB',
b'IMAP|IMAP|^\* OK.*?IMAP',
b'POP|POP|^\+Ok.*?',
b'SMTP|SMTP|^220.*?SMTP',
b'Kangle|Kangle|HTTP.*kangle',
b'SMTP|SMTP|^554 SMTP',
b'SSH|SSH|^SSH-',
b'HTTPS|HTTPS|Location: https',
b'HTTP|HTTP|HTTP/1.1',
b'HTTP|HTTP|HTTP/1.0'
)
def main():
parser = argparse.ArgumentParser()
# 获取IP地址参数
parser.add_argument('-i', '--ip', dest='IP', type=str, help='specity target host',required=True)
# 获取端口参数
parser.add_argument('-p', '--port', dest='PORT', type=str, help='specity target port',required=True)
options = parser.parse_args()
ip = options.IP
port = options.PORT
print("Scan report for" + ip + "\n")
for line in port.split(','):
request(ip, line)
time.sleep(0.2)
print("\nScan finished!...\n")
def request(ip, port):
response = ''
PROBE = 'GET / HTTP/1.0\r\n\r\n'
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
result = sock.connect((ip, int(port)))
if result == 0:
try:
sock.sendall(PROBE.encode())
response = sock.recv(256)
if response:
regex(response, port)
except(ConnectionResetError, socket.timeout):
pass
else:
pass
sock.close()
def regex(response, port):
text = ""
if re.search(b'<title>502 Bad Gateway', response):
proto = {"Service failed to access!!"}
for pattern in SIGNS:
pattern = pattern.split(b'|')
if re.search(pattern[-1], response, re.IGNORECASE):
proto = "[" + port + "]" + " open " + pattern[1].decode()
break
else:
proto = "[" + port + "]" + " open " + "Unrecognized"
print(proto)
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print('interrupted by user, killing all threads...')
python通过nmap模块实现服务识别
import nmap
import argparse
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
parser.add_argument('-p', '--port', dest='PORT', default='80')
options = parser.parse_args()
for i in range(0, len(options.PORT.split(','))):
NmapScan(options.targetIP, options.PORT.split(',')[i])
def NmapScan(ip, port):
nm = nmap.PortScanner()
try:
# hosts为目标IP地址,argusments为Nmap的扫描参数
# -p:对指定端口进行扫描
# -sV:对端口进行服务程序探测
result = nm.scan(hosts=ip, arguments='-sV -p' + str(port))
# 对结果进行切片,提取端口信息
# 这里需要注意的是,提取信息时需要把端口转化为int型
port_infor = result['scan'][ip]['tcp'][int(port)]
# 分别显示 端口号:端口状态 端口服务:端口服务程序
print("[{}:{}] : [{}:{}]".format(port, port_infor['state'], port_infor['name'], port_infor['product']))
except Exception as e:
print(e)
if __name__ == '__main__':
try:
main()
except:
pass
7、系统识别
主动探测:向目标主机发送一段特定的数据包,根据目标主机对数据包做出的回应进行分析,判断目标主机中可能得操作系统。与被动探测相比,结果更加精确,但也容易触发目标安全系统的警报。
被动探测:通过工具嗅探、记录、分析数据包流。根据数据包信息来分析目标主机的操作系统。与主动探测相比不够精确,但不容易被目标主机安全系统察觉。
python通过ttl返回值判断主机操作系统
import os
import re
import argparse
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
options = parser.parse_args()
ip = options.targetIP
ttl_scan(ip)
def ttl_scan(ip):
ttlstrmatch = re.compile(r'ttl=\d+')
ttlnummatch = re.compile(r'\d+')
result = os.popen("ping -c 1 " + ip)
res = result.read()
for line in res.splitlines():
result = ttlstrmatch.findall(line)
if result:
ttl = ttlnummatch.findall(result[0])
if int(ttl[0]) <= 64:
print("%s is Linux/UNIX" %ip)
else:
print("%s is Windows" %ip)
else:
pass
if __name__ == '__main__':
main()
python通过nmap模块识别主机操作系统
import nmap
import argparse
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-i', '--ip', dest='targetIP', required=True)
options = parser.parse_args()
NmapScan(options.targetIP)
def NmapScan(ip):
nm = nmap.PortScanner()
try:
result = nm.scan(hosts=ip, arguments='-O')
os = result["scan"][ip]['osmatch'][0]['name']
print("=" * 20)
print("ip:{} \nos:{}".format(ip, os))
print("=" * 20)
except:
pass
8、敏感目录探测
python实现基于字典的敏感目录探测
import requests
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}
url = input("url: ")
# 输入字典
txt = input('php.txt')
url_list = []
if txt == "":
txt = "php.txt"
try:
with open(txt, 'r') as f:
for a in f:
a = a.replace('\n', '')
url_list.append(a)
except:
print("error! ")
for li in url_list:
conn = "http://" + url + "/" + li
try:
response = requests.get(conn, headers=headers)
print("%s----------%s" % (conn, response))
except Exception as e:
print('%s----------%s' % (conn, response))