本文主要是介绍主动信息收集之端口扫描的一些脚本,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
最近开始一步步地学习Python,后面将会把各种Python的学习笔记再整合一下,现在先补上上次端口扫描的脚本,因为原理几乎都是利用scapy的一句话所以重复的地方这里就不多说了,有注意点就再说~
udp_scan.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import time
import sysif len(sys.argv)!=4:print "Usage : ./udp_scan.py [IP] [First Port] [End Port]"sys.exit()ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3])for port in range(start,end):a=sr1(IP(dst=ip)/UDP(dport=port),timeout=5,verbose=0)time.sleep(1)if a==None:print portelse:passverbose参数指定为0则表示在返回给变量a的包中先不显示内容。
tcp_scan.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sysip=sys.argv[1]
port=int(sys.argv[2])SYN=IP(dst=str(ip))/TCP(dport=port,flags='S')print "-- SENT --"
SYN.display()print "\n\n-- RECEIVED --"
response=sr1(SYN,timeout=1,verbose=0)
response.display()if int(response[TCP].flags)==18:print "\n\n-- SENT --"A=IP(dst=str(ip))/TCP(dport=port,flags='A',ack=(response[TCP].seq+1))A.display()print"\n\n-- RECEIVED --"response2=sr1(A,timeout=1,verbose=0)response2.display()
else:print "SYN/ACK not returned"这里先显示发送的SYN包,在发送之后再显示接收到的包的内容,如果收到的是SYN/ACK包即收到的包中TCP的flags为18则再发送ACK包来确认。整个过程是通过三次握手来确定的。
syn_scan.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sysif len(sys.argv)!=4:print "Usage : ./syn_scan.py [IP] [First Port] [End Port]"sys.exit()ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3])for port in range(start,end):a=sr1(IP(dst=ip)/TCP(dport=port),timeout=1,verbose=0)if a==None:passelse:if int(a[TCP].flags)==18:print portelse:pass使用默认的TCP扫描即可。
可以看到Flags为SA,即Syn和Ack位都为1其它位都为0,将000000010010这个二进制数转化为十进制数刚好为10,所以通过int()函数将该二进制数转化为十进制数从而来进行判断是否是SA包从而推测端口是否开放。
zombie.py:
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *def ipid(zombie):reply1=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)send(IP(dst=zombie)/TCP(flags="SA"),verbose=0)reply2=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)if reply2[IP].id==(reply1[IP].id+2):print "IPID sequence is incremental and target appears to be idle. ZOMBIE LOCATED"response=raw_input("Do you want to use this zombie to perform a scan? (Y or N): ")if response=="Y":target=raw_input("Enter the IP address of the target system: ")zombiescan(target,zombie)else:print "Either the IPID sequence is not incremental or the target is not idle. NOT A GOOD ZOMBIE"def zombiescan(target,zombie):print "\nScanning target "+target+" with zombie "+zombieprint "\n-----Open Ports on Target-----\n"for port in range(1,1000):try:start_val=sr1(IP(dst=zombie)/TCP(flags="SA",dport=port),timeout=2,verbose=0)send(IP(src=zombie,dst=target)/TCP(flags="S",dport=port),verbose=0)end_val=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)if end_val[IP].id==(start_val[IP].id+2):print portexcept:passprint "-----Zombie Scan Suite-----\n"
print "1 - Identify Zombie Host \n"
print "2 - Perform Zombie Scan \n"
ans=raw_input("Select an Option (1 or 2) : ")
if ans=="1":zombie=raw_input("Enter IP address to test IPID sequence : ")ipid(zombie)
else:if ans=="2":zombie=raw_input("Enter IP address for zombie system : ")target=raw_input("Enter IP address for scan target : ")zombiescan(target.zombie)程序分为两个部分,先是询问是否要进行Zombie机的测试,然后再利用Zombie机来扫描目标主机。原理在上一篇已经说得差不多了这里就不多讲了。
往后会接着写更多关于Python的学习笔记,望各位指导指导~
这篇关于主动信息收集之端口扫描的一些脚本的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
