主动信息收集之端口扫描的一些脚本

最近开始一步步地学习Python，后面将会把各种Python的学习笔记再整合一下，现在先补上上次端口扫描的脚本，因为原理几乎都是利用scapy的一句话所以重复的地方这里就不多说了，有注意点就再说~

udp_scan.py：

#!/usr/bin/pythonimport logginglogging.getLogger("scapy.runtime").setLevel(logging.ERROR)from scapy.all import *import timeimport sysif len(sys.argv)!=4:print "Usage : ./udp_scan.py [IP] [First Port] [End Port]"sys.exit()ip=sys.argv[1]start=int(sys.argv[2])end=int(sys.argv[3])for port in range(start,end):a=sr1(IP(dst=ip)/UDP(dport=port),timeout=5,verbose=0)time.sleep(1)if a==None:print portelse:pass

verbose参数指定为0则表示在返回给变量a的包中先不显示内容。

tcp_scan.py：

#!/usr/bin/pythonimport logginglogging.getLogger("scapy.runtime").setLevel(logging.ERROR)from scapy.all import *import sysip=sys.argv[1]port=int(sys.argv[2])SYN=IP(dst=str(ip))/TCP(dport=port,flags='S')print "-- SENT --"SYN.display()print "\n\n-- RECEIVED --"response=sr1(SYN,timeout=1,verbose=0)response.display()if int(response[TCP].flags)==18:print "\n\n-- SENT --"A=IP(dst=str(ip))/TCP(dport=port,flags='A',ack=(response[TCP].seq+1))A.display()print"\n\n-- RECEIVED --"response2=sr1(A,timeout=1,verbose=0)response2.display()else:print "SYN/ACK not returned"

这里先显示发送的SYN包，在发送之后再显示接收到的包的内容，如果收到的是SYN/ACK包即收到的包中TCP的flags为18则再发送ACK包来确认。整个过程是通过三次握手来确定的。

syn_scan.py：

#!/usr/bin/pythonimport logginglogging.getLogger("scapy.runtime").setLevel(logging.ERROR)from scapy.all import *import sysif len(sys.argv)!=4:print "Usage : ./syn_scan.py [IP] [First Port] [End Port]"sys.exit()ip=sys.argv[1]start=int(sys.argv[2])end=int(sys.argv[3])for port in range(start,end):a=sr1(IP(dst=ip)/TCP(dport=port),timeout=1,verbose=0)if a==None:passelse:if int(a[TCP].flags)==18:print portelse:pass

使用默认的TCP扫描即可。

这里用Wireshark来分析为啥值要等于18，打开扫描80端口时返回的包：

可以看到Flags为SA，即Syn和Ack位都为1其它位都为0，将000000010010这个二进制数转化为十进制数刚好为10，所以通过int()函数将该二进制数转化为十进制数从而来进行判断是否是SA包从而推测端口是否开放。

zombie.py：

#!/usr/bin/pythonimport logginglogging.getLogger("scapy.runtime").setLevel(logging.ERROR)from scapy.all import *def ipid(zombie):reply1=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)send(IP(dst=zombie)/TCP(flags="SA"),verbose=0)reply2=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)if reply2[IP].id==(reply1[IP].id+2):print "IPID sequence is incremental and target appears to be idle. ZOMBIE LOCATED"response=raw_input("Do you want to use this zombie to perform a scan? (Y or N): ")if response=="Y":target=raw_input("Enter the IP address of the target system: ")zombiescan(target,zombie)else:print "Either the IPID sequence is not incremental or the target is not idle. NOT A GOOD ZOMBIE"def zombiescan(target,zombie):print "\nScanning target "+target+" with zombie "+zombieprint "\n-----Open Ports on Target-----\n"for port in range(1,1000):try:start_val=sr1(IP(dst=zombie)/TCP(flags="SA",dport=port),timeout=2,verbose=0)send(IP(src=zombie,dst=target)/TCP(flags="S",dport=port),verbose=0)end_val=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)if end_val[IP].id==(start_val[IP].id+2):print portexcept:passprint "-----Zombie Scan Suite-----\n"print "1 - Identify Zombie Host \n"print "2 - Perform Zombie Scan \n"ans=raw_input("Select an Option (1 or 2) : ")if ans=="1":zombie=raw_input("Enter IP address to test IPID sequence : ")ipid(zombie)else:if ans=="2":zombie=raw_input("Enter IP address for zombie system : ")target=raw_input("Enter IP address for scan target : ")zombiescan(target.zombie)

程序分为两个部分，先是询问是否要进行Zombie机的测试，然后再利用Zombie机来扫描目标主机。原理在上一篇已经说得差不多了这里就不多讲了。

往后会接着写更多关于Python的学习笔记，望各位指导指导~