TCP Scan for Linux-python-scapy

Source: Internet
Author: User
Tags: ack, sprintf, stateful firewall

  • TCP Connect Scan:
    The client completes a full three-way handshake with the server; if the handshake succeeds, the port is open.
  • TCP SYN Scan (also known as half-open scan or stealth scan):
    This technique is very similar to a connect scan. The client sends a packet with the SYN flag set to the target port; if the port is open, the server answers with a TCP packet carrying the SYN and ACK flags.
  • TCP Xmas Tree Scan:
    The client sends a packet with the PSH, FIN and URG flags set to the target port. If the port is open, the server sends nothing back; if the server returns a TCP packet with the RST flag, the port is closed.
  • TCP FIN Scan:
    The client sends a TCP packet with only the FIN flag set to the target port. No reply means the port is open; an RST reply means the port is closed.
  • TCP NULL Scan:
    The client sends a TCP packet with no flags set at all, only the port number. No reply means the port is open; an RST reply means the port is closed.
  • TCP ACK Scan:
    The ACK scan does not discover whether a port is open or closed; it reveals whether a stateful firewall sits in front of the server, so its result can only say whether the port is filtered. The client sends a packet with the ACK flag set to the target port. If the server returns a TCP packet with the RST flag, the port is unfiltered and there is no stateful firewall. If the server does not respond, or returns an ICMP type 3 error with code 1, 2, 3, 9, 10 or 13, the port is filtered and a stateful firewall is present.
  • TCP Window Scan:
    A window scan proceeds like an ACK scan: the client sends a TCP packet with the ACK flag set to the target port, but this scan can also tell the state of the port. In an ACK scan an RST reply only means "unfiltered"; in a window scan the window-size field of that RST is inspected, and a non-zero window size means the target port is open.
    1. SYN Scan:

    >>> i = IP()
    >>> t = TCP()
    >>> i.dst = '10.202.32.0/24'      # a contiguous address range
    >>> t.sport = 8888
    >>> t.dport = [3389,80,21,22,23,443,445,137,138,139]   # or (1,1024)
    [] gives a list of individual ports, () gives a contiguous port range
    >>> t.flags = 'S'    # flags may also be given numerically, e.g. ACK as 16
    >>> response = i/t   # set the flags before stacking: i/t copies the layers

  • TCP flag bit values, from the low bit upwards: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32

    >>> ans, unans = sr(response)
    >>> ans.show()
    0000 IP / TCP 192.168.80.250:8888 > 10.202.32.1:ssh S ==> IP / TCP 10.202.32.1:ssh > 192.168.80.250:8888 SA / Padding
    0001 IP / TCP 192.168.80.250:8888 > 10.202.32.74:microsoft_ds S ==> IP / TCP 10.202.32.74:microsoft_ds > 192.168.80.250:8888 SA / Padding
    0002 IP / TCP 192.168.80.250:8888 > 10.202.32.74:netbios_ns S ==> IP / TCP 10.202.32.74:netbios_ns > 192.168.80.250:8888 RA / Padding
    0003 IP / TCP 192.168.80.250:8888 > 10.202.32.74:netbios_ssn S ==> IP / TCP 10.202.32.74:netbios_ssn > 192.168.80.250:8888 SA / Padding
    To watch the packets on the wire:
    >>> sniff(iface="eth0", prn=lambda x: x.show())
    To post-process the answered pairs (each element of ans is a (sent, received) tuple):
    >>> ans.summary(lambda sr: sr[1].sprintf("%IP.src%\t%TCP.sport%\t%TCP.flags%"))
    10.200.230.1    ssh             SA
    10.200.230.11   3389            SA
    10.200.230.11   loc_srv         SA
    10.200.230.11   microsoft_ds    SA
    10.200.230.12   3389            SA
    10.200.230.12   https           SA
    10.200.230.40   3389            SA
    10.200.230.41   3389            SA
    10.200.230.42   loc_srv         SA
    10.200.230.42   microsoft_ds    SA
    10.200.230.50   3389            SA
    2. TCP ACK Scan:
    >>> i = IP()
    >>> i.dst = '10.200.193.0/24'
    >>> t = TCP()
    >>> t.flags = 'A'
    >>> t.sport = 9999
    >>> t.dport = [3389,21,22,23,80,443]
    >>> response = i/t
    >>> ans, unans = sr(response)
    >>> ans.show()
    0000 IP / TCP 192.168.80.250:9999 > 10.200.193.0:3389 A ==> IP / TCP 10.200.193.0:3389 > 192.168.80.250:9999 R / Padding
    0001 IP / TCP 192.168.80.250:9999 > 10.200.193.0:ftp A ==> IP / TCP 10.200.193.0:ftp > 192.168.80.250:9999 R / Padding
    0002 IP / TCP 192.168.80.250:9999 > 10.200.193.0:ssh A ==> IP / TCP 10.200.193.0:ssh > 192.168.80.250:9999 R / Padding
    0003 IP / TCP 192.168.80.250:9999 > 10.200.193.0:telnet A ==> IP / TCP 10.200.193.0:telnet > 192.168.80.250:9999 R / Padding
    If the server returns a TCP packet with the RST ID, the port is not filtered and there is no stateful firewall.
    To watch the packets on the wire:
    >>> sniff(iface="eth0", prn=lambda x: x.show())
    To post-process the answered pairs (sprintf prints ?? for a layer that is absent, here the ICMP layer of a plain RST reply):
    >>> ans.summary(lambda sr: sr[1].sprintf("%IP.src%\t%TCP.sport%\t%TCP.flags%\t%ICMP.type%"))
    10.200.193.1    3389    R   ??
    10.200.193.1    ftp     R   ??
    10.200.193.1    ssh     R   ??
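As an added example (not the page's own code, and scapy is not needed to run it), the decision rules from the scan-type list above, applied to the kind of tab-separated lines the two `ans.summary(...)` listings print; the sample lines are constructed after the SYN output, and the `open|filtered` label for a silent FIN/NULL/Xmas probe is a caveat of mine, since a firewall that drops the probe is just as silent as an open port.

```python
# Added example, not from the original page: apply the decision rules above to
# the replies a SYN, FIN/NULL/Xmas, ACK or window scan gets back. Flag letters
# follow scapy; bit values are FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.
from typing import Optional, Tuple

FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32}
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}   # ICMP type 3 codes = filtered

def flags_to_int(flags: str) -> int:
    """'SA' -> 18, the numeric form scapy also accepts in TCP(flags=18)."""
    return sum(FLAG_BITS[c] for c in flags.upper())

def classify(scan: str, flags: Optional[str], window: int = 0,
             icmp: Optional[Tuple[int, int]] = None) -> str:
    """Port state for one reply; flags=None means no TCP reply was seen."""
    bits = flags_to_int(flags) if flags else 0
    rst = bool(bits & FLAG_BITS["R"])
    if scan == "syn":
        if bits & FLAG_BITS["S"] and bits & FLAG_BITS["A"]:
            return "open"
        return "closed" if rst else "filtered"
    if scan in ("fin", "null", "xmas"):
        # the rule says silence = open, but a dropping firewall is just as
        # silent, so the honest label is the nmap-style "open|filtered"
        return "closed" if rst else "open|filtered"
    if scan == "ack":
        if rst:
            return "unfiltered"   # RST came back: no stateful firewall in the way
        if flags is None and (icmp is None or
                              (icmp[0] == 3 and icmp[1] in FILTERED_ICMP_CODES)):
            return "filtered"
        return "unknown"
    if scan == "window":
        return ("open" if window else "closed") if rst else "filtered"
    raise ValueError("unknown scan type: " + scan)

def parse_summary(text: str, scan: str) -> dict:
    """Turn the tab-separated summary lines shown above into {(src, port): state}.
    scapy's sprintf prints ?? for a missing layer, i.e. no TCP reply."""
    states = {}
    for line in text.strip().splitlines():
        src, port, flags = line.split("\t")[:3]
        states[(src, port)] = classify(scan, None if flags == "??" else flags)
    return states

# constructed sample, modelled on the SYN-scan summary shown above
SYN_SAMPLE = ("10.200.230.1\tssh\tSA\n10.200.230.11\t3389\tSA\n"
              "10.202.32.74\tnetbios_ns\tRA\n")
```

For a window scan the window-size field has to be read from the reply packet itself (scapy exposes it as `TCP.window`), which the summary string above does not include.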
