Reprint note: please credit @xiaowuyi: http://www.cnblogs/xiaowuyi
With scapy installed (covered in the first two notes), run sudo scapy on Linux.
I. Simple packet sending
1. send() sends packets at layer 3 (IP) and does not receive replies. For example:
>>> send(IP(dst=,ttl=)/ packets.
This is equivalent to pinging Baidu with ttl = 1.
2. sendp() sends packets at layer 2 (Ethernet) and likewise does not receive replies. For example:
>>> sendp(Ether()/IP(dst=,ttl=)/
>>> sendp(Ether()/IP(dst=,ttl=)/
 packets.
3. sr() sends packets at layer 3 and also receives the replies. For example:
>>> p=sr(IP(dst=,ttl=)/
* packets, got answers, remaining
>>>
<Results: TCP: UDP: ICMP: Other:>, <Unanswered: TCP: UDP: ICMP: Other:>
>>> p[
<Results: TCP: UDP: ICMP: Other:>
>>> p[
IP / ICMP . > . echo-request ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
For example, sending four packets in a row with ttl set to 1, 2, 3 and 4:
>>> p=sr(IP(dst=,ttl=(,))/
*.*.*.* packets, got answers, remaining
>>>
<Results: TCP: UDP: ICMP: Other:>, <Unanswered: TCP: UDP: ICMP: Other:>
>>> p[
IP / ICMP . > . echo-request ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
IP / ICMP . > . echo-request ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
IP / ICMP . > . echo-request ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
IP / ICMP . > . echo-request ==> IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
>>>
4. sr1() sends packets at layer 3 and receives replies, but returns only the first reply. Using the same four packets as an example:
>>> q=sr1(IP(dst=,ttl=(,))/
*.*.*.* packets, got answers, remaining
>>>
<IP version= ihl= tos= len= id= flags= frag= ttl= proto=icmp chksum= src=. dst=. options=[] |<ICMP type=time-exceeded code=ttl-zero-during-transit chksum= unused= |<IPerror version= ihl= tos= len= id= flags= frag= ttl= proto=icmp chksum= src=. dst=. options=[] |<ICMPerror type=echo-request code= chksum= id= seq= |>>>>
5. srloop():
>>> p=srloop(IP(dst=,ttl=)/
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
^
 packets, received packets. %
>>> p=srloop(IP(dst=,ttl=)/ICMP(),inter=,count=
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
: IP / ICMP . > . time-exceeded ttl-zero-during-transit / IPerror /
 packets, received packets. % hits.
Here the first statement pings Baidu continuously until interrupted. The second pings every 3 seconds and runs twice in total: inter is the interval between packets and count is the number of packets to send.
6. srp(), srp1() and srploop() correspond to 3, 4 and 5 but work at layer 2.
II. SYN scanning
SYN scan: also called half-open scanning, because it never completes the TCP three-way handshake. The scanner sends a SYN segment to the target port. If the target answers with SYN/ACK, the port is listening; otherwise it answers with RST/ACK.
>>> sr1(IP(dst=)/TCP(dport=,flags=
* packets, got answers, remaining
<IP version= ihl= tos= len= id= flags= frag= ttl= proto=tcp chksum= src=. dst=. options=[] |<TCP sport=http dport=ftp_data seq= ack= dataofs= reserved= flags=SA window= chksum= urgptr= |>>
>>> sr1(IP(dst=)/TCP(dport=,flags=
* packets, got answers, remaining
<IP version= ihl= tos= len= id= flags= frag= ttl= proto=icmp chksum= src=. dst=. options=[] |<ICMP type=dest-unreach code=communication-prohibited chksum= unused= |<IPerror version= ihl= tos= len= id= flags= frag= ttl= proto=tcp chksum= src=. dst=. options=[] |<TCPerror sport=ftp_data dport= seq= |>>>>
From the results: when scanning port 80 of Baidu (61.135.169.105), the reply has ACK = 1, i.e. flags = SA, so the port is listening. When scanning port 81, no reply with ACK = 1 or flags = SA comes back, so it is not listening. Note that what actually came back for port 81 is an ICMP dest-unreach / communication-prohibited, which is a filtering device rejecting the probe rather than a RST/ACK from the host itself.
To scan several ports at once, give a port range, for example ports 80-83 of Baidu:
>>> sr(IP(dst=)/TCP(dport=(,),flags=))
To scan ports 3389, 80, and:
>>> sr(IP(dst=)/TCP(dport=[,,],flags=))
To display the results compactly:
>>> ans,unans=
>>> ans.summary(lambda(s,r):r.sprintf(
RA
When I scan ports 80-83, the scan keeps running. After I stop it with Ctrl+C, I only get two results. I have not figured out why. As follows:
>>> sr(IP(dst=,ttl=)/TCP(dport=(,),flags=
*.*^ packets, got answers, remaining
<Results: TCP: UDP: ICMP: Other:>, <Unanswered: TCP: UDP: ICMP: Other:>
>>> ans,unans=
>>>
/ TCP .:ftp_data > .:http S ==> IP / TCP .:http > .
/ TCP .:ftp_data > .: S ==> IP / ICMP . > . dest-unreach communication-prohibited / IPerror /
>>> ans.summary(lambda(s,r):r.sprintf(
?? ??
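As an added example (not part of the original post and not scapy's own code), here is the SYN / SYN-ACK / RST-ACK exchange above seen from the defender's side: a small Python detector that parses raw IPv4/TCP headers with struct and flags a source that probes several ports without ever completing a handshake, the half-open signature this section describes. The addresses, ports and packets are constructed sample input (RFC 5737 documentation ranges) so it runs offline without scapy.

```python
import struct
from collections import defaultdict
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits, scapy's S, R and A

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP header, checksums zero, never transmitted."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, None for anything else."""
    ihl = (raw[0] & 0x0F) * 4 if raw else 0
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6 or len(raw) < ihl + 20:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return src, dst, sport, dport, off_flags & 0x1FF

def syn_scan_report(packets, min_ports=3):
    """Per (client, server): port states from replies (SA open, RA closed) and a half-open flag."""
    syns, replies, completed = defaultdict(set), defaultdict(dict), defaultdict(set)
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if (flags & (SYN | ACK | RST)) == SYN:          # bare SYN: a probe or a normal connect
            syns[(src, dst)].add(dport)
        elif (flags & (SYN | ACK)) == SYN | ACK:        # server answered SA: port is listening
            replies[(dst, src)][sport] = "open"
        elif (flags & (RST | ACK)) == RST | ACK:        # server answered RA: port is closed
            replies[(dst, src)][sport] = "closed"
        elif (flags & (SYN | ACK | RST)) == ACK and dport in syns[(src, dst)]:
            completed[(src, dst)].add(dport)            # client's third ACK: a real connection
    report = {}
    for pair, ports in syns.items():
        report[pair] = {"ports": replies[pair],
                        "half_open_scan": len(ports) >= min_ports and not completed[pair]}
    return report

# Constructed sample traffic: one scanner probing 80, 81 and 3389, plus one real client on 80.
SCANNER, CLIENT, TARGET = "192.0.2.10", "192.0.2.20", "198.51.100.5"
SAMPLE = [build_ipv4_tcp(*p) for p in [
    (SCANNER, TARGET, 40000, 80, SYN), (TARGET, SCANNER, 80, 40000, SYN | ACK),
    (SCANNER, TARGET, 40000, 81, SYN), (TARGET, SCANNER, 81, 40000, RST | ACK),
    (SCANNER, TARGET, 40000, 3389, SYN), (CLIENT, TARGET, 50000, 80, SYN),
    (TARGET, CLIENT, 80, 50000, SYN | ACK), (CLIENT, TARGET, 50000, 80, ACK)]]
```

Calling syn_scan_report(SAMPLE) marks the scanner pair as a half-open scan with port 80 open and 81 closed, while the client that finished its handshake is not flagged.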
III. TCP traceroute
Traceroute: used to trace the path from a source to a destination. With traceroute we can see the route a packet takes from your computer to a host on the other side of the Internet. The path taken by individual packets from the same source to the same destination can differ, but most of the time the route is the same.
>>> ans,unans=sr(IP(dst=,ttl=(,),id=RandShort())/TCP(flags=
*.*.*.*.*.*.*.*.*.*.*Finished to send *.*.*.*.*.*.*.*.*.*....^
 packets, got answers, remaining
>>> snd,rcv
. . . . . . . . . . . . . . . . . . . . . True