TCP Connect Scan:
The client completes a full three-way handshake with the server; if the handshake succeeds, the port is open;
TCP SYN Scan (also known as half-open scan or stealth scan):
This technique is very similar to the connect scan. The client sends a packet with the SYN flag set to the target port; if the port is open, the server answers with a TCP packet that has SYN and ACK set. The client then does not complete the handshake, which is why the scan is called half-open;
TCP Christmas Tree (Xmas) Scan:
In an Xmas scan the client sends a packet with the PSH, FIN and URG flags set to the target port. If the port is open there is no response from the server. If the server returns a TCP packet with the RST flag set, the port is closed.
TCP FIN Scan:
The FIN scan sends a TCP packet with only the FIN flag set to the target port. If there is no response from the server, the port is open. If the server returns an RST packet, the port is closed.
TCP NULL Scan:
In a NULL scan the TCP packets sent by the client carry only the port number and no flags at all. If the target port is open, nothing is returned. If the server returns an RST packet, the port is closed.
TCP ACK Scan:
The ACK scan is not used to discover whether a port is open or closed; it is used to discover whether a stateful firewall sits in front of the server, so its result can only say whether the port is filtered. The client sends a packet with the ACK flag set to the target port. If the server returns a TCP packet with the RST flag set, the port is not filtered and there is no stateful firewall. If the server does not respond, or returns an ICMP error of type 3 with code 1, 2, 3, 9, 10 or 13, the port is filtered and a stateful firewall is present.
TCP Window Scan:
The window scan proceeds like an ACK scan: the client sends a TCP packet with the ACK flag set to the target port. Unlike the ACK scan, it can be used to learn the state of the port. In an ACK scan a returned RST only means "not filtered"; in a window scan the window size of the returned RST is examined, and a non-zero window size means the target port is open.
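The response rules above, written out as plain Python, followed by a small detector that flags sources sending scan-style probes in a packet log. This is an added example, not code from the original post; the log format ("src dst dport flags") and the sample lines are constructed for the example, and the flag bit values are the standard TCP ones (FIN=1 up to URG=32).

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32  # TCP flag bit values, low to high
LETTER = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}
NAMES = {SYN: "SYN", ACK: "ACK", FIN: "FIN", 0: "NULL", FIN | PSH | URG: "Xmas"}

def flags_to_int(letters):
    """Scapy-style flag string ('SA', 'FPU', '' for none) -> bit value."""
    return sum(LETTER[c] for c in letters.upper())

def probe_type(flags):
    return NAMES.get(flags, "other")  # name the scan technique the probe belongs to

def port_state(probe, reply=None, window=0, icmp=None):
    """Interpretation rules for one probe/reply pair: reply is the reply's
    flag value (None = silence), icmp is (type, code) of an ICMP error."""
    kind = probe_type(probe)
    if kind == "SYN":
        return "filtered" if reply is None else ("open" if reply & SYN and reply & ACK else "closed")
    if kind in ("FIN", "NULL", "Xmas"):
        # silence is what an open port looks like, but a dropped probe looks the same
        return "open|filtered" if reply is None else ("closed" if reply & RST else "unknown")
    if kind == "ACK":
        if reply is not None and reply & RST:
            return "unfiltered" if window == 0 else "open"  # window scan rule
        if reply is None or (icmp and icmp[0] == 3 and icmp[1] in (1, 2, 3, 9, 10, 13)):
            return "filtered"
    return "unknown"

# Constructed log lines, "src dst dport flags" ('-' = no flags set).
SAMPLE_LOG = """\
192.168.80.250 10.202.32.1 22 S
192.168.80.250 10.202.32.1 80 S
192.168.80.250 10.202.32.1 443 S
192.168.80.250 10.202.32.1 3389 S
10.0.0.7 10.202.32.1 22 S
10.0.0.9 10.202.32.1 80 -
10.0.0.9 10.202.32.1 443 FPU
"""

def detect_scanners(log, min_ports=3):
    """Sources that probe many ports, or send flag sets no normal client emits."""
    ports, kinds = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        src, _dst, dport, flags = line.split()
        ports[src].add(int(dport))
        kinds[src].add(probe_type(flags_to_int(flags.replace("-", ""))))
    return {src: sorted(kinds[src]) for src in ports
            if len(ports[src]) >= min_ports or kinds[src] & {"NULL", "FIN", "Xmas"}}
```

A single SYN to one port (10.0.0.7 above) is not reported, while a NULL or Xmas probe is reported on its own because no normal TCP stack sends those flag combinations.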
1. SYN scan:
>>> i = IP()
>>> t = TCP()
>>> i.dst = '10.202.32.0/24'      # a contiguous address range
>>> t.sport = 8888
>>> t.dport = [3389,80,21,22,23,443,445,137,138,139]    # or (1,1024)
[] lists individual ports, () gives a contiguous port range
>>> t.flags = 'S'    # flags can also be given numerically, e.g. ACK = 16
Flag bit values, low to high: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32
>>> probe = i/t      # build the packet after setting the flags: i/t copies both layers
>>> ans, unans = sr(probe)
>>> ans.show()
0000 IP / TCP 192.168.80.250:8888 > 10.202.32.1:ssh S ==> IP / TCP 10.202.32.1:ssh > 192.168.80.250:8888 SA / Padding
0001 IP / TCP 192.168.80.250:8888 > 10.202.32.74:microsoft_ds S ==> IP / TCP 10.202.32.74:microsoft_ds > 192.168.80.250:8888 SA / Padding
0002 IP / TCP 192.168.80.250:8888 > 10.202.32.74:netbios_ns S ==> IP / TCP 10.202.32.74:netbios_ns > 192.168.80.250:8888 RA / Padding
0003 IP / TCP 192.168.80.250:8888 > 10.202.32.74:netbios_ssn S ==> IP / TCP 10.202.32.74:netbios_ssn > 192.168.80.250:8888 SA / Padding
To watch the traffic on the wire:
>>> sniff(iface="eth0", prn=lambda x: x.show())
To tabulate the answers (each element of ans is a (sent, received) pair):
>>> ans.summary(lambda sr: sr[1].sprintf("%IP.src%\t%TCP.sport%\t%TCP.flags%"))
10.200.230.1 SSH SA
10.200.230.11 3389 SA
10.200.230.11 Loc_srv SA
10.200.230.11 Microsoft_ds SA
10.200.230.12 3389 SA
10.200.230.12 HTTPS SA
10.200.230.40 3389 SA
10.200.230.41 3389 SA
10.200.230.42 Loc_srv SA
10.200.230.42 Microsoft_ds SA
10.200.230.50 3389 SA
2. TCP ACK scan:
>>> i = IP()
>>> i.dst = '10.200.193.0/24'
>>> t = TCP()
>>> t.flags = 'A'
>>> t.sport = 9999
>>> t.dport = [3389,21,22,23,80,443]
>>> probe = i/t
>>> ans, unans = sr(probe)
>>> ans.show()
0000 IP / TCP 192.168.80.250:9999 > 10.200.193.0:3389 A ==> IP / TCP 10.200.193.0:3389 > 192.168.80.250:9999 R / Padding
0001 IP / TCP 192.168.80.250:9999 > 10.200.193.0:ftp A ==> IP / TCP 10.200.193.0:ftp > 192.168.80.250:9999 R / Padding
0002 IP / TCP 192.168.80.250:9999 > 10.200.193.0:ssh A ==> IP / TCP 10.200.193.0:ssh > 192.168.80.250:9999 R / Padding
0003 IP / TCP 192.168.80.250:9999 > 10.200.193.0:telnet A ==> IP / TCP 10.200.193.0:telnet > 192.168.80.250:9999 R / Padding
If the server returns a TCP packet with the RST flag set, the port is not filtered and there is no stateful firewall.
To watch the traffic on the wire:
>>> sniff(iface="eth0", prn=lambda x: x.show())
To tabulate the answers (the ICMP column prints ?? when the reply has no ICMP layer):
>>> ans.summary(lambda sr: sr[1].sprintf("%IP.src%\t%TCP.sport%\t%TCP.flags%\t%ICMP.type%"))
10.200.193.1 3389 R??
10.200.193.1 ftp R??
10.200.193.1 ssh R??
TCP Scan for Linux-python-scapy