This article to share is the use of PYTHON3 implementation of the TCP full-connection port scanner production process, including ideas and code, very simple to understand, recommended to everyone
In the initial phase of penetration testing, we usually need to gather information about the target, and port scanning is a crucial step in information gathering. With port scanning we can see which services are open to the target host, and can even guess some vulnerabilities based on the service. TCP port scanning is generally divided into the following types:
TCP Connect Scan: Also known as full-connection scan, this way directly connected to the target port, the completion of the TCP three handshake process, this way the scan results are more accurate, but the speed is relatively slow and can easily be detected by the target system.
TCP SYN Scan: Also known as semi-open scan, this way sends a SYN packet, initiates a TCP session, and waits for the target response packet. If you receive an RST package, the port is closed, and if you receive a syn/ack packet, the corresponding port is open.
TCP FIN Scan: This way sends a FIN packet that represents the removal of an active TCP connection and lets the other person close the connection. If an RST package is received, the corresponding port is closed.
TCP Xmas Scan: This method is set to 1 packets by sending the PSH, FIN, URG, and TCP flag bits. If an RST package is received, the corresponding port is closed.
Below we will use Python3 to implement the TCP full-port scanner, the following into the programming link.
Coding combat
全连接扫描
The core of the approach is to make a TCP connection for different ports and to determine if the port is open based on the success of the connection, now let's implement one of the simplest port scanners:
#!/usr/bin/python3#-*-coding:utf-8-*-from Socket import *def Portscanner (host,port): try: s = socket (af_inet , Sock_stream) S.connect ((host,port)) print (' [+]%d open '% port) s.close () except: print (' [-]% D Close '% Port ' def main (): setdefaulttimeout (1) for p in range (1,1024): portscanner (' 192.168.0.100 ', p) if Name = = ' main ': Main ()
The core of this code is the portScanner
function, from which the content can be seen, just a simple TCP connection, if the connection is successful is determined to open the port, otherwise considered closed. Let's look at the results of the operation:
This kind of scan looks too inefficient, and actually very slow, because we set the default timeout of 1 seconds, this scan 10,000 ports, not to wait for the flowers to thank? The simplest way is to use it 多线程
to improve efficiency, although Python's multithreading is a bit too weak, but at least we can use the time we wait to do something else. In addition, before scanning the port more, the information displayed we look inconvenient, this time we only show what we care about 打开的端口
, and will open the number of ports at the end of the scan display.
#!/usr/bin/python3#-*-coding:utf-8-*-from socket import *import Threadinglock = Threading. Lock () opennum = 0threads = []def portscanner (host,port): global Opennum try: s = socket (af_inet,sock_ STREAM) S.connect ((host,port)) Lock.acquire () opennum+=1 print (' [+]%d open '% port) Lock.release () s.close () except: passdef Main (): setdefaulttimeout (1) for p in range (1,1024 ): t = Threading. Thread (target=portscanner,args= (' 192.168.0.100 ', p)) Threads.append (t) T.start () for T in Threads: t.join () print (' [*] the scan is complete! ') Print (' [*] A total of%d open port '% (opennum)) if name = = ' main ': Main ()
Run a look at the effect, such as:
Does this look much more convenient? At this point the efficiency of the problem solved, and now we also need to add a parameter resolution for the scanner function, so as to look like, can not always change the code to modify the scan target and port bar!
Parameter parsing we will use the standard module of Python3 argparse
, so we can save ourselves the trouble of parsing the string! Here's a look at the code:
#!/usr/bin/python3#-*-coding:utf-8-*-from socket import *import threadingimport Argparselock = Threading. Lock () opennum = 0threads = []def portscanner (host,port): global Opennum try: s = socket (af_inet,sock_ STREAM) S.connect ((host,port)) Lock.acquire () opennum+=1 print (' [+]%d open '% port) Lock.release () s.close () except: passdef Main (): p = argparse. Argumentparser (description= ' Port scanner!. ') P.add_argument ('-h ', dest= ' hosts ', type=str) args = P.parse_args () hostList = Args.hosts.split (', ') Setdefaulttimeout (1) for host in hostList: print (' Scanning the host:%s ... '% (host)) for p in range ( 1,1024): t = Threading. Thread (target=portscanner,args= (host,p)) threads.append (t) T.start () for T in Threads: t.join () print (' [*] The host:%s scan is complete! '% (host)) print (' [*] A total of%d open port '% (opennum)) if name = = ' main ': Main ()
Look at the effect of the operation, such as:
At this point our port scanner is basically completed, although the function is relatively simple, designed to express the basic implementation of port scanners ideas! As for the more detailed function can be based on this basic structure to gradually improve!
Summary
This section mainly explains the Python3 implementation of a simple port scanner process, the experiment using the TCP full connection, and constantly try to connect the host port to determine the port opening, although there are some shortcomings, but this way is best for beginners to learn, It will not be difficult to learn in more complicated ways. Want to extrapolate friends can be based on the protocol and port control relationship to complete the scan at the same time the output of the protocol, so it will look better, as for the more detailed features left for you to do the exercise!