Created
October 21, 2013 07:38
-
-
Save zypeh/7079970 to your computer and use it in GitHub Desktop.
A simple snippets from [Infosec Institute]("http://resources.infosecinstitute.com/port-scanning-using-scapy/")
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # !/usr/python | |
| # The FIN scan utilizes the FIN flag inside the TCP packet, | |
| # along with the port number to connect to on the server. | |
| # If there is no response from the server, then the port is open. | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| fin_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="F"),timeout=10) | |
| if (str(type(fin_scan_resp))=="<type 'NoneType'>"): | |
| print "Open|Filtered" | |
| # If the server responds with an RST flag set in the TCP packet for the FIN scan | |
| # request packet, then the port is closed on the server. | |
| elif(fin_scan_resp.haslayer(TCP)): | |
| if(fin_scan_resp.getlayer(TCP).flags == 0x14): | |
| print "Closed" | |
| # An ICMP packet with ICMP type 3 and code 1, 2, 3, 9, 10, or 13 in response to | |
| # the FIN scan packet from the client means that the port is filtered and the port state cannot be found. | |
| elif(fin_scan_resp.haslayer(ICMP)): | |
| if(int(fin_scan_resp.getlayer(ICMP).type)==3 and int(fin_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]): | |
| print "Filtered" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/python | |
| # In a NULL scan, no flag is set inside the TCP packet. The TCP packet is | |
| # sent along with the port number only to the server. | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| null_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags=""),timeout=10) | |
| # If the server sends no response to the NULL scan packet, then that particular port is open. | |
| if (str(type(null_scan_resp))=="<type 'NoneType'>"): | |
| print "Open|Filtered" | |
| # If the server responds with the RST flag set in a TCP packet, then the port is closed on the server. | |
| elif(null_scan_resp.haslayer(TCP)): | |
| if(null_scan_resp.getlayer(TCP).flags == 0x14): | |
| print "Closed" | |
| # An ICMP error of type 3 and code 1, 2, 3, 9, 10, or 13 means the port is filtered on the server. | |
| elif(null_scan_resp.haslayer(ICMP)): | |
| if(int(null_scan_resp.getlayer(ICMP).type)==3 and int(null_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]): | |
| print "Filtered" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| # The TCP ACK scan is not used to find the open or closed state of a port; | |
| # It is used to find if a stateful firewall is present on the server or not. | |
| # It only tells if the port is filtered or not. This scan type cannot find the open/closed state of the port. | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| ack_flag_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="A"),timeout=10) | |
| # A TCP packet with the ACK flag set and the port number to connect to is sent to the server. | |
| # If the server responds with the RSP flag set inside a TCP packet, then the port is unfiltered and a stateful firewall is absent. | |
| if (str(type(ack_flag_scan_resp))=="<type 'NoneType'>"): | |
| print "Stateful firewall present\n(Filtered)" | |
| # If the server doesn’t respond to our TCK ACK scan packet or if it responds with a TCP packet with ICMP type 3 or code 1, 2, 3, 9, 10, or 13 set, | |
| # then the port is filtered and a stateful firewall is present. | |
| elif(ack_flag_scan_resp.haslayer(TCP)): | |
| if(ack_flag_scan_resp.getlayer(TCP).flags == 0x4): | |
| print "No firewall\n(Unfiltered)" | |
| elif(ack_flag_scan_resp.haslayer(ICMP)): | |
| if(int(ack_flag_scan_resp.getlayer(ICMP).type)==3 and int(ack_flag_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]): | |
| print "Stateful firewall present\n(Filtered)" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| # This script sends the first handshake using the SYN flag and port to connect to the server in a TCP packet. | |
| # If the server responds with a RST instead of a SYN-ACK, then that particular port is closed on the server. | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| tcp_connect_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=10) | |
| if(str(type(tcp_connect_scan_resp))=="<type 'NoneType'>"): | |
| print "Closed" | |
| elif(tcp_connect_scan_resp.haslayer(TCP)): | |
| if(tcp_connect_scan_resp.getlayer(TCP).flags == 0x12): | |
| send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="AR"),timeout=10) | |
| print "Open" | |
| elif (tcp_connect_scan_resp.getlayer(TCP).flags == 0x14): | |
| print "Closed" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # !/usr/python | |
| # Similar to the TCP connect scan. This time we sends a TCP packet with the | |
| # SYN flag set and the port number to connect to. If the port is open, the | |
| # server responds with the SYN and ACK flags inside a TCP packet. | |
| # But this time the client sends a RST flag in a TCP packet and not RST+ACK, | |
| # which was the case in the TCP connect scan. | |
| #! /usr/bin/python | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| stealth_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=10) | |
| if(str(type(stealth_scan_resp))=="<type 'NoneType'>"): | |
| print "Filtered" | |
| elif(stealth_scan_resp.haslayer(TCP)): | |
| if(stealth_scan_resp.getlayer(TCP).flags == 0x12): | |
| send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="R"),timeout=10) | |
| print "Open" | |
| elif (stealth_scan_resp.getlayer(TCP).flags == 0x14): | |
| print "Closed" | |
| elif(stealth_scan_resp.haslayer(ICMP)): | |
| if(int(stealth_scan_resp.getlayer(ICMP).type)==3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]): | |
| print "Filtered" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| # A TCP window scan uses the same technique as that of TCP ACK scan. It also sends a TCP packet with the ACK | |
| # flag set and the port number to connect to. But this scan type can be used to find the state of the port on the | |
| # server. In a TCP ACK scan, an RST indicates an unfiltered state. But in a TCP windows scan, when an RST is | |
| # received from the server, it then checks the value of the windows size. If the value of window size is positive, | |
| # then the port is open on the server. | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| window_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="A"),timeout=10) | |
| if (str(type(window_scan_resp))=="<type 'NoneType'>"): | |
| print "No response" | |
| # If the windows size of the TCP packet with the RST flag set to zero, then the port is closed on the server. | |
| elif(window_scan_resp.haslayer(TCP)): | |
| if(window_scan_resp.getlayer(TCP).window == 0): | |
| print "Closed" | |
| elif(window_scan_resp.getlayer(TCP).window > 0): | |
| print "Open" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=53 | |
| dst_timeout=10 | |
| def udp_scan(dst_ip,dst_port,dst_timeout): | |
| udp_scan_resp = sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout) | |
| # If the server sends no response to the client’s UDP request packet for that port, | |
| # it can be concluded that the port on the server is either open or filtered. No final state of the port can be decided. | |
| if (str(type(udp_scan_resp))=="<type 'NoneType'>"): | |
| retrans = [] | |
| for count in range(0,3): | |
| retrans.append(sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout)) | |
| for item in retrans: | |
| if (str(type(item))!="<type 'NoneType'>"): | |
| udp_scan(dst_ip,dst_port,dst_timeout) | |
| return "Open|Filtered" | |
| # The client sends a UDP packet with the port number to connect to. | |
| # If the server responds to the client with a UDP packet, then that particular port is open on the server. | |
| elif (udp_scan_resp.haslayer(UDP)): | |
| return "Open" | |
| # The client sends a UDP packet and the port number it wants to connect to, but the server responds with an ICMP | |
| # port unreachable error type 3 and code 3, meaning that the port is closed on the server. | |
| elif(udp_scan_resp.haslayer(ICMP)): | |
| if(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code)==3): | |
| return "Closed" | |
| # If ICMP error type 3 and code 1, 2, 9, 10, or 13, then that port on the server is filtered. | |
| elif(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code) in [1,2,9,10,13]): | |
| return "Filtered" | |
| udp_scan(dst_ip,dst_port,dst_timeout) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| # In the XMAS scan, a TCP packet with the PSH, FIN, and URG flags set, along with | |
| # the port to connect to, is sent to the server. | |
| # If the port is open, then there will be no response from the server. | |
| import logging | |
| logging.getLogger("scapy.runtime").setLevel(logging.ERROR) | |
| from scapy.all import * | |
| dst_ip = "10.0.0.1" | |
| src_port = RandShort() | |
| dst_port=80 | |
| xmas_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="FPU"),timeout=10) | |
| if (str(type(xmas_scan_resp))=="<type 'NoneType'>"): | |
| print "Open|Filtered" | |
| # If the server responds with the RST flag set inside a TCP packet, | |
| # the port is closed on the server. | |
| elif(xmas_scan_resp.haslayer(TCP)): | |
| if(xmas_scan_resp.getlayer(TCP).flags == 0x14): | |
| print "Closed" | |
| # If the server responds with the ICMP packet with an ICMP unreachable error type 3 and ICMP code 1, 2, 3, 9, 10, or 13, | |
| # then the port is filtered and it cannot be inferred from the response whether the port is open or closed. | |
| elif(xmas_scan_resp.haslayer(ICMP)): | |
| if(int(xmas_scan_resp.getlayer(ICMP).type)==3 and int(xmas_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]): | |
| print "Filtered" | |
Oh wow, I didn't realize I did share this. Anyway, thanks.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you for sharing, it's quite useful.