自己动手编程实现并讲解TCP connect scan/TCP stealth scan/TCP XMAS scan/UDP scan

其他 2018-11-18 13:02:26 阅读次数: 0

实验5 自己动手编程实现并讲解TCP connect scan/TCP stealth scan/TCP XMAS scan/UDP scan

实验工具

  • scapy version 2.4.0
  • ipython version 5.5.0
  • netcat version 1.10-41.1

实验背景

  • 实验中可能用到的指令

    • 使用netcat监听tcp:80端口
      nc -nvlp 80
    • 使用netcat监听udp :9000端口,并回复payload为 hello的udp数据包
      echo -n "hello " | nc -nvulp 9000
    • 在kali scapy 中运行python源码
      run filepath
    • nmap 扫描 tcp服务
      nmap ip
    • nmap 扫描udp服务某端口
      nmap -sU ip - p 端口号

  • 实验中四种 scan 扫描源码 (转自此处,二次加工)

    • TCP connect scan source code

# -*-coding:utf-8 -*-
#! /usr/bin/python3

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)   # 设置 logger 用于记录错误
from scapy.all import *

dst_ip = "192.168.1.2"
src_ip = "192.168.1.1"
src_port = RandShort()
dst_port=80



tcp_connect_scan_resp = sr1(IP(src=src_ip,dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=10)    #SYN #只接受一个回复的数据包
if(str(type(tcp_connect_scan_resp))=="<type 'NoneType'>"):   #如果无回复就是关闭
	with open("/mnt/share/1.txt", "w") as file:
		file.write ("Closed1")
elif(tcp_connect_scan_resp.haslayer(TCP)):     #如果回复了tcp数据
	if(tcp_connect_scan_resp.getlayer(TCP).flags == 0x12):  #SYN-ACK
		send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="AR"),timeout=10)   #RST +ACK   sending packets and receiving answers

		with open("/mnt/share/1.txt", "w") as file:
			file.write("Open")
	elif (tcp_connect_scan_resp.getlayer(TCP).flags == 0x14): #RST
		with open("/mnt/share/1.txt", "w") as file:
			file.write ("Closed2")
  • TCP stealth scan

#! /usr/bin/python

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

dst_ip = "192.168.1.2"
src_port = RandShort()
dst_port=80

stealth_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=10)
if(str(type(stealth_scan_resp))=="<type 'NoneType'>"):# no responce
	with open("/mnt/share/1.txt", "w") as file:
		file.write ("Filtered1")
elif(stealth_scan_resp.haslayer(TCP)):
	if(stealth_scan_resp.getlayer(TCP).flags == 0x12):  #receive SA  port open
		send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="R"),timeout=10)  #reply R
		with open("/mnt/share/1.txt", "w") as file:
			file.write("open")
	elif (stealth_scan_resp.getlayer(TCP).flags == 0x14):# receive RA port closed
		with open("/mnt/share/1.txt", "w") as file:
			file.write("closed")
elif(stealth_scan_resp.haslayer(ICMP)):  #receive ICMP and type Destination Unreachable (3)
	if(int(stealth_scan_resp.getlayer(ICMP).type)==3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
		with open("/mnt/share/1.txt", "w") as file:
			file.write("Filtered2")
  • TCP XMAS scan

#! /usr/bin/python

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

dst_ip = "192.168.1.2"
src_port = RandShort()
dst_port=80

xmas_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="FPU"),timeout=10)
if (str(type(xmas_scan_resp))=="<type 'NoneType'>"):
	with open("/mnt/share/1.txt", "w") as file:
		file.write("Open|Filtered")
elif(xmas_scan_resp.haslayer(TCP)):
	if(xmas_scan_resp.getlayer(TCP).flags == 0x14):
		with open("/mnt/share/1.txt", "w") as file:
			file.write("Closed")
elif(xmas_scan_resp.haslayer(ICMP)):
	if(int(xmas_scan_resp.getlayer(ICMP).type)==3 and int(xmas_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
		with open("/mnt/share/1.txt", "w") as file:
			file.write("Filtered")
  • UDP scan
#! /usr/bin/python

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

dst_ip = "192.168.1.2"
src_port = RandShort()
dst_port= 9000
dst_timeout=10

def udp_scan(dst_ip,dst_port,dst_timeout):
	udp_scan_resp = sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout)
	if (str(type(udp_scan_resp))=="<type 'NoneType'>"): #no response
		with open("/mnt/share/1.txt", "w") as file:
			file.write("open|flitered")
	elif (udp_scan_resp.haslayer(UDP)): # response  open
		with open("/mnt/share/1.txt", "w") as file:
				file.write("open")
	elif(udp_scan_resp.haslayer(ICMP)): # response icmp
		if(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code)==3):#desination unreachable
			with open("/mnt/share/1.txt", "w") as file:
				file.write("closed")
		elif(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code) in [1,2,9,10,13]):#filter
			with open("/mnt/share/1.txt", "w") as file:
				file.write("closed")
	else:
		with open("/mnt/share/1.txt", "w") as file:
			file.write(str(type(udp_scan_resp)))


udp_scan(dst_ip,dst_port,dst_timeout)
  • 使用 python socket 编程临时开启 udp server,源码如下:
from socket import *
from time import ctime

host = ''
port = 9000
bufsize = 1024
addr = (host,port)

udpServer = socket(AF_INET,SOCK_DGRAM)
udpServer.bind(addr)

while True:
	#print('Waiting for connection...')
	data,addr = udpServer.recvfrom(bufsize)
	data  = data.decode(encoding='utf-8').upper()
	#data = "at %s :%s"%(ctime(),data)
	#print('recv', data)
	udpServer.sendto(data.encode(encoding='utf-8'),addr)
	break
udpServer.close()
print("yes")

实验内容
实验拓扑图结构如下:(沿用实验一配置)

tuopu

实验内容及结果如下:

  • 使用nc + scapy 测试四种扫描
    其中开启 tcp:80 服务使用 nc -nvlp 80
    开启udp:9000服务使用 echo -n "hello " | nc -nvulp 9000
    四种 scan 均为在kali 终端 scapy中运行上文中的脚本
扫描类型 扫描源 被扫描者 被扫描者提供的服务及端口 扫描源获取的扫描结果
TCP connect scan 网关 靶机 closed2 (RST)
TCP connect scan 网关 靶机 tcp:80 open (SYN-ACK)
TCP connect scan 攻击者 靶机 closed1 (no response)
TCP connect scan 攻击者 靶机 tcp:80 closed1 (no response)
TCP stealth scan 网关 靶机 closed
TCP stealth scan 网关 靶机 tcp:80 open
TCP stealth scan 攻击者 靶机 filter1 (no response)
TCP stealth scan 攻击者 靶机 tcp:80 filter1 (no response)
TCP XMAS scan 网关 靶机 closed
TCP XMAS scan 网关 靶机 tcp:80 open/filtered (no response)
TCP XMAS scan 攻击者 靶机 open/filtered (no response)
TCP XMAS scan 攻击者 靶机 tcp:80 open/filtered (no response)
UDP scan 网关 靶机 open/filtered (no response)
UDP scan 网关 靶机 udp:9000 open
UDP scan 攻击者 靶机 open/filtered (no response)
UDP scan 攻击者 靶机 udp:9000 open/filtered (no response)

实验完成结果和给定的查阅资料基本符合。
其中,当攻击者试图扫描靶机时,由于数据包根本无法到达靶机,所以攻击者对靶机的端口扫描都是无响应的。

  • 使用socket 编程开启udp:9000服务,并用 nmap测试结果
    扫描者 :网关 指令 nmap -sU 192.168.1.2 - p 9000
    被扫描者:靶机 指令 run /mnt/share/udpserver.py
    扫描者扫描结果
root@bogon:~# nmap -sU 192.168.1.2 -p 9000
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-18 12:01 EDT
Nmap scan report for localhost (192.168.1.2)
Host is up (0.00024s latency).

PORT     STATE SERVICE
9000/udp open  cslistener
MAC Address: 08:00:27:3C:0F:56 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

截图如下:
pic

参考资料

猜你喜欢

转载自blog.csdn.net/jackcily/article/details/83117884
今日推荐
NetBSD 禁止提交由 AI 生成的代码
Apache Doris 2.0.10 版本正式发布!
开源日报 | 大模型开战;大模型独角兽被曝卖身;周鸿祎建议谷歌开源所有产品;最大开源AI社区提供1000万美元共享GPU
开源日报 | Chrome内置Gemini的意义不在于Gemini;中国AI追随之路的五大误区;ECharts创始人“下海”养鱼;谷歌I/O开发者大会什么都有,只是没有惊喜
微软回应中国区AI团队“打包赴美”传闻
基于大语言模型的开源知识库问答系统 MaxKB GitHub Star 数量突破 5,000 个!
周排行
女程序员是这样被恶搞的
B/S 和 C/S 的优缺点
vector一直申请会怎样?
座头鲸识别比赛(Humpback Whale Identification)总结
Linux高性能服务器编程——I/O复用 select
Mysql连接数据库(当包使用)
通过URI获取的文件路径为null的解决方法
1022-Primes on Interval(素数筛选+二分查找) ZCMU
Python出现: TypeError: expected string or buffer
bzoj2434: [Noi2011]阿狸的打字机 ac自动机+树状数组
每日归档
更多
2024-05-18(4)
2024-05-17(34)
2024-05-16(6)
2024-05-15(24)
2024-05-14(0)
2024-05-13(18)
2024-05-12(0)
2024-05-11(38)
2024-05-10(38)
2024-05-09(35)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022