一、实验目的
(1) 理解网络端口扫描器的基本结构、工作原理与设计方法。
(2) 掌握TCP connect扫描、TCP SYN扫描、TCP FIN扫描、以及UDP扫描的基本原理、设计与实现方法。
二、实验要求
(1) 完成一个网络端口扫描程序。
(2) 要求程序能够实现TCP connect扫描、TCP SYN扫描、TCP FIN扫描、以及UDP扫描等4种基本的扫描方式。
三、实验思路
端口扫描的特征码:
Connect扫描(端口开放):
1、 客户端发送包:URG=0,ACK=0,PSH=0,RST=0,SYN=1,FIN=0
2、 服务端回包: URG=0,ACK=1,PSH=0,RST=0,SYN=1,FIN=0
3、 客户端发送包:URG=0,ACK=1,PSH=0,RST=0,SYN=0,FIN=0
4、 客户端发送包:URG=0,ACK=1,PSH=0,RST=1,SYN=0,FIN=0
SYN扫描(端口开放):
1、 客户端发送包:URG=0,ACK=0,PSH=0,RST=0,SYN=1,FIN=0
2、 服务端回包: URG=0,ACK=1,PSH=0,RST=0,SYN=1,FIN=0
3、 客户端发送包:URG=0,ACK=0,PSH=0,RST=1,SYN=0,FIN=0
端口未开放时:(Connect和SYN扫描数据包一样)
1、 客户端发送包:URG=0,ACK=0,PSH=0,RST=0,SYN=1,FIN=0
2、 服务端回包: URG=0,ACK=1,PSH=0,RST=1,SYN=0,FIN=0
FIN扫描(端口未开放时;端口开放时服务端不回包):
1、 客户端发送包:URG=0,ACK=0,PSH=0,RST=0,SYN=0,FIN=1
2、 服务端回包: URG=0,ACK=1,PSH=0,RST=1,SYN=0,FIN=0
四、实验源码
主程序:
# -*- coding: utf-8 -*-
"""
简单端口扫描程序
主程序
@author WQ
@time 2021/5/8
"""
import ipaddress

from TCP_CONN import conn_scanner
from TCP_SYN import syn_scanner
from TCP_FIN import fin_scanner
from UDP import udp_scanner
def menu():
    """Print the numbered option list of the interactive scanner (returns None)."""
    entries = (
        "",
        "----菜单",
        "--------1. TCP_CONN扫描",
        "--------2. TCP_SYN扫描",
        "--------3. TCP_FIN扫描",
        "--------4. UDP扫描",
        "--------5. 显示菜单",
        "--------6. 退出",
        "",
    )
    # Leading and trailing empty entries reproduce the blank lines of the
    # original triple-quoted literal exactly.
    print("\n".join(entries))
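def main():
    """Interactive entry point: read a target, then dispatch scans from the menu.

    The target is validated as an IP literal with ``ipaddress`` before any
    scanner sees it, so a mistyped value cannot be resolved by the socket or
    scapy layer into some unintended host. The menu loop ends on option 6, or
    when stdin is closed / interrupted; the original bare ``except:`` turned
    EOF on stdin into an endless re-prompt loop.
    """
    while True:
        try:
            raw = input("请输入目标IP:").strip()
            targetIP = str(ipaddress.ip_address(raw))
            break
        except ValueError:
            print("无效的IP地址")
        except (EOFError, KeyboardInterrupt):
            return
    portslist = [21, 22, 23, 80, 135, 139, 445]
    # Menu number -> scanner; all four share the (target, ports) signature.
    scanners = {
        1: conn_scanner,
        2: syn_scanner,
        3: fin_scanner,
        4: udp_scanner,
    }
    menu()
    while True:
        try:
            options = int(input("请输入扫描方式:"))
        except ValueError:
            # Non-numeric input: silently re-prompt, as before.
            continue
        except (EOFError, KeyboardInterrupt):
            return
        if options == 6:
            break
        if options == 5:
            menu()
        elif options in scanners:
            scanners[options](targetIP, portslist)
        # Any other number is ignored and the prompt repeats.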
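# Only start the interactive loop when executed as a script; importing this
# module (e.g. from tests or tooling) must not prompt or scan.
if __name__ == "__main__":
    main()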
connect扫描
# -*- coding: utf-8 -*-
"""
简单端口扫描程序
connect扫描
@author WQ
@time 2021/5/8
"""
import socket
import time
import threading
# Defaults used only when this module is executed directly.
targetIP = "192.168.137.226"
# Ports probed by default: FTP, SSH, Telnet, HTTP, MS-RPC, NetBIOS, SMB.
portslist = [21, 22, 23, 80, 135, 139, 445]
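def conn_scan(ip, port, timeout=3.0):
    """Probe one TCP port with a full connect() and report it when open.

    Args:
        ip: target address accepted by ``socket`` (IPv4, since AF_INET is used).
        port: TCP port number.
        timeout: seconds to wait for the handshake. Without one, a probe whose
            SYN is silently dropped (filtered port) blocks its thread for the
            operating system's default connect timeout.

    Prints "[+] Port N Is Open" when connect_ex() returns 0. Any non-zero
    result (refused, unreachable, timed out) is treated as not open and
    produces no output, as in the original. An OSError from socket creation
    or address handling is reported as "error" instead of propagating, which
    keeps the original best-effort behaviour without the bare ``except:``.
    The socket is closed on every path by the ``with`` block.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as scansocket:
            scansocket.settimeout(timeout)
            if scansocket.connect_ex((ip, port)) == 0:
                print(f"[+] Port {port} Is Open\n")
    except OSError:
        print("error")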
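def conn_scanner(targetIP, portslist):
    """Run conn_scan() against every port in *portslist*, one thread per port.

    All threads are started first and joined afterwards. The original joined
    each thread immediately after starting it, which made the scan strictly
    sequential despite using threads. Returns once every probe has finished,
    so the caller's next prompt is not interleaved with scan output.
    """
    print(f"Scanning {targetIP} for Open TCP_CONN Ports\n")
    workers = [
        threading.Thread(target=conn_scan, args=(targetIP, port))
        for port in portslist
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()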
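# Guarded so that `from TCP_CONN import conn_scanner` (done by the main
# program) no longer fires a scan at the hard-coded targetIP at import time.
if __name__ == "__main__":
    conn_scanner(targetIP, portslist)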
SYN扫描
# -*- coding: utf-8 -*-
"""
简单端口扫描程序
SYN扫描
@author WQ
@time 2021/5/8
"""
import logging
import threading
# Raise scapy's runtime logger to ERROR so its warnings do not clutter the
# scan output; set before the scapy imports below so it applies from the start.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.layers.inet import IP, TCP, UDP, ICMP
from scapy.all import *
#target = str(input("请输入目标IP: "))
# Module defaults; syn_scanner() receives the real target from the caller.
target = "192.168.237.130"
portslist = [21, 22, 34, 135, 139, 80, 445]
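def syn_scan(port, dst=None):
    """Send one SYN to dst:port and print the port state derived from the reply.

    Args:
        port: TCP destination port.
        dst: destination address. Defaults to the module-level ``target`` so
            the old ``syn_scan(port)`` call still works. Previously the
            function always read the module-level value, so the address the
            user typed in the menu was ignored and the hard-coded one probed.

    Reply with SYN+ACK (flags 0x12) -> "[+] Port N Is Open".
    Any other TCP reply (normally RST/ACK) -> "[+] Port N Is Close".
    No reply, or an ICMP error -> nothing printed; the port is filtered or
    the host unreachable, which this probe cannot distinguish. The RST that
    the write-up lists as step 3 of the SYN signature is not sent by this
    code — presumably the local TCP stack answers the unexpected SYN/ACK.
    """
    if dst is None:
        dst = target
    sport = RandShort()
    probe = IP(dst=dst) / TCP(sport=sport, dport=port, flags="S")
    reply = sr1(probe, timeout=1, verbose=0)
    if reply is None or not reply.haslayer(TCP):
        return
    if reply[TCP].flags == 0x12:  # SYN+ACK
        print(f"[+] Port {port} Is Open\n")
    else:
        print(f"[+] Port {port} Is Close\n")


def syn_scanner(target, portslist):
    """Run syn_scan() for every port in *portslist* in parallel threads.

    Passes *target* through to syn_scan() and waits for all threads, so the
    function returns only after every probe has been answered or timed out.
    """
    print(f"Scanning {target} for Open TCP_SYN Ports\n")
    workers = [
        threading.Thread(target=syn_scan, args=(port, target))
        for port in portslist
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()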
#syn_scanner(target,portslist)
#print('Scan Is Completed!\n')
FIN扫描
# -*- coding: utf-8 -*-
"""
简单端口扫描程序
FIN扫描
@author WQ
@time 2021/5/8
"""
from scapy.layers.inet import IP, TCP
from scapy.sendrecv import sr, sr1
import threading
'''
适用于Linux设备
通过设置flags位为'FIN',不回复则表示端口开启,回复并且回复的标志位为RST表示端口关闭
'''
# Module defaults; fin_scanner() takes the real target from its caller.
targetIP = "192.168.170.98"
portslist = [21, 22, 23, 80, 135, 139, 445]
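def fin_scan(targetIP, port):
    """Send one FIN probe to targetIP:port and report the port if it stays silent.

    Per the module note this is meant for Linux targets: an open port drops a
    bare FIN, a closed one answers RST/ACK. Stacks that answer RST on every
    port make everything look closed.

    Prints "[+] Port N Is Open" when no reply arrives within 1 s. Strictly this
    is open|filtered — a firewall that drops the probe produces the same
    silence — so treat it as a candidate rather than a confirmation. An
    RST/ACK reply (closed) and ICMP errors print nothing, matching the
    original output where the "Is Close" line was commented out.

    Fixes: the original called sr1() twice, sending each probe twice and
    judging on the second answer; and it indexed ans[TCP] without checking the
    layer, which raises when the reply is an ICMP error.
    """
    probe = IP(dst=targetIP) / TCP(dport=int(port), flags="F")
    ans = sr1(probe, timeout=1, verbose=0)
    if ans is None:
        print(f"[+] Port {port} Is Open\n")
    # Otherwise: ans.haslayer(TCP) and ans[TCP].flags == "RA" means closed,
    # anything else (e.g. ICMP unreachable) means filtered; both stay silent.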
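def fin_scanner(targetIP, portslist):
    """Run fin_scan() for every port in *portslist* in parallel threads.

    Starts one thread per port and joins all of them, so the function returns
    only after every probe has timed out or been answered; the original
    returned immediately and "Is Open" lines could appear after the caller's
    next prompt.
    """
    print(f"Scanning {targetIP} for Open TCP_FIN Ports\n")
    workers = [
        threading.Thread(target=fin_scan, args=(targetIP, port))
        for port in portslist
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()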
#scanner(targetIP,portslist)
UDP扫描
# -*- coding: utf-8 -*-
"""
简单端口扫描程序
UDP扫描
@author WQ
@time 2021/5/8
"""
from scapy.all import *
from scapy.layers.inet import IP, UDP
import threading
# Module defaults used by the __main__ guard below.
target = "192.168.189.98"
portslist = [21, 22, 34, 135, 139, 80, 445]
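def UDP_scan(target, port, timeout=1):
    """Send one empty UDP datagram to target:port and classify the answer.

    Args:
        target: destination address.
        port: UDP port (converted with int() as before).
        timeout: seconds to wait for an answer. Default raised from 0.1 to 1
            to match the TCP scanners; 0.1 s is shorter than many ICMP error
            round trips, so closed ports were often reported as open.

    UDP datagram back  -> "[+] Port N Is Open" (a service answered; the
                          original printed nothing in this case).
    ICMP error back    -> silent (port closed or administratively filtered).
    No reply           -> "[+] Port N Is Open", kept from the original, but
                          this is really open|filtered: a service that ignores
                          an empty datagram and a firewall that drops the probe
                          are indistinguishable here.
    """
    probe = IP(dst=target) / UDP(dport=int(port))
    res = sr1(probe, timeout=timeout, verbose=0)
    if res is None:
        print(f"[+] Port {port} Is Open\n")
    elif res.haslayer(ICMP):
        # ICMP unreachable (type 3): closed or filtered, left unreported.
        return
    elif res.haslayer(UDP):
        print(f"[+] Port {port} Is Open\n")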
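def udp_scanner(target, portslist):
    """Run UDP_scan() for every port in *portslist* in parallel threads.

    Starts one thread per port and joins all of them so the function returns
    only after every probe has been answered or timed out; the original
    returned while threads were still printing.
    """
    print(f"Scanning {target} for Open UDP Ports\n")
    workers = [
        threading.Thread(target=UDP_scan, args=(target, port))
        for port in portslist
    ]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()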
# Direct execution scans the module defaults; importing from the main program
# runs nothing.
if __name__ == "__main__":
    udp_scanner(target, portslist)
五、实验结果