2019-03-31 16:40:35 -04:00
|
|
|
#!/usr/bin/python
|
2019-03-31 16:20:13 -04:00
|
|
|
"""
|
|
|
|
Author: Omar Santos @santosomar
|
|
|
|
version 1.0
|
|
|
|
This is a quick demonstration on how to use the scapy as a scanner
|
|
|
|
* Pre-requisite: scapy, prettytable, argparse
|
|
|
|
"""
|
|
|
|
|
|
|
|
import sys
|
|
|
|
import prettytable
|
|
|
|
import argparse
|
|
|
|
import logging
|
|
|
|
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #This is supress scapy warnings
|
|
|
|
|
|
|
|
from scapy.all import *
|
|
|
|
|
|
|
|
#conf.iface='eth0' # network interface to use
|
|
|
|
conf.verb=0 # enable verbose mode - Is this actually working?
|
|
|
|
conf.nofilter=1
|
|
|
|
|
|
|
|
def tcp_connect_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
src_port = RandShort()
|
|
|
|
tcp_connect_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=dst_timeout)
|
|
|
|
if(str(type(tcp_connect_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "Closed"
|
|
|
|
elif(tcp_connect_scan_resp.haslayer(TCP)):
|
|
|
|
if(tcp_connect_scan_resp.getlayer(TCP).flags == 0x12):
|
|
|
|
send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="AR"),timeout=dst_timeout)
|
|
|
|
return "Open"
|
|
|
|
elif (tcp_connect_scan_resp.getlayer(TCP).flags == 0x14):
|
|
|
|
return "Closed"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def stealth_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
src_port = RandShort()
|
|
|
|
stealth_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=dst_timeout)
|
|
|
|
if(str(type(stealth_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "Filtered"
|
|
|
|
elif(stealth_scan_resp.haslayer(TCP)):
|
|
|
|
if(stealth_scan_resp.getlayer(TCP).flags == 0x12):
|
|
|
|
send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="R"),timeout=dst_timeout)
|
|
|
|
return "Open"
|
|
|
|
elif (stealth_scan_resp.getlayer(TCP).flags == 0x14):
|
|
|
|
return "Closed"
|
|
|
|
elif(stealth_scan_resp.haslayer(ICMP)):
|
|
|
|
if(int(stealth_scan_resp.getlayer(ICMP).type)==3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
|
|
|
|
return "Filtered"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def xmas_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
xmas_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="FPU"),timeout=dst_timeout)
|
|
|
|
if (str(type(xmas_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "Open|Filtered"
|
|
|
|
elif(xmas_scan_resp.haslayer(TCP)):
|
|
|
|
if(xmas_scan_resp.getlayer(TCP).flags == 0x14):
|
|
|
|
return "Closed"
|
|
|
|
elif(xmas_scan_resp.haslayer(ICMP)):
|
|
|
|
if(int(xmas_scan_resp.getlayer(ICMP).type)==3 and int(xmas_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
|
|
|
|
return "Filtered"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def fin_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
fin_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="F"),timeout=dst_timeout)
|
|
|
|
if (str(type(fin_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "Open|Filtered"
|
|
|
|
elif(fin_scan_resp.haslayer(TCP)):
|
|
|
|
if(fin_scan_resp.getlayer(TCP).flags == 0x14):
|
|
|
|
return "Closed"
|
|
|
|
elif(fin_scan_resp.haslayer(ICMP)):
|
|
|
|
if(int(fin_scan_resp.getlayer(ICMP).type)==3 and int(fin_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
|
|
|
|
return "Filtered"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def null_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
null_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags=""),timeout=dst_timeout)
|
|
|
|
if (str(type(null_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "Open|Filtered"
|
|
|
|
elif(null_scan_resp.haslayer(TCP)):
|
|
|
|
if(null_scan_resp.getlayer(TCP).flags == 0x14):
|
|
|
|
return "Closed"
|
|
|
|
elif(null_scan_resp.haslayer(ICMP)):
|
|
|
|
if(int(null_scan_resp.getlayer(ICMP).type)==3 and int(null_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
|
|
|
|
return "Filtered"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def ack_flag_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
ack_flag_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="A"),timeout=dst_timeout)
|
|
|
|
if (str(type(ack_flag_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "Stateful firewall present\n(Filtered)"
|
|
|
|
elif(ack_flag_scan_resp.haslayer(TCP)):
|
|
|
|
if(ack_flag_scan_resp.getlayer(TCP).flags == 0x4):
|
|
|
|
return "No firewall\n(Unfiltered)"
|
|
|
|
elif(ack_flag_scan_resp.haslayer(ICMP)):
|
|
|
|
if(int(ack_flag_scan_resp.getlayer(ICMP).type)==3 and int(ack_flag_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
|
|
|
|
return "Stateful firewall present\n(Filtered)"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def window_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
window_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="A"),timeout=dst_timeout)
|
|
|
|
if (str(type(window_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
return "No response"
|
|
|
|
elif(window_scan_resp.haslayer(TCP)):
|
|
|
|
if(window_scan_resp.getlayer(TCP).window == 0):
|
|
|
|
return "Closed"
|
|
|
|
elif(window_scan_resp.getlayer(TCP).window > 0):
|
|
|
|
return "Open"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
|
|
|
|
def udp_scan(dst_ip,dst_port,dst_timeout):
|
|
|
|
udp_scan_resp = sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout)
|
|
|
|
if (str(type(udp_scan_resp))=="<type 'NoneType'>"):
|
|
|
|
retrans = []
|
|
|
|
for count in range(0,3):
|
|
|
|
retrans.append(sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout))
|
|
|
|
for item in retrans:
|
|
|
|
if (str(type(item))!="<type 'NoneType'>"):
|
|
|
|
udp_scan(dst_ip,dst_port,dst_timeout)
|
|
|
|
return "Open|Filtered"
|
|
|
|
elif (udp_scan_resp.haslayer(UDP)):
|
|
|
|
return "Open"
|
|
|
|
elif(udp_scan_resp.haslayer(ICMP)):
|
|
|
|
if(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code)==3):
|
|
|
|
return "Closed"
|
|
|
|
elif(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code) in [1,2,9,10,13]):
|
|
|
|
return "Filtered"
|
|
|
|
else:
|
|
|
|
return "CHECK"
|
|
|
|
|
|
|
|
def start(your_target,your_ports,your_timeout):
|
|
|
|
x = prettytable.PrettyTable(["Port No.","TCP Connect Scan","Stealth Scan","XMAS Scan","FIN Scan","NULL Scan", "ACK Flag Scan", "Window Scan", "UDP Scan"])
|
|
|
|
x.align["Port No."] = "l"
|
|
|
|
|
|
|
|
user_dst_ip = your_target
|
|
|
|
port_list = your_ports
|
|
|
|
user_dst_timeout = your_timeout
|
|
|
|
|
|
|
|
print "[+] Target : %s\n" % user_dst_ip
|
|
|
|
print "[*] Scan started\n"
|
|
|
|
|
|
|
|
for i in port_list:
|
|
|
|
tcp_connect_scan_res = tcp_connect_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
stealth_scan_res = stealth_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
xmas_scan_res = xmas_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
fin_scan_res = fin_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
null_scan_res = null_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
ack_flag_scan_res = ack_flag_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
window_scan_res = window_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
udp_scan_res = udp_scan(user_dst_ip,int(i),int(user_dst_timeout))
|
|
|
|
x.add_row([i,tcp_connect_scan_res,stealth_scan_res,xmas_scan_res,fin_scan_res,null_scan_res,ack_flag_scan_res,window_scan_res,udp_scan_res])
|
|
|
|
print x
|
|
|
|
|
|
|
|
print "\n[*] Scan completed\n"
|
|
|
|
|
|
|
|
|
|
|
|
def banner():
|
|
|
|
bannerTxt = """
|
|
|
|
************************************************************
|
|
|
|
#### #### ## ##### #### #### ## # #
|
|
|
|
# # # # # # # # # # # # ## #
|
|
|
|
#### # # # # # #### # # # # # #
|
|
|
|
# # ###### ##### # # ###### # # #
|
|
|
|
# # # # # # # # # # # # # # ##
|
|
|
|
#### #### # # # #### #### # # # #
|
|
|
|
|
2019-03-31 16:24:15 -04:00
|
|
|
A demonstration by Omar Santos on how to use scapy for scanning purposes. Part of the Cybersecurity classes at: https://h4cker.org
|
2019-03-31 16:20:13 -04:00
|
|
|
|
2019-03-31 16:24:15 -04:00
|
|
|
This tool supports TCP Connect Scans, Stealth Scans, XMAS Scans, FIN Scans, NULL Scans, ACK Flag Scans, Window Scans, and UDP Scans.
|
2019-03-31 16:20:13 -04:00
|
|
|
|
|
|
|
usage: scapy_stealth_scan.py [-h] [-p] [-pl] [-pr] [-t] target
|
|
|
|
|
|
|
|
************************************************************
|
|
|
|
"""
|
|
|
|
print bannerTxt
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
parser = argparse.ArgumentParser(description=banner())
|
|
|
|
parser.add_argument("target", help="Target address")
|
|
|
|
parser.add_argument("-p", metavar="", help="Single port e.g. 80")
|
|
|
|
parser.add_argument("-pl", metavar="", help="Port list e.g. 21,22,80")
|
|
|
|
parser.add_argument("-pr", metavar="", help="Port range e.g. 20-30")
|
|
|
|
parser.add_argument("-t", metavar="", type=int, default=2, help="Timeout value (default 2)")
|
|
|
|
args = parser.parse_args()
|
|
|
|
target = args.target
|
|
|
|
|
|
|
|
ports = []
|
|
|
|
if args.p:
|
|
|
|
p = args.p
|
|
|
|
ports.append(p)
|
|
|
|
if args.pl:
|
|
|
|
pl = (args.pl).split(",")
|
|
|
|
ports += pl
|
|
|
|
if args.pr:
|
|
|
|
pr = (args.pr).split("-")
|
|
|
|
pr.sort()
|
|
|
|
pr_item1 = int(pr[0])
|
|
|
|
pr_item2 = int(pr[1])+1
|
|
|
|
new_pr = range(pr_item1,pr_item2,1)
|
|
|
|
ports += new_pr
|
|
|
|
|
|
|
|
timeout = int( args.t)
|
|
|
|
|
|
|
|
if(not len(ports)>0):
|
|
|
|
print "No ports specified.\nUse -h or --help to see the help menu"
|
|
|
|
exit(0)
|
|
|
|
|
|
|
|
ports = list(set(ports))
|
|
|
|
new_ports=[]
|
|
|
|
for item in ports:
|
|
|
|
new_ports.append(int(item))
|
|
|
|
ports = new_ports
|
|
|
|
ports.sort()
|
|
|
|
|
|
|
|
start(target,ports,timeout)
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
main()
|