Python/Scanner: Difference between revisions
From charlesreid1
(Created page with "=Source= Github repo: https://github.com/jerry-0824/008_black_hat_python/ File: https://github.com/jerry-0824/008_black_hat_python/blob/master/p44_chapter_03_scanner.py =Co...") |
(→Code) |
||
| Line 5: | Line 5: | ||
File: https://github.com/jerry-0824/008_black_hat_python/blob/master/p44_chapter_03_scanner.py | File: https://github.com/jerry-0824/008_black_hat_python/blob/master/p44_chapter_03_scanner.py | ||
=Code= | =Explanation= | ||
Let's walk through this step-by-step. | |||
==Libraries== | |||
Start with an import of libraries: | |||
<pre> | |||
import socket | |||
import os | |||
import struct | |||
import threading | |||
</pre> | |||
Using the socket library to make connections within the computer to various interfaces. | |||
Using the built-in os library, of course, to do operating system things. | |||
Struct library - not sure exactly. | |||
Threading library allows running multiple simultaneous tasks, for things that can easily be parallelized, like scans of ports. | |||
<pre> | |||
from netaddr import IPNetwork,IPAddress | |||
from ctypes import * | |||
</pre> | |||
netaddr - ? | |||
ctypes - allows using C language types directly from Python (?) | |||
Next we set the host machine IP address, and the subnet that is being scanned: | |||
<pre> | |||
host = "192.168.1.140" | |||
subnet = "192.168.1.0/24" | |||
</pre> | |||
TBC... | |||
{{Scrollbox| | |||
<pre> | |||
def udp_sender(subnet,magic_message): | |||
sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | |||
for ip in IPNetwork(subnet): | |||
try: | |||
sender.sendto(magic_message,("%s" % ip,65212)) | |||
except: | |||
pass | |||
class IP(Structure): | |||
_fields_ = [ | |||
("ihl", c_ubyte, 4), | |||
("version", c_ubyte, 4), | |||
("tos", c_ubyte), | |||
("len", c_ushort), | |||
("id", c_ushort), | |||
("offset", c_ushort), | |||
("ttl", c_ubyte), | |||
("protocol_num", c_ubyte), | |||
("sum", c_ushort), | |||
# ("src", c_ulong), | |||
# ("dst", c_ulong) | |||
("src", c_uint32), | |||
("dst", c_uint32) | |||
] | |||
def __new__(self, socket_buffer=None): | |||
return self.from_buffer_copy(socket_buffer) | |||
def __init__(self, socket_buffer=None): | |||
# map protocol constants to their names | |||
self.protocol_map = {1:"ICMP", 6:"TCP", 17:"UDP"} | |||
# human readable IP addresses | |||
self.src_address = socket.inet_ntoa(struct.pack("<L",self.src)) | |||
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst)) | |||
# human readable protocol | |||
try: | |||
self.protocol = self.protocol_map[self.protocol_num] | |||
except: | |||
self.protocol = str(self.protocol_num) | |||
class ICMP(Structure): | |||
_fields_ = [ | |||
("type", c_ubyte), | |||
("code", c_ubyte), | |||
("checksum", c_ushort), | |||
("unused", c_ushort), | |||
("next_hop_mtu", c_ushort) | |||
] | |||
def __new__(self, socket_buffer): | |||
return self.from_buffer_copy(socket_buffer) | |||
def __init__(self, socket_buffer): | |||
pass | |||
# create a raw socket and bind it to the public interface | |||
if os.name == "nt": | |||
socket_protocol = socket.IPPROTO_IP | |||
else: | |||
socket_protocol = socket.IPPROTO_ICMP | |||
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol) | |||
sniffer.bind((host, 0)) | |||
# we want the IP headers included in the capture | |||
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) | |||
# if we're on Windows we need to send some ioctls | |||
# to setup promiscuous mode | |||
if os.name == "nt": | |||
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON) | |||
# start sending packets | |||
t = threading.Thread(target=udp_sender,args=(subnet,magic_message)) | |||
t.start() | |||
try: | |||
while True: | |||
# read in a single packet | |||
raw_buffer = sniffer.recvfrom(65535)[0] | |||
# create an IP header from the first 20 bytes of the buffer | |||
ip_header = IP(raw_buffer[0:20]) | |||
#print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_address, ip_header.dst_address) | |||
# if it's ICMP we want it | |||
if ip_header.protocol == "ICMP": | |||
# calculate where our ICMP packet starts | |||
offset = ip_header.ihl * 4 | |||
buf = raw_buffer[offset:offset + sizeof(ICMP)] | |||
# create our ICMP structure | |||
icmp_header = ICMP(buf) | |||
#print "ICMP -> Type: %d Code: %d" % (icmp_header.type, icmp_header.code) | |||
# now check for the TYPE 3 and CODE 3 which indicates | |||
# a host is up but no port available to talk to | |||
if icmp_header.code == 3 and icmp_header.type == 3: | |||
# check to make sure we are receiving the response | |||
# that lands in our subnet | |||
if IPAddress(ip_header.src_address) in IPNetwork(subnet): | |||
# test for our magic message | |||
if raw_buffer[len(raw_buffer)-len(magic_message):] == magic_message: | |||
print("Host Up: %s" % ip_header.src_address) | |||
# handle CTRL-C | |||
except KeyboardInterrupt: | |||
# if we're on Windows turn off promiscuous mode | |||
if os.name == "nt": | |||
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF) | |||
</pre> | |||
}} | |||
=Original Code= | |||
<pre> | <pre> | ||
Revision as of 02:09, 24 July 2016
Source
Github repo: https://github.com/jerry-0824/008_black_hat_python/
File: https://github.com/jerry-0824/008_black_hat_python/blob/master/p44_chapter_03_scanner.py
Explanation
Let's walk through this step-by-step.
Libraries
Start with an import of libraries:
import socket import os import struct import threading
Using the socket library to make connections within the computer to various interfaces.
Using the built-in os library, of course, to do operating system things.
Struct library - not sure exactly.
Threading library allows running multiple simultaneous tasks, for things that can easily be parallelized, like scans of ports.
from netaddr import IPNetwork,IPAddress from ctypes import *
netaddr - ?
ctypes - allows using C language types directly from Python (?)
Next we set the host machine IP address, and the subnet that is being scanned:
host = "192.168.1.140" subnet = "192.168.1.0/24"
TBC...
def udp_sender(subnet,magic_message):
sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
for ip in IPNetwork(subnet):
try:
sender.sendto(magic_message,("%s" % ip,65212))
except:
pass
class IP(Structure):
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
# ("src", c_ulong),
# ("dst", c_ulong)
("src", c_uint32),
("dst", c_uint32)
]
def __new__(self, socket_buffer=None):
return self.from_buffer_copy(socket_buffer)
def __init__(self, socket_buffer=None):
# map protocol constants to their names
self.protocol_map = {1:"ICMP", 6:"TCP", 17:"UDP"}
# human readable IP addresses
self.src_address = socket.inet_ntoa(struct.pack("<L",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst))
# human readable protocol
try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num)
class ICMP(Structure):
_fields_ = [
("type", c_ubyte),
("code", c_ubyte),
("checksum", c_ushort),
("unused", c_ushort),
("next_hop_mtu", c_ushort)
]
def __new__(self, socket_buffer):
return self.from_buffer_copy(socket_buffer)
def __init__(self, socket_buffer):
pass
# create a raw socket and bind it to the public interface
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind((host, 0))
# we want the IP headers included in the capture
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
# if we're on Windows we need to send some ioctls
# to setup promiscuous mode
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
# start sending packets
t = threading.Thread(target=udp_sender,args=(subnet,magic_message))
t.start()
try:
while True:
# read in a single packet
raw_buffer = sniffer.recvfrom(65535)[0]
# create an IP header from the first 20 bytes of the buffer
ip_header = IP(raw_buffer[0:20])
#print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_address, ip_header.dst_address)
# if it's ICMP we want it
if ip_header.protocol == "ICMP":
# calculate where our ICMP packet starts
offset = ip_header.ihl * 4
buf = raw_buffer[offset:offset + sizeof(ICMP)]
# create our ICMP structure
icmp_header = ICMP(buf)
#print "ICMP -> Type: %d Code: %d" % (icmp_header.type, icmp_header.code)
# now check for the TYPE 3 and CODE 3 which indicates
# a host is up but no port available to talk to
if icmp_header.code == 3 and icmp_header.type == 3:
# check to make sure we are receiving the response
# that lands in our subnet
if IPAddress(ip_header.src_address) in IPNetwork(subnet):
# test for our magic message
if raw_buffer[len(raw_buffer)-len(magic_message):] == magic_message:
print("Host Up: %s" % ip_header.src_address)
# handle CTRL-C
except KeyboardInterrupt:
# if we're on Windows turn off promiscuous mode
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
|
Original Code
# /usr/bin/python python3
# -*- coding:utf-8 -*-
##################################################
# Filename: p43_chapter_03_scanner.py
# Author: jerry_0824
# Email: 63935127##qq.com
# Phone: +86-155-8287-7999
# Date: 2016-03-07
# Version: v1.0.0
##################################################
import socket
import os
import struct
import threading
from netaddr import IPNetwork,IPAddress
from ctypes import *
# host to listen on
host = "192.168.1.140"
# subnet to target
subnet = "192.168.1.0/24"
# magic we'll check ICMP responses for
magic_message = "PYTHONRULES!"
def udp_sender(subnet,magic_message):
sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
for ip in IPNetwork(subnet):
try:
sender.sendto(magic_message,("%s" % ip,65212))
except:
pass
class IP(Structure):
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
# ("src", c_ulong),
# ("dst", c_ulong)
("src", c_uint32),
("dst", c_uint32)
]
def __new__(self, socket_buffer=None):
return self.from_buffer_copy(socket_buffer)
def __init__(self, socket_buffer=None):
# map protocol constants to their names
self.protocol_map = {1:"ICMP", 6:"TCP", 17:"UDP"}
# human readable IP addresses
self.src_address = socket.inet_ntoa(struct.pack("<L",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst))
# human readable protocol
try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num)
class ICMP(Structure):
_fields_ = [
("type", c_ubyte),
("code", c_ubyte),
("checksum", c_ushort),
("unused", c_ushort),
("next_hop_mtu", c_ushort)
]
def __new__(self, socket_buffer):
return self.from_buffer_copy(socket_buffer)
def __init__(self, socket_buffer):
pass
# create a raw socket and bind it to the public interface
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind((host, 0))
# we want the IP headers included in the capture
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
# if we're on Windows we need to send some ioctls
# to setup promiscuous mode
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
# start sending packets
t = threading.Thread(target=udp_sender,args=(subnet,magic_message))
t.start()
try:
while True:
# read in a single packet
raw_buffer = sniffer.recvfrom(65535)[0]
# create an IP header from the first 20 bytes of the buffer
ip_header = IP(raw_buffer[0:20])
#print "Protocol: %s %s -> %s" % (ip_header.protocol, ip_header.src_address, ip_header.dst_address)
# if it's ICMP we want it
if ip_header.protocol == "ICMP":
# calculate where our ICMP packet starts
offset = ip_header.ihl * 4
buf = raw_buffer[offset:offset + sizeof(ICMP)]
# create our ICMP structure
icmp_header = ICMP(buf)
#print "ICMP -> Type: %d Code: %d" % (icmp_header.type, icmp_header.code)
# now check for the TYPE 3 and CODE 3 which indicates
# a host is up but no port available to talk to
if icmp_header.code == 3 and icmp_header.type == 3:
# check to make sure we are receiving the response
# that lands in our subnet
if IPAddress(ip_header.src_address) in IPNetwork(subnet):
# test for our magic message
if raw_buffer[len(raw_buffer)-len(magic_message):] == magic_message:
print("Host Up: %s" % ip_header.src_address)
# handle CTRL-C
except KeyboardInterrupt:
# if we're on Windows turn off promiscuous mode
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)