Idle (zombie) scanning is an extremely stealthy form of port scanning: the scanned host essentially never sees the scanner's own address.
But the conditions for carrying it out are fairly strict.
Condition 1: the source address can be spoofed (the IP packets the scanner sends must carry the zombie's address as their source).
Condition 2: the zombie's system is idle enough that it carries out almost no IP communication with the outside world.
Condition 3: the IPID in the IP packets the zombie sends increases by one per packet (this is the basis for judging whether a port is open).
PS: on some systems the IPID is random, or always 0. Windows 7, Windows XP and Windows 2000 use incremental IPIDs.
When the target's port is open, the IPIDs of the two RST packets the scanner gets from the zombie differ by 2: the target answers the spoofed SYN with a SYN/ACK sent to the zombie, and the zombie replies to that unexpected SYN/ACK with a RST, consuming one extra IPID.
When the target's port is closed, the IPIDs of the two RST packets the scanner gets from the zombie differ by 1: the target answers with a RST, which the zombie silently ignores, so no extra packet is sent.
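The defender's view of the same mechanism, as an added example (not code from the original post): an offline check of whether a host's IPID behaves as described in condition 3, plus a detector for the footprint an idle scan leaves on the zombie, namely SYN/ACKs arriving for connections the host never opened. The IPID samples, packet tuples and addresses below are constructed for illustration.

```python
from collections import defaultdict


def classify_ipid(ids):
    """Classify a host's IPID behaviour from IPIDs observed in replies to
    back-to-back probes: "zero", "incremental" or "random-or-per-destination"."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    # IPID is a 16-bit counter, so take the difference modulo 65536 (wraps at 65535 -> 0)
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    # A global per-packet counter moves by a small constant step; allow slack for background traffic
    if all(1 <= d <= 3 for d in deltas):
        return "incremental"
    return "random-or-per-destination"


def unsolicited_synacks(packets, local_ip):
    """From a host's own traffic, count SYN/ACKs per peer that answer no SYN the host sent.
    During an idle scan the zombie receives one of these from the target for every open
    port, while the scanner's address never appears in the capture at all."""
    outstanding = set()       # (peer_ip, peer_port) of SYNs this host sent
    hits = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        if src == local_ip and flags == "S":
            outstanding.add((dst, dport))
        elif dst == local_ip and flags == "SA":
            if (src, sport) in outstanding:
                outstanding.discard((src, sport))   # legitimate handshake reply
            else:
                hits[src] += 1                      # nobody here asked for this
    return dict(hits)


# Constructed sample: IPIDs read from six consecutive RST replies of a candidate host
SAMPLE_IDS = [4001, 4002, 4003, 4004, 4005, 4006]

# Constructed sample as seen by 10.0.0.5 (candidate zombie): one connection it opened itself,
# then three SYN/ACKs from 10.0.0.9 aimed at port 20 (scapy's default source port), which
# this host never contacted; tuples are (src, sport, dst, dport, flags).
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "10.0.0.2", 443, "S"),
    ("10.0.0.2", 443, "10.0.0.5", 51000, "SA"),
    ("10.0.0.9", 22, "10.0.0.5", 20, "SA"),
    ("10.0.0.5", 20, "10.0.0.9", 22, "R"),
    ("10.0.0.9", 80, "10.0.0.5", 20, "SA"),
    ("10.0.0.9", 445, "10.0.0.5", 20, "SA"),
]

if __name__ == "__main__":
    print(classify_ipid(SAMPLE_IDS))                       # incremental
    print(unsolicited_synacks(SAMPLE_PACKETS, "10.0.0.5"))  # {'10.0.0.9': 3}
```

A host that classifies as "incremental" with a steady stream of unsolicited SYN/ACKs is being used as someone else's zombie; the peer sending them is the scan target, not the scanner.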
Script:
```python
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
# History:
# 2019/4/13 MWQ First
# (Python 3: input() replaces the raw_input() of the original)
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *


def ipid(zombie):
    # Probe the candidate zombie three times with SYN/ACK. An idle host with an
    # incremental IPID answers each probe with a RST, so the IPID of reply2 must be
    # exactly reply1's IPID + 2 (the middle probe is sent without waiting for its RST).
    reply1 = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    send(IP(dst=zombie)/TCP(flags="SA"), verbose=0)
    reply2 = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    try:
        if reply2[IP].id == (reply1[IP].id + 2):
            print("IPID sequence is incremental and target to be idle. ZOMBIE LOCATED")
            response = input("Do you want to use this zombie to perform a scan? (Y or N):")
            if response == "Y":
                target = input("Enter IP address of the target system:")
                zombiescan(target, zombie)
        else:
            print("Either the IPID sequence is not incremental or the target is not idle. NOT A GOOD ZOMBIE")
    except Exception:
        # No reply at all (reply1 or reply2 is None): the host is probably filtering our probes
        print("zombie may not have turned down its firewall!")


def zombiescan(target, zombie):
    print(" Scanning target " + target + " with zombie " + zombie)
    print(" -----------------Open Ports On Target ----------------- ")
    for port in range(1, 200):
        try:
            # IPID before: the zombie's RST to our own SYN/ACK
            start_val = sr1(IP(dst=zombie)/TCP(flags="SA", dport=port), timeout=2, verbose=0)
            # Spoofed SYN: the target answers the zombie, not us
            send(IP(src=zombie, dst=target)/TCP(flags="S", dport=port), verbose=0)
            # IPID after: +2 means the zombie sent one extra packet in between
            # (a RST to the target's SYN/ACK), i.e. the port is open; +1 means closed
            end_val = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
            if end_val[IP].id == (start_val[IP].id + 2):
                print(port)
        except Exception:
            pass


print("-----------------Zombie Scan Suite----------------- ")
print("1 Identify Zombie Host ")
print("2 Perform Zombie Scan ")
ans = input("select an Option (1 or 2 ):")
if ans == "1":
    zombie = input("Enter IP address to test IPID sequence:")
    ipid(zombie)
elif ans == "2":
    zombie = input("Enter IP address for zombie system:")
    target = input("Enter IP address for scan target:")
    zombiescan(target, zombie)
```
Demo:
Comparing the two side by side, the success rate is still quite high!