• scapy学习笔记(3)发送包,SYN及TCP traceroute 扫描


    转载请注明:@小五义:http://www.cnblogs/xiaowuyi

        在安装完scapy(前两篇笔记有介绍)后,linux环境下,执行sudo scapy运行scapy。

    一、简单的发送包

    1、send()在第三层发送数据包,但没有接收功能。如:

    >>> send(IP(dst="www.baidu.com",ttl=1)/ICMP())
    .
    Sent 1 packets.

     这里相当于ping了下百度,ttl=1

    2、sendp(),在第二层发送数据包,同样没有接收功能。如:

    >>> sendp(Ether()/IP(dst="www.baidu.com",ttl=1)/ICMP())
    WARNING: Mac address to reach destination not found. Using broadcast.
    .
    Sent 1 packets.
    >>> sendp(Ether()/IP(dst="127.0.0.1",ttl=1)/ICMP())
    .
    Sent 1 packets.

    3、sr(),在第三层发送数据包,有接收功能。如:

    >>> p=sr(IP(dst="www.baidu.com",ttl=1)/ICMP())
    Begin emission:
    ..Finished to send 1 packets.
    .*
    Received 4 packets, got 1 answers, remaining 0 packets
    >>> p
    (<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
    >>> p[0]
    <Results: TCP:0 UDP:0 ICMP:1 Other:0>
    >>> p[0].show()
    0000 IP / ICMP 27.214.222.160 > 61.135.169.105 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror

    再比如,连续发送ttl=1,2,3,4四个包的情况
    >>> p=sr(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
    Begin emission:
    Finished to send 4 packets.
    .*.*.*.*
    Received 8 packets, got 4 answers, remaining 0 packets
    >>> p
    (<Results: TCP:0 UDP:0 ICMP:4 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
    >>> p[0].show()
    0000 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    0001 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 222.132.4.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    0002 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 119.190.5.126 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    0003 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 112.253.4.197 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    >>> 

    4、sr1(),在第三层发送数据包,有接收功能,但只接收第一个包。以上面的发送四个包为例:

    >>> q=sr1(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
    Begin emission:
    Finished to send 4 packets.
    .*.*.*.*
    Received 8 packets, got 4 answers, remaining 0 packets
    >>> q
    <IP  version=4L ihl=5L tos=0xc0 len=56 id=4773 flags= frag=0L ttl=255 proto=icmp chksum=0xb611 src=27.214.220.1 dst=27.214.222.160 options=[] |<ICMP  type=time-exceeded code=ttl-zero-during-transit chksum=0xf4ff unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=28 id=1 flags= frag=0L ttl=1 proto=icmp chksum=0xd879 src=27.214.222.160 dst=61.135.169.105 options=[] |<ICMPerror  type=echo-request code=0 chksum=0xf7ff id=0x0 seq=0x0 |>>>>
    >>> q.show()
    ###[ IP ]###
      version= 4L
      ihl= 5L
      tos= 0xc0
      len= 56
      id= 4773
      flags= 
      frag= 0L
      ttl= 255
      proto= icmp
      chksum= 0xb611
      src= 27.214.220.1
      dst= 27.214.222.160
      options
    ###[ ICMP ]###
         type= time-exceeded
         code= ttl-zero-during-transit
         chksum= 0xf4ff
         unused= 0
    ###[ IP in ICMP ]###
            version= 4L
            ihl= 5L
            tos= 0x0
            len= 28
            id= 1
            flags= 
            frag= 0L
            ttl= 1
            proto= icmp
            chksum= 0xd879
            src= 27.214.222.160
            dst= 61.135.169.105
            options
    ###[ ICMP in ICMP ]###
               type= echo-request
               code= 0
               chksum= 0xf7ff
               id= 0x0
               seq= 0x0

    5、srloop(),在第三层工作,如下:

    >>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP())
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    ^C        
    Sent 5 packets, received 5 packets. 100.0% hits.
    >>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP(),inter=3,count=2)
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
    RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
            
    Sent 2 packets, received 2 packets. 100.0% hits.

    这里第一条语句在执行时,将会不停的ping百度,第二条执行时每隔3秒ping一次,一共执行两次。inter表示间隔,count记录次数。

    6、srp()、srp1()、srploop()与上面3、4、5相同,只是工作在第二层。

    二、SYN扫描

    SYN扫描:也叫“半开式扫描”(half-open scanning),因为它没有完成一个完整的TCP连接。这种方法向目标端口发送一个SYN分组(packet),如果目标端口返回SYN/ACK,那么可以肯定该端口处于检听状态;否则,返回的是RST/ACK。

    >>> sr1(IP(dst="61.135.169.105")/TCP(dport=80,flags="S"))
    Begin emission:
    Finished to send 1 packets.
    .*
    Received 2 packets, got 1 answers, remaining 0 packets
    <IP  version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=61.135.169.105 dst=27.214.222.160 options=[] |<TCP  sport=http dport=ftp_data seq=3516051844L ack=1 dataofs=5L reserved=0L flags=SA window=8192 chksum=0x2aef urgptr=0 |>>
    
    >>> sr1(IP(dst="61.135.169.105")/TCP(dport=81,flags="S"))
    Begin emission:
    Finished to send 1 packets.
    .*
    Received 2 packets, got 1 answers, remaining 0 packets
    <IP  version=4L ihl=5L tos=0x0 len=56 id=31986 flags= frag=0L ttl=249 proto=icmp chksum=0xd677 src=123.125.248.102 dst=27.214.222.160 options=[] |<ICMP  type=dest-unreach code=communication-prohibited chksum=0xfc8d unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=27.214.222.160 dst=61.135.169.105 options=[] |<TCPerror  sport=ftp_data dport=81 seq=0 |>>>>

     从结果看,当扫描百度(61.135.169.105)的80端口时,返回的包中ACK=1或者flags=SA,说明该端口处于监听状态,当扫描81端口时,无ACK=1,或者flags=,说明其未处于监听状态。

    如果要扫描多个端口,可以使用以下语句,如扫描百度的80-83端口:

    >>>sr(IP(dst="www.baidu.com")/TCP(dport=(80,83),flags="S"))

    如要扫描21,80,3389等端口:

    >>>sr(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389],flags="S"))

    简单要显示结果:

    >>>ans,unans=_
    
    >>>ans.summary(lambda(s,r):r.sprintf("%TCP.sport% 	 %TCP.flags%"))
    
    http SA
    
    81   RA
    
    82   RA
    
    83   RA

    这里我在扫描80-83时,总是在不停的扫,用ctrl+C停止后,只能得到两个结果,目前没搞明白是什么原因。如下:

    >>> sr(IP(dst="www.baidu.com",ttl=56)/TCP(dport=(80,83),flags="S"))
    Begin emission:
    Finished to send 4 packets.
    .*.*.................................................................................
    ^C
    Received 85 packets, got 2 answers, remaining 2 packets
    (<Results: TCP:1 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:2 UDP:0 ICMP:0 Other:0>)
    >>> ans,unans=_
    >>> ans.summary()
    IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:http S ==> IP / TCP 61.135.169.105:http > 27.214.134.124:ftp_data SA
    IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:82 S ==> IP / ICMP 123.125.248.42 > 27.214.134.124 dest-unreach communication-prohibited / IPerror / TCPerror
    >>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% 	 %TCP.flags%"))
    http      SA
    ??      ??

    三、TCP traceroute

    traceroute:用来追踪出发点到目的地所经过的路径,通过Traceroute我们可以知道信息从你的计算机到互联网另一端的主机是走的什么路径。当然每次数据包由某一同样的出发点(source)到达某一同样的目的地(destination)走的路径可能会不一样,但基本上来说大部分时候所走的路由是相同的。

    >>> ans,unans=sr(IP(dst="www.baidu.com",ttl=(4,25),id=RandShort())/TCP(flags=0x2))
    Begin emission:
    ...*.*.*.*.*.*.*.*.*.*.*Finished to send 22 packets.
    .*.*.*.*.*.*.*.*.*.*....^C
    Received 48 packets, got 21 answers, remaining 1 packets
    >>> for snd,rcv in ans:
    ...     print snd.ttl,rcv.src,isinstance(rcv.payload,TCP)
    ... 
    4 112.253.4.177 False
    5 219.158.98.221 False
    6 124.65.194.22 False
    7 124.65.58.182 False
    8 123.125.248.42 False
    9 61.135.169.105 True
    10 61.135.169.105 True
    11 61.135.169.105 True
    12 61.135.169.105 True
    13 61.135.169.105 True
    14 61.135.169.105 True
    15 61.135.169.105 True
    16 61.135.169.105 True
    17 61.135.169.105 True
    18 61.135.169.105 True
    19 61.135.169.105 True
    20 61.135.169.105 True
    21 61.135.169.105 True
    22 61.135.169.105 True
    23 61.135.169.105 True
    24 61.135.169.105 True
  • 相关阅读:
    liunx知识点滴积累(1)
    Regsvr32命令的使用
    QTP知识点滴积累
    LoadRunner的Apache的监控
    CMM和过程改进的“妙语” 集锦
    Linux 性能调优的几种方法
    数据库学习笔录(转载)
    Windows性能管理解析
    使用NUnit在.Net编程中进行单元测试
    Google 工程师文化 互助篇
  • 原文地址:https://www.cnblogs.com/xiaowuyi/p/3337189.html
Copyright © 2020-2023  润新知