
Python Penetration Tool Study Notes I | 0x04 Port scanning with nmap (higher accuracy)

安恒网络空间安全讲武堂
Published 2018-02-06 14:52:57

0x04 Port scanning with nmap

Installing the nmap module on Windows runs into a few obstacles, mostly path problems; on Linux it is much easier. Keep in mind that python-nmap only wraps the nmap executable: the nmap binary itself must be installed and findable on the system (see nmap_search_path below), otherwise PortScanner() raises PortScannerError.

# Function implemented: port scanning

First, the nmap methods this script uses:

nmScan = nmap.PortScanner()  # create a PortScanner object (locates the nmap binary)
nmScan.scan(tgtHost, tgtPort)  # run a basic nmap scan (default arguments: -sV)
state = nmScan[tgtHost]['tcp'][int(tgtPort)]['state']  # read the state of the scanned port

A short description of each, followed by a usage example.

Example

Approach:

Take the target host and port(s) from command-line arguments (parsed with optparse) so the user can choose what to scan.

The script:

import nmap
import optparse

# Scan one TCP port on one host and print its state
def nmapScan(tgtHost, tgtPort):
    nmScan = nmap.PortScanner()  # create a PortScanner object (locates the nmap binary)
    nmScan.scan(tgtHost, tgtPort)  # run a basic nmap scan (default arguments: -sV)
    # results are keyed by IP address; a host that is down (or a hostname) is not a key,
    # and indexing it directly would raise KeyError
    if tgtHost not in nmScan.all_hosts():
        print("[-] " + tgtHost + " no result for tcp/" + tgtPort)
        return
    state = nmScan[tgtHost]['tcp'][int(tgtPort)]['state']  # read the port state
    print("[*] " + tgtHost + " tcp/" + tgtPort + " " + state)

def main():
    parser = optparse.OptionParser('usage %prog ' +
                                   '-H <target host> -p <target port>')
    parser.add_option('-H', dest='tgtHost', type='string',
                      help='specify target host')
    parser.add_option('-p', dest='tgtPort', type='string',
                      help='specify target port[s] separated by comma')
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    # both options are required; test them before str(None).split(',') turns a
    # missing value into the string 'None' and defeats the check
    if tgtHost is None or options.tgtPort is None:
        print(parser.usage)
        exit(0)
    # split the comma-separated port list
    tgtPorts = options.tgtPort.split(',')
    for tgtPort in tgtPorts:
        nmapScan(tgtHost, tgtPort)

if __name__ == '__main__':
    main()

Improving the script further

The logic above is simple enough, but the user has to type every port by hand, separated by commas, which becomes impractical once the number of ports grows. The version below adds a port range option, so the script can scan a contiguous range of ports or a user-chosen set of specific ports.

Source code of the improved port scanner:

import nmap
import optparse

# Scan one TCP port on one host and print its state
def nmapScan(tgtHost, tgtPort):
    nmScan = nmap.PortScanner()  # create a PortScanner object
    nmScan.scan(tgtHost, tgtPort)  # run a basic nmap scan
    # results are keyed by IP address; a missing key means nmap reported nothing for the host
    if tgtHost not in nmScan.all_hosts():
        print("[-] " + tgtHost + " no result for tcp/" + tgtPort)
        return
    state = nmScan[tgtHost]['tcp'][int(tgtPort)]['state']  # read the port state
    print("[*] " + tgtHost + " tcp/" + tgtPort + " " + state)

# Print usage plus examples and exit
def usage(parser):
    print(parser.usage)
    print('[#]example:')
    print('python 2-nmapScan.py -H 127.0.0.1 -p 21,22,23,25,80,8001,8010,8080,1433,3389,445')
    print('python 2-nmapScan.py -H 127.0.0.1 -P 1-65535')
    exit(0)

def main():
    # option definitions and usage text (the range option is -P, as in the examples)
    parser = optparse.OptionParser('usage %prog -H <target host> -p <target port> -P <port range>')
    parser.add_option('-H', dest='tgtHost', type='string', help='specify target host')
    parser.add_option('-p', dest='tgtPort', type='string', help='specify target port[s] separated by comma')
    parser.add_option('-P', dest='prange', type='string', help='specify a port range, e.g. 1-1024')
    (options, args) = parser.parse_args()
    tgtHost = options.tgtHost
    # a missing host, or neither -p nor -P, prints the usage; compare against None
    # directly rather than after str().split(), which would yield the string 'None'
    if tgtHost is None or (options.tgtPort is None and options.prange is None):
        usage(parser)
    if options.prange is None:
        # explicit comma-separated port list
        for tgtPort in options.tgtPort.split(','):
            nmapScan(tgtHost, tgtPort)
    else:
        # low-high range, both ends inclusive
        low, high = (int(x) for x in options.prange.split('-'))
        for i in range(low, high + 1):
            nmapScan(tgtHost, str(i))

if __name__ == '__main__':
    main()
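Both scripts above start a separate nmap process for every port, so `-P 1-65535` means 65535 nmap runs, each doing its own host discovery. nmap already accepts a port specification of its own (`21,22,80-90`), and python-nmap passes it straight through as the `ports` argument. The following is an added example, not code from the original post: it validates the user's port input, collapses it into one nmap port spec, and runs a single scan. It assumes the python-nmap package and the nmap binary are installed; the two pure helpers run without either.

```python
"""Added example (not from the original post): validate the -p / -P input
and hand nmap one port specification in its own syntax instead of starting
one nmap process per port.

Assumes the python-nmap package and the nmap binary are installed; the
pure helpers (expand_port_spec, compress_ports) run without either.
"""
import re

try:
    import nmap  # python-nmap; optional so the helpers below import without it
except ImportError:
    nmap = None

# one item of a port spec: a single port or a low-high range, digits only
PORT_ITEM_RE = re.compile(r'^\d{1,5}(-\d{1,5})?$')


def expand_port_spec(spec):
    """'21,22,80-83' -> [21, 22, 80, 81, 82, 83]; duplicates removed, sorted.

    Raises ValueError for anything that is not a port or an ordered range
    inside 1..65535, the check the scripts above leave to int() tracebacks.
    """
    ports = set()
    for item in spec.split(','):
        item = item.strip()
        if not PORT_ITEM_RE.match(item):
            raise ValueError('bad port item: %r' % item)
        low, _, high = item.partition('-')
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 65535:
            raise ValueError('range out of order or out of bounds: %r' % item)
        ports.update(range(low, high + 1))
    return sorted(ports)


def compress_ports(ports):
    """[21, 22, 23, 80] -> '21-23,80': the compact form nmap's -p accepts."""
    ports = sorted(set(ports))
    if not ports:
        return ''
    runs = []
    start = prev = ports[0]
    for port in ports[1:]:
        if port == prev + 1:
            prev = port
            continue
        runs.append((start, prev))
        start = prev = port
    runs.append((start, prev))
    return ','.join(str(a) if a == b else '%d-%d' % (a, b) for a, b in runs)


def scan_ports(host, spec, arguments='-sS', sudo=False):
    """One nmap run covering every requested port; returns {port: state}.

    -sS (SYN scan) needs raw sockets, so pass sudo=True when not root.
    python-nmap keys results by IP address even when `host` is a name,
    so iterate all_hosts() instead of indexing the dict with `host`.
    """
    if nmap is None:
        raise RuntimeError('python-nmap is not installed: pip install python-nmap')
    port_arg = compress_ports(expand_port_spec(spec))
    scanner = nmap.PortScanner()
    scanner.scan(hosts=host, ports=port_arg, arguments=arguments, sudo=sudo)
    states = {}
    for reported_host in scanner.all_hosts():
        for port, info in scanner[reported_host].get('tcp', {}).items():
            states[int(port)] = info['state']
    return states


if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
    spec = sys.argv[2] if len(sys.argv) > 2 else '21-25,80,443'
    for port, state in sorted(scan_ports(target, spec).items()):
        print('[*] %s tcp/%d %s' % (target, port, state))
```

Run it as `python scan_spec.py 10.10.10.1 21-25,80,8000-8100`: a bad range such as `80-22` or `70000` is rejected before nmap ever starts, and the whole spec becomes one `-p` argument, so host discovery and service probing happen once rather than once per port.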

First create a PortScanner object; the scan is performed through it.

The class has a scan() method that takes the targets and the port list as arguments and runs a basic nmap scan against them.

The python-nmap package must be installed (it supports Python 2.x and 3.x).

The package provides a set of interfaces for calling nmap from Python.

(1) Important classes and methods:

1. Creating the nmap scanner

class PortScanner()
    __init__(self, nmap_search_path=('nmap', '/usr/bin/nmap', '/usr/local/bin/nmap', '/sw/bin/nmap', '/opt/local/bin/nmap'))
    Initialize PortScanner module
    * detects nmap on the system and nmap version
    * may raise PortScannerError exception if nmap is not found in the path
    :param nmap_search_path: tuple of strings where to search for the nmap executable. Change this if you want to use a specific version of nmap.
    :returns: nothing

2. The scan method

scan(self, hosts='127.0.0.1', ports=None, arguments='-sV', sudo=False)
    Scan given hosts
    May raise PortScannerError exception if nmap output was not xml
    Test existence of the following key to know if something went wrong : ['nmap']['scaninfo']['error']
    If not present, everything was ok.
    :param hosts: string for hosts as nmap uses it 'scanme.nmap.org' or '198.116.0-255.1-127' or '216.163.128.20/20'
    :param ports: string for ports as nmap uses it '22,53,110,143-4564'
    :param arguments: string of arguments for nmap '-sU -sX -sC'
    :param sudo: launch nmap with sudo if True
    :returns: scan_result as dictionary

(2) Example

import nmap
scanner = nmap.PortScanner()    # nmap_search_path already lists the usual nmap locations; if nmap is not in one of the default paths, pass its path explicitly
results = scanner.scan(hosts='192.168.2.1', ports='80')
print(results)
{'nmap': {'command_line': 'nmap -oX - -p 80 -sV 192.168.2.1',
          'scaninfo': {'tcp': {'method': 'syn', 'services': '80'}},
          'scanstats': {'downhosts': '0',
                        'elapsed': '11.59',
                        'timestr': 'Thu Jul 21 10:08:34 2016',
                        'totalhosts': '1',
                        'uphosts': '1'}},
 'scan': {'192.168.2.1': {'addresses': {'ipv4': '192.168.2.1',
                                        'mac': 'D0:C7:C0:6A:F6:A0'},
                          'hostnames': [],
                          'status': {'reason': 'arp-response',
                                     'state': 'up'},
                          'tcp': {80: {'conf': '3',
                                       'cpe': '',
                                       'extrainfo': '',
                                       'name': 'http',
                                       'product': '',
                                       'reason': 'no-response',
                                       'state': 'filtered',
                                       'version': ''}},
                          'vendor': {'D0:C7:C0:6A:F6:A0': 'Tp-link '
                                                          'Technologies'}}}}
root@kali64:~# python test.py
{'nmap':
 {
  'scanstats': 
  { 'uphosts': '1', 
    'timestr': 'Mon Nov 20 22:26:21 2017', 
    'downhosts': '0', 
    'totalhosts': '1', 
    'elapsed': '9.09'}, 
    'scaninfo': 
     {'tcp': 
       {'services': '80', 
        'method': 'syn'
       }
     }, 
    'command_line': 'nmap -oX - -p 80 -sV 10.10.10.1'
  }, 
  'scan': 
   {'10.10.10.1': 
     {'status': 
        {'state': 'up', 
         'reason': 'arp-response'
        }, 
      'hostnames': [{'type': '', 'name': ''}], 
      'vendor': {'00:50:56:C0:00:08': 'VMware'}, 
      'addresses': {'mac': '00:50:56:C0:00:08', 'ipv4': '10.10.10.1'}, 
      'tcp': {80: 
                { 'product': 'Apache httpd', 
                  'state': 'open', 
                  'version': '2.4.18', 
                  'name': 'http', 
                  'conf': '10', 
                  'extrainfo': '(Win32) OpenSSL/1.0.2e PHP/5.5.30', 
                  'reason': 'syn-ack', 
                  'cpe': 'cpe:/a:apache:http_server:2.4.18'
                }
             }
      }
    }
}
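The two dumps above show what the wrapper scripts silently assume: that `['scan'][host]` exists and that the port's `state` is worth printing. The first dump reports `filtered` with reason `no-response` (nothing answered, so nothing is known about a service); the second reports `open` with reason `syn-ack` and, thanks to the default `-sV`, a product and version. The block below is an added example, not code from the original post or from python-nmap: it reads the result dictionary defensively, checking the `['nmap']['scaninfo']['error']` key the docstring mentions, handling a host that never appears in `['scan']`, and separating open ports from filtered ones. The sample dictionaries are constructed to match the shape of the dumps above (trimmed to the keys used), not captured from a live scan.

```python
"""Added example (not from the original post): read python-nmap's result
dictionary the way its docstring suggests, before trusting a port state.
The sample dicts below are constructed to match the shape of the dumps
in the post; they are not output of a live scan.
"""


def scan_error(result):
    """Return nmap's error text if the scan failed, else None.

    Per the python-nmap docstring, ['nmap']['scaninfo']['error'] exists
    only when something went wrong (bad flag, missing privileges, ...).
    """
    return result.get('nmap', {}).get('scaninfo', {}).get('error')


def summarize_ports(result, host, proto='tcp'):
    """{port: {'state', 'reason', 'service'}} for `host`, or None when the
    host is absent from ['scan'] (down, or dropped by host discovery); the
    scripts in the post index result['scan'][host] directly and raise
    KeyError in that case.
    """
    host_entry = result.get('scan', {}).get(host)
    if host_entry is None:
        return None
    summary = {}
    for port, info in host_entry.get(proto, {}).items():
        # -sV fills product/version; without a banner only the IANA service name is known
        service = ' '.join(x for x in (info.get('product'), info.get('version')) if x)
        summary[int(port)] = {
            'state': info.get('state', 'unknown'),
            'reason': info.get('reason', ''),  # syn-ack -> open, reset -> closed, no-response -> filtered
            'service': service or info.get('name', ''),
        }
    return summary


def open_ports(summary):
    """Ports reported 'open'; 'filtered' (no response) is not evidence of a listener."""
    return sorted(p for p, info in (summary or {}).items() if info['state'] == 'open')


# Constructed samples shaped like the two dumps in the post (trimmed to the keys used here).
OPEN_SAMPLE = {
    'nmap': {'command_line': 'nmap -oX - -p 80 -sV 10.10.10.1',
             'scaninfo': {'tcp': {'method': 'syn', 'services': '80'}}},
    'scan': {'10.10.10.1': {'status': {'state': 'up', 'reason': 'arp-response'},
                            'tcp': {80: {'state': 'open', 'reason': 'syn-ack', 'name': 'http',
                                         'product': 'Apache httpd', 'version': '2.4.18'}}}},
}
FILTERED_SAMPLE = {
    'nmap': {'command_line': 'nmap -oX - -p 80 -sV 192.168.2.1',
             'scaninfo': {'tcp': {'method': 'syn', 'services': '80'}}},
    'scan': {'192.168.2.1': {'status': {'state': 'up', 'reason': 'arp-response'},
                             'tcp': {80: {'state': 'filtered', 'reason': 'no-response',
                                          'name': 'http', 'product': '', 'version': ''}}}},
}
# Constructed: the error branch (message text is made up) and a host that never answered.
ERROR_SAMPLE = {'nmap': {'command_line': 'nmap -oX - -p 80 -sS 10.10.10.1',
                         'scaninfo': {'error': 'constructed: nmap requires root for -sS'}},
                'scan': {}}
DOWN_SAMPLE = {'nmap': {'command_line': 'nmap -oX - -p 80 -sV 10.10.10.2',
                        'scaninfo': {'tcp': {'method': 'syn', 'services': '80'}}},
               'scan': {}}


if __name__ == '__main__':
    for name, result, host in (('open', OPEN_SAMPLE, '10.10.10.1'),
                               ('filtered', FILTERED_SAMPLE, '192.168.2.1'),
                               ('error', ERROR_SAMPLE, '10.10.10.1'),
                               ('down', DOWN_SAMPLE, '10.10.10.2')):
        err = scan_error(result)
        if err:
            print('[!] %s: nmap error: %s' % (name, err))
            continue
        summary = summarize_ports(result, host)
        if summary is None:
            print('[-] %s: %s not in results (host down or filtered)' % (name, host))
            continue
        for port, info in sorted(summary.items()):
            print('[*] %s: %s tcp/%d %s (%s) %s' % (name, host, port, info['state'],
                                                    info['reason'], info['service']))
```

The same three checks apply to a real `scanner.scan(...)` return value: look at the error key first, then whether the host is present at all, and only then at port states, treating `filtered` as "unknown" rather than as a reachable service.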

To be continued

This article is part of the Tencent Cloud self-media sharing programme and was shared from a WeChat public account.
Originally published 2017-12-05. In case of infringement, contact cloudcommunity@tencent.com for removal.

Shared from the 恒星EDU WeChat public account.
