[primalsecurity] 0x1 – Port Scanner
0w0 2019. 12. 18. 04:43
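Analysis of code that performs port scanning with a loop (for)

The scan works by repeatedly attempting network socket connections for each IP/port combination.

```python
>>> for port in range(1000,1024):
...     print("[+] The port is : "+str(port))
```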
Output

```
[+] The port is : 1000
[+] The port is : 1001
[+] The port is : 1002
[+] The port is : 1003
[+] The port is : 1004
[+] The port is : 1005
[+] The port is : 1006
[+] The port is : 1007
[+] The port is : 1008
[+] The port is : 1009
[+] The port is : 1010
[+] The port is : 1011
[+] The port is : 1012
[+] The port is : 1013
[+] The port is : 1014
[+] The port is : 1015
[+] The port is : 1016
[+] The port is : 1017
[+] The port is : 1018
[+] The port is : 1019
[+] The port is : 1020
[+] The port is : 1021
[+] The port is : 1022
[+] The port is : 1023
>>>
```
Connecting a socket with the built-in socket module

```python
>>> import socket
>>>
>>> s = socket.socket()
>>> s.connect(('127.0.0.1', 22))
>>> s.send('Primal Security \n')
17
>>> banner = s.recv(1024)
>>> print banner
OpenSSH
```
After importing the socket module, call connect() to connect to the IP/port.

send() sends data to the connected endpoint.

recv() receives the response from that port.
Exception handling (try/except)

```python
>>> try:
...     s.connect(('127.0.0.1', 23))
... except: pass
```
Applying exception handling

```python
>>> for port in range(20,25):
...     try:
...         print("[+] Attempting to connect to 127.0.0.1:"+str(port))
...         # new socket for each port: a closed or failed socket cannot be reused
...         s = socket.socket()
...         s.connect(('127.0.0.1', port))
...         s.send('Primal Security \n')
...         banner = s.recv(1024)
...         if banner:
...             print("[+] Port "+str(port)+" open: "+banner)
...         s.close()
...     except: pass
...
17
[+] Attempting to connect to 127.0.0.1:20
[+] Attempting to connect to 127.0.0.1:21
[+] Attempting to connect to 127.0.0.1:22
[+] Port 22 open: OpenSSH
[+] Attempting to connect to 127.0.0.1:23
[+] Attempting to connect to 127.0.0.1:24
[+] Attempting to connect to 127.0.0.1:25
```

The `if banner:` condition prints the port as open only when the probe receives a response.
Using a list of ports

```python
>>> ports = [22, 445, 80, 443, 3389]
>>> for port in ports:
...     print port
...
22
445
80
443
3389
>>>
```
Sending probes to a list of targets and a list of ports with nested for loops

```python
>>> hosts = ['127.0.0.1', '192.168.1.5', '10.0.0.1']
>>>
>>> ports = [22, 445, 80, 443, 3389]
>>>
>>> for host in hosts:
...     for port in ports:
...         try:
...             print("[+] Connecting to "+host+":"+str(port))
...             # new socket for each probe: a closed or failed socket cannot be reused
...             s = socket.socket()
...             s.connect((host, port))
...             s.send('Primal Security \n')
...             banner = s.recv(1024)
...             if banner:
...                 print("[+] Port "+str(port)+" open: "+banner)
...             s.close()
...         except: pass
...
[+] Connecting to 127.0.0.1:22
[+] Port 22 open: OpenSSH
[+] Connecting to 127.0.0.1:445
[+] Connecting to 127.0.0.1:80
[+] Connecting to 127.0.0.1:443
[+] Connecting to 127.0.0.1:3389
[+] Connecting to 192.168.1.5:22
[+] Connecting to 192.168.1.5:445
[+] Connecting to 192.168.1.5:80
[+] Connecting to 192.168.1.5:443
[+] Connecting to 192.168.1.5:3389
[+] Connecting to 10.0.0.1:22
[+] Connecting to 10.0.0.1:445
[+] Connecting to 10.0.0.1:80
[+] Connecting to 10.0.0.1:443
[+] Connecting to 10.0.0.1:3389
```
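Added example, not part of the original tutorial, written for Python 3 (the sessions above use Python 2 syntax): the same connect-and-read-banner probe with a fresh socket and a timeout per port, reporting refused, unanswered and open ports separately instead of hiding them behind a bare `except`. The function names, the local listener and its banner are constructed for this example, and it only talks to 127.0.0.1.

```python
import socket
import threading

def probe(host, port, timeout=1.0):
    """Return (state, banner); state is 'open', 'closed' or 'filtered'."""
    try:
        # create_connection() builds a fresh socket for every probe and
        # applies the timeout to connect() and to the later recv().
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(1024)
            except (socket.timeout, ConnectionResetError):
                banner = b""  # open, but the service sent nothing in time
            return "open", banner.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "closed", ""    # host answered with a reset: nothing listening
    except OSError:
        return "filtered", ""  # timeout or unreachable: no answer at all

def scan(host, ports, timeout=1.0):
    """Probe each port once and return {port: (state, banner)}."""
    return {port: probe(host, port, timeout) for port in ports}

def start_test_listener(banner=b"SSH-2.0-ExampleServer\r\n"):
    """Constructed local service on an ephemeral 127.0.0.1 port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, open_port = start_test_listener()
    for port, (state, banner) in scan("127.0.0.1", [open_port]).items():
        print("[+] Port %d %s: %s" % (port, state, banner))
```

Without the timeout, `recv()` blocks indefinitely on services that wait for the client to speak first, which is why the probe treats a silent but connected port as open with an empty banner.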
dir(socket)

```python
>>> dir(socket)
```