Last time ([Python] Python and Security-① What is Python), I looked at the outline and features of Python. This time, let's make a simple port scanning tool with Python. Such a tool also lets an administrator find services that have been left running carelessly and deal with them.
** Port scanning, like banner grabbing, is an act of information gathering, and carrying it out against a target you are not authorized to test may be a crime. Please note that we take no responsibility for any problems arising from this article. ** **
Port scanning means probing a target server or network device to find and identify the ports that are open. Knowing which ports are open tells you which services the target is running, and for an attacker a port scan is the preparation for an attack.
** The types of Port Scan are as follows **
UDP Port Scan A UDP scan probes each port with a UDP datagram. A closed port answers with an ICMP Destination Unreachable / Port Unreachable message, while an open port usually does not answer at all (unless the service replies to the probe payload). UDP scanning is slow and unreliable because routers and firewalls often drop the ICMP errors and many hosts rate-limit them, so silence can mean either open or filtered.
TCP Connect Scan(TCP Open Scan) A scan that uses the connect () function to complete the full 3-way handshake with the target and reports the port as open when the connection succeeds. It is reliable and needs no root privileges, but it is slow, and because the connection is fully established the service on the target sees it and usually logs it.
TCP Half-Open Scan(SYN Stealth Scan) Unlike the TCP Connect Scan, the Half-Open Scan, also known as SYN scan, never completes the 3-way handshake: it sends only a SYN packet and judges the port from the reply (SYN/ACK means open, RST means closed). The application on the target never sees a connection, so it leaves far fewer logs, but root privileges are required to implement it.
** Why do you need root privileges? ** The scanner has to set the control bits (SYN, RST and so on) of the TCP header itself, which means building packets on a raw socket instead of letting the kernel's connect () do it, and opening a raw socket requires root (on Linux, the CAP_NET_RAW capability). ** Why is there no log? ** When the SYN/ACK response arrives from the target, the scanner sends a packet with the RST bit set instead of the ACK that would complete the handshake. The RST tears the half-open connection down before it is ever established, so the service on the target never accepts a connection and usually records nothing. Note that this only avoids application logs: a firewall or IDS watching the wire still sees the SYN and can log it.
FIN/NULL/Xmas Scan These three scans send TCP packets with abnormal flag combinations: the FIN Scan sets only the FIN flag, the NULL Scan sets no flags at all, and the Xmas Scan sets FIN, PSH and URG at the same time. Since none of them is a normal connection attempt, they leave no application log. They only work against targets that follow RFC 793 (UNIX / Linux TCP stacks), which reply with RST for a closed port and stay silent for an open one; Windows replies RST regardless, and silence cannot be told apart from a packet dropped by a filter, so the result is reported as Open / Filtered rather than a definite open or closed. (Figures: FIN Scan, NULL Scan, Xmas Scan)
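To make the differences between the scan types concrete, here is an added example that is not code from the original post: it builds the 20-byte TCP header each probe type would send, with the control bits set by hand (the part that needs a raw socket, and therefore root), and maps the reply to the state a scanner reports. The addresses, ports and the `send_probe` helper are assumptions for illustration; `send_probe` needs root/CAP_NET_RAW, a Linux host and a target you are authorized to scan, so the example only builds, checks and classifies packets.

```python
import socket
import struct

# TCP control bits (RFC 793). A SYN/FIN/NULL/Xmas scanner sets these itself,
# which is why it needs a raw socket instead of connect().
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination each probe type sends in its first packet.
SCAN_FLAGS = {
    "connect": SYN,          # same first packet as a normal connection
    "syn": SYN,              # half-open: the SYN/ACK is answered with RST, not ACK
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,
}


def _checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      flags: int, seq: int = 0) -> bytes:
    """Build a TCP header (no options, no payload) with the given control bits.
    The kernel does not fill in the checksum for a raw TCP segment, so we compute it."""
    data_offset = 5  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port, seq, 0,      # ports, seq, ack
                         data_offset << 4, flags,         # offset/reserved, control bits
                         65535, 0, 0)                     # window, checksum (0), urgent ptr
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct checksum makes the checksum over pseudo-header + segment come out as 0."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flags_of(segment: bytes) -> int:
    """Read the control bits back out of a TCP header (byte 13)."""
    return segment[13]


def classify(scan_type: str, reply_flags):
    """Map a reply to the state a scanner reports. reply_flags is None when nothing
    came back within the timeout, otherwise the control bits of the reply."""
    if scan_type in ("connect", "syn"):
        if reply_flags is None:
            return "filtered"              # SYN silently dropped by a firewall
        if reply_flags & RST:
            return "closed"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"                  # for "syn" the kernel, having no socket
        return "unknown"                   # for this port, answers the SYN/ACK with RST
    # FIN/NULL/Xmas: an RFC 793 stack sends RST for a closed port and nothing for an
    # open one, so silence cannot be told apart from a filter. Windows sends RST either way.
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unknown"


def send_probe(src_ip, dst_ip, src_port, dst_port, scan_type):
    """Send one hand-built probe on a raw socket (root/CAP_NET_RAW, Linux; not run here).
    Without IP_HDRINCL the kernel prepends the IP header for us."""
    seg = build_tcp_segment(src_ip, dst_ip, src_port, dst_port, SCAN_FLAGS[scan_type])
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as raw:
        raw.sendto(seg, (dst_ip, 0))
    return seg
```

Capturing the reply for `classify` would need a second raw socket (or a sniffer such as scapy) reading the SYN/ACK or RST that comes back, which is also a privileged operation; that receive side is left out here.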
After importing the socket module, create a socket, pass the IP address and port number to the connect () function, and a TCP connection is established. Data can then be sent and received with the send () and recv () functions.
port_scanning.py
import socket

# Plain TCP connect: if connect() returns without an error, the port is open.
s = socket.socket()               # defaults to AF_INET, SOCK_STREAM (TCP)
s.connect(('127.0.0.1', 23))      # (IP address, port number); replace with the target
s.close()
"Result" port_scanning.py
#If the port is open
>> (no output: connect() returns and the script exits normally)
#If the port is not open
Traceback (most recent call last):
  File "C:/~", line 3, in <module>
    s.connect(('127.0.0.1', 23))
ConnectionRefusedError: [WinError 10061] No connection could be made because the target machine actively refused it
To handle the error, use "try" and "except" statements as a simple way to distinguish success from failure.
port_scanning.py
import socket

try:
    s = socket.socket()
    s.connect(('127.0.0.1', 23))  # replace with the target IP address and port number
    print('success')              # connect() returned: the port is open
    s.close()
except OSError:                   # ConnectionRefusedError, timeouts etc. all derive from OSError
    print('fail')
"Result" port_scanning.py
#If the port is open
>> success
#If the port is not open
>> fail
Next, use a for loop so that every port number in a range is checked automatically.
port_scanning.py
import socket

for port in range(1, 101):           # ports 1 to 100
    try:
        s = socket.socket()
        s.settimeout(1)              # a filtered port never answers; do not wait forever
        s.connect(('127.0.0.1', port))   # replace with the target IP address
        print('Open port:%d' % port)
        s.close()
    except OSError:
        pass                         # refused or timed out: not open
"Result" port_scanning.py
>>Open port:22
>>Open port:80
Checking ports 1 to 100 one by one takes time, so let's use Python's list type to scan only the ports that are commonly used.
** Frequently used ports ** 20, 21(FTP) / 22(SSH) / 23(Telnet) / 25(SMTP) / 53(DNS) / 80(HTTP) / 110(POP3) / 123(NTP) / 443(HTTPS) / 1433(MSSQL) / 3306(MYSQL) / 1521(ORACLE) / 8080(ORACLE, TOMCAT) / 3389(RDP)
port_scanning.py
import socket

ports = [20, 21, 22, 23, 25, 53, 80, 110, 123, 443, 1433, 3306, 1521, 8080, 3389]

for port in ports:
    try:
        s = socket.socket()
        s.settimeout(1)              # do not hang on ports that never answer
        s.connect(('127.0.0.1', port))   # replace with the target IP address
        print('Open port:%d' % port)
        s.close()
    except OSError:
        pass
"Result" port_scanning.py
>>Open port:80
>>Open port:443
>>Open port:3306
>>Open port:8080
Finally, let's use the input () function to read the host address from the user and perform the port scan against it.
port_scanning.py
import socket

ports = [20, 21, 22, 23, 25, 53, 80, 110, 123, 443, 1433, 3306, 1521, 8080, 3389]
host = input('IP address:')

for port in ports:
    try:
        s = socket.socket()
        s.settimeout(1)              # do not hang on ports that never answer
        s.connect((host, port))
        print('Open port:%d' % port)
        s.close()
    except OSError:
        pass
"Result" port_scanning.py
>>IP address: 127.0.0.1
>>Open port:80
>>Open port:443
>>Open port:3306
>>Open port:8080
This time I made a simple port scanning tool using Python's socket library, but various modifications are needed before it can be used in practice. Still, since it shows the principle of port scanning and how a basic port scanning tool can be written in Python, I hope that those in charge of systems and administrators can refer to this post to help build a more secure network environment.
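As an added example, not code from the original post, here is the connect-scan tool with the changes that make it usable in practice: a per-connection timeout so filtered ports do not hang the scan, an explicit distinction between refused (closed) and silent (filtered) ports, a thread pool so the port list is scanned in parallel, and a banner grab with recv() on ports that answer. The `start_fake_service` listener and its SSH-style banner are constructed so the scanner can be tried on 127.0.0.1 offline; everything else uses only the standard library, and the host given to the tool must be one you are authorized to scan.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

COMMON_PORTS = [20, 21, 22, 23, 25, 53, 80, 110, 123, 443, 1433, 3306, 1521, 8080, 3389]


def scan_port(host, port, timeout=1.0, grab_banner=True):
    """Connect scan of one port. Returns (port, state, banner); state is 'open',
    'closed' (connection refused / RST) or 'filtered' (no answer within the timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = ""
            if grab_banner:
                s.settimeout(timeout)
                try:
                    banner = s.recv(1024).decode("ascii", "replace").strip()
                except socket.timeout:
                    banner = ""      # service waits for the client to speak first (e.g. HTTP)
            return port, "open", banner
    except ConnectionRefusedError:
        return port, "closed", ""
    except socket.timeout:
        return port, "filtered", ""
    except OSError as e:             # unreachable host, name resolution failure, ...
        return port, "error: %s" % e, ""


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Scan the ports in parallel; returns a list of (port, state, banner) sorted by port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: scan_port(host, p, timeout), ports))
    return sorted(results)


def start_fake_service(banner=b"SSH-2.0-OpenSSH_8.9\r\n"):
    """Constructed loopback listener so the scanner can be exercised offline.
    Binds port 0 so the OS picks a free port, sends a made-up banner, returns the port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """A loopback port that is currently closed (bind and release; tiny race window)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one constructed open port and one closed port on 127.0.0.1."""
    open_port = start_fake_service()
    closed_port = free_port()
    return {port: (state, banner)
            for port, state, banner in scan_ports("127.0.0.1", [open_port, closed_port])}


if __name__ == "__main__":
    host = input("IP address:")
    for port, state, banner in scan_ports(host, COMMON_PORTS):
        if state == "open":
            print("Open port:%d %s" % (port, banner))
```

Run it directly and it behaves like the tool above, with the banner (if any) printed next to each open port; the banner is what the target's service volunteers before the client says anything, which is exactly the information the disclaimer at the top warns about collecting without permission.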
February 14, 2020 [Python] Python and Security-① What is Python