Please credit when reposting: @小五義: http://www.cnblogs/xiaowuyi
After installing scapy (covered in the previous two notes), run `sudo scapy` on Linux to start the scapy shell.
I. Sending packets the simple way
1. send() sends packets at layer 3 and cannot receive. For example:
>>> send(IP(dst="www.baidu.com",ttl=1)/ICMP())
.
Sent 1 packets.
This is roughly a ping of Baidu with ttl=1.
2. sendp() sends packets at layer 2; it also cannot receive. For example:
>>> sendp(Ether()/IP(dst="www.baidu.com",ttl=1)/ICMP())
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="127.0.0.1",ttl=1)/ICMP())
.
Sent 1 packets.
3. sr() sends packets at layer 3 and receives the replies. For example:
>>> p=sr(IP(dst="www.baidu.com",ttl=1)/ICMP())
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
>>> p
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> p[0]
<Results: TCP:0 UDP:0 ICMP:1 Other:0>
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.105 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
Another example: sending four packets with ttl=1,2,3,4 in one call
>>> p=sr(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*
Received 8 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:0 UDP:0 ICMP:4 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0001 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 222.132.4.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0002 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 119.190.5.126 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0003 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 112.253.4.197 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
>>>
4. sr1() sends packets at layer 3 and receives, but returns only the first reply. Using the four-packet send above as the example:
>>> q=sr1(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*
Received 8 packets, got 4 answers, remaining 0 packets
>>> q
<IP version=4L ihl=5L tos=0xc0 len=56 id=4773 flags= frag=0L ttl=255 proto=icmp chksum=0xb611 src=27.214.220.1 dst=27.214.222.160 options=[] |<ICMP type=time-exceeded code=ttl-zero-during-transit chksum=0xf4ff unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=28 id=1 flags= frag=0L ttl=1 proto=icmp chksum=0xd879 src=27.214.222.160 dst=61.135.169.105 options=[] |<ICMPerror type=echo-request code=0 chksum=0xf7ff id=0x0 seq=0x0 |>>>>
>>> q.show()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0xc0
  len= 56
  id= 4773
  flags=
  frag= 0L
  ttl= 255
  proto= icmp
  chksum= 0xb611
  src= 27.214.220.1
  dst= 27.214.222.160
  \options\
###[ ICMP ]###
     type= time-exceeded
     code= ttl-zero-during-transit
     chksum= 0xf4ff
     unused= 0
###[ IP in ICMP ]###
        version= 4L
        ihl= 5L
        tos= 0x0
        len= 28
        id= 1
        flags=
        frag= 0L
        ttl= 1
        proto= icmp
        chksum= 0xd879
        src= 27.214.222.160
        dst= 61.135.169.105
        \options\
###[ ICMP in ICMP ]###
           type= echo-request
           code= 0
           chksum= 0xf7ff
           id= 0x0
           seq= 0x0
5. srloop() works at layer 3, as follows:
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP())
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
^C
Sent 5 packets, received 5 packets. 100.0% hits.
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP(),inter=3,count=2)
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
Sent 2 packets, received 2 packets. 100.0% hits.
The first statement keeps pinging Baidu until it is interrupted; the second pings once every 3 seconds, two times in total. inter is the interval between sends, count the number of sends.
6. srp(), srp1() and srploop() behave like 3, 4 and 5 above, but work at layer 2.
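The replies above are ICMP time-exceeded messages, and scapy's IPerror / ICMPerror layers are simply the original datagram quoted inside the ICMP body. The following added example (plain Python, standard library only; it is not scapy and not code from the original post) decodes such a reply by hand, so the nested structure that show() prints is visible byte by byte. The sample datagram is constructed to mirror the capture above: router 27.214.220.1 reporting TTL exhaustion for the echo request 27.214.222.160 -> 61.135.169.105 sent with ttl=1.

```python
"""Decode an ICMP time-exceeded reply by hand (scapy: IP / ICMP / IPerror / ICMPerror)."""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl, ident, tos=0):
    """20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack(IP_HDR, 0x45, tos, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp(icmp_type, code, payload=b""):
    """ICMP message: type, code, checksum, 4 unused bytes (id/seq for echo), then payload."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_ipv4(buf):
    """Split an IPv4 datagram into (header fields, payload), verifying the header checksum."""
    fields = struct.unpack(IP_HDR, buf[:20])
    ver_ihl, ihl = fields[0], (fields[0] & 0x0F) * 4
    if ver_ihl >> 4 != 4 or len(buf) < ihl or inet_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    hdr = {"len": fields[2], "id": fields[3], "ttl": fields[5], "proto": fields[6],
           "chksum": fields[7], "src": socket.inet_ntoa(fields[8]),
           "dst": socket.inet_ntoa(fields[9])}
    return hdr, buf[ihl:fields[2]]


def parse_time_exceeded(buf):
    """Return who reported the drop and what the quoted original packet was."""
    outer, icmp = parse_ipv4(buf)
    if outer["proto"] != socket.IPPROTO_ICMP:
        raise ValueError("not ICMP")
    icmp_type, code, chksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != ICMP_TIME_EXCEEDED or inet_checksum(icmp) != 0:
        raise ValueError("not a valid time-exceeded message")
    # RFC 792: after the 8-byte ICMP header comes the original IP header
    # plus at least the first 8 bytes of its payload (scapy's IPerror/ICMPerror).
    inner, inner_payload = parse_ipv4(icmp[8:])
    inner_type = struct.unpack("!B", inner_payload[:1])[0]
    return {
        "reporter": outer["src"],
        "code": "ttl-zero-during-transit" if code == 0 else "fragment-reassembly-time-exceeded",
        "outer_chksum": chksum,
        "orig_src": inner["src"], "orig_dst": inner["dst"], "orig_ttl": inner["ttl"],
        "orig_chksum": inner["chksum"],
        "orig_type": "echo-request" if inner_type == ICMP_ECHO_REQUEST else inner_type,
    }


def build_sample_reply():
    """Constructed sample: the reply the sr1(IP(dst=..., ttl=1)/ICMP()) call above received."""
    inner_icmp = build_icmp(ICMP_ECHO_REQUEST, 0)        # echo-request id=0 seq=0, no data
    inner_ip = build_ipv4_header("27.214.222.160", "61.135.169.105", socket.IPPROTO_ICMP,
                                 len(inner_icmp), ttl=1, ident=1)
    outer_icmp = build_icmp(ICMP_TIME_EXCEEDED, 0, inner_ip + inner_icmp)
    outer_ip = build_ipv4_header("27.214.220.1", "27.214.222.160", socket.IPPROTO_ICMP,
                                 len(outer_icmp), ttl=255, ident=4773, tos=0xC0)
    return outer_ip + outer_icmp


if __name__ == "__main__":
    for key, value in parse_time_exceeded(build_sample_reply()).items():
        print("%-13s %s" % (key, value))
```

Because the sample uses the same addresses, ids and TTLs as the capture, the checksums the builder computes (0xb611, 0xf4ff, 0xd879, 0xf7ff) come out equal to the ones scapy printed, which is a convenient check that both the builder and the parser agree with the wire format.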
II. SYN scan
SYN scan: also called "half-open scanning", because it never completes a full TCP connection. The method sends a SYN packet to the target port; if the target port replies with SYN/ACK, the port is certainly listening; otherwise the reply is RST/ACK.
>>> sr1(IP(dst="61.135.169.105")/TCP(dport=80,flags="S"))
Begin emission:
Finished to send 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=61.135.169.105 dst=27.214.222.160 options=[] |<TCP sport=http dport=ftp_data seq=3516051844L ack=1 dataofs=5L reserved=0L flags=SA window=8192 chksum=0x2aef urgptr=0 |>>
>>> sr1(IP(dst="61.135.169.105")/TCP(dport=81,flags="S"))
Begin emission:
Finished to send 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=56 id=31986 flags= frag=0L ttl=249 proto=icmp chksum=0xd677 src=123.125.248.102 dst=27.214.222.160 options=[] |<ICMP type=dest-unreach code=communication-prohibited chksum=0xfc8d unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=27.214.222.160 dst=61.135.169.105 options=[] |<TCPerror sport=ftp_data dport=81 seq=0 |>>>>
From the results: when scanning port 80 of Baidu (61.135.169.105), the returned packet has ACK=1 / flags=SA, so the port is listening; when scanning port 81 the reply carries no ACK=1 / flags=SA, so the port is not listening.
To scan several ports, use a statement like the following, e.g. ports 80-83 of Baidu:
>>> sr(IP(dst="www.baidu.com")/TCP(dport=(80,83),flags="S"))
To scan ports such as 21, 80 and 3389:
>>> sr(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389],flags="S"))
To show the results in a compact form:
>>> ans,unans=_
>>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http SA
81 RA
82 RA
83 RA
When I scanned 80-83 here it kept scanning without stopping; after stopping it with Ctrl+C I only got two results, and I have not yet figured out why. As follows:
>>> sr(IP(dst="www.baidu.com",ttl=56)/TCP(dport=(80,83),flags="S"))
Begin emission:
Finished to send 4 packets.
.*.*.................................................................................
^C
Received 85 packets, got 2 answers, remaining 2 packets
(<Results: TCP:1 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:2 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:http S ==> IP / TCP 61.135.169.105:http > 27.214.134.124:ftp_data SA
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:82 S ==> IP / ICMP 123.125.248.42 > 27.214.134.124 dest-unreach communication-prohibited / IPerror / TCPerror
>>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http SA
?? ??
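Seen from the other side, the signature of a half-open scan is exactly what the summaries above show: one source sends SYNs to a run of different ports, collects SA or RA (or an ICMP unreachable, or nothing) and never sends the third-step ACK that a real connection would. The following added example (plain Python, standard library only; it is not scapy and not code from the original post) applies that rule to connection-log lines. The log lines and their format "<time> <src>:<sport> > <dst>:<dport> <flags>" are constructed to mimic scapy's summary() output, and the addresses are documentation ranges.

```python
"""Flag sources whose SYNs to many ports are never followed by their own ACK."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 probes five ports from one source port;
# 203.0.113.4 completes a normal three-way handshake to port 80.
LOG_LINES = """\
2013-05-10T10:00:00 198.51.100.7:20 > 192.0.2.10:80 S
2013-05-10T10:00:00 192.0.2.10:80 > 198.51.100.7:20 SA
2013-05-10T10:00:00 198.51.100.7:20 > 192.0.2.10:81 S
2013-05-10T10:00:00 192.0.2.10:81 > 198.51.100.7:20 RA
2013-05-10T10:00:01 198.51.100.7:20 > 192.0.2.10:82 S
2013-05-10T10:00:01 192.0.2.10:82 > 198.51.100.7:20 RA
2013-05-10T10:00:01 198.51.100.7:20 > 192.0.2.10:83 S
2013-05-10T10:00:02 198.51.100.7:20 > 192.0.2.10:3389 S
2013-05-10T10:00:02 192.0.2.10:3389 > 198.51.100.7:20 RA
2013-05-10T10:00:05 203.0.113.4:51234 > 192.0.2.10:80 S
2013-05-10T10:00:05 192.0.2.10:80 > 203.0.113.4:51234 SA
2013-05-10T10:00:05 203.0.113.4:51234 > 192.0.2.10:80 A
"""


def parse_line(line):
    """'<time> <src>:<sport> > <dst>:<dport> <flags>' -> dict (assumed log format)."""
    ts, src, _, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "flags": flags}


def find_syn_scanners(lines, min_ports=4, window=timedelta(seconds=10)):
    """Return {src: {(dst, dport): outcome}} for every source that sent SYNs to at
    least `min_ports` distinct ports inside `window` without ever sending the ACK
    that completes a handshake.  outcome is what the probe learned: 'open' (SA),
    'closed' (RA) or 'no-reply' (nothing came back, e.g. silently filtered)."""
    probes = defaultdict(dict)          # src -> (dst, dport) -> outcome
    first_syn, last_syn = {}, {}
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["flags"] == "S":
            probes[e["src"]].setdefault((e["dst"], e["dport"]), "no-reply")
            first_syn.setdefault(e["src"], e["ts"])
            last_syn[e["src"]] = e["ts"]
        elif e["flags"] in ("SA", "RA"):
            # The reply goes to the prober's address and source port; match it
            # back to the probe by the responding (dst, dport) pair.
            key = (e["src"], e["sport"])
            if key in probes.get(e["dst"], {}):
                probes[e["dst"]][key] = "open" if e["flags"] == "SA" else "closed"
        elif e["flags"] == "A":
            # Third handshake step from the client: a real connection, not a probe.
            probes.get(e["src"], {}).pop((e["dst"], e["dport"]), None)
    return {src: ports for src, ports in probes.items()
            if len(ports) >= min_ports and last_syn[src] - first_syn[src] <= window}


if __name__ == "__main__":
    for src, ports in find_syn_scanners(LOG_LINES.splitlines()).items():
        print("possible SYN scan from %s:" % src)
        for (dst, dport), outcome in sorted(ports.items()):
            print("  %s:%d  %s" % (dst, dport, outcome))
```

The threshold and window are deliberately small so the constructed sample trips the rule; on real traffic both need tuning, and the per-probe outcome column is the same information the page's `%TCP.sport% %TCP.flags%` summary gives the scanner, now available to the defender.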
III. TCP traceroute
traceroute: used to trace the path from a source to a destination; with traceroute we can learn which route data takes from your computer to a host at the other end of the Internet. Of course the path taken from the same source to the same destination may differ from one packet to the next, but most of the time the route is basically the same.
>>> ans,unans=sr(IP(dst="www.baidu.com",ttl=(4,25),id=RandShort())/TCP(flags=0x2))
Begin emission:
...*.*.*.*.*.*.*.*.*.*.*Finished to send 22 packets.
.*.*.*.*.*.*.*.*.*.*....^C
Received 48 packets, got 21 answers, remaining 1 packets
>>> for snd,rcv in ans:
...     print snd.ttl,rcv.src,isinstance(rcv.payload,TCP)
...
4 112.253.4.177 False
5 219.158.98.221 False
6 124.65.194.22 False
7 124.65.58.182 False
8 123.125.248.42 False
9 61.135.169.105 True
10 61.135.169.105 True
11 61.135.169.105 True
12 61.135.169.105 True
13 61.135.169.105 True
14 61.135.169.105 True
15 61.135.169.105 True
16 61.135.169.105 True
17 61.135.169.105 True
18 61.135.169.105 True
19 61.135.169.105 True
20 61.135.169.105 True
21 61.135.169.105 True
22 61.135.169.105 True
23 61.135.169.105 True
24 61.135.169.105 True
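Reading the loop output: the rows with False are routers answering with ICMP time-exceeded, and the first row with True is the destination itself answering the SYN at layer 4, so the TTL of that row is the hop count; every larger TTL just reaches the destination again and repeats the same line. The following added example (plain Python, standard library only; it is not scapy and not code from the original post) parses text in the shape of that `print snd.ttl, rcv.src, isinstance(rcv.payload, TCP)` output and reduces it to the hop list. The sample is constructed from the output above with hop 7 left out, to show how an unanswered TTL is reported.

```python
"""Reduce per-TTL traceroute replies to a hop list plus the TTL at which the target answered."""

# Constructed sample in the page's print format; TTL 7 is deliberately missing.
TRACE_OUTPUT = """\
4 112.253.4.177 False
5 219.158.98.221 False
6 124.65.194.22 False
8 123.125.248.42 False
9 61.135.169.105 True
10 61.135.169.105 True
11 61.135.169.105 True
"""


def parse_trace(text):
    """Lines '<ttl> <replying address> <True|False>' -> list of (ttl, src, is_tcp)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ttl, src, is_tcp = line.split()
        rows.append((int(ttl), src, is_tcp == "True"))
    return rows


def summarize_trace(rows, first_ttl, last_ttl):
    """Return (hops, reached_at, unanswered).

    hops       : [(ttl, address)] in TTL order, ending with the destination
    reached_at : the first TTL whose reply was TCP, i.e. came from the target
                 (None if the target never answered inside the TTL range)
    unanswered : TTLs before the target with no reply at all
    TTLs above reached_at are dropped: they only repeat the destination."""
    by_ttl = {}
    for ttl, src, is_tcp in rows:
        by_ttl.setdefault(ttl, (src, is_tcp))     # keep the first reply per TTL
    hops, unanswered, reached_at = [], [], None
    for ttl in range(first_ttl, last_ttl + 1):
        if ttl not in by_ttl:
            unanswered.append(ttl)
            continue
        src, is_tcp = by_ttl[ttl]
        hops.append((ttl, src))
        if is_tcp:
            reached_at = ttl
            break
    return hops, reached_at, unanswered


if __name__ == "__main__":
    hops, reached_at, unanswered = summarize_trace(parse_trace(TRACE_OUTPUT), 4, 25)
    for ttl, src in hops:
        print("%2d  %s" % (ttl, src))
    print("target reached at ttl=%s, unanswered ttls=%s" % (reached_at, unanswered))
```

The same reduction explains the repeated rows in the capture above: with ttl=(4,25) scapy sends 22 probes, but only the first nine TTLs carry path information.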