端口掃描器的幾種代碼實現方案

　　搞安全的應該都知道端口掃描在滲透測試、漏洞掃描過程中的重要性，其與URL爬蟲等技術構成了漏洞掃描的第一階段，即目標信息收集。因此能否開發出一款高效穩定的端口掃描器，往往決定了漏洞掃描器的好壞。那么說到端口掃描器，我們往往會先想到nmap、masscan等神器，它們是這個領域的標桿。但本篇並不是為了介紹這幾款工具，而是談談如何自研一款高效穩定的端口掃描器。

　　端口掃描器，顧名思義就是為了探測服務器上的某個端口是否開放，究其原理可以分為很多種探測方式，比如tcp三次握手掃描，syn掃描等等，本篇並不打算詳細介紹這些掃描方式的區別，有興趣的可以看下nmap的文檔，對這幾種掃描方式有詳細的介紹。

　　那么說下本文重點，基於這幾天我研究並嘗試利用python、go開發tcp掃描器、tcp-syn掃描器，以及對比它們之間的速度性能、穩定性差異情況，將測試結果在此做個記錄，並分享一下代碼以及方案。

　　說明：文章結尾將給出本篇所使用代碼的Github地址，可供大家測試，代碼測試環境為centos7。

　　scan for Python Socket

　　Python的Socket模塊可以創建套接字，創建tcp三次握手連接，以此探測目標端口是否存活。本篇將使用socket模塊編寫tcp掃描以及syn掃描，並對比兩者的差異。

　　tcp scan

　　快來看代碼：

#! -*- coding:utf-8 -*-
import time
import socket
socket_timeout = 0.1
def tcp_scan(ip,port):
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.settimeout(socket_timeout)
c=s.connect_ex((ip,port))
if c==0:
print “%s:%s is open” % (ip,port)
else :
# print “%s:%s is not open” % (ip,port)
pass
except Exception,e:
print e
s.close()
if __name__== “__main__” :
s_time = time.time()
ip = “14.215.177.38”
for port in range(0,1024):
” ‘ 此處可用協作 ‘ ”
tcp_scan(ip,port)
e_time = time.time()
print “scan time is “ ,e_time-s_time

　　運行結果：

　　說明一下：可以看到此代碼掃描1024個端口用了102s，當然代碼並沒有用多線程、協程等方式提高掃描效率(使用協程測試過掃65535個端口用時400s左右)，因為python在這方面的能力比較弱;由於掃描過程中會建立tcp三次握手，因此比較消耗資源。

　　tcp syn scan

 

　　相對tcp掃描，tcp syn掃描方式更為隱蔽，也更節省資源，那么如何利用socket模塊實現tcp syn掃描呢?這里需要用到SOCK_RAW，這個在socket編程中相對少用，資料也不多。

# -*- coding: UTF-8 -*-
import time
import random
import socket
import sys
from struct import *
” ‘
Warning:must run it as root
yum install python-devel libpcap-devel
pip install pcap
‘ ”
def checksum(msg):
” ‘ Check Summing ‘ ”
s = 0
for i in range(0,len(msg),2):
w = (ord(msg[i]) << 8) + (ord(msg[i+1]))
s = s+w
s = (s>>16) + (s & 0xffff)
s = ~s & 0xffff
return s
def CreateSocket(source_ip,dest_ip):
” ‘ create socket connection ‘ ”
try:
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
except socket.error, msg:
print ‘Socket create error: ‘ ,str(msg[0]), ‘message: ‘ ,msg[1]
sys.exit()
” ‘ Set the IP header manually ‘ ”
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
return s
def CreateIpHeader(source_ip, dest_ip):
” ‘ create ip header ‘ ”
# packet = ”
# ip header option
headerlen = 5
version = 4
tos = 0
tot_len = 20 + 20
id = random.randrange(18000,65535,1)
frag_off = 0
ttl = 255
protocol = socket.IPPROTO_TCP
check = 10
saddr = socket.inet_aton ( source_ip )
daddr = socket.inet_aton ( dest_ip )
hl_version = (version << 4) + headerlen
ip_header = pack( ‘!BBHHHBBH4s4s’ , hl_version, tos, tot_len, id, frag_off, ttl, protocol, check, saddr, daddr)
return ip_header
def create_tcp_syn_header(source_ip, dest_ip, dest_port):
” ‘ create tcp syn header function ‘ ”
source = random.randrange(32000,62000,1) # randon select one source_port
seq = 0
ack_seq = 0
doff = 5
” ‘ tcp flags ‘ ”
fin = 0
syn = 1
rst = 0
psh = 0
ack = 0
urg = 0
window = socket.htons (8192) # max windows size
check = 0
urg_ptr = 0
offset_res = (doff << 4) + 0
tcp_flags = fin + (syn<<1) + (rst<<2) + (psh<<3) + (ack<<4) + (urg<<5)
tcp_header = pack( ‘!HHLLBBHHH’ , source , dest_port, seq, ack_seq, offset_res, tcp_flags, window, check, urg_ptr)
” ‘ headers option ‘ ”
source_address = socket.inet_aton( source_ip )
dest_address = socket.inet_aton( dest_ip )
placeholder = 0
protocol = socket.IPPROTO_TCP
tcp_length = len(tcp_header)
psh = pack( ‘!4s4sBBH’ , source_address, dest_address, placeholder, protocol, tcp_length);
psh = psh + tcp_header;
tcp_checksum = checksum(psh)
” ‘ Repack the TCP header and fill in the correct checksum ‘ ”
tcp_header = pack( ‘!HHLLBBHHH’ , source , dest_port, seq, ack_seq, offset_res, tcp_flags, window, tcp_checksum, urg_ptr)
return tcp_header
def syn_scan(source_ip, dest_ip, des_port) :
s = CreateSocket(source_ip, dest_ip)
ip_header = CreateIpHeader(source_ip, dest_ip)
tcp_header = create_tcp_syn_header(source_ip, dest_ip, des_port)
packet = ip_header + tcp_header
s.sendto(packet, (dest_ip, 0))
data = s.recvfrom(1024) [0][0:]
ip_header_len = (ord(data[0]) & 0x0f) * 4
# ip_header_ret = data[0: ip_header_len – 1]
tcp_header_len = (ord(data[32]) & 0xf0)>>2
tcp_header_ret = data[ip_header_len:ip_header_len+tcp_header_len – 1]
” ‘ SYN/ACK flags ‘ ”
if ord(tcp_header_ret[13]) == 0x12:
print “%s:%s is open” % (dest_ip,des_port)
else :
print “%s:%s is not open” % (dest_ip,des_port)
if __name__== “__main__” :
t_s = time.time()
source_ip = ” # 填寫本機ip
dest_ip = ‘14.215.177.38’
for des_port in range(1024):
syn_scan(source_ip, dest_ip, des_port)
t_e = time.time()
print “time is “ ,(t_e-t_s)

　　有一點需要注意的，運行這段代碼前，需要在系統上安裝依賴：

yum install python-devel libpcap-devel
pip install pcap

　　

　　運行結果：

　　說明：從運行結果上來看，並沒有很准確，而且速度也不快，不清楚是不是代碼上有問題。

　　scan for Python scapy

　　除了socket模塊外，python還有一個scapy模塊，可以用來模擬發包，但只能在linux下使用，其他操作系統不建議使用此模塊。

　　tcp syn csan

　　代碼在這里：

#! -*- coding:utf-8 -*-
import time
from scapy.all import *
ip = “14.215.177.38”
TIMEOUT = 0.5
threads = 500
port_range = 1024
retry = 1
def is_up(ip):
“” ” Tests if host is up “ “”
icmp = IP(dst=ip)/ICMP()
resp = sr1(icmp, timeout=TIMEOUT)
if resp == None:
return False
else :
return True
def reset_half_open(ip, ports):
# Reset the connection to stop half-open connections from pooling up
sr(IP(dst=ip)/TCP(dport=ports, flags= ‘AR’ ), timeout=TIMEOUT)
def is_open(ip, ports):
to_reset = []
results = []
p = IP(dst=ip)/TCP(dport=ports, flags= ‘S’ ) # Forging SYN packet
answers, un_answered = sr(p, verbose=False, retry=retry ,timeout=TIMEOUT) # Send the packets
for req, resp in answers:
if not resp.haslayer(TCP):
continue
tcp_layer = resp.getlayer(TCP)
if tcp_layer.flags == 0x12:
# port is open
to_reset.append(tcp_layer.sport)
results.append(tcp_layer.sport)
elif tcp_layer.flags == 0x14:
# port is open
pass
reset_half_open(ip, to_reset)
return results
def chunks(l, n):
“” “Yield successive n-sized chunks from l.” “”
for i in range(0, len(l), n):
yield l[i:i + n]
if __name__ == ‘__main__’ :
start_time = time.time()
open_port_list = []
for ports in chunks(list(range(port_range)), threads):
results = is_open(ip, ports)
if results:
open_port_list += results
end_time = time.time()
print “%s %s” % (ip,open_port_list)
print “%s Scan Completed in %fs” % (ip, end_time-start_time)

 

　　運行結果：

　　說明：由於scapy可以一次性發多個syn包，因此速度相對socket更快一些，但穩定性沒有很好。

　　scan for python+nmap

　　文章開頭提到了nmap，其實在python中也可以直接調用nmap，看代碼：

#! -*- coding:utf-8 -*-
” ‘
pip install python-nmap
‘ ”
import nmap
nm =nmap.PortScanner()
def scan(ip,port,arg):
try:
nm.scan(ip, arguments=arg+str(port))
except nmap.nmap.PortScannerError:
print “Please run -O method for root privileges”
else :
for host in nm.all_hosts():
for proto in nm[host].all_protocols():
lport = nm[host][proto].keys()
lport.sort()
for port in lport:
print ( ‘port : %ststate : %s’ % (port, nm[host][proto][port][ ‘state’ ]))
if __name__== “__main__” :
port= “80,443,22,21”
scan(ip= “14.215.177.38” ,port=port,arg= “-sS -Pn -p” )
# tcp scan -sT
# tcp syn scan -sS

　　運行結果：

　　由於nmap掃描速度相對比較慢，因此這里只演示掃描4個端口，不做速度的對比，當然其穩定性還是可以的。

　　scan for go

　　前文一直在介紹使用python語言開發端口掃描器，然而由於python在多線程方面的弱勢，掃描器的性能可想而知，因此我又利用go語言的高並發性優勢，嘗試開發端口掃描器。(題外話：為此我花了半天時間看了下go語言的基礎，勉強看懂了掃描代碼，並做了一些修改)

　　tcp scan

　　直接看代碼吧：

package main
// port tcp scan
import (
“fmt”
“net”
“os”
“runtime”
“strconv”
“sync”
“time”
)
func loop(inport chan int, startport, endport int) {
for i := startport; i <= endport; i++ {
inport <- i
}
close(inport)
}
type ScanSafeCount struct {
// 結構體
count int
mux sync.Mutex
}
var scanCount ScanSafeCount
func scanner(inport int, outport chan int, ip string, endport int) {
// 掃描函數
in := inport // 定義要掃描的端口號
// fmt.Printf( ” %d “ , in ) // 輸出掃描的端口
host := fmt.Sprintf( “%s:%d” , ip, in ) // 類似（ip,port）
tcpAddr, err := net.ResolveTCPAddr( “tcp4” , host) // 根據域名查找ip
if err != nil {
// 域名解析ip失敗
outport <- 0
} else {
conn, err := net.DialTimeout( “tcp” , tcpAddr.String(), 10*time.Second) //建立tcp連接
if err != nil {
// tcp連接失敗
outport <- 0
} else {
// tcp連接成功
outport <- in // 將端口寫入outport信號
fmt.Printf( “n *************( %d 可以 )*****************n” , in )
conn.Close()
}
}
// 線程鎖
scanCount.mux.Lock()
scanCount.count = scanCount.count – 1
if scanCount.count <= 0 {
close(outport)
}
scanCount.mux.Unlock()
}
func main () {
runtime.GOMAXPROCS(runtime.NumCPU()) // 設置最大可使用的cpu核數
// 定義變量
inport := make(chan int) // 信號變量，類似python中的queue
outport := make(chan int)
collect := []int{} // 定義一個切片變量，類似python中的list
// fmt.Println(os.Args, len(os.Args)) // 獲取命令行參數並輸出
if len(os.Args) != 4 {
// 命令行參數個數有誤
fmt.Println( “使用方式：port_scanner IP startport endport” )
os.Exit(0)
}
s_time := time.Now().Unix()
// fmt.Println( “掃描開始：” ) // 獲取當前時間
ip := string(os.Args[1]) // 獲取參數中的ip
startport, _ := strconv.Atoi(os.Args[2]) // 獲取參數中的啟始端口
endport, _ := strconv.Atoi(os.Args[3]) // 獲取參數中的結束端口
if startport > endport {
fmt.Println( “Usage: scanner IP startport endport” )
fmt.Println( “Endport must be larger than startport” )
os.Exit(0)
} else {
// 定義scanCount變量為ScanSafeCount結構體，即計算掃描的端口數量
scanCount = ScanSafeCount{count: (endport – startport + 1)}
}
fmt.Printf( “掃描 %s：%d———-%dn” , ip, startport, endport)
go loop(inport, startport, endport) // 執行loop函數將端口寫入input信號
for v := range inport {
// 開始循環input
go scanner(v, outport, ip, endport)
}
// 輸出結果
for port := range outport {
if port != 0 {
collect = append(collect, port)
}
}
fmt.Println( “–“ )
fmt.Println(collect)
e_time := time.Now().Unix()
fmt.Println( “掃描時間:” , e_time-s_time)
}

　　代碼我就不解釋了(我在代碼中加了些注釋，應該大致可以看懂)，本文也不打算介紹go的用法，畢竟自己也是剛開始學習go，有興趣的可以看看go的文檔，然后再回過頭來看看這段代碼。

　　代碼運行結果：

　　說明：由於是tcp掃描，所以多少還是占資源的，而且測試發現穩定性不是很好。

　　tcp syn scan

　　看代碼看代碼：

package main
// port tcp syn scan
import (
“bytes”
“encoding/binary”
“flag”
“fmt”
“log”
“math/rand”
“net”
“os”
“strconv”
“strings”
“time”
“errors”
)
//TCPHeader test
type TCPHeader struct {
SrcPort uint16
DstPort uint16
SeqNum uint32
AckNum uint32
Flags uint16
Window uint16
ChkSum uint16
UrgentPointer uint16
}
//TCPOption test
type TCPOption struct {
Kind uint8
Length uint8
Data []byte
}
type scanResult struct {
Port uint16
Opened bool
}
type scanJob struct {
Laddr string
Raddr string
SPort uint16
DPort uint16
Stop uint8
}
var stopFlag = make(chan uint8, 1)
func main () {
rate := time.Second / 400
throttle := time.Tick(rate)
jobs := make(chan *scanJob, 65536)
results := make(chan *scanResult, 1000)
for w := 0; w < 10; w++ {
go worker(w, jobs , throttle, results)
}
// 獲取命令行參數
ifaceName := flag.String( “i” , “eth0” , “Specify network” )
remote := flag.String( “r” , “” , “remote address” )
portRange := flag.String( “p” , “1-1024” , “port range: -p 1-1024” )
flag.Parse()
// ifaceName := &interfaceName_
// remote := &remote_
// portRange := &portRange_
s_time := time.Now().Unix()
laddr := interfaceAddress(*ifaceName) //
raddr := *remote
minPort , maxPort := portSplit(portRange)
// fmt.Println(laddr, raddr) // 輸出源ip地址，目標ip地址
go func(num int){
for i := 0; i < num; i++ {
recvSynAck(laddr, raddr, results)
}
}(10)
go func(jobLength int) {
for j := minPort; j < maxPort + 1; j++ {
s := scanJob{
Laddr: laddr,
Raddr: raddr,
SPort: uint16(random(10000, 65535)),
DPort: uint16(j + 1),
}
jobs <- &s
}
jobs <- &scanJob{Stop: 1}
}(1024)
for {
select {
case res := <-results:
fmt.Println( “掃描到開放的端口:” ,res.Port)
case <-stopFlag:
e_time := time.Now().Unix()
fmt.Println( “總共用了多少時間(s):” ,e_time-s_time)
os.Exit(0)
}
}
}
func worker(id int, jobs <-chan *scanJob, th <-chan time.Time, results chan<- *scanResult) {
for j := range jobs {
if j.Stop != 1 {
sendSyn(j.Laddr, j.Raddr, j.SPort, j.DPort)
} else {
stopFlag <- j.Stop
}
<-th
}
}
func checkError(err error) {
// 錯誤check
if err != nil {
log.Println(err)
}
}
//CheckSum test
func CheckSum(data []byte, src, dst [4]byte) uint16 {
pseudoHeader := []byte{
src[0], src[1], src[2], src[3],
dst[0], dst[1], dst[2], dst[3],
0,
6,
0,
byte(len(data)),
}
totalLength := len(pseudoHeader) + len(data)
if totalLength%2 != 0 {
totalLength++
}
d := make([]byte, 0, totalLength)
d = append(d, pseudoHeader…)
d = append(d, data…)
return ^mySum(d)
}
func mySum(data []byte) uint16 {
var sum uint32
for i := 0; i < len(data)-1; i += 2 {
sum += uint32(uint16(data[i])<<8 | uint16(data[i+1]))
}
sum = (sum >> 16) + (sum & 0xffff)
sum = sum + (sum >> 16)
return uint16(sum)
}
func sendSyn(laddr, raddr string, sport, dport uint16) {
conn, err := net.Dial( “ip4:tcp” , raddr)
checkError(err)
defer conn.Close()
op := []TCPOption{
TCPOption{
Kind: 2,
Length: 4,
Data: []byte{0x05, 0xb4},
},
TCPOption{
Kind: 0,
},
}
tcpH := TCPHeader{
SrcPort: sport,
DstPort: dport,
SeqNum: rand.Uint32(),
AckNum: 0,
Flags: 0x8002,
Window: 8192,
ChkSum: 0,
UrgentPointer: 0,
}
buff := new(bytes.Buffer)
err = binary.Write(buff, binary.BigEndian, tcpH)
checkError(err)
for i := range op {
binary.Write(buff, binary.BigEndian, op[i].Kind)
binary.Write(buff, binary.BigEndian, op[i].Length)
binary.Write(buff, binary.BigEndian, op[i].Data)
}
binary.Write(buff, binary.BigEndian, [6]byte{})
data := buff.Bytes()
checkSum := CheckSum(data, ipstr2Bytes(laddr), ipstr2Bytes(raddr))
//fmt.Printf( “CheckSum 0x%Xn” , checkSum)
tcpH.ChkSum = checkSum
buff = new(bytes.Buffer)
binary.Write(buff, binary.BigEndian, tcpH)
for i := range op {
binary.Write(buff, binary.BigEndian, op[i].Kind)
binary.Write(buff, binary.BigEndian, op[i].Length)
binary.Write(buff, binary.BigEndian, op[i].Data)
}
binary.Write(buff, binary.BigEndian, [6]byte{})
data = buff.Bytes()
//fmt.Printf( “% Xn” , data)
_, err = conn.Write(data)
checkError(err)
}
func recvSynAck(laddr, raddr string, res chan<- *scanResult) error {
listenAddr, err := net.ResolveIPAddr( “ip4” , laddr) // 解析域名為ip
checkError(err)
conn, err := net.ListenIP( “ip4:tcp” , listenAddr)
defer conn.Close()
checkError(err)
for {
buff := make([]byte, 1024)
_, addr, err := conn.ReadFrom(buff)
if err != nil {
continue
}
if addr.String() != raddr || buff[13] != 0x12 {
continue
}
var port uint16
binary.Read(bytes.NewReader(buff), binary.BigEndian, &port)
res <- &scanResult{
Port: port,
Opened: true ,
}
}
}
func ipstr2Bytes(addr string) [4]byte {
s := strings.Split(addr, “.” )
b0, _ := strconv.Atoi(s[0])
b1, _ := strconv.Atoi(s[1])
b2, _ := strconv.Atoi(s[2])
b3, _ := strconv.Atoi(s[3])
return [4]byte{byte(b0), byte(b1), byte(b2), byte(b3)}
}
func random(min, max int) int {
return rand.Intn(max-min) + min
}
func interfaceAddress(ifaceName string ) string {
iface, err:= net.InterfaceByName(ifaceName)
if err != nil {
panic(err)
}
addr, err := iface.Addrs()
if err != nil {
panic(err)
}
addrStr := strings.Split(addr[0].String(), “/” )[0]
return addrStr
}
func portSplit(portRange *string) (uint16, uint16) {
ports := strings.Split(*portRange, “-“ )
minPort, err := strconv.ParseUint(ports[0], 10, 16)
if err !=nil {
panic(err)
}
maxPort, err := strconv.ParseUint(ports[1], 10, 16)
if err != nil {
panic(err)
}
if minPort > maxPort {
panic(errors.New( “minPort must greater than maxPort” ))
}
return uint16(minPort), uint16(maxPort)
}

　　代碼運行結果：

　　沒錯，就是2s!我測試了掃描全端口(0-65535)，大概120s左右，而且穩定性不錯。

　　scan for go+python

　　經過前面的測試我們不難發現，在並發的性能上，go完勝python，但go不適合做復雜的邏輯處理，以及web開發之類的。因此如何整合python跟go呢?這里我想了兩種方案，第一種將go語言打包成.so動態連接庫，利用python的ctypes模塊可以調用;第二種是go寫成接口，提供python調用。寫成接口的方式相對簡單一些，因此這里不介紹了，說說如何打包go，即如何利用python調用go的方法或者說函數。

　　先看下修改過后的tcp_syn_scan.go代碼：

package main
// port tcp syn scan
import (
“C”
“os”
“bytes”
“encoding/binary”
“fmt”
“log”
“math/rand”
“net”
“strconv”
“strings”
“time”
“errors”
)
//TCPHeader test
type TCPHeader struct {
SrcPort uint16
DstPort uint16
SeqNum uint32
AckNum uint32
Flags uint16
Window uint16
ChkSum uint16
UrgentPointer uint16
}
//TCPOption test
type TCPOption struct {
Kind uint8
Length uint8
Data []byte
}
type scanResult struct {
Port uint16
Opened bool
}
type scanJob struct {
Laddr string
Raddr string
SPort uint16
DPort uint16
Stop uint8
}
var stopFlag = make(chan uint8, 1)
// export Scan
func Scan(remote_ *C.char, portRange_ *C.char, interfaceName_ *C.char) {
rate := time.Second / 400
throttle := time.Tick(rate)
jobs := make(chan *scanJob, 65536)
results := make(chan *scanResult, 1000)
for w := 0; w < 10; w++ {
go worker(w, jobs , throttle, results)
}
// 獲取命令行參數
// ifaceName := flag.String( “i” , “eth0” , “Specify network” )
// remote := flag.String( “r” , “” , “remote address” )
// portRange := flag.String( “p” , “1-1024” , “port range: -p 1-1024” )
// flag.Parse()
interfaceName_1 := C.GoString(interfaceName_)
remote_1 := C.GoString(remote_)
portRange_1 := C.GoString(portRange_)
ifaceName := &interfaceName_1
remote := &remote_1
portRange := &portRange_1
s_time := time.Now().Unix()
laddr := interfaceAddress(*ifaceName) //
raddr := *remote
minPort , maxPort := portSplit(portRange)
fmt.Println(laddr, raddr) // 輸出源ip地址，目標ip地址
go func(num int){
for i := 0; i < num; i++ {
recvSynAck(laddr, raddr, results)
}
}(10)
go func(jobLength int) {
for j := minPort; j < maxPort + 1; j++ {
s := scanJob{
Laddr: laddr,
Raddr: raddr,
SPort: uint16(random(10000, 65535)),
DPort: uint16(j + 1),
}
jobs <- &s
}
jobs <- &scanJob{Stop: 1}
}(1024)
for {
select {
case res := <-results:
fmt.Println( “掃描到開放的端口：” ,res.Port) //輸出開放的端口號
case <-stopFlag:
e_time := time.Now().Unix()
fmt.Println( “本次掃描總共耗時(s):” ,e_time-s_time)
os.Exit(0)
}
}
}
func worker(id int, jobs <-chan *scanJob, th <-chan time.Time, results chan<- *scanResult) {
for j := range jobs {
if j.Stop != 1 {
sendSyn(j.Laddr, j.Raddr, j.SPort, j.DPort)
} else {
stopFlag <- j.Stop
}
<-th
}
}
func checkError(err error) {
// 錯誤check
if err != nil {
log.Println(err)
}
}
//CheckSum test
func CheckSum(data []byte, src, dst [4]byte) uint16 {
pseudoHeader := []byte{
src[0], src[1], src[2], src[3],
dst[0], dst[1], dst[2], dst[3],
0,
6,
0,
byte(len(data)),
}
totalLength := len(pseudoHeader) + len(data)
if totalLength%2 != 0 {
totalLength++
}
d := make([]byte, 0, totalLength)
d = append(d, pseudoHeader…)
d = append(d, data…)
return ^mySum(d)
}
func mySum(data []byte) uint16 {
var sum uint32
for i := 0; i < len(data)-1; i += 2 {
sum += uint32(uint16(data[i])<<8 | uint16(data[i+1]))
}
sum = (sum >> 16) + (sum & 0xffff)
sum = sum + (sum >> 16)
return uint16(sum)
}
func sendSyn(laddr, raddr string, sport, dport uint16) {
conn, err := net.Dial( “ip4:tcp” , raddr)
checkError(err)
defer conn.Close()
op := []TCPOption{
TCPOption{
Kind: 2,
Length: 4,
Data: []byte{0x05, 0xb4},
},
TCPOption{
Kind: 0,
},
}
tcpH := TCPHeader{
SrcPort: sport,
DstPort: dport,
SeqNum: rand.Uint32(),
AckNum: 0,
Flags: 0x8002,
Window: 8192,
ChkSum: 0,
UrgentPointer: 0,
}
buff := new(bytes.Buffer)
err = binary.Write(buff, binary.BigEndian, tcpH)
checkError(err)
for i := range op {
binary.Write(buff, binary.BigEndian, op[i].Kind)
binary.Write(buff, binary.BigEndian, op[i].Length)
binary.Write(buff, binary.BigEndian, op[i].Data)
}
binary.Write(buff, binary.BigEndian, [6]byte{})
data := buff.Bytes()
checkSum := CheckSum(data, ipstr2Bytes(laddr), ipstr2Bytes(raddr))
//fmt.Printf( “CheckSum 0x%Xn” , checkSum)
tcpH.ChkSum = checkSum
buff = new(bytes.Buffer)
binary.Write(buff, binary.BigEndian, tcpH)
for i := range op {
binary.Write(buff, binary.BigEndian, op[i].Kind)
binary.Write(buff, binary.BigEndian, op[i].Length)
binary.Write(buff, binary.BigEndian, op[i].Data)
}
binary.Write(buff, binary.BigEndian, [6]byte{})
data = buff.Bytes()
//fmt.Printf( “% Xn” , data)
_, err = conn.Write(data)
checkError(err)
}
func recvSynAck(laddr, raddr string, res chan<- *scanResult) error {
listenAddr, err := net.ResolveIPAddr( “ip4” , laddr) // 解析域名為ip
checkError(err)
conn, err := net.ListenIP( “ip4:tcp” , listenAddr)
defer conn.Close()
checkError(err)
for {
buff := make([]byte, 1024)
_, addr, err := conn.ReadFrom(buff)
if err != nil {
continue
}
if addr.String() != raddr || buff[13] != 0x12 {
continue
}
var port uint16
binary.Read(bytes.NewReader(buff), binary.BigEndian, &port)
res <- &scanResult{
Port: port,
Opened: true ,
}
}
}
func ipstr2Bytes(addr string) [4]byte {
s := strings.Split(addr, “.” )
b0, _ := strconv.Atoi(s[0])
b1, _ := strconv.Atoi(s[1])
b2, _ := strconv.Atoi(s[2])
b3, _ := strconv.Atoi(s[3])
return [4]byte{byte(b0), byte(b1), byte(b2), byte(b3)}
}
func random(min, max int) int {
return rand.Intn(max-min) + min
}
func interfaceAddress(ifaceName string ) string {
iface, err:= net.InterfaceByName(ifaceName)
if err != nil {
panic(err)
}
addr, err := iface.Addrs()
if err != nil {
panic(err)
}
addrStr := strings.Split(addr[0].String(), “/” )[0]
return addrStr
}
func portSplit(portRange *string) (uint16, uint16) {
ports := strings.Split(*portRange, “-“ )
minPort, err := strconv.ParseUint(ports[0], 10, 16)
if err !=nil {
panic(err)
}
maxPort, err := strconv.ParseUint(ports[1], 10, 16)
if err != nil {
panic(err)
}
if minPort > maxPort {
panic(errors.New( “minPort must greater than maxPort” ))
}
return uint16(minPort), uint16(maxPort)
}
func main () { }

　　然后利用go自身的build命令，將其打包成.so庫：

go build -buildmode=c-shared -o tcp_syn_scan.so tcp_syn_scan.go

　　打包后會得到一個tcp_syn_scan.so和一個tcp_syn_scan.h。然后利用下面的python代碼就可以調用Go代碼中的Scan()函數了，創建一個tcp_syn_scan.py文件。

#! -*- coding:utf-8 -*-
from ctypes import *
lib = cdll.LoadLibrary(u ‘./scan.so’ )
lib.Scan( “14.215.177.38” , “1-1024” , “eth0” ) # ip,端口范圍，網卡

　　代碼運行結果：

　　說明：相當原生的go，利用python去調用go會損耗一些性能，但總體上還可以。

　　后記

　　本文結論就是可以利用go開發掃描模塊(性能更佳)，並結合python調用。

　　本文代碼項目地址：https://github.com/tengzhangchao/PortScan