scapy学习笔记(3)
转自:@小五义:http://www.cnblogs/xiaowuyi
在安装完scapy(前两篇笔记有介绍)后,linux环境下,执行sudo scapy运行scapy。
一、简单的发送包
1、send()在第三层发送数据包,但没有接收功能。如:
>>> send(IP(dst="www.baidu.com",ttl=1)/ICMP())
.
Sent 1 packets.
这里相当于ping了下百度,ttl=1
2、sendp(),在第二层发送数据包,同样没有接收功能。如:
>>> sendp(Ether()/IP(dst="www.baidu.com",ttl=1)/ICMP())
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="127.0.0.1",ttl=1)/ICMP())
.
Sent 1 packets.
3、sr(),在第三层发送数据包,有接收功能。如:
>>> p=sr(IP(dst="www.baidu.com",ttl=1)/ICMP())
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
>>> p
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> p[0]
<Results: TCP:0 UDP:0 ICMP:1 Other:0>
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.105 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
再比如,连续发送ttl=1,2,3,4四个包的情况
>>> p=sr(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*
Received 8 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:0 UDP:0 ICMP:4 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0001 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 222.132.4.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0002 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 119.190.5.126 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0003 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 112.253.4.197 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
>>>
4、sr1(),在第三层发送数据包,有接收功能,但只接收第一个包。以上面的发送四个包为例:
>>> q=sr1(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*
Received 8 packets, got 4 answers, remaining 0 packets
>>> q
<IP version=4L ihl=5L tos=0xc0 len=56 id=4773 flags= frag=0L ttl=255 proto=icmp chksum=0xb611 src=27.214.220.1 dst=27.214.222.160 options=[] |<ICMP type=time-exceeded code=ttl-zero-during-transit chksum=0xf4ff unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=28 id=1 flags= frag=0L ttl=1 proto=icmp chksum=0xd879 src=27.214.222.160 dst=61.135.169.105 options=[] |<ICMPerror type=echo-request code=0 chksum=0xf7ff id=0x0 seq=0x0 |>>>>
>>> q.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0xc0
len= 56
id= 4773
flags=
frag= 0L
ttl= 255
proto= icmp
chksum= 0xb611
src= 27.214.220.1
dst= 27.214.222.160
\options\
###[ ICMP ]###
type= time-exceeded
code= ttl-zero-during-transit
chksum= 0xf4ff
unused= 0
###[ IP in ICMP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 1
flags=
frag= 0L
ttl= 1
proto= icmp
chksum= 0xd879
src= 27.214.222.160
dst= 61.135.169.105
\options\
###[ ICMP in ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
5、srloop(),在第三层工作,如下:
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP())
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
^C
Sent 5 packets, received 5 packets. 100.0% hits.
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP(),inter=3,count=2)
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror Sent 2 packets, received 2 packets. 100.0% hits.
这里第一条语句在执行时,将会不停的ping百度,第二条执行时每隔3秒ping一次,一共执行两次。inter表示间隔,count记录次数。
6、srp()、srp1()、srploop()与上面3、4、5相同,只是工作在第二层。
二、SYN扫描
SYN扫描:也叫“半开式扫描”(half-open scanning),因为它没有完成一个完整的TCP连接。这种方法向目标端口发送一个SYN分组(packet),如果目标端口返回SYN/ACK,那么可以肯定该端口处于检听状态;否则,返回的是RST/ACK。
>>> sr1(IP(dst="61.135.169.105")/TCP(dport=80,flags="S"))
Begin emission:
Finished to send 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=61.135.169.105 dst=27.214.222.160 options=[] |<TCP sport=http dport=ftp_data seq=3516051844L ack=1 dataofs=5L reserved=0L flags=SA window=8192 chksum=0x2aef urgptr=0 |>> >>> sr1(IP(dst="61.135.169.105")/TCP(dport=81,flags="S"))
Begin emission:
Finished to send 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=56 id=31986 flags= frag=0L ttl=249 proto=icmp chksum=0xd677 src=123.125.248.102 dst=27.214.222.160 options=[] |<ICMP type=dest-unreach code=communication-prohibited chksum=0xfc8d unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=27.214.222.160 dst=61.135.169.105 options=[] |<TCPerror sport=ftp_data dport=81 seq=0 |>>>>
从结果看,当扫描百度(61.135.169.105)的80端口时,返回的包中ACK=1或者flags=SA,说明该端口处于监听状态,当扫描81端口时,无ACK=1,或者flags=,说明其未处于监听状态。
如果要扫描多个端口,可以使用以下语句,如扫描百度的80-83端口:
>>>sr(IP(dst="www.baidu.com")/TCP(dport=(80,83),flags="S"))
如要扫描21,80,3389等端口:
>>>sr(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389],flags="S"))
简单要显示结果:
>>>ans,unans=_
>>>ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http SA
81 RA
82 RA
83 RA
这里我在扫描80-83时,总是在不停的扫,用ctrl+C停止后,只能得到两个结果,目前没搞明白是什么原因。如下:
>>> sr(IP(dst="www.baidu.com",ttl=56)/TCP(dport=(80,83),flags="S"))
Begin emission:
Finished to send 4 packets.
.*.*.................................................................................
^C
Received 85 packets, got 2 answers, remaining 2 packets
(<Results: TCP:1 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:2 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:http S ==> IP / TCP 61.135.169.105:http > 27.214.134.124:ftp_data SA
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:82 S ==> IP / ICMP 123.125.248.42 > 27.214.134.124 dest-unreach communication-prohibited / IPerror / TCPerror
>>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http SA
?? ??
三、TCP traceroute
traceroute:用来追踪出发点到目的地所经过的路径,通过Traceroute我们可以知道信息从你的计算机到互联网另一端的主机是走的什么路径。当然每次数据包由某一同样的出发点(source)到达某一同样的目的地(destination)走的路径可能会不一样,但基本上来说大部分时候所走的路由是相同的。
>>> ans,unans=sr(IP(dst="www.baidu.com",ttl=(4,25),id=RandShort())/TCP(flags=0x2))
Begin emission:
...*.*.*.*.*.*.*.*.*.*.*Finished to send 22 packets.
.*.*.*.*.*.*.*.*.*.*....^C
Received 48 packets, got 21 answers, remaining 1 packets
>>> for snd,rcv in ans:
... print snd.ttl,rcv.src,isinstance(rcv.payload,TCP)
...
4 112.253.4.177 False
5 219.158.98.221 False
6 124.65.194.22 False
7 124.65.58.182 False
8 123.125.248.42 False
9 61.135.169.105 True
10 61.135.169.105 True
11 61.135.169.105 True
12 61.135.169.105 True
13 61.135.169.105 True
14 61.135.169.105 True
15 61.135.169.105 True
16 61.135.169.105 True
17 61.135.169.105 True
18 61.135.169.105 True
19 61.135.169.105 True
20 61.135.169.105 True
21 61.135.169.105 True
22 61.135.169.105 True
23 61.135.169.105 True
24 61.135.169.105 True
scapy学习笔记(3)的更多相关文章
- scapy学习笔记(3)发送包,SYN及TCP traceroute 扫描
转载请注明:@小五义:http://www.cnblogs/xiaowuyi 在安装完scapy(前两篇笔记有介绍)后,linux环境下,执行sudo scapy运行scapy. 一.简单的发送包 1 ...
- scapy学习笔记(5)
1.ACK Scan >>>ans,unans=sr(IP(dst=,],flags="A") 扫描后,若要找出未过虑的端口: for s,r in ans: i ...
- scapy学习笔记(2)--包及包的定义
转载请注明:@小五义:http://www.cnblogs/xiaowuyi 一.包 包(Packet)是TCP/IP协议通信传输中的数据单位,一般也称“数据包”.其主要由“目的IP地址”.“源IP地 ...
- scapy学习笔记(1)
转载请注明:小五义 http://www.cnblogs.com/xiaowuyi scapy是python写的一个功能强大的交互式数据包处理程序,可用来发送.嗅探.解析和伪造网络数据包,常常被用到网 ...
- scapy学习笔记(2)
一.包 包(Packet)是TCP/IP协议通信传输中的数据单位,一般也称“数据包”.其主要由“目的IP地址”.“源IP地址”.“净载数据”等部分构成,包括包头和包体,包头是固定长度,包体的长度不定, ...
- scapy学习笔记
1.ACK Scan >>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[80,666],flags=" ...
- scapy学习笔记(4)简单的sniffing 嗅探
转载请注明:@小五义:http://www.cnblogs/xiaowuyi 利用sniff命令进行简单的嗅探,可以抓到一些简单的包.当不指定接口时,将对每一个接口进行嗅探,当指定接口时,仅对该接口进 ...
- js学习笔记:webpack基础入门(一)
之前听说过webpack,今天想正式的接触一下,先跟着webpack的官方用户指南走: 在这里有: 如何安装webpack 如何使用webpack 如何使用loader 如何使用webpack的开发者 ...
- PHP-自定义模板-学习笔记
1. 开始 这几天,看了李炎恢老师的<PHP第二季度视频>中的“章节7:创建TPL自定义模板”,做一个学习笔记,通过绘制架构图.UML类图和思维导图,来对加深理解. 2. 整体架构图 ...
随机推荐
- Cocos2d-x Lua中使用标签
游戏场景中的文字包括了静态文字和动态文字.静态文字如下图所示游戏场景中①号文字“COCOS2DX”,动态文字如图4-1所示游戏场景中的②号文字“Hello World”.静态文字一般是由美工使用Pho ...
- 160822、关于javascrip ==(等号) 和===(恒等)判断
说明 在JavaScript中,下面的值被当做假(false),除了下面列出的值,都被当做真(true): false null undefined 空字符串 数字 0 NaN //属性是代表非数字值 ...
- Linux 常用命令缩写及对应的
0.项目名: Linux -- LINUs' uniX (开个玩笑不是这样的,别当真) GNU -- Gnu is Not Unix1.目录名: /boot:顾名思义 /root :同上 /run:同 ...
- JS基础知识简介
使用js的三种方式 1.HTML标签内嵌js <button onclick="javascript:alert(真点啊)">有本事点我</button> ...
- cache与buffer的区别
Cache vs Buffer 高速缓存和缓冲区 缓存区cache和缓冲区buffer都是临时存储区,但它们在许多方面有所不同.缓冲区buffer主要存在于RAM中,作为CPU暂时存储数据的区域,例如 ...
- (4.6)sql server索引缺失提示
SQLSERVER如何查看索引缺失 sql server索引缺失提示 当大家发现数据库查询性能很慢的时候,大家都会想到加索引来优化数据库查询性能, 但是面对一个复杂的SQL语句,找到一个优化的索引组合 ...
- [Idea]安装avtiviti插件以及 插件中文乱码
安装插件 打开IDEA,按ctrl+alt+S,打开Pluging 乱码问题 idea 安转activiti插件后,编辑流程图发现保存后中文乱码,并且idea的字符集(Settings—>Edi ...
- graoovy资料
官网 http://www.groovy-lang.org/ 官方文档 http://www.groovy-lang.org/documentation.html Groovy入门教程 http:// ...
- 20170520 BADI增强学习
一.要求:Tcode:FF_5 导入数据运行时,产生财务凭证之前修改某些字段值.Exmp:FEBRE-VWEZWBKPF-XBLNRFEBEP-CHECTBSEG-ZUONR there is a b ...
- brew和brew cask安装
brew 是从下载源码解压然后 ./configure && make install ,同时会包含相关依存库.并自动配置好各种环境变量,而且易于卸载. 这个对程序员来说简直是福音,简 ...