scapy学习笔记(3)
转自:@小五义:http://www.cnblogs/xiaowuyi
在安装完scapy(前两篇笔记有介绍)后,linux环境下,执行sudo scapy运行scapy。
一、简单的发送包
1、send()在第三层发送数据包,但没有接收功能。如:
>>> send(IP(dst="www.baidu.com",ttl=1)/ICMP())
.
Sent 1 packets.
这里相当于ping了下百度,ttl=1
2、sendp(),在第二层发送数据包,同样没有接收功能。如:
>>> sendp(Ether()/IP(dst="www.baidu.com",ttl=1)/ICMP())
WARNING: Mac address to reach destination not found. Using broadcast.
.
Sent 1 packets.
>>> sendp(Ether()/IP(dst="127.0.0.1",ttl=1)/ICMP())
.
Sent 1 packets.
3、sr(),在第三层发送数据包,有接收功能。如:
>>> p=sr(IP(dst="www.baidu.com",ttl=1)/ICMP())
Begin emission:
..Finished to send 1 packets.
.*
Received 4 packets, got 1 answers, remaining 0 packets
>>> p
(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> p[0]
<Results: TCP:0 UDP:0 ICMP:1 Other:0>
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.105 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
再比如,连续发送ttl=1,2,3,4四个包的情况
>>> p=sr(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*
Received 8 packets, got 4 answers, remaining 0 packets
>>> p
(<Results: TCP:0 UDP:0 ICMP:4 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
>>> p[0].show()
0000 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0001 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 222.132.4.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0002 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 119.190.5.126 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
0003 IP / ICMP 27.214.222.160 > 61.135.169.125 echo-request 0 ==> IP / ICMP 112.253.4.197 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
>>>
4、sr1(),在第三层发送数据包,有接收功能,但只接收第一个包。以上面的发送四个包为例:
>>> q=sr1(IP(dst="www.baidu.com",ttl=(1,4))/ICMP())
Begin emission:
Finished to send 4 packets.
.*.*.*.*
Received 8 packets, got 4 answers, remaining 0 packets
>>> q
<IP version=4L ihl=5L tos=0xc0 len=56 id=4773 flags= frag=0L ttl=255 proto=icmp chksum=0xb611 src=27.214.220.1 dst=27.214.222.160 options=[] |<ICMP type=time-exceeded code=ttl-zero-during-transit chksum=0xf4ff unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=28 id=1 flags= frag=0L ttl=1 proto=icmp chksum=0xd879 src=27.214.222.160 dst=61.135.169.105 options=[] |<ICMPerror type=echo-request code=0 chksum=0xf7ff id=0x0 seq=0x0 |>>>>
>>> q.show()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0xc0
len= 56
id= 4773
flags=
frag= 0L
ttl= 255
proto= icmp
chksum= 0xb611
src= 27.214.220.1
dst= 27.214.222.160
\options\
###[ ICMP ]###
type= time-exceeded
code= ttl-zero-during-transit
chksum= 0xf4ff
unused= 0
###[ IP in ICMP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 1
flags=
frag= 0L
ttl= 1
proto= icmp
chksum= 0xd879
src= 27.214.222.160
dst= 61.135.169.105
\options\
###[ ICMP in ICMP ]###
type= echo-request
code= 0
chksum= 0xf7ff
id= 0x0
seq= 0x0
5、srloop(),在第三层工作,如下:
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP())
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
^C
Sent 5 packets, received 5 packets. 100.0% hits.
>>> p=srloop(IP(dst="www.baidu.com",ttl=1)/ICMP(),inter=3,count=2)
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror
RECV 1: IP / ICMP 27.214.220.1 > 27.214.222.160 time-exceeded ttl-zero-during-transit / IPerror / ICMPerror Sent 2 packets, received 2 packets. 100.0% hits.
这里第一条语句在执行时,将会不停的ping百度,第二条执行时每隔3秒ping一次,一共执行两次。inter表示间隔,count记录次数。
6、srp()、srp1()、srploop()与上面3、4、5相同,只是工作在第二层。
二、SYN扫描
SYN扫描:也叫“半开式扫描”(half-open scanning),因为它没有完成一个完整的TCP连接。这种方法向目标端口发送一个SYN分组(packet),如果目标端口返回SYN/ACK,那么可以肯定该端口处于检听状态;否则,返回的是RST/ACK。
>>> sr1(IP(dst="61.135.169.105")/TCP(dport=80,flags="S"))
Begin emission:
Finished to send 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=61.135.169.105 dst=27.214.222.160 options=[] |<TCP sport=http dport=ftp_data seq=3516051844L ack=1 dataofs=5L reserved=0L flags=SA window=8192 chksum=0x2aef urgptr=0 |>> >>> sr1(IP(dst="61.135.169.105")/TCP(dport=81,flags="S"))
Begin emission:
Finished to send 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=56 id=31986 flags= frag=0L ttl=249 proto=icmp chksum=0xd677 src=123.125.248.102 dst=27.214.222.160 options=[] |<ICMP type=dest-unreach code=communication-prohibited chksum=0xfc8d unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=40 id=1 flags= frag=0L ttl=56 proto=tcp chksum=0xa168 src=27.214.222.160 dst=61.135.169.105 options=[] |<TCPerror sport=ftp_data dport=81 seq=0 |>>>>
从结果看,当扫描百度(61.135.169.105)的80端口时,返回的包中ACK=1或者flags=SA,说明该端口处于监听状态,当扫描81端口时,无ACK=1,或者flags=,说明其未处于监听状态。
如果要扫描多个端口,可以使用以下语句,如扫描百度的80-83端口:
>>>sr(IP(dst="www.baidu.com")/TCP(dport=(80,83),flags="S"))
如要扫描21,80,3389等端口:
>>>sr(IP(dst="www.baidu.com")/TCP(dport=[21,80,3389],flags="S"))
简单要显示结果:
>>>ans,unans=_
>>>ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http SA
81 RA
82 RA
83 RA
这里我在扫描80-83时,总是在不停的扫,用ctrl+C停止后,只能得到两个结果,目前没搞明白是什么原因。如下:
>>> sr(IP(dst="www.baidu.com",ttl=56)/TCP(dport=(80,83),flags="S"))
Begin emission:
Finished to send 4 packets.
.*.*.................................................................................
^C
Received 85 packets, got 2 answers, remaining 2 packets
(<Results: TCP:1 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:2 UDP:0 ICMP:0 Other:0>)
>>> ans,unans=_
>>> ans.summary()
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:http S ==> IP / TCP 61.135.169.105:http > 27.214.134.124:ftp_data SA
IP / TCP 27.214.134.124:ftp_data > 61.135.169.105:82 S ==> IP / ICMP 123.125.248.42 > 27.214.134.124 dest-unreach communication-prohibited / IPerror / TCPerror
>>> ans.summary(lambda(s,r):r.sprintf("%TCP.sport% \t %TCP.flags%"))
http SA
?? ??
三、TCP traceroute
traceroute:用来追踪出发点到目的地所经过的路径,通过Traceroute我们可以知道信息从你的计算机到互联网另一端的主机是走的什么路径。当然每次数据包由某一同样的出发点(source)到达某一同样的目的地(destination)走的路径可能会不一样,但基本上来说大部分时候所走的路由是相同的。
>>> ans,unans=sr(IP(dst="www.baidu.com",ttl=(4,25),id=RandShort())/TCP(flags=0x2))
Begin emission:
...*.*.*.*.*.*.*.*.*.*.*Finished to send 22 packets.
.*.*.*.*.*.*.*.*.*.*....^C
Received 48 packets, got 21 answers, remaining 1 packets
>>> for snd,rcv in ans:
... print snd.ttl,rcv.src,isinstance(rcv.payload,TCP)
...
4 112.253.4.177 False
5 219.158.98.221 False
6 124.65.194.22 False
7 124.65.58.182 False
8 123.125.248.42 False
9 61.135.169.105 True
10 61.135.169.105 True
11 61.135.169.105 True
12 61.135.169.105 True
13 61.135.169.105 True
14 61.135.169.105 True
15 61.135.169.105 True
16 61.135.169.105 True
17 61.135.169.105 True
18 61.135.169.105 True
19 61.135.169.105 True
20 61.135.169.105 True
21 61.135.169.105 True
22 61.135.169.105 True
23 61.135.169.105 True
24 61.135.169.105 True
scapy学习笔记(3)的更多相关文章
- scapy学习笔记(3)发送包,SYN及TCP traceroute 扫描
转载请注明:@小五义:http://www.cnblogs/xiaowuyi 在安装完scapy(前两篇笔记有介绍)后,linux环境下,执行sudo scapy运行scapy. 一.简单的发送包 1 ...
- scapy学习笔记(5)
1.ACK Scan >>>ans,unans=sr(IP(dst=,],flags="A") 扫描后,若要找出未过虑的端口: for s,r in ans: i ...
- scapy学习笔记(2)--包及包的定义
转载请注明:@小五义:http://www.cnblogs/xiaowuyi 一.包 包(Packet)是TCP/IP协议通信传输中的数据单位,一般也称“数据包”.其主要由“目的IP地址”.“源IP地 ...
- scapy学习笔记(1)
转载请注明:小五义 http://www.cnblogs.com/xiaowuyi scapy是python写的一个功能强大的交互式数据包处理程序,可用来发送.嗅探.解析和伪造网络数据包,常常被用到网 ...
- scapy学习笔记(2)
一.包 包(Packet)是TCP/IP协议通信传输中的数据单位,一般也称“数据包”.其主要由“目的IP地址”.“源IP地址”.“净载数据”等部分构成,包括包头和包体,包头是固定长度,包体的长度不定, ...
- scapy学习笔记
1.ACK Scan >>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[80,666],flags=" ...
- scapy学习笔记(4)简单的sniffing 嗅探
转载请注明:@小五义:http://www.cnblogs/xiaowuyi 利用sniff命令进行简单的嗅探,可以抓到一些简单的包.当不指定接口时,将对每一个接口进行嗅探,当指定接口时,仅对该接口进 ...
- js学习笔记:webpack基础入门(一)
之前听说过webpack,今天想正式的接触一下,先跟着webpack的官方用户指南走: 在这里有: 如何安装webpack 如何使用webpack 如何使用loader 如何使用webpack的开发者 ...
- PHP-自定义模板-学习笔记
1. 开始 这几天,看了李炎恢老师的<PHP第二季度视频>中的“章节7:创建TPL自定义模板”,做一个学习笔记,通过绘制架构图.UML类图和思维导图,来对加深理解. 2. 整体架构图 ...
随机推荐
- ubuntu环境初始化
0. 在Ubuntu系统中永久修改主机名也比较简单.主机名存放在/etc/hostname文件中,修改主机名时,编辑hostname文件,在文件中输入新的主机名并保存该文件即可 1.打开termini ...
- 一道Google面试题——基数排序思想
题目描述: 一个大小为n的数组,里面的数都属于范围[0,n-1],有不确定的重复元素,找到至少一个重复元素,要求O(1)空间和O(n)时间. 算法分析: 这个题目要求用O(n)的时间复杂度,这意味着只 ...
- water mark
图片水印 https://www.oschina.net/p/watermarkjs?nocache=1542795300822 https://www.cnblogs.com/pengjunhao/ ...
- [Spring MVC]学习笔记--@RequestMapping
@RequestMapping是用来将请求的url,映射到整个类,或者里面的方法. @Controller @RequestMapping("/test") public clas ...
- iframe脸面的页面和父页面之间的交互方法
1.iframe父页面修改iframe中的页面的信息 var obj = document.getElementById("iframeId").contentWindow; ...
- CSS3随意记录
1.注释 注释语法:/* 注解注释内容 */ 2.带有透明度 rgba(255,0,0,0.5);rgba(0,255,0,0.5);rgba(0,0,255,0.5); 0.5就带有透明的,介于0和 ...
- <2013 12 01> 一篇很好的关于windows编程的入门指导(2013年末写的,比较前沿)
我之前做了不少嵌入式开发,从单片机到ARM到RTOS到Linux等等,可以说走的是电气工程师的路线,对编程也是实用性的,跟计算机学院的科班套路不同.最近同学做一个windowsCE的项目请我帮忙,之前 ...
- 扩展运算符和rest运算符
扩展运算符 扩展运算符用三个点号表示,功能是把数组或类数组对象展开成一系列用逗号隔开的值 一.拆分数组 扩展运算符可以直接把数组拆分成用逗号隔开的值 <template> <sect ...
- RemoveDuplicatesfromSortedArray
Given a sorted array, remove the duplicates in place such that each element appear only once and ret ...
- 006-重装yum
报错情况: There was a problem importing one of the Python modulesrequired to run yum. The error leading ...