-
Notifications
You must be signed in to change notification settings - Fork 3
/
10-emulating-nmap.html
154 lines (141 loc) · 9.64 KB
/
10-emulating-nmap.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<title>Emulating nmap Functions</title>
<link rel="stylesheet" href="stylesheets/styles.css">
<link rel="stylesheet" href="stylesheets/pygment_trac.css">
<link href="stylesheets/font-awesome.min.css" rel="stylesheet">
<script src="javascripts/scale.fix.js"></script>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<!--[if lt IE 9]>
<script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body>
<div class="wrapper">
<header>
<h1 class="header"><a href="index.html">Scapy for Network Tools</a></h1>
<p class="header">Using the power of Python + Scapy to build network tools</p>
<ul>
<li class="download"><a class="buttons" href="https://github.com/thepacketgeek/building-network-tools-with-scapy/zipball/master">Download ZIP</a></li>
<li class="download"><a class="buttons" href="https://github.com/thepacketgeek/building-network-tools-with-scapy/tarball/master">Download TAR</a></li>
<li><a class="buttons github" href="https://github.com/thepacketgeek/building-network-tools-with-scapy">View On GitHub</a></li>
</ul>
<p class="header">This project is maintained by <a class="header name" href="https://github.com/thepacketgeek">thepacketgeek</a></p>
</header>
<section>
<h3 id="01">
10 - Emulating nmap Functions
</h3>
<p>We've seen a lot of cool applications for scapy in your network tools, but a good inspiration for new tools is to look at existing tools to figure out how they do their job. We will be emulating some nmap & Angry IP Scanner type features and creating the following tools: </p>
<ul>
<li><a href="#port-scanner">TCP Port Range Scanner</a></li>
<li><a href="#ping-sweep">ICMP Ping Sweep</a></li>
<li><a href="#sweep-and-scan">Combining the Two</a></li>
</ul>
<h4 id="port-scanner">TCP Port Range Scanner</h4>
<p>This is a fairly basic tool to test whether a host has specific TCP ports open and listening. We start out by defining our host and ports to scan and then move on to the fun stuff. Using a random TCP source port to help obfuscate the attack (although most firewalls are smarter than this nowadays), we send a TCP SYN packet to each destination TCP port specified. If we get no response or a TCP RST in return, we know that the host is filtering or not listening on that port. If we get an ICMP unreachable or error response, we also know the host is not willing to take requests on that port. But, if we get an expected TCP SYN/ACK response, we will send a RST so the host doesn't keep listening for our ACK since we already know the host is listening on that port. Here's the code:</p>
<script type="text/javascript" src="https://gist.github.com/thepacketgeek/7109130.js"></script>
<pre><code>============================Console Output:===========================
www.facebook.com:22 is filtered (silently dropped).
www.facebook.com:23 is filtered (silently dropped).
www.facebook.com:80 is open.
www.facebook.com:443 is open.
www.facebook.com:449 is filtered (silently dropped).</code></pre>
<p class="caption">For more information on TCP behavior and how this was created, visit: <a target = "_blank" href="http://resources.infosecinstitute.com/port-scanning-using-scapy/">Port Scanning Using Scapy</a></p>
<h4 id="ping-sweep">ICMP Ping Sweep</h4>
<p>For this utility, we will need the <a target = "_blank" href="http://pythonhosted.org/netaddr/index.html">netaddr</a> module for iterating through an IP subnet. Read the docs and install the module with these links:</p>
<ul>
<li><a target = "_blank" href="http://pythonhosted.org/netaddr/index.html"></a>netaddr Docs</li>
<li><a target = "_blank" href="http://pythonhosted.org/netaddr/installation.html">Installing netaddr</a></li>
</ul>
<p>This script is just an expansion of our ICMP ping utility from the <a href="06-sending-and-receiving.html">Sending and Receiving</a> example. We will use a network given with a CIDR mask to specify the hosts to run the ping scan on. Then, using a Python <code>for</code> loop we iterate through each address and try pinging. If the response times out or returns an ICMP error (such as unreachable or admin deny), we know that the host is not up or is blocking ICMP. Otherwise, if we receive a response we know that host is online. Check out the code here: </p>
<script type="text/javascript" src="https://gist.github.com/thepacketgeek/7109829.js"></script>
<pre><code>============================Console Output:===========================
172.16.20.1 is responding.
WARNING: Mac address to reach destination not found. Using broadcast.
172.16.20.2 is down or not responding.
WARNING: Mac address to reach destination not found. Using broadcast.
172.16.20.3 is down or not responding.
172.16.20.4 is responding.
172.16.20.5 is responding.
172.16.20.6 is responding.
172.16.20.7 is responding.
WARNING: Mac address to reach destination not found. Using broadcast.
172.16.20.8 is down or not responding.
WARNING: Mac address to reach destination not found. Using broadcast.
172.16.20.9 is down or not responding.
172.16.20.10 is responding.
172.16.20.11 is responding.
... (truncated)
Out of 254 hosts, 19 are online.</code></pre>
<p>In this example, the <code>WARNING: Mac address to reach destination not found. Using broadcast.</code> is telling us that Scapy doesn't know the destination ARP address to send the packet to. This is only showing up because I am running this test on my locally connected network. If I were running this scan on a different network, Scapy would use the gateway MAC address for the L2 destination. </p>
<h4 id="sweep-and-scan">Combining the Two</h4>
<p>Those first two tools are cool, but you know what would be cooler? Combining them! With a new tool that combines those two features, we can scan a subnet for online hosts and then also run a TCP scan on the online hosts.</p>
<p>To get this new tool up and running, we can pretty much use the existing code with just a couple changes. We can get rid of the single <code>host</code> variable since we'll be using the network statment (this can define a single host using the /32 CIDR mask). Also, to keep the code clean and easy to understand we should move our TCP scan to it's own function so we can call that on any hosts that respond to the ICMP ping request. Here's the code and some example output:</p>
<script type="text/javascript" src="https://gist.github.com/thepacketgeek/7125485.js"></script>
<pre><code>============================Console Output:===========================
172.16.20.1:22 is filtered (silently dropped).
172.16.20.1:23 is filtered (silently dropped).
172.16.20.1:80 is filtered (silently dropped).
172.16.20.1:443 is filtered (silently dropped).
172.16.20.1:449 is filtered (silently dropped).
172.16.20.2:22 is closed.
172.16.20.2:23 is closed.
172.16.20.2:80 is open.
172.16.20.2:443 is closed.
172.16.20.2:449 is closed.
172.16.20.3:22 is filtered (silently dropped).
172.16.20.3:23 is filtered (silently dropped).
172.16.20.3:80 is filtered (silently dropped).
172.16.20.3:443 is filtered (silently dropped).
172.16.20.3:449 is filtered (silently dropped).
172.16.20.4 is down or not responding.
172.16.20.5:22 is closed.
172.16.20.5:23 is closed.
172.16.20.5:80 is open.
172.16.20.5:443 is open.
172.16.20.5:449 is closed.
172.16.20.6:22 is closed.
172.16.20.6:23 is closed.
172.16.20.6:80 is open.
172.16.20.6:443 is closed.
172.16.20.6:449 is closed.
Out of 8 hosts, 5 are online.</code></pre>
<p>That output is a little noisy for my taste, so if we remove some of the print statements like in this example <a title="10-scan-and-sweep-2.py" target="_blank" href="https://gist.github.com/thepacketgeek/7125755">here</a>, we get the following output:</p>
<pre><code>============================Console Output:===========================
172.16.20.1 is responding.
172.16.20.2 is responding.
172.16.20.2:80 is open.
172.16.20.3 is responding.
172.16.20.5 is responding.
172.16.20.5:80 is open.
172.16.20.5:443 is open.
172.16.20.6 is responding.
172.16.20.6:80 is open.
Out of 8 hosts, 5 are online.</code></pre>
<p>This is just the basics for building tools like this. The formatting can be customized to print out how you want and you can scan more ports if needed. Use these as starting points to build The Ultimate Network Tool and let me know what you create! </p>
<nav>
<p class="previous"><a href="09-scapy-and-dns.html"><i class="icon-arrow-left"></i> Previous</a></p>
<p class="next"><a href="11-scapy-resources.html">Next <i class="icon-arrow-right"></i></a></p>
</nav>
</section>
</div>
<footer>
<p>Hosted on GitHub Pages — Theme by <a href="https://github.com/orderedlist">orderedlist</a></p>
</footer>
<!--[if !IE]><script>fixScale(document);</script><![endif]-->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-44238008-3");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html>