全连接扫描,根据三次握手的完整性来判断端口是否存在
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃隐蔽端口扫描 ┃
┃Syn—–syn/ack—–rst ┃
┃Scapy ┃
┃ sr1(IP(dst=”192.168.60.3”)/TCP(dport=80),timeout=1,verbose=1) ┃
┃ ./syn_scan.py ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
Scapy Scapy是一个可以让用户发送、侦听和解析并伪装网络报文的Python程序。
首先进入scapy
然后构造包
先不要发送,因为是实验,所以打开wireshark来监听
然后
a.display()
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> a=sr1(IP(dst="192.168.1.134")/TCP(dport=80),timeout=1,verbose=1)
>>>a.display
>>> a=sr1(IP(dst="192.168.1.134")/TCP(flags="S"dport=22),timeout=1)
>>> a=sr1(IP(dst="192.168.1.134")/TCP(flags="S"dport=2222),timeout=1)
操作系统会认为这是一个没来由的sYn,ack;返回rst.我们没有建立握手,你莫名其妙给我发syn,拒绝
我们可以使用python脚本来扫描一个ip的端口
[syn_scan.py]
#!/usr/bin/python
import loggging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv)!=4;
print "Usage - ./syn_scan.py [Target.IP] [First Port] [Las Port]"
print "Example - ./syn_scan.py 1.1.1.5 1 100"
print "Example will TCP SYN port 1 thorough 100 om 10.0.0.5"
sys.exit()
ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3]
for port in range(start,end);
a=str(IP(dst=ip)/UDP(dport=prot),timeout=1,verbose=0)
if a==None;
pass
else;
if(int(a(TCP),flags)==18;
print port
else
pass
1,2,4,8,16,ack+syn=18
防火墙会拦截
╋━━━━━━━━━━━━━━━━━━━╋
┃隐蔽端口扫描 ┃
┃nmap -sS 1.1.1.1 -p 80,21,25,110,443 ┃
┃nmap -sS 1.1.1.1 -p 1-65535 --open ┃
┃nmap -sS 1.1.1.1 -p- --open ┃
┃nmap -sS -iL iplist.txt -p 80 ┃
╋━━━━━━━━━━━━━━━━━━━╋
root@kali:~# nmap 192.168.1.134 -p1-100
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-10-01 23:01 CST
Nmap scan report for 192.168.1.134
Host is up (0.00068s latency).
Not shown: 94 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtb
53/tcp open domain