scapy学习笔记(5)

时间:2022-08-20 14:33:41

1、ACK Scan

>>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[,],flags="A")

扫描后,若要找出未过虑的端口:

for s,r in ans:

    if s[TCP].dport==r[TCP].sport:

        print str(s[TCP].dport)+"is  unfiltered."

过滤过的:

for s in unans:

    print str(s[TCP].dport)+"is filtered."

2、Xmas Scan

>>>ans,unans=sr(IP(dst="192.168.1.1")/TCP(dport=,flags="FPU"))

RST表示端口关闭。

3、IP Scan

>>> ans,unans=sr(IP(dst="192.168.1.1",proto=(,))/"SCAPY",retry=)

4、ARP ping

>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=)

结果显示:

>>> ans.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%") )
5、ICMP ping
>>> ans,unans=sr(IP(dst="192.168.1.1-254")/ICMP())

结果显示用下面的语句:

>>> ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )

6、TCP ping

>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=,flags="S") )

结果显示用下面的语句:

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

7、UDP ping

>>> ans,unans=sr( IP(dst="192.168.*.1-10")/UDP(dport=) )

结果:

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

8、ARP cache poisoning

>>> send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),inter=RandNum(,), loop= )

9、TCP Port Scanning

>>> res,unans = sr( IP(dst="target")/TCP(flags="S", dport=(,)) )

10、IKE Scanning

>>> res,unans = sr( IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(), exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()))

Visualizing the results in a list:

>>> res.nsummary(prn=lambda (s,r): r.src, lfilter=lambda (s,r): r.haslayer(ISAKMP) )

11、Advanced traceroute

(1)TCP SYN traceroute

>>> ans,unans=sr(IP(dst="4.2.2.1",ttl=(,))/TCP(dport=,flags="S"))

Results would be:

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}"))

192.168.1.1          time-exceeded

68.86.90.162        time-exceeded

4.79.43.134          time-exceeded

4.79.43.133          time-exceeded

4.68.18.126          time-exceeded

4.68.123.38          time-exceeded

4.2.2.1                  SA

(2)UDP traceroute

>>> res,unans = sr(IP(dst="target", ttl=(,))/UDP()/DNS(qd=DNSQR(qname="test.com"))

We can visualize the results as a list of routers:

>>> res.make_table(lambda (s,r): (s.dst, s.ttl, r.src))

(3)DNS traceroute

>>> ans,unans=traceroute("4.2.2.1",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))

Begin emission:

..*....******...******.***...****Finished to send  packets.

*****...***...............................

Received  packets, got  answers, remaining  packets

4.2.2.1:udp53

 192.168.1.1

 68.86.90.162

 4.79.43.134

 4.79.43.133

 4.68.18.62

 4.68.123.6

 4.2.2.1

(4)Etherleaking

>>> sr1(IP(dst="172.16.1.232")/ICMP())

<IP src=172.16.1.232 proto= [...] |<ICMP code= type= [...]|

<Padding load=’0O\x02\x01\x00\x04\x06public\xa2B\x02\x02\x1e’ |>>>

(5)ICMP leaking

>>> sr1(IP(dst="172.16.1.1", options="\x02")/ICMP())

<IP src=172.16.1.1 [...] |<ICMP code= type= [...] |

<IPerror src=172.16.1.24 options=’\x02\x00\x00\x00’ [...] |

<ICMPerror code= type= id=0x0 seq=0x0 chksum=0xf7ff |

<Padding load=’\x00[...]\x00\x1d.\x00V\x1f\xaf\xd9\xd4;\xca’ |>>>>>

(6)VLAN hopping

>>> sendp(Ether()/Dot1Q(vlan=)/Dot1Q(vlan=)/IP(dst=target)/ICMP())

(7)Wireless sniffing

>>> sniff(iface="ath0",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\tDot11Beacon.cap%}"))

The above command will produce output similar to the one below:

::::: netgear  6L ESS+privacy+PBCC

::::: wireless_100 6L short-slot+ESS+privacy

::::: linksys 6L  short-slot+ESS+privacy

::::: NETGEAR 6L  short-slot+ESS+privacy+short-preamble

相关文章