Linux攻防（一）——python扫描目标主机端口

网络攻击的一般步骤就是找到目标网络，扫描目标主机开放端口，找到主机弱点，隐藏地址并发动攻击，抹除攻击痕迹并留下后门。

扫描端口windows有很多软件可以使用，但是Linux可以自己写一个小脚本来实现简单的扫描端口。

下面是多进程扫描目的ip的python代码

#!/usr/local/python3.6.3/bin/python3.6
# coding = utf-8

import socket
import datetime
import re
from concurrent.futures import ThreadPoolExecutor, wait

DEBUG = False

def check_ip(ipAddr):
    compile_ip = re.compile('^(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|[1-9])\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)\.(1\d{2}|2[0-4]\d|25[0-5]|[1-9]\d|\d)$')
    if compile_ip.match(ipAddr):
        return True
    else:
        return Fals

def portscan(ip, port):
    try:
        s = socket.socket()
        s.settimeout(0.2)
        s.connect((ip, port))
        openstr = f'[+] {ip} port:{port} open'
        print(openstr)
    except Exception as e:
        if DEBUG is True:
            print(ip + str(port) + str(e))
        else:
            return f'[+] {ip} port:{port} error'
    finally:
        s.close

def main():
    while True:
        ip = input("enter ip:")
        if check_ip(ip):
            start_time = datetime.datetime.now()
            executor = ThreadPoolExecutor(max_workers=100)
            t = [executor.submit(portscan, ip, n) for n in range(1, 65536)]
            if wait(t, return_when='ALL_COMPLETED'):
                end_time = datetime.datetime.now()
                print("扫描完成,用时:", (end_time - start_time).seconds)
                break


if __name__ == '__main__':
    main()

这里再写一个扫描域名端口的

# -*- coding:utf-8 -*-
'''
使用多线程，检测一个目标地址的端口开放情况，目标地址由用户输入，端口暂时定义为0~1024,
检测TCP连接是否成功，如果连接成功，则端口开放，不成功则端口关闭
'''

import socket
import threading

def main():
    host = input('please input domain:')
    portList = range(0,11025)
    openPorts = threadingPortScan(host, portList)
    print(host,'open ports:', openPorts)

# 对给定的(ip, port)进行TCP连接扫描
def tcpPortScan(ip, port, openPort):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # 创建套接字
    sock.settimeout(0.1)            # 设置延时时间
    try:
        result = sock.connect_ex((ip, port))
        if result == 0:
            openPort.append(port)   # 如果端口开放，就把端口port赋给openPort
    except:
        pass
    sock.close()                    # 关闭套接字


def threadingPortScan(host, portList, openPorts = []):

    hostIP = socket.gethostbyname(host)    # 获取域名对应的IP地址
    nloops = range(len(portList))
    threads = []

    for i in nloops:
        threads[i].join()
    return openPorts                       # 返回值为该域名下开放的端口列表

if __name__ == '__main__':
    main()

    for i in nloops:
        t = threading.Thread(target=tcpPortScan, args=(hostIP, portList[i], openPorts))
        threads.append(t)

    for i in nloops:
        threads[i].start()

以上python版本为3.7

程序运行结果我就不展示了，大家可以自己试一试。