端口扫描器的几种代码实现方案
搞安全的应该都知道端口扫描在渗透测试、漏洞扫描过程中的重要性,其与URL爬虫等技术构成了漏洞扫描的第一阶段,即目标信息收集。因此能否开发出一款高效稳定的端口扫描器,往往决定了漏洞扫描器的好坏。那么说到端口扫描器,我们往往会先想到nmap、masscan等神器,它们是这个领域的标杆。但本篇并不是为了介绍这几款工具,而是谈谈如何自研一款高效稳定的端口扫描器。
端口扫描器,顾名思义就是为了探测服务器上的某个端口是否开放,究其原理可以分为很多种探测方式,比如tcp三次握手扫描,syn扫描等等,本篇并不打算详细介绍这些扫描方式的区别,有兴趣的可以看下nmap的文档,对这几种扫描方式有详细的介绍。
那么说下本文重点,基于这几天我研究并尝试利用python、go开发tcp扫描器、tcp-syn扫描器,以及对比它们之间的速度性能、稳定性差异情况,将测试结果在此做个记录,并分享一下代码以及方案。
说明:文章结尾将给出本篇所使用代码的Github地址,可供大家测试,代码测试环境为centos7。
scan for Python Socket
Python的Socket模块可以创建套接字,创建tcp三次握手连接,以此探测目标端口是否存活。本篇将使用socket模块编写tcp扫描以及syn扫描,并对比两者的差异。
tcp scan
快来看代码:
1 #! -*- coding:utf-8 -*- 2 import time 3 import socket 4 socket_timeout = 0.1 5 def tcp_scan(ip,port): 6 try: 7 s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 8 s.settimeout(socket_timeout) 9 c=s.connect_ex((ip,port)) 10 if c==0: 11 print “%s:%s is open” % (ip,port) 12 else : 13 # print “%s:%s is not open” % (ip,port) 14 pass 15 except Exception,e: 16 print e 17 s.close() 18 if __name__== “__main__” : 19 s_time = time.time() 20 ip = “14.215.177.38” 21 for port in range(0,1024): 22 ” ‘ 此处可用协作 ‘ ” 23 tcp_scan(ip,port) 24 e_time = time.time() 25 print “scan time is “ ,e_time-s_time
运行结果:
说明一下:可以看到此代码扫描1024个端口用了102s,当然代码并没有用多线程、协程等方式提高扫描效率(使用协程测试过扫65535个端口用时400s左右),因为python在这方面的能力比较弱;由于扫描过程中会建立tcp三次握手,因此比较消耗资源。
tcp syn scan
相对tcp扫描,tcp syn扫描方式更为隐蔽,也更节省资源,那么如何利用socket模块实现tcp syn扫描呢?这里需要用到SOCK_RAW,这个在socket编程中相对少用,资料也不多。
1 # -*- coding: UTF-8 -*- 2 import time 3 import random 4 import socket 5 import sys 6 from struct import * 7 ” ‘ 8 Warning:must run it as root 9 yum install python-devel libpcap-devel 10 pip install pcap 11 ‘ ” 12 def checksum(msg): 13 ” ‘ Check Summing ‘ ” 14 s = 0 15 for i in range(0,len(msg),2): 16 w = (ord(msg[i]) << 8) + (ord(msg[i+1])) 17 s = s+w 18 s = (s>>16) + (s & 0xffff) 19 s = ~s & 0xffff 20 return s 21 def CreateSocket(source_ip,dest_ip): 22 ” ‘ create socket connection ‘ ” 23 try: 24 s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) 25 except socket.error, msg: 26 print ‘Socket create error: ‘ ,str(msg[0]), ‘message: ‘ ,msg[1] 27 sys.exit() 28 ” ‘ Set the IP header manually ‘ ” 29 s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1) 30 return s 31 def CreateIpHeader(source_ip, dest_ip): 32 ” ‘ create ip header ‘ ” 33 # packet = ” 34 # ip header option 35 headerlen = 5 36 version = 4 37 tos = 0 38 tot_len = 20 + 20 39 id = random.randrange(18000,65535,1) 40 frag_off = 0 41 ttl = 255 42 protocol = socket.IPPROTO_TCP 43 check = 10 44 saddr = socket.inet_aton ( source_ip ) 45 daddr = socket.inet_aton ( dest_ip ) 46 hl_version = (version << 4) + headerlen 47 ip_header = pack( ‘!BBHHHBBH4s4s’ , hl_version, tos, tot_len, id, frag_off, ttl, protocol, check, saddr, daddr) 48 return ip_header 49 def create_tcp_syn_header(source_ip, dest_ip, dest_port): 50 ” ‘ create tcp syn header function ‘ ” 51 source = random.randrange(32000,62000,1) # randon select one source_port 52 seq = 0 53 ack_seq = 0 54 doff = 5 55 ” ‘ tcp flags ‘ ” 56 fin = 0 57 syn = 1 58 rst = 0 59 psh = 0 60 ack = 0 61 urg = 0 62 window = socket.htons (8192) # max windows size 63 check = 0 64 urg_ptr = 0 65 offset_res = (doff << 4) + 0 66 tcp_flags = fin + (syn<<1) + (rst<<2) + (psh<<3) + (ack<<4) + (urg<<5) 67 tcp_header = pack( ‘!HHLLBBHHH’ , source , dest_port, seq, ack_seq, offset_res, tcp_flags, window, check, urg_ptr) 68 ” ‘ headers option ‘ ” 69 source_address = socket.inet_aton( source_ip ) 70 dest_address = socket.inet_aton( dest_ip ) 71 placeholder = 0 72 protocol = socket.IPPROTO_TCP 73 tcp_length = len(tcp_header) 74 psh = pack( ‘!4s4sBBH’ , source_address, dest_address, placeholder, protocol, tcp_length); 75 psh = psh + tcp_header; 76 tcp_checksum = checksum(psh) 77 ” ‘ Repack the TCP header and fill in the correct checksum ‘ ” 78 tcp_header = pack( ‘!HHLLBBHHH’ , source , dest_port, seq, ack_seq, offset_res, tcp_flags, window, tcp_checksum, urg_ptr) 79 return tcp_header 80 def syn_scan(source_ip, dest_ip, des_port) : 81 s = CreateSocket(source_ip, dest_ip) 82 ip_header = CreateIpHeader(source_ip, dest_ip) 83 tcp_header = create_tcp_syn_header(source_ip, dest_ip, des_port) 84 packet = ip_header + tcp_header 85 s.sendto(packet, (dest_ip, 0)) 86 data = s.recvfrom(1024) [0][0:] 87 ip_header_len = (ord(data[0]) & 0x0f) * 4 88 # ip_header_ret = data[0: ip_header_len – 1] 89 tcp_header_len = (ord(data[32]) & 0xf0)>>2 90 tcp_header_ret = data[ip_header_len:ip_header_len+tcp_header_len – 1] 91 ” ‘ SYN/ACK flags ‘ ” 92 if ord(tcp_header_ret[13]) == 0x12: 93 print “%s:%s is open” % (dest_ip,des_port) 94 else : 95 print “%s:%s is not open” % (dest_ip,des_port) 96 if __name__== “__main__” : 97 t_s = time.time() 98 source_ip = ” # 填写本机ip 99 dest_ip = ‘14.215.177.38’ 100 for des_port in range(1024): 101 syn_scan(source_ip, dest_ip, des_port) 102 t_e = time.time() 103 print “time is “ ,(t_e-t_s)
有一点需要注意的,运行这段代码前,需要在系统上安装依赖:
yum install python-devel libpcap-devel pip install pcap
运行结果:
说明:从运行结果上来看,并没有很准确,而且速度也不快,不清楚是不是代码上有问题。
scan for Python scapy
除了socket模块外,python还有一个scapy模块,可以用来模拟发包,但只能在linux下使用,其他操作系统不建议使用此模块。
tcp syn csan
代码在这里:
1 #! -*- coding:utf-8 -*- 2 import time 3 from scapy.all import * 4 ip = “14.215.177.38” 5 TIMEOUT = 0.5 6 threads = 500 7 port_range = 1024 8 retry = 1 9 def is_up(ip): 10 “” ” Tests if host is up “ “” 11 icmp = IP(dst=ip)/ICMP() 12 resp = sr1(icmp, timeout=TIMEOUT) 13 if resp == None: 14 return False 15 else : 16 return True 17 def reset_half_open(ip, ports): 18 # Reset the connection to stop half-open connections from pooling up 19 sr(IP(dst=ip)/TCP(dport=ports, flags= ‘AR’ ), timeout=TIMEOUT) 20 def is_open(ip, ports): 21 to_reset = [] 22 results = [] 23 p = IP(dst=ip)/TCP(dport=ports, flags= ‘S’ ) # Forging SYN packet 24 answers, un_answered = sr(p, verbose=False, retry=retry ,timeout=TIMEOUT) # Send the packets 25 for req, resp in answers: 26 if not resp.haslayer(TCP): 27 continue 28 tcp_layer = resp.getlayer(TCP) 29 if tcp_layer.flags == 0x12: 30 # port is open 31 to_reset.append(tcp_layer.sport) 32 results.append(tcp_layer.sport) 33 elif tcp_layer.flags == 0x14: 34 # port is open 35 pass 36 reset_half_open(ip, to_reset) 37 return results 38 def chunks(l, n): 39 “” “Yield successive n-sized chunks from l.” “” 40 for i in range(0, len(l), n): 41 yield l[i:i + n] 42 if __name__ == ‘__main__’ : 43 start_time = time.time() 44 open_port_list = [] 45 for ports in chunks(list(range(port_range)), threads): 46 results = is_open(ip, ports) 47 if results: 48 open_port_list += results 49 end_time = time.time() 50 print “%s %s” % (ip,open_port_list) 51 print “%s Scan Completed in %fs” % (ip, end_time-start_time)
运行结果:
说明:由于scapy可以一次性发多个syn包,因此速度相对socket更快一些,但稳定性没有很好。
scan for python+nmap
文章开头提到了nmap,其实在python中也可以直接调用nmap,看代码:
1 #! -*- coding:utf-8 -*- 2 ” ‘ 3 pip install python-nmap 4 ‘ ” 5 import nmap 6 nm =nmap.PortScanner() 7 def scan(ip,port,arg): 8 try: 9 nm.scan(ip, arguments=arg+str(port)) 10 except nmap.nmap.PortScannerError: 11 print “Please run -O method for root privileges” 12 else : 13 for host in nm.all_hosts(): 14 for proto in nm[host].all_protocols(): 15 lport = nm[host][proto].keys() 16 lport.sort() 17 for port in lport: 18 print ( ‘port : %ststate : %s’ % (port, nm[host][proto][port][ ‘state’ ])) 19 if __name__== “__main__” : 20 port= “80,443,22,21” 21 scan(ip= “14.215.177.38” ,port=port,arg= “-sS -Pn -p” ) 22 # tcp scan -sT 23 # tcp syn scan -sS
运行结果:
由于nmap扫描速度相对比较慢,因此这里只演示扫描4个端口,不做速度的对比,当然其稳定性还是可以的。
scan for go
前文一直在介绍使用python语言开发端口扫描器,然而由于python在多线程方面的弱势,扫描器的性能可想而知,因此我又利用go语言的高并发性优势,尝试开发端口扫描器。(题外话:为此我花了半天时间看了下go语言的基础,勉强看懂了扫描代码,并做了一些修改)
tcp scan
直接看代码吧:
1 package main 2 // port tcp scan 3 import ( 4 “fmt” 5 “net” 6 “os” 7 “runtime” 8 “strconv” 9 “sync” 10 “time” 11 ) 12 func loop(inport chan int, startport, endport int) { 13 for i := startport; i <= endport; i++ { 14 inport <- i 15 } 16 close(inport) 17 } 18 type ScanSafeCount struct { 19 // 结构体 20 count int 21 mux sync.Mutex 22 } 23 var scanCount ScanSafeCount 24 func scanner(inport int, outport chan int, ip string, endport int) { 25 // 扫描函数 26 in := inport // 定义要扫描的端口号 27 // fmt.Printf( ” %d “ , in ) // 输出扫描的端口 28 host := fmt.Sprintf( “%s:%d” , ip, in ) // 类似(ip,port) 29 tcpAddr, err := net.ResolveTCPAddr( “tcp4” , host) // 根据域名查找ip 30 if err != nil { 31 // 域名解析ip失败 32 outport <- 0 33 } else { 34 conn, err := net.DialTimeout( “tcp” , tcpAddr.String(), 10*time.Second) //建立tcp连接 35 if err != nil { 36 // tcp连接失败 37 outport <- 0 38 } else { 39 // tcp连接成功 40 outport <- in // 将端口写入outport信号 41 fmt.Printf( “n *************( %d 可以 )*****************n” , in ) 42 conn.Close() 43 } 44 } 45 // 线程锁 46 scanCount.mux.Lock() 47 scanCount.count = scanCount.count – 1 48 if scanCount.count <= 0 { 49 close(outport) 50 } 51 scanCount.mux.Unlock() 52 } 53 func main () { 54 runtime.GOMAXPROCS(runtime.NumCPU()) // 设置最大可使用的cpu核数 55 // 定义变量 56 inport := make(chan int) // 信号变量,类似python中的queue 57 outport := make(chan int) 58 collect := []int{} // 定义一个切片变量,类似python中的list 59 // fmt.Println(os.Args, len(os.Args)) // 获取命令行参数并输出 60 if len(os.Args) != 4 { 61 // 命令行参数个数有误 62 fmt.Println( “使用方式:port_scanner IP startport endport” ) 63 os.Exit(0) 64 } 65 s_time := time.Now().Unix() 66 // fmt.Println( “扫描开始:” ) // 获取当前时间 67 ip := string(os.Args[1]) // 获取参数中的ip 68 startport, _ := strconv.Atoi(os.Args[2]) // 获取参数中的启始端口 69 endport, _ := strconv.Atoi(os.Args[3]) // 获取参数中的结束端口 70 if startport > endport { 71 fmt.Println( “Usage: scanner IP startport endport” ) 72 fmt.Println( “Endport must be larger than startport” ) 73 os.Exit(0) 74 } else { 75 // 定义scanCount变量为ScanSafeCount结构体,即计算扫描的端口数量 76 scanCount = ScanSafeCount{count: (endport – startport + 1)} 77 } 78 fmt.Printf( “扫描 %s:%d———-%dn” , ip, startport, endport) 79 go loop(inport, startport, endport) // 执行loop函数将端口写入input信号 80 for v := range inport { 81 // 开始循环input 82 go scanner(v, outport, ip, endport) 83 } 84 // 输出结果 85 for port := range outport { 86 if port != 0 { 87 collect = append(collect, port) 88 } 89 } 90 fmt.Println( “–“ ) 91 fmt.Println(collect) 92 e_time := time.Now().Unix() 93 fmt.Println( “扫描时间:” , e_time-s_time) 94 }
代码我就不解释了(我在代码中加了些注释,应该大致可以看懂),本文也不打算介绍go的用法,毕竟自己也是刚开始学习go,有兴趣的可以看看go的文档,然后再回过头来看看这段代码。
代码运行结果:
说明:由于是tcp扫描,所以多少还是占资源的,而且测试发现稳定性不是很好。
tcp syn scan
看代码看代码:
1 package main 2 // port tcp syn scan 3 import ( 4 “bytes” 5 “encoding/binary” 6 “flag” 7 “fmt” 8 “log” 9 “math/rand” 10 “net” 11 “os” 12 “strconv” 13 “strings” 14 “time” 15 “errors” 16 ) 17 //TCPHeader test 18 type TCPHeader struct { 19 SrcPort uint16 20 DstPort uint16 21 SeqNum uint32 22 AckNum uint32 23 Flags uint16 24 Window uint16 25 ChkSum uint16 26 UrgentPointer uint16 27 } 28 //TCPOption test 29 type TCPOption struct { 30 Kind uint8 31 Length uint8 32 Data []byte 33 } 34 type scanResult struct { 35 Port uint16 36 Opened bool 37 } 38 type scanJob struct { 39 Laddr string 40 Raddr string 41 SPort uint16 42 DPort uint16 43 Stop uint8 44 } 45 var stopFlag = make(chan uint8, 1) 46 func main () { 47 rate := time.Second / 400 48 throttle := time.Tick(rate) 49 jobs := make(chan *scanJob, 65536) 50 results := make(chan *scanResult, 1000) 51 for w := 0; w < 10; w++ { 52 go worker(w, jobs , throttle, results) 53 } 54 // 获取命令行参数 55 ifaceName := flag.String( “i” , “eth0” , “Specify network” ) 56 remote := flag.String( “r” , “” , “remote address” ) 57 portRange := flag.String( “p” , “1-1024” , “port range: -p 1-1024” ) 58 flag.Parse() 59 // ifaceName := &interfaceName_ 60 // remote := &remote_ 61 // portRange := &portRange_ 62 s_time := time.Now().Unix() 63 laddr := interfaceAddress(*ifaceName) // 64 raddr := *remote 65 minPort , maxPort := portSplit(portRange) 66 // fmt.Println(laddr, raddr) // 输出源ip地址,目标ip地址 67 go func(num int){ 68 for i := 0; i < num; i++ { 69 recvSynAck(laddr, raddr, results) 70 } 71 }(10) 72 go func(jobLength int) { 73 for j := minPort; j < maxPort + 1; j++ { 74 s := scanJob{ 75 Laddr: laddr, 76 Raddr: raddr, 77 SPort: uint16(random(10000, 65535)), 78 DPort: uint16(j + 1), 79 } 80 jobs <- &s 81 } 82 jobs <- &scanJob{Stop: 1} 83 }(1024) 84 for { 85 select { 86 case res := <-results: 87 fmt.Println( “扫描到开放的端口:” ,res.Port) 88 case <-stopFlag: 89 e_time := time.Now().Unix() 90 fmt.Println( “总共用了多少时间(s):” ,e_time-s_time) 91 os.Exit(0) 92 } 93 } 94 } 95 func worker(id int, jobs <-chan *scanJob, th <-chan time.Time, results chan<- *scanResult) { 96 for j := range jobs { 97 if j.Stop != 1 { 98 sendSyn(j.Laddr, j.Raddr, j.SPort, j.DPort) 99 } else { 100 stopFlag <- j.Stop 101 } 102 <-th 103 } 104 } 105 func checkError(err error) { 106 // 错误check 107 if err != nil { 108 log.Println(err) 109 } 110 } 111 //CheckSum test 112 func CheckSum(data []byte, src, dst [4]byte) uint16 { 113 pseudoHeader := []byte{ 114 src[0], src[1], src[2], src[3], 115 dst[0], dst[1], dst[2], dst[3], 116 0, 117 6, 118 0, 119 byte(len(data)), 120 } 121 totalLength := len(pseudoHeader) + len(data) 122 if totalLength%2 != 0 { 123 totalLength++ 124 } 125 d := make([]byte, 0, totalLength) 126 d = append(d, pseudoHeader…) 127 d = append(d, data…) 128 return ^mySum(d) 129 } 130 func mySum(data []byte) uint16 { 131 var sum uint32 132 for i := 0; i < len(data)-1; i += 2 { 133 sum += uint32(uint16(data[i])<<8 | uint16(data[i+1])) 134 } 135 sum = (sum >> 16) + (sum & 0xffff) 136 sum = sum + (sum >> 16) 137 return uint16(sum) 138 } 139 func sendSyn(laddr, raddr string, sport, dport uint16) { 140 conn, err := net.Dial( “ip4:tcp” , raddr) 141 checkError(err) 142 defer conn.Close() 143 op := []TCPOption{ 144 TCPOption{ 145 Kind: 2, 146 Length: 4, 147 Data: []byte{0x05, 0xb4}, 148 }, 149 TCPOption{ 150 Kind: 0, 151 }, 152 } 153 tcpH := TCPHeader{ 154 SrcPort: sport, 155 DstPort: dport, 156 SeqNum: rand.Uint32(), 157 AckNum: 0, 158 Flags: 0x8002, 159 Window: 8192, 160 ChkSum: 0, 161 UrgentPointer: 0, 162 } 163 buff := new(bytes.Buffer) 164 err = binary.Write(buff, binary.BigEndian, tcpH) 165 checkError(err) 166 for i := range op { 167 binary.Write(buff, binary.BigEndian, op[i].Kind) 168 binary.Write(buff, binary.BigEndian, op[i].Length) 169 binary.Write(buff, binary.BigEndian, op[i].Data) 170 } 171 binary.Write(buff, binary.BigEndian, [6]byte{}) 172 data := buff.Bytes() 173 checkSum := CheckSum(data, ipstr2Bytes(laddr), ipstr2Bytes(raddr)) 174 //fmt.Printf( “CheckSum 0x%Xn” , checkSum) 175 tcpH.ChkSum = checkSum 176 buff = new(bytes.Buffer) 177 binary.Write(buff, binary.BigEndian, tcpH) 178 for i := range op { 179 binary.Write(buff, binary.BigEndian, op[i].Kind) 180 binary.Write(buff, binary.BigEndian, op[i].Length) 181 binary.Write(buff, binary.BigEndian, op[i].Data) 182 } 183 binary.Write(buff, binary.BigEndian, [6]byte{}) 184 data = buff.Bytes() 185 //fmt.Printf( “% Xn” , data) 186 _, err = conn.Write(data) 187 checkError(err) 188 } 189 func recvSynAck(laddr, raddr string, res chan<- *scanResult) error { 190 listenAddr, err := net.ResolveIPAddr( “ip4” , laddr) // 解析域名为ip 191 checkError(err) 192 conn, err := net.ListenIP( “ip4:tcp” , listenAddr) 193 defer conn.Close() 194 checkError(err) 195 for { 196 buff := make([]byte, 1024) 197 _, addr, err := conn.ReadFrom(buff) 198 if err != nil { 199 continue 200 } 201 if addr.String() != raddr || buff[13] != 0x12 { 202 continue 203 } 204 var port uint16 205 binary.Read(bytes.NewReader(buff), binary.BigEndian, &port) 206 res <- &scanResult{ 207 Port: port, 208 Opened: true , 209 } 210 } 211 } 212 func ipstr2Bytes(addr string) [4]byte { 213 s := strings.Split(addr, “.” ) 214 b0, _ := strconv.Atoi(s[0]) 215 b1, _ := strconv.Atoi(s[1]) 216 b2, _ := strconv.Atoi(s[2]) 217 b3, _ := strconv.Atoi(s[3]) 218 return [4]byte{byte(b0), byte(b1), byte(b2), byte(b3)} 219 } 220 func random(min, max int) int { 221 return rand.Intn(max-min) + min 222 } 223 func interfaceAddress(ifaceName string ) string { 224 iface, err:= net.InterfaceByName(ifaceName) 225 if err != nil { 226 panic(err) 227 } 228 addr, err := iface.Addrs() 229 if err != nil { 230 panic(err) 231 } 232 addrStr := strings.Split(addr[0].String(), “/” )[0] 233 return addrStr 234 } 235 func portSplit(portRange *string) (uint16, uint16) { 236 ports := strings.Split(*portRange, “-“ ) 237 minPort, err := strconv.ParseUint(ports[0], 10, 16) 238 if err !=nil { 239 panic(err) 240 } 241 maxPort, err := strconv.ParseUint(ports[1], 10, 16) 242 if err != nil { 243 panic(err) 244 } 245 if minPort > maxPort { 246 panic(errors.New( “minPort must greater than maxPort” )) 247 } 248 return uint16(minPort), uint16(maxPort) 249 }
代码运行结果:
没错,就是2s!我测试了扫描全端口(0-65535),大概120s左右,而且稳定性不错。
scan for go+python
经过前面的测试我们不难发现,在并发的性能上,go完胜python,但go不适合做复杂的逻辑处理,以及web开发之类的。因此如何整合python跟go呢?这里我想了两种方案,第一种将go语言打包成.so动态连接库,利用python的ctypes模块可以调用;第二种是go写成接口,提供python调用。写成接口的方式相对简单一些,因此这里不介绍了,说说如何打包go,即如何利用python调用go的方法或者说函数。
先看下修改过后的tcp_syn_scan.go代码:
1 package main 2 // port tcp syn scan 3 import ( 4 “C” 5 “os” 6 “bytes” 7 “encoding/binary” 8 “fmt” 9 “log” 10 “math/rand” 11 “net” 12 “strconv” 13 “strings” 14 “time” 15 “errors” 16 ) 17 //TCPHeader test 18 type TCPHeader struct { 19 SrcPort uint16 20 DstPort uint16 21 SeqNum uint32 22 AckNum uint32 23 Flags uint16 24 Window uint16 25 ChkSum uint16 26 UrgentPointer uint16 27 } 28 //TCPOption test 29 type TCPOption struct { 30 Kind uint8 31 Length uint8 32 Data []byte 33 } 34 type scanResult struct { 35 Port uint16 36 Opened bool 37 } 38 type scanJob struct { 39 Laddr string 40 Raddr string 41 SPort uint16 42 DPort uint16 43 Stop uint8 44 } 45 var stopFlag = make(chan uint8, 1) 46 // export Scan 47 func Scan(remote_ *C.char, portRange_ *C.char, interfaceName_ *C.char) { 48 rate := time.Second / 400 49 throttle := time.Tick(rate) 50 jobs := make(chan *scanJob, 65536) 51 results := make(chan *scanResult, 1000) 52 for w := 0; w < 10; w++ { 53 go worker(w, jobs , throttle, results) 54 } 55 // 获取命令行参数 56 // ifaceName := flag.String( “i” , “eth0” , “Specify network” ) 57 // remote := flag.String( “r” , “” , “remote address” ) 58 // portRange := flag.String( “p” , “1-1024” , “port range: -p 1-1024” ) 59 // flag.Parse() 60 interfaceName_1 := C.GoString(interfaceName_) 61 remote_1 := C.GoString(remote_) 62 portRange_1 := C.GoString(portRange_) 63 ifaceName := &interfaceName_1 64 remote := &remote_1 65 portRange := &portRange_1 66 s_time := time.Now().Unix() 67 laddr := interfaceAddress(*ifaceName) // 68 raddr := *remote 69 minPort , maxPort := portSplit(portRange) 70 fmt.Println(laddr, raddr) // 输出源ip地址,目标ip地址 71 go func(num int){ 72 for i := 0; i < num; i++ { 73 recvSynAck(laddr, raddr, results) 74 } 75 }(10) 76 go func(jobLength int) { 77 for j := minPort; j < maxPort + 1; j++ { 78 s := scanJob{ 79 Laddr: laddr, 80 Raddr: raddr, 81 SPort: uint16(random(10000, 65535)), 82 DPort: uint16(j + 1), 83 } 84 jobs <- &s 85 } 86 jobs <- &scanJob{Stop: 1} 87 }(1024) 88 for { 89 select { 90 case res := <-results: 91 fmt.Println( “扫描到开放的端口:” ,res.Port) //输出开放的端口号 92 case <-stopFlag: 93 e_time := time.Now().Unix() 94 fmt.Println( “本次扫描总共耗时(s):” ,e_time-s_time) 95 os.Exit(0) 96 } 97 } 98 } 99 func worker(id int, jobs <-chan *scanJob, th <-chan time.Time, results chan<- *scanResult) { 100 for j := range jobs { 101 if j.Stop != 1 { 102 sendSyn(j.Laddr, j.Raddr, j.SPort, j.DPort) 103 } else { 104 stopFlag <- j.Stop 105 } 106 <-th 107 } 108 } 109 func checkError(err error) { 110 // 错误check 111 if err != nil { 112 log.Println(err) 113 } 114 } 115 //CheckSum test 116 func CheckSum(data []byte, src, dst [4]byte) uint16 { 117 pseudoHeader := []byte{ 118 src[0], src[1], src[2], src[3], 119 dst[0], dst[1], dst[2], dst[3], 120 0, 121 6, 122 0, 123 byte(len(data)), 124 } 125 totalLength := len(pseudoHeader) + len(data) 126 if totalLength%2 != 0 { 127 totalLength++ 128 } 129 d := make([]byte, 0, totalLength) 130 d = append(d, pseudoHeader…) 131 d = append(d, data…) 132 return ^mySum(d) 133 } 134 func mySum(data []byte) uint16 { 135 var sum uint32 136 for i := 0; i < len(data)-1; i += 2 { 137 sum += uint32(uint16(data[i])<<8 | uint16(data[i+1])) 138 } 139 sum = (sum >> 16) + (sum & 0xffff) 140 sum = sum + (sum >> 16) 141 return uint16(sum) 142 } 143 func sendSyn(laddr, raddr string, sport, dport uint16) { 144 conn, err := net.Dial( “ip4:tcp” , raddr) 145 checkError(err) 146 defer conn.Close() 147 op := []TCPOption{ 148 TCPOption{ 149 Kind: 2, 150 Length: 4, 151 Data: []byte{0x05, 0xb4}, 152 }, 153 TCPOption{ 154 Kind: 0, 155 }, 156 } 157 tcpH := TCPHeader{ 158 SrcPort: sport, 159 DstPort: dport, 160 SeqNum: rand.Uint32(), 161 AckNum: 0, 162 Flags: 0x8002, 163 Window: 8192, 164 ChkSum: 0, 165 UrgentPointer: 0, 166 } 167 buff := new(bytes.Buffer) 168 err = binary.Write(buff, binary.BigEndian, tcpH) 169 checkError(err) 170 for i := range op { 171 binary.Write(buff, binary.BigEndian, op[i].Kind) 172 binary.Write(buff, binary.BigEndian, op[i].Length) 173 binary.Write(buff, binary.BigEndian, op[i].Data) 174 } 175 binary.Write(buff, binary.BigEndian, [6]byte{}) 176 data := buff.Bytes() 177 checkSum := CheckSum(data, ipstr2Bytes(laddr), ipstr2Bytes(raddr)) 178 //fmt.Printf( “CheckSum 0x%Xn” , checkSum) 179 tcpH.ChkSum = checkSum 180 buff = new(bytes.Buffer) 181 binary.Write(buff, binary.BigEndian, tcpH) 182 for i := range op { 183 binary.Write(buff, binary.BigEndian, op[i].Kind) 184 binary.Write(buff, binary.BigEndian, op[i].Length) 185 binary.Write(buff, binary.BigEndian, op[i].Data) 186 } 187 binary.Write(buff, binary.BigEndian, [6]byte{}) 188 data = buff.Bytes() 189 //fmt.Printf( “% Xn” , data) 190 _, err = conn.Write(data) 191 checkError(err) 192 } 193 func recvSynAck(laddr, raddr string, res chan<- *scanResult) error { 194 listenAddr, err := net.ResolveIPAddr( “ip4” , laddr) // 解析域名为ip 195 checkError(err) 196 conn, err := net.ListenIP( “ip4:tcp” , listenAddr) 197 defer conn.Close() 198 checkError(err) 199 for { 200 buff := make([]byte, 1024) 201 _, addr, err := conn.ReadFrom(buff) 202 if err != nil { 203 continue 204 } 205 if addr.String() != raddr || buff[13] != 0x12 { 206 continue 207 } 208 var port uint16 209 binary.Read(bytes.NewReader(buff), binary.BigEndian, &port) 210 res <- &scanResult{ 211 Port: port, 212 Opened: true , 213 } 214 } 215 } 216 func ipstr2Bytes(addr string) [4]byte { 217 s := strings.Split(addr, “.” ) 218 b0, _ := strconv.Atoi(s[0]) 219 b1, _ := strconv.Atoi(s[1]) 220 b2, _ := strconv.Atoi(s[2]) 221 b3, _ := strconv.Atoi(s[3]) 222 return [4]byte{byte(b0), byte(b1), byte(b2), byte(b3)} 223 } 224 func random(min, max int) int { 225 return rand.Intn(max-min) + min 226 } 227 func interfaceAddress(ifaceName string ) string { 228 iface, err:= net.InterfaceByName(ifaceName) 229 if err != nil { 230 panic(err) 231 } 232 addr, err := iface.Addrs() 233 if err != nil { 234 panic(err) 235 } 236 addrStr := strings.Split(addr[0].String(), “/” )[0] 237 return addrStr 238 } 239 func portSplit(portRange *string) (uint16, uint16) { 240 ports := strings.Split(*portRange, “-“ ) 241 minPort, err := strconv.ParseUint(ports[0], 10, 16) 242 if err !=nil { 243 panic(err) 244 } 245 maxPort, err := strconv.ParseUint(ports[1], 10, 16) 246 if err != nil { 247 panic(err) 248 } 249 if minPort > maxPort { 250 panic(errors.New( “minPort must greater than maxPort” )) 251 } 252 return uint16(minPort), uint16(maxPort) 253 } 254 func main () { }
然后利用go自身的build命令,将其打包成.so库:
go build -buildmode=c-shared -o tcp_syn_scan.so tcp_syn_scan.go
打包后会得到一个tcp_syn_scan.so和一个tcp_syn_scan.h。然后利用下面的python代码就可以调用Go代码中的Scan()函数了,创建一个tcp_syn_scan.py文件。
1 #! -*- coding:utf-8 -*- 2 from ctypes import * 3 lib = cdll.LoadLibrary(u ‘./scan.so’ ) 4 lib.Scan( “14.215.177.38” , “1-1024” , “eth0” ) # ip,端口范围,网卡
代码运行结果:
说明:相当原生的go,利用python去调用go会损耗一些性能,但总体上还可以。
后记
本文结论就是可以利用go开发扫描模块(性能更佳),并结合python调用。
本文代码项目地址:https://github.com/tengzhangchao/PortScan