    • Introduction

    Port scanning means that a client sends connection requests to a range of ports on a server in order to learn which of those ports are in use. It is not in itself a malicious network activity, but it is also an important means by which an attacker discovers the services running on a target host so as to exploit known vulnerabilities in them. The main purpose of port scanning, however, is simply to confirm which services a remote machine offers.

    Scanning many hosts for one specific port is called port sweeping (portsweep); its goal is to find a particular service. For example, to find MySQL servers one would sweep a large number of hosts, attempting a TCP connection to port 3306 on each of them.

    The simplest port scanning tools use TCP connect scanning, which relies on the operating system's native networking functions and is often used as an alternative to SYN scanning. Nmap calls this mode a connect scan because it uses the Unix-like connect() system call. If the port is open, the operating system completes the TCP three-way handshake, and the port scanning tool then immediately closes the newly established connection so as not to cause a denial of service. The advantage of this scanning mode is that the user does not need special privileges. Its drawback is that, because the operating system's own functions are used, the scanner has no low-level control over the packets on the network, so this scan type is less popular. A TCP connect scan is also easy to detect, especially when used for a port sweep: the services that accept the connection will log the sender's IP address, and an intrusion detection system may raise an alarm.
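    The detection side of the two previous paragraphs, as an added example that is not part of the original tutorial: a small detector that reads connection-attempt log lines and flags a source that touches many distinct ports on one host within a time window (a port scan) or the same port on many hosts (a port sweep). The log format, the sample lines, the IP addresses and the thresholds are all constructed for this example; a real deployment would feed it firewall or service logs in whatever format they use.

```python
#!/usr/bin/env python3
"""Flag port scans and port sweeps in a connection-attempt log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original page). One connection attempt
# per line: "<ISO timestamp> <source IP> -> <destination IP>:<destination port>".
# 203.0.113.5 walks six ports on one host (a port scan); 198.51.100.7 tries
# port 3306 on six hosts (a port sweep); 192.0.2.50 is ordinary traffic.
SAMPLE_LOG = """
2024-01-01T10:00:00 203.0.113.5 -> 192.0.2.10:21
2024-01-01T10:00:01 203.0.113.5 -> 192.0.2.10:22
2024-01-01T10:00:02 203.0.113.5 -> 192.0.2.10:23
2024-01-01T10:00:02 192.0.2.50 -> 192.0.2.10:443
2024-01-01T10:00:03 203.0.113.5 -> 192.0.2.10:25
2024-01-01T10:00:04 203.0.113.5 -> 192.0.2.10:80
2024-01-01T10:00:05 203.0.113.5 -> 192.0.2.10:110
2024-01-01T10:00:10 198.51.100.7 -> 192.0.2.1:3306
2024-01-01T10:00:11 198.51.100.7 -> 192.0.2.2:3306
2024-01-01T10:00:12 198.51.100.7 -> 192.0.2.3:3306
2024-01-01T10:00:13 198.51.100.7 -> 192.0.2.4:3306
2024-01-01T10:00:14 198.51.100.7 -> 192.0.2.5:3306
2024-01-01T10:00:15 198.51.100.7 -> 192.0.2.6:3306
2024-01-01T10:00:20 192.0.2.50 -> 192.0.2.11:80
2024-01-01T10:00:21 192.0.2.50 -> 192.0.2.10:443
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect(events, window_seconds=60, port_threshold=5, host_threshold=5):
    """Return a set of (kind, source_ip) findings.

    'portscan'  : one source touched >= port_threshold distinct ports on a
                  single destination host within window_seconds.
    'portsweep' : one source touched the same port on >= host_threshold
                  distinct destination hosts within window_seconds.
    A sliding window ending at each event is used, so a slow scanner that
    spreads its attempts beyond the window is deliberately not flagged here.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, (t_end, _, _, _) in enumerate(evs):
            recent = [e for e in evs[: i + 1] if t_end - e[0] <= window]
            ports_by_host = defaultdict(set)   # dst_ip -> ports tried
            hosts_by_port = defaultdict(set)   # port   -> hosts tried
            for _, _, dst_ip, port in recent:
                ports_by_host[dst_ip].add(port)
                hosts_by_port[port].add(dst_ip)
            if any(len(p) >= port_threshold for p in ports_by_host.values()):
                findings.add(("portscan", src))
            if any(len(h) >= host_threshold for h in hosts_by_port.values()):
                findings.add(("portsweep", src))
    return findings


if __name__ == "__main__":
    for kind, src in sorted(detect(parse_log(SAMPLE_LOG))):
        print("%-10s %s" % (kind, src))
```

    The thresholds are the tuning knobs: too low and a single legitimate client opening several services trips the alarm, too high and a scanner that probes only a handful of ports slips through. Counting distinct ports (rather than raw connection attempts) keeps a busy but legitimate client from being flagged.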

    The other scanning method is the SYN scan, in which the port scanning tool does not use the operating system's native networking functions but generates and sends raw IP packets itself and monitors the responses. This mode is called a "half-open scan" because it never establishes a complete TCP connection. The scanning tool sends a SYN packet; if the target port is open, the target responds with a SYN-ACK packet. The scanner then answers with an RST packet, closing the connection before the handshake completes. If the port is closed but not filtered, the target instead immediately responds with an RST packet. Using raw networking has several advantages: it gives the scanning tool full control over the packets it sends and over how long it waits for responses, and it allows a more detailed analysis of the responses. There is some debate about which type of scan is less intrusive to the target host; the advantage of a SYN scan is that the services themselves never receive a complete connection. However, the RST packets can cause problems for some network stacks, especially simple network devices such as printers.

    This tutorial uses the first method: it calls the operating system's socket connection interface directly, tests whether each port of the target server accepts a connection, and reports the port as open if it does.

    Writing the scanner

    Step 1: Identify the target server and port range
    The target server and the port range are passed directly to the program as command-line arguments, so the program is run as:
    python portscan.py <host> <start_port>-<end_port>
    The program reads them with sys.argv[] and does some preliminary processing; for the exact syntax of sys.argv[], see the Python documentation. Usage:

    #!/usr/bin/python
    # -*- coding: UTF-8 -*-
    import sys
    # portscan.py <host> <start_port>-<end_port>
    host = sys.argv[1]
    # the port range comes as "start-end", e.g. "1-1024"
    portstrs = sys.argv[2].split('-')
    start_port = int(portstrs[0])
    end_port = int(portstrs[1])

    Step 2: Test the TCP port connections
    We enter a loop in which each port in the port range is tested in turn.

    First, import the socket package at the beginning of the file:
    from socket import *
    The connection test method is:

    • create a socket
    • call the connect() function
    • close the connection

    This is in turn achieved as follows:

    Get the destination IP address:
    target_ip = gethostbyname(host)

    Enter the loop to start the connection:

    opened_ports = []
    for port in range(start_port, end_port + 1):
        sock = socket(AF_INET, SOCK_STREAM)
        sock.settimeout(10)
        # connect_ex() returns 0 on success and an errno value otherwise,
        # so a refused or filtered port does not raise an exception
        result = sock.connect_ex((target_ip, port))
        if result == 0:
            opened_ports.append(port)
        # close the connection (or the unused socket) before the next port
        sock.close()

    Step 3: Output the open port results

    This step is very simple; we only need to print the opened_ports list:
    print("Opened ports:")
    for i in opened_ports:
        print(i)

    The complete code is as follows:

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    import sys
    from socket import *
    # portscan.py <host> <start_port>-<end_port>
    host = sys.argv[1]
    # the port range comes as "start-end", e.g. "1-1024"
    portstrs = sys.argv[2].split('-')
    start_port = int(portstrs[0])
    end_port = int(portstrs[1])
    target_ip = gethostbyname(host)
    opened_ports = []
    # end_port + 1 so that the last port of the range is tested as well
    for port in range(start_port, end_port + 1):
        sock = socket(AF_INET, SOCK_STREAM)
        sock.settimeout(10)
        # 0 means the three-way handshake completed, i.e. the port is open
        result = sock.connect_ex((target_ip, port))
        if result == 0:
            opened_ports.append(port)
        sock.close()
    print("Opened ports:")
    for i in opened_ports:
        print(i)

    Test portscan.py: