scapy学习笔记-白红宇

scapy学习笔记

阅读量：4954 次

发布时间：2019-06-12

本文共 3356 字，大约阅读时间需要 11 分钟。

1、ACK Scan

>>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[80,666],flags="A")

扫描后，若要找出未过虑的端口：

for s,r in ans:    if s[TCP].dport==r[TCP].sport:        print str(s[TCP].dport)+"is  unfiltered."

过滤过的：

for s in unans:    print str(s[TCP].dport)+"is filtered."

2、Xmas Scan

>>>ans,unans=sr(IP(dst="192.168.1.1")/TCP(dport=666,flags="FPU"))

RST表示端口关闭。

3、IP Scan

>>> ans,unans=sr(IP(dst="192.168.1.1",proto=(0,255))/"SCAPY",retry=2)

4、ARP ping

>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=2)

结果显示：

>>> ans.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%") )

5、ICMP ping

>>> ans,unans=sr(IP(dst="192.168.1.1-254")/ICMP())

结果显示用下面的语句：

>>> ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )

6、TCP ping

>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )

结果显示用下面的语句：

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

7、UDP ping

>>> ans,unans=sr( IP(dst="192.168.*.1-10")/UDP(dport=0) )

结果：

>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

8、ARP cache poisoning

>>> send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),inter=RandNum(10,40), loop=1 )

9、TCP Port Scanning

>>> res,unans = sr( IP(dst="target")/TCP(flags="S", dport=(1,1024)) )

10、IKE Scanning

>>> res,unans = sr( IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(8), exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal()))Visualizing the results in a list:>>> res.nsummary(prn=lambda (s,r): r.src, lfilter=lambda (s,r): r.haslayer(ISAKMP) )

11、Advanced traceroute

（1）TCP SYN traceroute

>>> ans,unans=sr(IP(dst="4.2.2.1",ttl=(1,10))/TCP(dport=53,flags="S"))Results would be:>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}"))192.168.1.1          time-exceeded68.86.90.162        time-exceeded4.79.43.134          time-exceeded4.79.43.133          time-exceeded4.68.18.126          time-exceeded4.68.123.38          time-exceeded4.2.2.1                  SA

（2）UDP traceroute

>>> res,unans = sr(IP(dst="target", ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com"))We can visualize the results as a list of routers:>>> res.make_table(lambda (s,r): (s.dst, s.ttl, r.src))

（3）DNS traceroute

>>> ans,unans=traceroute("4.2.2.1",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))Begin emission:..*....******...******.***...****Finished to send 30 packets.*****...***...............................Received 75 packets, got 28 answers, remaining 2 packets4.2.2.1:udp531 192.168.1.1 114 68.86.90.162 115 4.79.43.134 116 4.79.43.133 117 4.68.18.62 118 4.68.123.6 119 4.2.2.1

（4）Etherleaking

>>> sr1(IP(dst="172.16.1.232")/ICMP())
     
      >>

（5）ICMP leaking

>>> sr1(IP(dst="172.16.1.1", options="\x02")/ICMP())
     
      >>>>

（6）VLAN hopping

>>> sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=7)/IP(dst=target)/ICMP())

（7）Wireless sniffing

>>> sniff(iface="ath0",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\tDot11Beacon.cap%}"))The above command will produce output similar to the one below:00:00:00:01:02:03 netgear  6L ESS+privacy+PBCC11:22:33:44:55:66 wireless_100 6L short-slot+ESS+privacy44:55:66:00:11:22 linksys 6L  short-slot+ESS+privacy12:34:56:78:90:12 NETGEAR 6L  short-slot+ESS+privacy+short-preamble

转载于:https://www.cnblogs.com/nul1/p/11007374.html

你可能感兴趣的文章

String类型转int类型方法

查看>>

客户数据库出现大量cache buffer chains latch

查看>>

機械の総合病院 [MISSION LEVEL: C]

查看>>

实战练习细节（分行／拼接字符串/字符串转int/weak和copy）

查看>>

Strict Standards: Only variables should be passed by reference

查看>>