#!/usr/bin/python# To run this. you to go to the import os, subprocess, sys,

1. #!/usr/bin/python
2. # To run this. you to go to the
3. import os, subprocess, sys, socket, itertools
4. from threading import Thread
5. from threading import active_count
6. from Queue import Queue
7. from optparse import OptionParser
8. from struct import *
9. from time import sleep
10.  
11. source_ips = {}
12. try:
13. ips = sys.argv[1]
14. except Exception:
15. print("IP must be first argument")
16. sys.exit(1)
17.  
18. devnull = open(os.devnull,'w')
19. ip_queue = Queue()
20. socket_queue = Queue()
21. parser = OptionParser()
22. parser.add_option("-t", "--threads", type="int", dest="threads", default=64, help="Set number of threads")
23. parser.add_option("--timeout", type="int", dest="timeout", default=5, help="Set timeout value (for ping and TCP)")
24. parser.add_option("-s", type="string", dest="scan_type", default="T", help="Set the scan type\n\tT = TCP full connect\n\tS = TCP Syn Scan")
25. parser.add_option("--ping","--ping-scan", action="store_true", dest="ping_only",default=False, help="Perform a ping-only scan")
26. parser.add_option("-P", type="string",dest="ping", default="y",help="Use -PN or -Pn to skip pinging targets")
27. parser.add_option("-p","--ports",type="string",dest="ports", help="Ports to scan. Format is comma separated, and accepts ranges with a \"-\"")
28. parser.add_option("--source",type="string",dest="source",default="auto", help="Optional. Set a source IP if using -sS option. Skips sending UDP packets to auto-determine source IP")
29. parser.add_option("-v","--verbose",action="store_true",dest="verbose",default=False, help="Verbose output (for debugging)")
30. parser.add_option("--example",help="Example usage: ./scan 192.168.0-10.0-255 -sS -Pn -p 20-80,400-500\n./scan 1.1.1.1 --ping --threads 1 --timeout 10")
31. options,args = parser.parse_args()
32. print(options)
33.  
34. def tcp_listener():
35. listen = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
36. ips_of_interest = [n for n in convert_ips(ips)]
37. print("Starting Listener")
38. while True:
39. raw_packet = listen.recvfrom(65565)
40. packet = raw_packet[0]
41. ip_header = unpack('!BBHHHBBH4s',packet[0:16])
42. ip_header_length = (ip_header[0] & 0xf) * 4
43. src_addr = socket.inet_ntoa(ip_header[8])
44.  
45. tcp_header_raw = packet[ip_header_length:ip_header_length+14]
46. tcp_header = unpack('!HHLLBB',tcp_header_raw)
47.  
48. src_port = tcp_header[0]
49. dst_port = tcp_header[1]
50. flag = tcp_header[5]
51.  
52. if flag == 18:
53. if src_addr in ips_of_interest and src_port in options.ports:
54. sys.stdout.write("OPEN: \t{} : {}\n".format(src_addr,src_port))
55.  
56. def ping(ip_q):
57. while True:
58. ip = ip_q.get()
59. if ip == "HALT":
60. ip_q.task_done()
61. return
62. if "win" in sys.platform.lower():
63. command = ["ping","-n","1","-w",str(options.timeout*1000),ip]
64. else:
65. command = ["ping","-c 1","-W {}".format(options.timeout),ip]
66. ret_value = subprocess.call(command, stdin=devnull, stdout=devnull, stderr=devnull)
67. if ret_value == 0:
68. sys.stdout.write("UP: \t{0}\n".format(ip))
69. if options.ping_only != True:
70. for port in options.ports:
71. if options.verbose: sys.stdout.write("Placing ({},{}) in socket queue\n".format(ip,port))
72. socket_queue.put((ip,port))
73. if options.verbose: print(socket_queue.queue)
74. if options.verbose: sys.stdout.write("DONE: {} ping\n".format(ip))
75. ip_q.task_done()
76.  
77. def port_check(socket_q):
78. while True:
79. ip,port = socket_q.get()
80. if options.scan_type.upper() == "T":
81. send_full_connect_syn(ip,port)
82. elif options.scan_type.upper() == "S":
83. send_raw_syn(ip,port)
84. else:
85. sys.stderr.write("Invalid port scan type, doing nothing...\n")
86. socket_q.task_done()
87.  
88. def convert_ips(ips):
89. octets = []
90. for ip in ips.split("."):
91. if "-" in ip:
92. lo,hi = ip.split("-")
93. octets.append(range(int(lo),int(hi)+1))
94. else:
95. octets.append([int(ip)])
96. for ip in itertools.product(octets[0],octets[1],octets[2],octets[3]):
97. yield "{}.{}.{}.{}".format(ip[0],ip[1],ip[2],ip[3])
98.  
99. def convert_ports(ports):
100. if ports == None: return [21,22,23,25,80,443,110,111,135,139,445,8080,8443,53,143,989,990,3306,1080,5554,6667,2222,4444,666,6666,1337,2020,31337]
101. else:
102. if "-" not in ports:
103. tports = ports.split(",")
104. print(tports)
105. else:
106. ports = ports.split(",")
107. tports = []
108. for port in ports:
109. if "-" not in port: tports.append(int(port))
110. else: tports.extend(range(int(port.split("-")[0]),int(port.split("-")[1])+1)) #I made this one line because I wanted to
111. ports = [int(n) for n in tports if int(n) > 0 and int(n) < 65536]
112. if options.verbose: print("Converted ports: {}".format(ports))
113. return ports
114.  
115. class TCPHeader():
116. def __init__(self,src_port=47123,dst_port=80,seqnum=1000,acknum=0,data_offset=80,fin=0,syn=1,rst=0,psh=0,ack=0,urg=0,window=5840,check=0,urg_ptr=0):
117. self.order = "!HHLLBBHHH"
118. self.src_port = src_port
119. self.dst_port = dst_port
120. self.seqnum = seqnum
121. self.acknum = acknum
122. self.data_offset = data_offset
123. self.fin = fin
124. self.syn = syn
125. self.rst = rst
126. self.psh = psh
127. self.ack = ack
128. self.urg = urg
129. self.window = socket.htons(window)
130. self.check = check
131. self.urg_ptr = urg_ptr
132. def flags(self):
133. return self.fin + (self.syn << 1) + (self.rst << 2) + (self.psh <<3) + (self.ack << 4) + (self.urg << 5)
134. def get_struct(self,check=False,checksummed=False):
135. if check != False: self.check = check
136. if checksummed:
137. return pack('!HHLLBBH',self.src_port,self.dst_port,self.seqnum,self.acknum,self.data_offset,self.flags(),self.window)+pack('H',self.check)+pack('!H',self.urg_ptr)
138. else:
139. return pack(self.order,self.src_port,self.dst_port,self.seqnum,self.acknum,self.data_offset,self.flags(),self.window,self.check,self.urg_ptr)
140.  
141. def checksum(msg):
142. sum = 0
143. for i in range(0,len(msg),2):
144. w = ord(msg[i]) + (ord(msg[i+1]) << 8 )
145. sum = sum + w
146.  
147. sum = (sum>>16) + (sum & 0xffff)
148. sum = sum + (sum >> 16)
149. sum = ~sum & 0xffff
150. return sum
151.  
152. def tcp_checksum(source_ip,dest_ip,tcp_header,user_data=''):
153. tcp_length = len(tcp_header) + len(user_data)
154. ip_header = pack('!4s4sBBH',socket.inet_aton(source_ip),socket.inet_aton(dest_ip),0,socket.IPPROTO_TCP,tcp_length)
155. packet = ip_header + tcp_header + user_data
156. return checksum(packet)
157.  
158. def send_raw_syn(dest_ip,dst_port):
159. try:
160. s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
161. except Exception:
162. sys.stderr.write("Error creating socket in send_raw_syn\n")
163. if options.source == "auto":
164. src_addr = get_source_ip(dest_ip)
165. else:
166. src_addr = options.source
167. src_port = 54321
168. make_tcpheader = TCPHeader(src_port,dst_port)
169. tcp_header = make_tcpheader.get_struct()
170. packet = make_tcpheader.get_struct(check=tcp_checksum(src_addr,dest_ip,tcp_header),checksummed=True)
171. if options.verbose: sys.stdout.write("SEND: SYN packet {} {}\n".format(dest_ip,dst_port))
172. try: s.sendto(packet,(dest_ip,0))
173. except Exception: sys.stderr.write("Error utilizing raw socket in send_raw_syn\n")
174.  
175. def send_full_connect_syn(ip,port):
176. try:
177. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
178. s.settimeout(options.timeout)
179. except Exception:
180. sys.stdout.write("Error creating socket in send_full_connect_syn\n")
181. try:
182. if options.verbose: sys.stdout.write("START: {} {} port\n".format(ip,port))
183. s.connect((ip,port))
184. sys.stdout.write("OPEN: \t{0} : {1}\n".format(ip,port))
185. s.close()
186. except Exception:
187. pass
188. if options.verbose: sys.stdout.write("DONE: {} {} port\n".format(ip,port))
189.  
190. def populate_queues():
191. options.ports = convert_ports(options.ports)
192. for ip in convert_ips(ips):
193. if options.ping.lower() == "n":
194. for port in options.ports:
195. if options.verbose: sys.stdout.write("Placing ({},{}) in socket queue\n".format(ip,port))
196. if options.verbose: print(socket_queue.queue)
197. socket_queue.put((ip,port))
198. else:
199. ip_queue.put(ip)
200.  
201. def start_ping_threads():
202. for index in range(options.threads):
203. if options.ping == "y":
204. ping_worker = Thread(target=ping, args=(ip_queue,))
205. ping_worker.setDaemon(True)
206. ping_worker.start()
207.  
208. if options.verbose: print("THREADS inside ping: {}".format(active_count()))
209. ip_queue.join()
210. print("********* IP QUEUE BLOCK RELEASED ************")
211.  
212. def start_port_threads():
213. if options.scan_type.lower() == "s":
214. listen_thread = Thread(target=tcp_listener)
215. listen_thread.setDaemon(True)
216. listen_thread.start()
217. for index in range(options.threads):
218. port_worker = Thread(target=port_check, args=(socket_queue,))
219. port_worker.setDaemon(True)
220. port_worker.start()
221.  
222. if options.verbose: print("THREADS inside port: {}".format(active_count()))
223. socket_queue.join()
224. if options.scan_type.lower() == "s": sleep(options.timeout)
225. print("********* SOCKET QUEUE BLOCK RELEASED *************")
226.  
227. def halt_ping_threads():
228. if options.ping == "y":
229. for i in range(options.threads):
230. ip_queue.put("HALT")
231.  
232. def get_source_ip(dst_addr):
233. global source_ips
234. try:
235. if dst_addr in source_ips:
236. return source_ips[dst_addr]
237. else:
238. source_ips[dst_addr] = [(s.connect((dst_addr, 53)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1]
239. return source_ips[dst_addr]
240. except Exception:
241. sys.stderr.write("Something went wrong in get_source_ip, results might be wrong\n")
242.  
243. populate_queues()
244. start_ping_threads()
245. halt_ping_threads()
246. if options.ping_only != True:
247. start_port_threads()