1、ACK Scan
>>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[80,666],flags="A")
扫描后,若要找出未过虑的端口:
for s,r in ans:
if s[TCP].dport==r[TCP].sport:
print str(s[TCP].dport)+"is unfiltered."
过滤过的:
for s in unans:
print str(s[TCP].dport)+"is filtered."
2、Xmas Scan
>>>ans,unans=sr(IP(dst="192.168.1.1")/TCP(dport=666,flags="FPU"))
RST表示端口关闭。
3、IP Scan
>>> ans,unans=sr(IP(dst="192.168.1.1",proto=(0,255))/"SCAPY",retry=2)
4、ARP ping
>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=2)
结果显示:
>>> ans.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%") )
5、ICMP ping
>>> ans,unans=sr(IP(dst="192.168.1.1-254")/ICMP())
结果显示用下面的语句:
>>> ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )
6、TCP ping
>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )
结果显示用下面的语句:
>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )
7、UDP ping
>>> ans,unans=sr( IP(dst="192.168.*.1-10")/UDP(dport=0) )
结果:
>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )
8、ARP cache poisoning
>>> send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),inter=RandNum(10,40), loop=1 )
9、TCP Port Scanning
>>> res,unans = sr( IP(dst="target")/TCP(flags="S", dport=(1,1024)) )
10、IKE Scanning
>>> res,unans = sr( IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(8), exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal())) Visualizing the results in a list: >>> res.nsummary(prn=lambda (s,r): r.src, lfilter=lambda (s,r): r.haslayer(ISAKMP) )
11、Advanced traceroute
(1)TCP SYN traceroute
>>> ans,unans=sr(IP(dst="4.2.2.1",ttl=(1,10))/TCP(dport=53,flags="S"))
Results would be:
>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% {ICMP:%ICMP.type%} {TCP:%TCP.flags%}"))
192.168.1.1 time-exceeded
68.86.90.162 time-exceeded
4.79.43.134 time-exceeded
4.79.43.133 time-exceeded
4.68.18.126 time-exceeded
4.68.123.38 time-exceeded
4.2.2.1 SA
(2)UDP traceroute
>>> res,unans = sr(IP(dst="target", ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com")) We can visualize the results as a list of routers: >>> res.make_table(lambda (s,r): (s.dst, s.ttl, r.src))
(3)DNS traceroute
>>> ans,unans=traceroute("4.2.2.1",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org")))
Begin emission:
..*....******...******.***...****Finished to send 30 packets.
*****...***...............................
Received 75 packets, got 28 answers, remaining 2 packets
4.2.2.1:udp53
1 192.168.1.1 11
4 68.86.90.162 11
5 4.79.43.134 11
6 4.79.43.133 11
7 4.68.18.62 11
8 4.68.123.6 11
9 4.2.2.1
(4)Etherleaking
>>> sr1(IP(dst="172.16.1.232")/ICMP()) <IP src=172.16.1.232 proto=1 [...] |<ICMP code=0 type=0 [...]| <Padding load=’0Ox02x01x00x04x06publicxa2Bx02x02x1e’ |>>>
(5)ICMP leaking
>>> sr1(IP(dst="172.16.1.1", options="x02")/ICMP()) <IP src=172.16.1.1 [...] |<ICMP code=0 type=12 [...] | <IPerror src=172.16.1.24 options=’x02x00x00x00’ [...] | <ICMPerror code=0 type=8 id=0x0 seq=0x0 chksum=0xf7ff | <Padding load=’x00[...]x00x1d.x00Vx1fxafxd9xd4;xca’ |>>>>>
(6)VLAN hopping
>>> sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=7)/IP(dst=target)/ICMP())
(7)Wireless sniffing
>>> sniff(iface="ath0",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3% %Dot11Beacon.info% %PrismHeader.channel% Dot11Beacon.cap%}"))
The above command will produce output similar to the one below:
00:00:00:01:02:03 netgear 6L ESS+privacy+PBCC
11:22:33:44:55:66 wireless_100 6L short-slot+ESS+privacy
44:55:66:00:11:22 linksys 6L short-slot+ESS+privacy
12:34:56:78:90:12 NETGEAR 6L short-slot+ESS+privacy+short-preamble