1、ACK Scan
>>>ans,unans=sr(IP(dst="www.baidu.com")/TCP(dport=[80,666],flags="A")
扫描后,若要找出未过虑的端口:
for s,r in ans: if s[TCP].dport==r[TCP].sport: print str(s[TCP].dport)+"is unfiltered."
过滤过的:
for s in unans: print str(s[TCP].dport)+"is filtered."
2、Xmas Scan
>>>ans,unans=sr(IP(dst="192.168.1.1")/TCP(dport=666,flags="FPU"))
RST表示端口关闭。
3、IP Scan
>>> ans,unans=sr(IP(dst="192.168.1.1",proto=(0,255))/"SCAPY",retry=2)
4、ARP ping
>>> ans,unans=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"),timeout=2)
结果显示:
>>> ans.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%") )
5、ICMP ping
>>> ans,unans=sr(IP(dst="192.168.1.1-254")/ICMP())
结果显示用下面的语句:
>>> ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )
6、TCP ping
>>> ans,unans=sr( IP(dst="192.168.1.*")/TCP(dport=80,flags="S") )
结果显示用下面的语句:
>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )
7、UDP ping
>>> ans,unans=sr( IP(dst="192.168.*.1-10")/UDP(dport=0) )
结果:
>>> ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )
8、ARP cache poisoning
>>> send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),inter=RandNum(10,40), loop=1 )
9、TCP Port Scanning
>>> res,unans = sr( IP(dst="target")/TCP(flags="S", dport=(1,1024)) )
10、IKE Scanning
>>> res,unans = sr( IP(dst="192.168.1.*")/UDP()/ISAKMP(init_cookie=RandString(8), exch_type="identity prot.")/ISAKMP_payload_SA(prop=ISAKMP_payload_Proposal())) Visualizing the results in a list: >>> res.nsummary(prn=lambda (s,r): r.src, lfilter=lambda (s,r): r.haslayer(ISAKMP) )
11、Advanced traceroute
(1)TCP SYN traceroute
>>> ans,unans=sr(IP(dst="4.2.2.1",ttl=(1,10))/TCP(dport=53,flags="S")) Results would be: >>> ans.summary( lambda(s,r) : r.sprintf("%IP.src%\t{ICMP:%ICMP.type%}\t{TCP:%TCP.flags%}")) 192.168.1.1 time-exceeded 68.86.90.162 time-exceeded 4.79.43.134 time-exceeded 4.79.43.133 time-exceeded 4.68.18.126 time-exceeded 4.68.123.38 time-exceeded 4.2.2.1 SA
(2)UDP traceroute
>>> res,unans = sr(IP(dst="target", ttl=(1,20))/UDP()/DNS(qd=DNSQR(qname="test.com")) We can visualize the results as a list of routers: >>> res.make_table(lambda (s,r): (s.dst, s.ttl, r.src))
(3)DNS traceroute
>>> ans,unans=traceroute("4.2.2.1",l4=UDP(sport=RandShort())/DNS(qd=DNSQR(qname="thesprawl.org"))) Begin emission: ..*....******...******.***...****Finished to send 30 packets. *****...***............................... Received 75 packets, got 28 answers, remaining 2 packets 4.2.2.1:udp53 1 192.168.1.1 11 4 68.86.90.162 11 5 4.79.43.134 11 6 4.79.43.133 11 7 4.68.18.62 11 8 4.68.123.6 11 9 4.2.2.1
(4)Etherleaking
>>> sr1(IP(dst="172.16.1.232")/ICMP()) <IP src=172.16.1.232 proto=1 [...] |<ICMP code=0 type=0 [...]| <Padding load=’0O\x02\x01\x00\x04\x06public\xa2B\x02\x02\x1e’ |>>>
(5)ICMP leaking
>>> sr1(IP(dst="172.16.1.1", options="\x02")/ICMP()) <IP src=172.16.1.1 [...] |<ICMP code=0 type=12 [...] | <IPerror src=172.16.1.24 options=’\x02\x00\x00\x00’ [...] | <ICMPerror code=0 type=8 id=0x0 seq=0x0 chksum=0xf7ff | <Padding load=’\x00[...]\x00\x1d.\x00V\x1f\xaf\xd9\xd4;\xca’ |>>>>>
(6)VLAN hopping
>>> sendp(Ether()/Dot1Q(vlan=2)/Dot1Q(vlan=7)/IP(dst=target)/ICMP())
(7)Wireless sniffing
>>> sniff(iface="ath0",prn=lambda x:x.sprintf("{Dot11Beacon:%Dot11.addr3%\t%Dot11Beacon.info%\t%PrismHeader.channel%\tDot11Beacon.cap%}")) The above command will produce output similar to the one below: 00:00:00:01:02:03 netgear 6L ESS+privacy+PBCC 11:22:33:44:55:66 wireless_100 6L short-slot+ESS+privacy 44:55:66:00:11:22 linksys 6L short-slot+ESS+privacy 12:34:56:78:90:12 NETGEAR 6L short-slot+ESS+privacy+short-preamble
