Idle (zombie) scanning is an extremely stealthy form of port scanning: the scanned host essentially cannot tell who is scanning it.
But the conditions required to pull it off are fairly strict.
Condition 1: the source address can be spoofed (the source address in the IP packets the Scanner sends must be forged as the Zombie's).
Condition 2: the Zombie host is sufficiently idle, with essentially no IP traffic to the outside world.
Condition 3: the IPID in the IP packets the Zombie sends increments (this is the basis for judging whether a port is open).
PS: on some systems the IPID is random or always 0; Windows 7, Windows XP and Windows 2000 use incrementing values.
When the target host's port is open, the IPIDs of the two RST packets the scanner gets from the Zombie differ by 2:

When the target host's port is closed, the IPIDs of the two RST packets the scanner gets from the Zombie differ by 1:
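Seen from the Zombie's side, the three conditions above are also a detection signature, so here is an added defender-side example (not part of this post's script): a host that keeps receiving SYN/ACK segments answering no SYN of its own is being measured as a zombie, and if its RST replies carry IPIDs that step by exactly one it satisfies condition 3 and should have IPID randomisation turned on. The log format, addresses and IPID values below are constructed for the example.

```python
from collections import defaultdict
import re

# Constructed sample log, one segment per line (tcpdump-like shape):
# "<ts> <src>:<sport> > <dst>:<dport> <flags> id=<ipid>"
SAMPLE_LOG = """\
1.000 10.0.0.5:40001 > 10.0.0.20:80 S id=100
1.001 10.0.0.20:80 > 10.0.0.5:40001 SA id=31
1.002 10.0.0.5:40001 > 10.0.0.20:80 A id=101
2.000 203.0.113.7:80 > 10.0.0.20:80 SA id=5
2.001 10.0.0.20:80 > 203.0.113.7:80 R id=32
2.100 203.0.113.7:80 > 10.0.0.20:80 SA id=6
2.101 10.0.0.20:80 > 203.0.113.7:80 R id=33
2.200 203.0.113.7:80 > 10.0.0.20:80 SA id=7
2.201 10.0.0.20:80 > 203.0.113.7:80 R id=34
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+) id=(\d+)$")

def parse(log):
    """Yield (ts, src, sport, dst, dport, flags, ipid) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, flags, ipid = m.groups()
            yield float(ts), src, int(sport), dst, int(dport), flags, int(ipid)

def unsolicited_synacks(records, threshold=3):
    """Map (probe_src, probe_dst) -> count of SYN/ACKs that answer no SYN we saw
    going the other way; a scanner measuring a zombie's IPID looks like this."""
    syn_seen = set()
    counts = defaultdict(int)
    for _, src, sport, dst, dport, flags, _ in records:
        if flags == "S":
            syn_seen.add((src, sport, dst, dport))
        elif flags == "SA" and (dst, dport, src, sport) not in syn_seen:
            counts[(src, dst)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def rst_ipid_is_sequential(records, host):
    """True when every RST from `host` carries an IPID exactly one above the previous
    RST: the host meets condition 3 and needs IPID randomisation before it is abused."""
    ids = [ipid for _, src, _, _, _, flags, ipid in records if src == host and flags == "R"]
    return len(ids) >= 2 and all(b == a + 1 for a, b in zip(ids, ids[1:]))

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print(unsolicited_synacks(recs))       # {('203.0.113.7', '10.0.0.20'): 3}
    print(rst_ipid_is_sequential(recs, "10.0.0.20"))  # True
```

Hosts whose RST IPIDs are random or zero fail condition 3, which is the simplest way to take a machine out of the zombie pool.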

Script:
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#History:
#2019/4/13 MWQ First
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

# Python 2 script; on Python 3 fall back to the built-in input()
try:
    raw_input
except NameError:
    raw_input = input

def ipid(zombie):
    # Probe the candidate zombie three times with SYN/ACK; an idle host with an
    # incrementing IPID answers each probe with a RST whose IPID is one higher.
    reply1 = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    send(IP(dst=zombie)/TCP(flags="SA"), verbose=0)
    reply2 = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    try:
        if reply2[IP].id == (reply1[IP].id + 2):
            print("IPID sequence is incremental and target to be idle. ZOMBIE LOCATED")
            response = raw_input("Do you want to use this zombie to perform a scan? (Y or N):")
            if response == "Y":
                target = raw_input("Enter IP address of the target system:")
                zombiescan(target, zombie)
        else:
            print("Either the IPID sequence is not incremental or the target is not idle. NOT A GOOD ZOMBIE")
    except:
        # sr1() returned None (no RST within the timeout): the host is probably filtered
        print("zombie may not have turned down its firewall!")

def zombiescan(target, zombie):
    print("\n Scanning target " + target + " with zombie " + zombie)
    print("\n -----------------Open Ports On Target -----------------\n")
    for port in range(1, 200):
        try:
            # IPID before: SYN/ACK to the zombie, which answers with a RST
            start_val = sr1(IP(dst=zombie)/TCP(flags="SA", dport=port), timeout=2, verbose=0)
            # Spoofed SYN to the target; an open port makes the target SYN/ACK the zombie
            send(IP(src=zombie, dst=target)/TCP(flags="S", dport=port), verbose=0)
            # IPID after: a difference of 2 means open, 1 means closed (or filtered)
            end_val = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
            if end_val[IP].id == (start_val[IP].id + 2):
                print(port)
        except:
            # no reply from the zombie for this port; skip it
            pass

print("-----------------Zombie Scan Suite-----------------\n")
print("1 Identify Zombie Host \n")
print("2 Perform Zombie Scan \n")
ans = raw_input("select an Option (1 or 2 ):")
if ans == "1":
    zombie = raw_input("Enter IP address to test IPID sequence:")
    ipid(zombie)
else:
    if ans == "2":
        zombie = raw_input("Enter IP address for zombie system:")
        target = raw_input("Enter IP address for scan target:")
        zombiescan(target, zombie)
Demo:


Comparing the results, the success rate is still quite high!