def _port_ping(self, hosts: Queue, interface: str, results: set):
self.logger.debug("{}: Starting TCP SYN ping thread.".format(threading.current_thread().name))
while True:
ip = hosts.get() # type: IPAddress
ip_str = str(ip)
# Send SYN with random Src Port for each Dst port
for dstPort in self.portstoscan:
srcPort = random.randint(1025, 65534)
resp = sr1(IP(dst=ip_str) / TCP(sport=srcPort, dport=dstPort, flags=ScapyTCPFlag.SYN), timeout=1,
verbose=False,
iface=interface)
if resp and resp.haslayer(TCP):
if resp[TCP].flags == (TCPFlag.SYN | TCPFlag.ACK) or resp[TCP].flags == (TCPFlag.RST | TCPFlag.ACK):
# Send Reset packet (RST)
send(IP(dst=ip_str) / TCP(sport=srcPort, dport=dstPort, flags=ScapyTCPFlag.RST),
iface=interface, verbose=False)
# We know the port is closed or opened (we got a response), so we deduce that the host exists
node = NetworkNode()
node.ip = ip
node.mac = EUI(resp.src)
node.host = resolve_ip(resp[IP].src)
results.add(node)
self.logger.debug(
"Found a live host by pinging port {port_nbr}: {live_host}.".format(port_nbr=dstPort,
live_host=str(node)))
# We don't need to test the other ports. We know the host exists.
break
hosts.task_done()
def scan(self):
try:
for interface, network in config.interfaces_networks.items():
if not network.is_private():
self.logger.info(
"Skipping arp ping scan on network {0:s} because it's a public network".format(str(network)))
continue
self.logger.info("Executing arp ping scan on network {0:s}...".format(str(network)))
discovered_hosts = set()
ans, unans = arping(str(network), iface=interface, timeout=1, verbose=False)
for s, r in ans.res:
node = NetworkNode()
node.ip = IPAddress(r[ARP].psrc)
node.mac = EUI(r[Ether].src)
node.host = resolve_ip(r[ARP].psrc)
discovered_hosts.add(node)
self.scan_results[network] = discovered_hosts
except socket.error as e:
if e.errno == socket.errno.EPERM: # Operation not permitted
self.logger.error("%s. Did you run as root?", e.strerror)
else:
raise
self.logger.info("Arp ping scan done. Found %d unique hosts.", self.number_of_hosts_found)
def _ping(self, hosts: Queue, interface: str, results: set):
self.logger.debug("{}: Starting ICMP ping thread.".format(threading.current_thread().name))
while True:
ip = hosts.get() # type: IPAddress
ip_str = str(ip)
res = sr1(IP(dst=ip_str) / ICMP(), iface=interface, timeout=0.1, verbose=False)
if res:
node = NetworkNode()
node.ip = ip
node.mac = EUI(res.src)
node.host = resolve_ip(res[IP].src)
results.add(node)
hosts.task_done()
def scan(self):
try:
from scapy.sendrecv import sniff
self.logger.info("Executing passive sniffer scan...")
for interface, network in config.interfaces_networks.items():
discovered_hosts = set()
ans = sniff(timeout=config.snifferdiscovery_timeout, iface=interface)
for i in ans:
from scapy.layers.inet import IP
from scapy.layers.l2 import ARP
if IP in i:
src = IPAddress(i[IP].src)
dst = IPAddress(i[IP].dst)
elif ARP in i:
src = IPAddress(i[ARP].psrc)
dst = IPAddress(i[ARP].pdst)
else:
continue
if src in network.cidr and src not in discovered_hosts:
host = resolve_ip(str(src))
discovered_hosts.add(NetworkNode(src, EUI(i.src), host))
if dst in network.cidr and dst not in discovered_hosts and i.dst != 'ff:ff:ff:ff:ff:ff':
host = resolve_ip(str(src))
discovered_hosts.add(NetworkNode(dst, EUI(i.dst), host))
self.scan_results[network] = discovered_hosts
except socket.error as e:
if e.errno == errno.EPERM: # Operation not permitted
self.logger.error("%s. Did you run as root?", e.strerror)
else:
raise
self.logger.info("Passive sniffer scan done. Found %d unique hosts.", self.number_of_hosts_found)
