Advertisement
opexxx

shscan.py

Sep 1st, 2014
385
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.13 KB | None | 0 0
  1.  
  2. #!/usr/bin/python
  3. import sys
  4. import re
  5. import subprocess
  6. import paramiko
  7. import socket
  8. import time
  9. from threading import Thread
  10. from optparse import OptionParser
  11. # global debug flag
  12. DEBUG_FLAG = False
  13. # confirm that the host is up; this can be done with a simple
  14. # ping. Also detect if we're getting ICMP prohibited responses; this means
  15. # we're probably getting denied by a firewall/router or the system is
  16. # configured to deny icmp echo requests.
  17. def check_host ( addr ):
  18. global DEBUG_FLAG
  19. try:
  20. process = subprocess.Popen(['ping', '-c', '2', '-W', '1', addr],
  21. stdout = subprocess.PIPE,
  22. stderr = subprocess.PIPE)
  23. process.wait()
  24. line = process.stdout.read().decode("utf-8")
  25. if DEBUG_FLAG: print "[dbg] Host returned: \n%s"%line
  26. up = re.search("\d.*? received", line)
  27. proh = re.search("Host Prohibited", line)
  28. if proh:
  29. print '[-] Host actively prohibiting our pings, but active.'
  30. return True
  31. # check if 0 is anywhere in the transmit return string, ergo:
  32. # 2 packets transmitted, 2 received
  33. if re.search("0", up.group(0)) is None:
  34. return True
  35. else:
  36. return False
  37. except Exception:
  38. return False
  39. # look for shells returned to us and dish out some fake creds.
  40. # This is loud, but it's also more accurate than fingerprinting TCP packets.
  41. def shscan(ip, port):
  42. try:
  43. ssh = paramiko.SSHClient()
  44. ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  45. w = ssh.connect(ip, port, username='test',
  46. password='test', timeout=1.0)
  47. ssh.close()
  48. except paramiko.AuthenticationException, j:
  49. ssh.close()
  50. print '[+] SSH found at port %s'%port
  51. return
  52. except Exception, e:
  53. ssh.close()
  54. return
  55. # simple port scanner for some basic stuff
  56. def port_scan(addr, port):
  57. global DEBUG_FLAG
  58. sock = socket.socket()
  59. sock.settimeout(1.0)
  60. try:
  61. sock.connect((addr, port))
  62. print '[+] Open port at %s'%port
  63. sock.close()
  64. sock = None
  65. return True
  66. except socket.error, e:
  67. sock.close()
  68. sock = None
  69. return False
  70. except Exception, j:
  71. sock.close()
  72. sock = None
  73. return False
  74. # get the systems thread limit.
  75. # This is calculated by total RAM / ulimit -s
  76. # Systems generally have different settings for thread caps
  77. # both with totals and per process. So instead of hard coding
  78. # a default, just automatically calculate and return a thread max.
  79. # There's also now a command for manually setting the thread count.
  80. def thread_limit():
  81. global DEBUG_FLAG
  82. try:
  83. proc = subprocess.Popen(['ulimit -s'], shell=True,
  84. stdout = subprocess.PIPE,
  85. stderr = subprocess.PIPE)
  86. total_t = int((proc.stdout.read().decode("utf-8")))/1024
  87. proc = subprocess.Popen(['free | grep Mem | awk \'{print $2}\''],
  88. shell=True,
  89. stdout = subprocess.PIPE,
  90. stderr = subprocess.PIPE)
  91. total_mem = int(proc.stdout.read().decode("utf-8"))
  92. MAX = int(total_mem/1024) / total_t
  93. if DEBUG_FLAG:
  94. print '[dbg] Mem: %d'%int(total_mem/1024)
  95. print '[dbg] Threads: %d'%int(total_t)
  96. print '[dbg] Net max threads: %d'%MAX
  97. return MAX
  98. except Exception, j:
  99. print '[-] Couldn\'t get thread max: \'%s\''%j
  100. return
  101. # entry
  102. def main():
  103. global DEBUG_FLAG
  104. parser = OptionParser(epilog=
  105. "The default scan searches only the first 1023 ports.")
  106. parser.add_option("-s", help="Skip host discovery", action="store_true",
  107. default=False, dest="skip")
  108. parser.add_option("-r", metavar="x-y", help="Specify a range of ports, "
  109. "or give it a single port", action="store", dest="p_range" )
  110. parser.add_option("-i", help="The address to scan",
  111. action="store", dest="addr")
  112. parser.add_option("-a", help="Scan all 65,535 ports",
  113. action="store_true", default=False, dest="all_ports")
  114. parser.add_option("-p", help="Do a port scan of the given ports",
  115. action="store_true", default=False, dest="port_scan")
  116. parser.add_option("-v", help="Verbose output with debug",
  117. action="store_true", default=False, dest="verbose")
  118. parser.add_option("-t", help="Manually set thread count", dest="threads",
  119. action="store" )
  120. # parse options, set global debug flag
  121. (options, args) = parser.parse_args()
  122. DEBUG_FLAG = options.verbose
  123. # set thread max
  124. if options.threads is not None:
  125. THREAD_MAX = int(options.threads)
  126. else:
  127. THREAD_MAX = thread_limit()
  128. if DEBUG_FLAG:
  129. print '[dbg] Using %d threads'%THREAD_MAX
  130. # ditch if they didn't give us an addr
  131. if options.addr is None:
  132. print 'Use -i to specify an address (-h for help)'
  133. sys.exit(0)
  134. # lets see if the host is up
  135. if options.skip is False:
  136. print '[+] Checking address \'%s\''%options.addr
  137. if check_host(options.addr) is False:
  138. print '[-] No route to host. Host might be down or dropping probes.'
  139. print '[-] Trying running with \'-s\' to skip if you know it\'s up.'
  140. sys.exit(0)
  141. else:
  142. print '[+] Host is up.'
  143. # shscan
  144. # Sleep the loop if we max out current threads, allowing them
  145. # time to close up
  146. if options.port_scan is False:
  147. print '[+] Scanning \'%s\''%options.addr
  148. try:
  149. if options.p_range is not None:
  150. # if the - is not found, it's a single port
  151. if not "-" in options.p_range:
  152. shscan(options.addr, int(options.p_range))
  153. sys.exit(0)
  154. (lower, sep, upper) = options.p_range.partition("-")
  155. for i in range(int(lower),int(upper)):
  156. if i%THREAD_MAX == 0:
  157. time.sleep(1)
  158. thread = Thread(target=shscan, args=(options.addr, i))
  159. thread.start()
  160. # scan ALL the ports!
  161. elif options.all_ports:
  162. for i in range(65535):
  163. if i%THREAD_MAX == 0:
  164. time.sleep(1)
  165. thread = Thread(target=shscan, args=(options.addr, i))
  166. thread.start()
  167. # else scan all the well known ports
  168. else:
  169. for i in range(1023):
  170. if i%THREAD_MAX == 0:
  171. time.sleep(1)
  172. thread = Thread(target=shscan, args=(options.addr, i))
  173. thread.start()
  174. except Exception, j:
  175. print '[-] %s'%j
  176. # port scan.
  177. if options.port_scan is True:
  178. print '[+] Port scanning \'%s\''%options.addr
  179. # scan the given range
  180. if options.p_range is not None:
  181. # or the single port
  182. if not '-' in options.p_range:
  183. port_scan(options.addr, int(options.p_range))
  184. sys.exit(0)
  185. (lower, sep, upper) = options.p_range.partition("-")
  186. for i in range(int(lower), int(upper)):
  187. if i%THREAD_MAX == 0:
  188. time.sleep(2)
  189. thread = Thread(target=port_scan, args=(options.addr, i))
  190. thread.start()
  191. # scan only the top 1023 ports
  192. else:
  193. for i in range(1023):
  194. if i%THREAD_MAX == 0:
  195. time.sleep(2)
  196. thread = Thread(target=port_scan, args=(options.addr, i))
  197. thread.start()
  198. # real entry
  199. if __name__=="__main__":
  200. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement