API tools faq
paste
Advertisement
opexxx

shscan.py

opexxx
Sep 1st, 2014
383
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.13 KB | None | 0 0
raw download clone embed print report
  1.  
  2. #!/usr/bin/python
  3. import sys
  4. import re
  5. import subprocess
  6. import paramiko
  7. import socket
  8. import time
  9. from threading import Thread
  10. from optparse import OptionParser
  11. # global debug flag
  12. DEBUG_FLAG = False
  13. # confirm that the host is up; this can be done with a simple
  14. # ping. Also detect if we're getting ICMP prohibited responses; this means
  15. # we're probably getting denied by a firewall/router or the system is
  16. # configured to deny icmp echo requests.
  17. def check_host ( addr ):
  18. global DEBUG_FLAG
  19. try:
  20. process = subprocess.Popen(['ping', '-c', '2', '-W', '1', addr],
  21. stdout = subprocess.PIPE,
  22. stderr = subprocess.PIPE)
  23. process.wait()
  24. line = process.stdout.read().decode("utf-8")
  25. if DEBUG_FLAG: print "[dbg] Host returned: \n%s"%line
  26. up = re.search("\d.*? received", line)
  27. proh = re.search("Host Prohibited", line)
  28. if proh:
  29. print '[-] Host actively prohibiting our pings, but active.'
  30. return True
  31. # check if 0 is anywhere in the transmit return string, ergo:
  32. # 2 packets transmitted, 2 received
  33. if re.search("0", up.group(0)) is None:
  34. return True
  35. else:
  36. return False
  37. except Exception:
  38. return False
  39. # look for shells returned to us and dish out some fake creds.
  40. # This is loud, but it's also more accurate than fingerprinting TCP packets.
  41. def shscan(ip, port):
  42. try:
  43. ssh = paramiko.SSHClient()
  44. ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  45. w = ssh.connect(ip, port, username='test',
  46. password='test', timeout=1.0)
  47. ssh.close()
  48. except paramiko.AuthenticationException, j:
  49. ssh.close()
  50. print '[+] SSH found at port %s'%port
  51. return
  52. except Exception, e:
  53. ssh.close()
  54. return
  55. # simple port scanner for some basic stuff
  56. def port_scan(addr, port):
  57. global DEBUG_FLAG
  58. sock = socket.socket()
  59. sock.settimeout(1.0)
  60. try:
  61. sock.connect((addr, port))
  62. print '[+] Open port at %s'%port
  63. sock.close()
  64. sock = None
  65. return True
  66. except socket.error, e:
  67. sock.close()
  68. sock = None
  69. return False
  70. except Exception, j:
  71. sock.close()
  72. sock = None
  73. return False
  74. # get the systems thread limit.
  75. # This is calculated by total RAM / ulimit -s
  76. # Systems generally have different settings for thread caps
  77. # both with totals and per process. So instead of hard coding
  78. # a default, just automatically calculate and return a thread max.
  79. # There's also now a command for manually setting the thread count.
  80. def thread_limit():
  81. global DEBUG_FLAG
  82. try:
  83. proc = subprocess.Popen(['ulimit -s'], shell=True,
  84. stdout = subprocess.PIPE,
  85. stderr = subprocess.PIPE)
  86. total_t = int((proc.stdout.read().decode("utf-8")))/1024
  87. proc = subprocess.Popen(['free | grep Mem | awk \'{print $2}\''],
  88. shell=True,
  89. stdout = subprocess.PIPE,
  90. stderr = subprocess.PIPE)
  91. total_mem = int(proc.stdout.read().decode("utf-8"))
  92. MAX = int(total_mem/1024) / total_t
  93. if DEBUG_FLAG:
  94. print '[dbg] Mem: %d'%int(total_mem/1024)
  95. print '[dbg] Threads: %d'%int(total_t)
  96. print '[dbg] Net max threads: %d'%MAX
  97. return MAX
  98. except Exception, j:
  99. print '[-] Couldn\'t get thread max: \'%s\''%j
  100. return
  101. # entry
  102. def main():
  103. global DEBUG_FLAG
  104. parser = OptionParser(epilog=
  105. "The default scan searches only the first 1023 ports.")
  106. parser.add_option("-s", help="Skip host discovery", action="store_true",
  107. default=False, dest="skip")
  108. parser.add_option("-r", metavar="x-y", help="Specify a range of ports, "
  109. "or give it a single port", action="store", dest="p_range" )
  110. parser.add_option("-i", help="The address to scan",
  111. action="store", dest="addr")
  112. parser.add_option("-a", help="Scan all 65,535 ports",
  113. action="store_true", default=False, dest="all_ports")
  114. parser.add_option("-p", help="Do a port scan of the given ports",
  115. action="store_true", default=False, dest="port_scan")
  116. parser.add_option("-v", help="Verbose output with debug",
  117. action="store_true", default=False, dest="verbose")
  118. parser.add_option("-t", help="Manually set thread count", dest="threads",
  119. action="store" )
  120. # parse options, set global debug flag
  121. (options, args) = parser.parse_args()
  122. DEBUG_FLAG = options.verbose
  123. # set thread max
  124. if options.threads is not None:
  125. THREAD_MAX = int(options.threads)
  126. else:
  127. THREAD_MAX = thread_limit()
  128. if DEBUG_FLAG:
  129. print '[dbg] Using %d threads'%THREAD_MAX
  130. # ditch if they didn't give us an addr
  131. if options.addr is None:
  132. print 'Use -i to specify an address (-h for help)'
  133. sys.exit(0)
  134. # lets see if the host is up
  135. if options.skip is False:
  136. print '[+] Checking address \'%s\''%options.addr
  137. if check_host(options.addr) is False:
  138. print '[-] No route to host. Host might be down or dropping probes.'
  139. print '[-] Trying running with \'-s\' to skip if you know it\'s up.'
  140. sys.exit(0)
  141. else:
  142. print '[+] Host is up.'
  143. # shscan
  144. # Sleep the loop if we max out current threads, allowing them
  145. # time to close up
  146. if options.port_scan is False:
  147. print '[+] Scanning \'%s\''%options.addr
  148. try:
  149. if options.p_range is not None:
  150. # if the - is not found, it's a single port
  151. if not "-" in options.p_range:
  152. shscan(options.addr, int(options.p_range))
  153. sys.exit(0)
  154. (lower, sep, upper) = options.p_range.partition("-")
  155. for i in range(int(lower),int(upper)):
  156. if i%THREAD_MAX == 0:
  157. time.sleep(1)
  158. thread = Thread(target=shscan, args=(options.addr, i))
  159. thread.start()
  160. # scan ALL the ports!
  161. elif options.all_ports:
  162. for i in range(65535):
  163. if i%THREAD_MAX == 0:
  164. time.sleep(1)
  165. thread = Thread(target=shscan, args=(options.addr, i))
  166. thread.start()
  167. # else scan all the well known ports
  168. else:
  169. for i in range(1023):
  170. if i%THREAD_MAX == 0:
  171. time.sleep(1)
  172. thread = Thread(target=shscan, args=(options.addr, i))
  173. thread.start()
  174. except Exception, j:
  175. print '[-] %s'%j
  176. # port scan.
  177. if options.port_scan is True:
  178. print '[+] Port scanning \'%s\''%options.addr
  179. # scan the given range
  180. if options.p_range is not None:
  181. # or the single port
  182. if not '-' in options.p_range:
  183. port_scan(options.addr, int(options.p_range))
  184. sys.exit(0)
  185. (lower, sep, upper) = options.p_range.partition("-")
  186. for i in range(int(lower), int(upper)):
  187. if i%THREAD_MAX == 0:
  188. time.sleep(2)
  189. thread = Thread(target=port_scan, args=(options.addr, i))
  190. thread.start()
  191. # scan only the top 1023 ports
  192. else:
  193. for i in range(1023):
  194. if i%THREAD_MAX == 0:
  195. time.sleep(2)
  196. thread = Thread(target=port_scan, args=(options.addr, i))
  197. thread.start()
  198. # real entry
  199. if __name__=="__main__":
  200. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!