Why is nmap giving me different results than Python when scanning ports?
I am a penetration-testing student and I really like completing the tasks with a Python version as well.
I have a vulnerable box with IP 192.168.41.2, and the port scan with nmap gives these results:
nmap -T4 -p- 192.168.41.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 15:13 EDT
Nmap scan report for 192.168.41.2
Host is up (0.00024s latency).
All 65535 scanned ports on 192.168.41.2 are closed
MAC Address: 00:50:56:EA:44:EB (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.72 seconds
It tells me there are no open ports. Then I check the result with a Python script:
from scapy.all import *
import argparse

parser = argparse.ArgumentParser()
parser.add_argument('ip')
args = parser.parse_args()
ip = args.ip

ports = [i for i in range(65535)]  # note: range(65535) yields ports 0..65534

def synScan(host):
    # send one SYN per port and collect the (sent, reply) pairs that were answered
    resp, _ = sr(IP(dst=host)/TCP(sport=5555, dport=ports, flags='S'), timeout=2, verbose=0)
    print(f'Open ports on {host}:\n')
    for s, r in resp:
        # any reply whose source port matches the probed port is reported as open
        if s[TCP].dport == r[TCP].sport:
            print(f'TCP Port {s[TCP].dport} is open.')

synScan(ip)
Running the script with python3 port_scanner.py 192.168.41.2 results in:
Open ports on host 192.168.41.2:
TCP Port 0 is open.
TCP Port 1 is open.
TCP Port 2 is open.
TCP Port 3 is open.
TCP Port 4 is open.
TCP Port 5 is open.
TCP Port 6 is open.
TCP Port 7 is open.
TCP Port 8 is open.
TCP Port 9 is open.
TCP Port 10 is open.
TCP Port 11 is open.
TCP Port 12 is open.
TCP Port 13 is open.
TCP Port 14 is open.
TCP Port 15 is open.
TCP Port 16 is open.
TCP Port 17 is open.
TCP Port 18 is open.
TCP Port 19 is open.
TCP Port 20 is open.
TCP Port 21 is open.
TCP Port 22 is open.
TCP Port 23 is open.
TCP Port 24 is open.
...
...
My question is: which scan should I trust more? Nmap is a very popular network scanner, and scapy is popular too, but here you can see the results.
If you receive any reply to the SYN packet, the scapy script concludes that the port is open. That is wrong. For example, if the answer is an RST packet, the port is closed. What the script really tells you is whether the port is filtered.
So if you want to use scapy, you also have to check whether the reply packet has the SYN flag set as well.
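The check the answer describes, as an added example (not the asker's script or any project's code): classify() is plain Python and maps reply flags to the same states nmap reports for a SYN scan, while syn_scan() needs scapy and raw-socket privileges. The source port 5555 is carried over from the question; the function names and the "unexpected" state are assumptions.

```python
# Added example: a SYN scan that classifies replies instead of treating any reply as "open".
# Assumes scapy is installed and the script runs with raw-socket (root) privileges.
SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits as laid out in the TCP header


def classify(flags):
    """Map the TCP flag bits of a reply (int, or None for no reply) to a port state."""
    if flags is None:
        return "filtered"        # nothing came back: dropped by a firewall or a silent host
    if flags & RST:
        return "closed"          # RST (usually RST/ACK) means nobody is listening
    if flags & SYN and flags & ACK:
        return "open"            # SYN/ACK is the only reply that proves a listener
    return "unexpected"          # anything else (e.g. a bare ACK) deserves a closer look


def syn_scan(host, ports, sport=5555, timeout=2):
    """Return {port: state} for the given ports using a single sr() exchange."""
    # Imported here so classify() can be used (and tested) without scapy installed.
    from scapy.all import IP, TCP, sr, send

    states = {p: "filtered" for p in ports}  # default until a reply says otherwise
    answered, _ = sr(IP(dst=host) / TCP(sport=sport, dport=list(ports), flags="S"),
                     timeout=timeout, verbose=0)
    for sent, reply in answered:
        port = sent[TCP].dport
        if reply.haslayer(TCP):
            states[port] = classify(int(reply[TCP].flags))
        else:
            # An ICMP unreachable carries TCPerror, not TCP: a filtering device answered.
            states[port] = "filtered"
        if states[port] == "open":
            # Tear the half-open connection down so the target does not keep it queued.
            send(IP(dst=host) / TCP(sport=sport, dport=port, flags="R"), verbose=0)
    return states


if __name__ == "__main__":
    import sys
    result = syn_scan(sys.argv[1], range(1, 65536))
    for port, state in sorted(result.items()):
        if state == "open":
            print(f"TCP port {port} is open.")
```

Against the box in the question, every RST/ACK reply now lands in "closed", which matches the nmap report.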