The following content and challenges come from samsclass CNIT 124: Advanced Ethical Hacking. I will be covering Project 1 and Project 1x, the extra-credit challenges.
When it comes to port scanning, the first tool that comes to mind is Nmap. In high school it was the first tool I was exposed to. Nmap is a great scanner, but what do you do when you do not have Nmap on the box you are working from, or when you need a port scan that behaves in a way Nmap does not offer out of the box?
We can write a simple port scanner in Python and add more specific capabilities to it later.
```python
# Python 2 syntax, as in the original post (raw_input, print statement)
import socket

# Every socket created after this call times out after 2 seconds,
# so a filtered port does not hang the script forever
socket.setdefaulttimeout(2)

# A TCP (SOCK_STREAM) socket over IPv4 (AF_INET)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

target = raw_input('Target URL: ')
tport = int(raw_input('Target Port: '))

# connect() performs the full TCP handshake, i.e. it sends the SYN
s.connect((target, tport))

# Read whatever the service says first, at most 1024 bytes
print s.recv(1024)
s.close()
```
- Import the `socket` library, which contains the functions used for networking
- Set a default timeout so our program does not hang if a port is unreachable
- Create a socket object called `s`
- Take in user input for the desired target
- Take in user input for the desired port
- Connect our socket object to the desired target and port
- Receive data from the server, up to a maximum of 1024 bytes
- Close the connection
Now that we know how to set up a basic port scanner, let's see if we can do a couple of challenges:
There is another service listening on attack.samsclass.info on a port number ending in 000; that is, one of these: 1000, 2000, 3000, etc.
The service you want has a banner starting with "Congratulations! You found the hidden"
Hunt for it until you find it.
There is a hidden service on port 3003. To open it, you must send these packets to "knock":
- A SYN to port 3100 (Note: a connect() call sends a SYN)
- Another SYN to a secret hidden port, which is one of these: (3100, 3200, 3300, 3400, 3500, 3600, 3700, 3800, 3900)
- A 2-second delay (see this link)
Try these challenges out by yourself before looking at the answers below.
Challenge 1 solution:
```python
# Python 2 syntax, as in the original post
import socket

socket.setdefaulttimeout(2)
target = 'attack.samsclass.info'
i = 1000
while i < 10000:
    # A socket cannot be reused once connect() has failed or close() has been
    # called, so a fresh one is created for every port we try
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target, i))
        # Send a minimal HTTP request so a web service has something to answer;
        # a service that speaks first will have sent its banner already
        s.send('HEAD / HTTP/1.1\nHost: ' + target + '\n\n')
        print s.recv(1024)
    except socket.error, v:
        print 'Port', i, 'does not work'
    s.close()
    i = i + 1000
```
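Here is the same idea, the basic banner-grabbing scanner from the walkthrough above and the Challenge 1 hunt, as an added Python 3 example. It is not code from the post or from the samsclass course. It builds a fresh socket per port, treats refused, filtered (timed out) and silent ports uniformly, and stops at the first banner that starts with the expected prefix. The author's `HEAD` request can be passed as `probe`; the two local listeners (`start_banner_server`) and their banners are a constructed stand-in for attack.samsclass.info so the example runs offline.

```python
import socket
import threading

# Prefix quoted in the challenge text
PREFIX = b"Congratulations! You found the hidden"


def grab_banner(host, port, timeout=2.0, probe=None):
    """Connect with a fresh socket, optionally send a probe, and return the
    first 1024 bytes the service sends. Returns None if the port is closed
    (refused), filtered (timeout) or the service never says anything."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            return s.recv(1024)
    except OSError:  # ConnectionRefusedError, socket.timeout, host unreachable, ...
        return None


def find_hidden_service(host, ports, prefix=PREFIX, timeout=2.0, probe=None):
    """Scan the candidate ports in order and return (port, banner) for the
    first service whose banner starts with `prefix`, or None if none matches."""
    for port in ports:
        banner = grab_banner(host, port, timeout, probe)
        if banner is not None and banner.startswith(prefix):
            return port, banner
    return None


def start_banner_server(banner):
    """Constructed local stand-in for the challenge host: a TCP listener on
    127.0.0.1 that greets every client with `banner`. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a port nothing listens on: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Candidate list with a closed port, a decoy service and the real one;
    the scanner must report only the one whose banner matches."""
    decoy = start_banner_server(b"SSH-2.0-decoy\r\n")  # constructed decoy banner
    hidden = start_banner_server(b"Congratulations! You found the hidden service!\r\n")
    return find_hidden_service("127.0.0.1", [closed_port(), decoy, hidden])


if __name__ == "__main__":
    print(demo())
```

Against the real challenge host you would call `find_hidden_service('attack.samsclass.info', range(1000, 10000, 1000), probe=b'HEAD / HTTP/1.1\r\nHost: attack.samsclass.info\r\n\r\n')`; the decoy in the demo is there to show why matching on the banner prefix, rather than stopping at the first open port, is what finds the right service.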
Challenge 2 solution:
```python
# Python 2 syntax, as in the original post
import socket
import time

socket.setdefaulttimeout(2)
target = 'attack.samsclass.info'

# First knock: a connect() call sends the SYN to port 3100.
# The knock daemon only needs to see the SYN, so a refused connection still counts.
s = socket.socket()
try:
    s.connect((target, 3100))
    print 'Connected to port: 3100'
except socket.error, v:
    print 'Port 3100 did not answer, but the SYN was sent'
s.close()

# Second knock: try each candidate secret port (3100, 3200, ..., 3900) in turn.
# Sockets cannot be reused after connect() or close(), so each attempt gets new ones.
i = 3100
while i < 4000:
    a = socket.socket()
    try:
        a.connect((target, i))
        print 'Connected to 2nd port', i
    except socket.error, v:
        print 'Port', i, 'did not answer, but the SYN was sent'
    a.close()

    print 'Knocking...'
    time.sleep(2)  # give the knock daemon time to open port 3003

    p = socket.socket()
    try:
        p.connect((target, 3003))
        p.send('HEAD / HTTP/1.1\nHost: ' + target + '\n\n')
        print p.recv(1024)
        p.close()
        break  # hidden service answered, so i was the secret port
    except socket.error, v:
        print 'Port', i, 'does not work'
        p.close()
    i = i + 100
```
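To make the knock sequence in Challenge 2 concrete from both sides, here is an added Python 3 example, not code from the post or from the samsclass course. `KnockServer` is a constructed toy knock daemon on 127.0.0.1 (it is an assumption about how such a daemon behaves, not a description of the real attack.samsclass.info service): its hidden port accepts everyone, but only sends the banner to a client that has just connected to knock port 1 and then knock port 2, in that order. `knock_and_connect` is the client side of the solution above, with a fresh socket per knock and the delay before the final connect. The banner string and all ports are constructed.

```python
import select
import socket
import threading
import time

BANNER = b"Congratulations! You found the hidden service\n"  # constructed sample banner


def _listen():
    """Bind a listening TCP socket on 127.0.0.1 with a kernel-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


class KnockServer(threading.Thread):
    """Toy knock daemon: the hidden port answers only after a connect() (SYN)
    on knock port 1 followed by one on knock port 2, within `window` seconds.
    Any other order resets the sequence; an un-knocked client is silently dropped."""

    def __init__(self, window=30.0):
        super().__init__(daemon=True)
        self.knock1, self.knock2, self.hidden = _listen(), _listen(), _listen()
        self.window = window
        self.state = 0          # 0 = nothing seen, 1 = first knock seen, 2 = sequence complete
        self.opened_at = 0.0    # when the sequence completed
        self.running = True

    def ports(self):
        """(knock port 1, knock port 2, hidden port)."""
        return tuple(s.getsockname()[1] for s in (self.knock1, self.knock2, self.hidden))

    def run(self):
        listeners = [self.knock1, self.knock2, self.hidden]
        while self.running:
            ready, _, _ = select.select(listeners, [], [], 0.1)
            for srv in listeners:  # fixed order so knock 1 is processed before knock 2
                if srv not in ready:
                    continue
                conn, _ = srv.accept()
                if srv is self.knock1:
                    self.state = 1
                elif srv is self.knock2:
                    self.state = 2 if self.state == 1 else 0  # second knock counts only after the first
                    self.opened_at = time.monotonic()
                elif self.state == 2 and time.monotonic() - self.opened_at <= self.window:
                    conn.sendall(BANNER)
                    self.state = 0   # one-shot: the next client must knock again
                else:
                    self.state = 0   # no knock, wrong order, or too late: drop without a word
                conn.close()


def knock_and_connect(host, knock_ports, hidden_port, delay=2.0, timeout=2.0):
    """Send one connect() (one SYN) per knock port with a fresh socket each
    time, wait `delay` seconds for the daemon to open the hidden port, then
    read its banner. Returns b"" if the hidden port accepts but sends nothing
    (the knock failed) and None if the hidden port refuses the connection."""
    for port in knock_ports:
        knock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        knock.settimeout(timeout)
        try:
            knock.connect((host, port))
        except OSError:
            pass  # a knock port need not be listening: the SYN has already been sent
        finally:
            knock.close()
    time.sleep(delay)
    try:
        with socket.create_connection((host, hidden_port), timeout=timeout) as hidden:
            return hidden.recv(1024)
    except OSError:
        return None


def demo():
    """Connect to the hidden port without knocking, then with the right knock."""
    server = KnockServer()
    server.start()
    k1, k2, hidden = server.ports()
    no_knock = knock_and_connect("127.0.0.1", [], hidden, delay=0)
    knocked = knock_and_connect("127.0.0.1", [k1, k2], hidden, delay=0.2)
    server.running = False
    return no_knock, knocked


if __name__ == "__main__":
    print(demo())
```

The server side is the useful half for a defender: a knock daemon that answers every connection on the hidden port but only sends data after the right sequence looks, to a plain scanner, like an open port with a silent service, which is exactly why the solution above has to send the knock and wait before it can tell whether it picked the right secret port.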