
Python Port Scanner

The following content and challenges are from samsclass CNIT 124: Advanced Ethical Hacking. I will be covering Project 1 and 1x, which are the extra credit challenges.
When it comes to port scanning, the first thing that comes to mind is Nmap. In high school this was the first tool I was exposed to. Nmap is a great scanner, but what do you do if you do not have access to Nmap, or when you need a more customized port scan done?

We can create a simple port scanner using Python and add more specific capabilities to it later.

import socket                                    # networking primitives

socket.setdefaulttimeout(2)                      # do not hang on an unreachable port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # IPv4, TCP
target = input('Target URL: ')
tport = int(input('Target Port: '))
s.connect((target, tport))                       # completes the TCP handshake
print(s.recv(1024).decode(errors='replace'))     # read up to 1024 bytes of banner
s.close()

Explanation:

  1. Imports the library "socket", which contains the functions used for networking
  2. Create a default timeout so our program does not hang if a port is unreachable
  3. Create a socket object called "s"
  4. Take in user input for desired target
  5. Take in user input for desired port
  6. Connect our socket object to the desired target and port
  7. Receive data from the server, with the maximum amount read set to 1024 bytes
  8. Close the connection

Now that we know how to set up a basic port scanner, let's see if we can do a couple of challenges:

Challenge 1:
There is another service listening on attack.samsclass.info on a port number ending in 000; that is, one of these: 1000, 2000, 3000, etc.
The service you want has a banner starting with "Congratulations! You found the hidden"
Hunt for it until you find it.

Challenge 2:
There is a hidden service on port 3003. To open it, you must send these packets to "knock":

  1. A SYN to port 3100 (Note: a connect() call sends a SYN)
  2. Another SYN to a secret hidden port, which is one of these: (3100, 3200, 3300, 3400, 3500, 3600, 3700, 3800, 3900)
  3. A 2-second delay (see this link)
When the server receives the correct knock, port 3003 will open for 5 seconds and then close. You must grab the banner from port 3003 during that brief period. The correct banner starts with "Congratulations!"

Try these challenges out by yourself before looking at the answers below.

Challenge 1 solution:

import socket

socket.setdefaulttimeout(2)
target = 'attack.samsclass.info'

# Try 1000, 2000, ..., 9000 with a fresh socket per port: a socket that has
# been closed or whose connect() failed cannot be reused for another connect().
for port in range(1000, 10000, 1000):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target, port))
        # Send a minimal request so a service waiting for input responds.
        s.send(('HEAD / HTTP/1.1\r\nHost: ' + target + '\r\n\r\n').encode())
        banner = s.recv(1024).decode(errors='replace')
        print('Port', port, ':', banner)
        if banner.startswith('Congratulations! You found the hidden'):
            break
    except socket.error as v:
        print('Port', port, 'does not work:', v)
    finally:
        s.close()

Challenge 2 solution:

import socket
import time

socket.setdefaulttimeout(2)
target = 'attack.samsclass.info'


def knock(port):
    """Send one SYN (a connect() attempt) to a port, then close the socket."""
    k = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        k.connect((target, port))
        print('Knocked on port', port)
    except socket.error as v:
        # A SYN still went out on refusal or timeout; only name resolution
        # failure means nothing was sent.
        print('Knock on port', port, 'got', v)
    finally:
        k.close()


# Candidate second knocks: 3100, 3200, ..., 3900. Each attempt redoes the
# whole sequence with fresh sockets, because a socket cannot reconnect.
for port in range(3100, 4000, 100):
    knock(3100)
    knock(port)
    print('Knocking... waiting 2 seconds')
    time.sleep(2)
    p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        p.connect((target, 3003))
        p.send(('HEAD / HTTP/1.1\r\nHost: ' + target + '\r\n\r\n').encode())
        print(p.recv(1024).decode(errors='replace'))
        print('Secret port was', port)
        break
    except socket.error as v:
        print('Port', port, 'does not work:', v)
    finally:
        p.close()
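To check the Challenge 2 search strategy without touching the real server, here is an added example (not from the course or the original post) that models the knock service as a per-client state machine on a virtual clock and runs the same knock-then-probe loop against it. The timings come from the challenge text (2-second delay, open for 5 seconds); the secret port, the source address and the assumption that knock ports accept the connection are constructed for the example.

```python
from dataclasses import dataclass

KNOCK_PORT = 3100                      # first knock, from the challenge text
HIDDEN_PORT = 3003                     # opens only after a correct sequence
CANDIDATES = range(3100, 4000, 100)    # possible second knocks
KNOCK_DELAY = 2.0                      # server waits this long before opening
OPEN_SECONDS = 5.0                     # hidden port stays open this long


@dataclass
class _State:
    stage: int = 0          # 0 = nothing yet, 1 = saw 3100, 2 = saw secret
    opens_at: float = -1.0  # virtual time the hidden port opens; -1 = never


class KnockDaemon:
    """Server side: one knock sequence tracked per source address (constructed
    model of the hidden service, not the course's real daemon)."""

    def __init__(self, secret_port):
        self.secret = secret_port
        self.clients = {}

    def syn(self, src, port, now):
        """Handle one SYN at virtual time `now`; True if it is accepted."""
        st = self.clients.setdefault(src, _State())
        if port == HIDDEN_PORT:
            return st.opens_at >= 0 and st.opens_at <= now <= st.opens_at + OPEN_SECONDS
        if st.stage == 1 and port == self.secret:   # also covers secret == 3100
            st.stage, st.opens_at = 2, now + KNOCK_DELAY
        elif port == KNOCK_PORT:
            st.stage, st.opens_at = 1, -1.0          # (re)start the sequence
        else:
            st.stage, st.opens_at = 0, -1.0          # any other port breaks it
        return True   # assumption: knock ports accept the connection


def find_secret_port(daemon, src='10.0.0.5'):
    """Client side, the strategy of the Challenge 2 solution: knock 3100,
    knock a candidate, wait 2 s, probe 3003. Returns the port or None."""
    clock = 0.0
    for candidate in CANDIDATES:
        daemon.syn(src, KNOCK_PORT, clock)
        clock += 0.1
        daemon.syn(src, candidate, clock)
        clock += KNOCK_DELAY                 # time.sleep(2) in the real client
        if daemon.syn(src, HIDDEN_PORT, clock):
            return candidate
        clock += 0.1
    return None
```

The model also shows why re-knocking 3100 on every attempt matters: a wrong second knock resets the sequence, so a single initial knock would only work for the first candidate.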