This is a small network scanning tool I wrote in Python. It can do port scans, OS guessing and traceroute, though it's no Nmap.
#!/usr/bin/python
import sys, socket, random
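try:
    from scapy.all import *  # supplies IP, ICMP, sr1 and conf for the traceroute/oscan modes
    conf.verb = 0  # silence Scapy's per-packet output
except ImportError:
    print("Module Scapy not installed, will not be able to perform traceroute or OS fingerprint")

# Usage check: the target is mandatory; the mode keywords are optional and can be combined.
if len(sys.argv) <= 1:
    print("Usage: ./jcannon.py target [all-range-mode, traceroute, oscan]")  # closing bracket was missing
    sys.exit(1)  # non-zero status so a wrapper script can tell a usage error from a clean run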
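# Resolve the target once; every mode below reuses the dotted-quad `host`.
try:
    host = socket.gethostbyname(sys.argv[1])
except socket.gaierror as err:
    print("Could not resolve %s: %s" % (sys.argv[1], err))
    sys.exit(1)

# Traceroute mode: ICMP echo requests with an increasing TTL; the router that
# expires each one answers, which reveals the path hop by hop. Needs Scapy;
# `"ICMP" in dir()` is only true when the star-import above succeeded.
if "traceroute" in sys.argv and "ICMP" in dir():
    for ttl in range(1, 40):
        # A bounded timeout keeps one silent hop from stalling the whole run;
        # sr1 returns None when nothing comes back in time.
        reply = sr1(IP(dst=host, ttl=ttl) / ICMP(), timeout=2)
        if reply is None:
            print("%d *" % ttl)  # traceroute convention for "no answer from this hop"
            continue
        print("%d %s" % (ttl, reply.src))
        if reply.src == host:
            break
    # If the host was never reached, ttl is simply the last value probed (39).
    print("%d hop(s) between %s \n" % (ttl, host))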
if "oscan" in sys.argv and "ICMP" in dir():
for timeout in range(1, 40):
reply = sr1(IP(dst=host, ttl=timeout)/ICMP())
if reply.src == host:
break
timeout += sr1(IP(dst=host, ttl=64)/ICMP()).ttl
if timeout in range(25, 35):
print "Host:", host, "Running OS: Windows 9x"
elif timeout in range(60, 70):
print "Host:", host, "Running OS: Linux/Unix variants"
elif timeout in range(120, 130):
print "Host:", host, "Running OS: Windows 2000+"
elif timeout in range(250, 260):
print "Host:", host, "Running OS: BSD/Solaris"
else:
print "Host:", host, "Appears to be offline"
print "\n"
if "all-range-mode" in sys.argv:
ports = []
print "Scanning all ports..."
port = 0
while port < 65536:
s = socket.socket()
s.settimeout(.3)
result = s.connect_ex((host, port))
if result == 0: # connection was successful, and port is open
print "Port", port, "open @", host
ports.append(port)
port += 1
if len(ports) == 0:
print "All scanned ports on ", host, " are closed"
sys.exit()
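# Curated port groups for the default scan. The group names are what
# get_service() reports; "elite" collects ports the services table associates
# with known backdoor/trojan listeners, so one being open on a host you
# administer is worth investigating.
mail = [25, 109, 110]
web = [80, 53, 443, 631]
database = [118, 156, 1521, 3306]
high_risk = [21, 22, 23, 79, 161, 445, 513, 514, 5900]
elite = [3127, 4444, 12345, 31337]
open_ports = []  # filled by the scan below, then sorted for output
all_ports = mail + web + database + high_risk + elite
random.shuffle(all_ports)  # probe order is randomised; results are sorted afterwards
# Port -> protocol/service name used in the report. Every port in all_ports
# needs an entry here because the final report indexes this table directly
# (5900 had none, so an open VNC port raised KeyError).
services = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 79: "finger",
            80: "http", 109: "pop2", 110: "pop3", 118: "sql", 156: "sql", 161: "snmp",
            443: "https", 445: "ms-ds", 513: "rlogin", 514: "shell", 631: "cups",
            1521: "oracle", 3127: "mydoom", 3306: "mysql", 4444: "backdoor",
            5900: "vnc", 12345: "netbus", 31337: "trojan"}
print("Scanning host...")
for port in all_ports:
    s = socket.socket()
    s.settimeout(.3)
    try:
        if s.connect_ex((host, port)) == 0:  # 0 == connected, i.e. the port is open
            open_ports.append(port)
    finally:
        s.close()  # release the descriptor whether or not the connect succeeded
open_ports.sort()  # arrange the open ports for pretty output
if not open_ports:
    print("All scanned ports on " + host + " are closed")
    sys.exit()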
def get_service(poop):
    """Return the group label for a scanned port.

    The module-level port lists are consulted in order (mail, web, database,
    high_risk); anything not found in those four falls back to "Elite", so an
    unlisted port is also reported as "Elite".
    """
    groups = (
        (mail, "Mail"),
        (web, "Web"),
        (database, "Database"),
        (high_risk, "High_risk"),
    )
    for members, label in groups:
        if poop in members:
            return label
    return "Elite"
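# Final report, one line per open port: number, protocol name from the services
# table and the group label. services.get() keeps a scanned port that has no
# table entry from aborting the report with KeyError.
for port in open_ports:
    service = services.get(port, "unknown")
    print("Port " + str(port) + " open @ " + host + " (" + service + ") " + get_service(port))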