燈塔(ARL)裏面有一個namp掃描模塊,裏面有配置可以學習一下
首先上代碼
class PortScan:
def __init__(self, targets, ports=None, service_detect=False, os_detect=False,
port_parallelism=None, port_min_rate=None, custom_host_timeout=None):
self.targets = " ".join(targets)
self.ports = ports
self.max_hostgroup = 128
self.alive_port = "22,80,443,843,3389,8007-8011,8443,9090,8080-8091,8093,8099,5000-5004,2222,3306,1433,21,25"
self.nmap_arguments = "-sT -n --open"
self.max_retries = 3
self.host_timeout = 60*5
self.parallelism = port_parallelism # 默認 32
self.min_rate = port_min_rate # 默認64
if service_detect:
self.host_timeout += 60 * 5
self.nmap_arguments += " -sV"
if os_detect:
self.host_timeout += 60 * 4
self.nmap_arguments += " -O"
if len(self.ports.split(",")) > 60:
self.nmap_arguments += " -PE -PS{}".format(self.alive_port)
self.max_retries = 2
else:
if self.ports != "0-65535":
self.nmap_arguments += " -Pn"
if self.ports == "0-65535":
self.max_hostgroup = 8
self.min_rate = max(self.min_rate, 400)
self.nmap_arguments += " -PE -PS{}".format(self.alive_port)
self.host_timeout += 60 * 2
self.max_retries = 2
self.nmap_arguments += " --max-rtt-timeout 800ms"
self.nmap_arguments += " --min-rate {}".format(self.min_rate)
self.nmap_arguments += " --script-timeout 6s"
self.nmap_arguments += " --max-hostgroup {}".format(self.max_hostgroup)
# 依據傳過來的超時爲準
if custom_host_timeout is not None:
if int(custom_host_timeout) > 0:
self.host_timeout = custom_host_timeout
self.nmap_arguments += " --host-timeout {}s".format(self.host_timeout)
self.nmap_arguments += " --min-parallelism {}".format(self.parallelism)
self.nmap_arguments += " --max-retries {}".format(self.max_retries)
def run(self):
logger.info("nmap target {} ports {} arguments {}".format(
self.targets[:20], self.ports[:20], self.nmap_arguments))
nm = nmap.PortScanner()
nm.scan(hosts=self.targets, ports=self.ports, arguments=self.nmap_arguments)
ip_info_list = []
for host in nm.all_hosts():
port_info_list = []
for proto in nm[host].all_protocols():
port_len = len(nm[host][proto])
for port in nm[host][proto]:
# 對於開了很多端口的直接丟棄
if port_len > 600 and (port not in [80, 443]):
continue
port_info = nm[host][proto][port]
item = {
"port_id": port,
"service_name": port_info["name"],
"version": port_info["version"],
"product": port_info["product"],
"protocol": proto
}
port_info_list.append(item)
osmatch_list = nm[host].get("osmatch", [])
os_info = self.os_match_by_accuracy(osmatch_list)
ip_info = {
"ip": host,
"port_info": port_info_list,
"os_info": os_info
}
ip_info_list.append(ip_info)
return ip_info_list
def os_match_by_accuracy(self, os_match_list):
for os_match in os_match_list:
accuracy = os_match.get('accuracy', '0')
if int(accuracy) > 90:
return os_match
return {}
入口是run
首先是掃描策略的配置
其中涉及到的配置
-
-sT 全連接掃描會和服務器建立完整的三次握手
-
-n 不做dns解析
-
—open 只顯示開放或可能開放的端口
-
-sV 探測開放端口的服務
-
-O 啓用操作系統版本探測
-
-PE 基於ICMP的echo的主機發現
-
-PS[portlist] 基於TCP SYN指定端口的主機發現
-
-Pn 跳過主機發現,視所有主機都在線
然後是對於掃描結果的處理
- 如果一個ip的端口開放了600個以上,則只留下80和443端口的信息