
Python network penetration test - scan ssh and ftp ports for a range of IP Addresses



'''
             .-') _ .-') _    ('-. _  .-')      .-') _  ('-.  .-') _           .-')              ('-.        .-') _  
            ( OO ) (  OO) ) _(  OO( \( -O )    ( OO ) _(  OO)(  OO) )         ( OO ).           ( OO ).-.   ( OO ) ) 
  ,-.-'),--./ ,--,'/     '.(,------,------.,--./ ,--,(,------/     '._       (_)---\_)  .-----. / . --. ,--./ ,--,'  
  |  |OO|   \ |  |\|'--...__|  .---|   /`. |   \ |  |\|  .---|'--...__)      /    _ |  '  .--./ | \-.  \|   \ |  |\  
  |  |  |    \|  | '--.  .--|  |   |  /  | |    \|  | |  |   '--.  .--'      \  :` `.  |  |('-.-'-'  |  |    \|  | ) 
  |  |(_|  .     |/   |  | (|  '--.|  |_.' |  .     |(|  '--.   |  |          '..`''.)/_) |OO  \| |_.'  |  .     |/  
 ,|  |_.|  |\    |    |  |  |  .--'|  .  '.|  |\    | |  .--'   |  |         .-._)   \||  |`-'| |  .-.  |  |\    |   
(_|  |  |  | \   |    |  |  |  `---|  |\  \|  | \   | |  `---.  |  |         \       (_'  '--'\ |  | |  |  | \   |   
  `--'  `--'  `--'    `--'  `------`--' '--`--'  `--' `------'  `--'          `-----'   `-----' `--' `--`--'  `--'   

'''

import getpass
import sys
import time
from socket import *
from threading import *

import nmap
import pexpect
import pymysql


'''
CREATE TABLE `hosts` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `host` varchar(255) DEFAULT NULL,
  `address` varchar(255) DEFAULT NULL,
  `port` int(11) DEFAULT NULL,
  `status` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;


CREATE TABLE `scanned` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `host` varchar(255) DEFAULT NULL,
  `address` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1219 DEFAULT CHARSET=utf8;

'''

# One-slot semaphore used as a mutex: nmapScan holds it around its console
# output and its database insert so worker threads do not interleave.
screenLock = Semaphore(1)
# Local port that the SSH tunnel forwards to the remote MySQL server (3306).
port_for   = 9871
# Tunnel command run by createTunnel(); contains no '%' placeholders, so the
# `ssh_cmd % globals()` applied there is a no-op with this value.
# NOTE(review): the remote root login and the password typed by createTunnel()
# are placeholders here; keep real values out of source (config/env, key auth).
ssh_cmd    = 'ssh root@xxx.67.xxx.24 -L {0}:localhost:3306'.format(port_for)
# pymysql cursor shared by every DB helper; filled in by connectDb().
cur        = None
# Remaining database connection attempts; connectDb() decrements it.
db_attempt = 3
# Not referenced anywhere in this file (name contains a typo, kept as-is).
th_attenpt = 10


'''
create the ssh tunnel to the database server 
'''
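def createTunnel():
	'''
	Open the SSH tunnel described by `ssh_cmd` (forwards `port_for` to the
	database server).

	`ps` is run first and searched for an existing /usr/bin/ssh process:
	  index 1 (EOF, nothing found)  -> spawn ssh_cmd and answer the password prompt
	  index 0 (ssh already running) -> print err(1) and exit, as the original did
	  index 2 (ps timed out)        -> report it, then exit the same way

	Every failure path exits with status 1 (the original exited with 0, so a
	caller could not tell a failed tunnel from a successful one).
	'''
	ps = pexpect.spawn('ps')
	time.sleep(1)
	index = ps.expect(['/usr/bin/ssh', pexpect.EOF, pexpect.TIMEOUT])
	if index == 2:
		print('----> Perspex timeout.')
		print(str(ps))
		time.sleep(2)
	if index != 1:
		# NOTE(review): index 0 means an ssh process is already listed; if the
		# intent is to reuse an existing tunnel, `return` here instead of exiting.
		print('----> err(1):')
		sys.exit(1)

	print('----> Starting Tunnel: ' + ssh_cmd)
	try:
		# '%'-formatting against globals() lets ssh_cmd carry %(name)s
		# placeholders; with the current value it changes nothing.
		ssh_tunnel = pexpect.spawn(ssh_cmd % globals())
		prompt = ssh_tunnel.expect([pexpect.TIMEOUT, 'password: '])
		if prompt == 0:
			# The original ignored this index and typed the password anyway;
			# never send a secret to a process that did not ask for it.
			raise RuntimeError('no password prompt from ssh')
		ssh_tunnel.sendline('xxxx')
		time.sleep(5)
		print('----> Tunnel Open')
	except Exception as e:
		print('----> err(0):')
		print(str(e))
		sys.exit(1)
	# NOTE(review): the spawn handle is dropped on return; confirm the child
	# ssh process survives garbage collection of `ssh_tunnel`.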


'''
Connect to the database and get the cursor
'''
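def connectDb():
	'''
	Connect to MySQL through the tunnel and store a cursor in the global `cur`.

	One attempt is made per decrement of the global `db_attempt`, so the
	default of 3 gives three tries; when they are exhausted the process exits
	with status 1 (the original recursed for each retry and exited with 0).

	NOTE(review): user/password/db name are hard-coded placeholders; load them
	from a config file or the environment and never commit real ones.
	'''
	global cur
	global db_attempt
	print('----> Connect to database.')
	host   = '127.0.0.1'
	user   = 'root'
	port   = port_for
	passwd = 'xxxx'
	dbname = 'hacking'
	while True:
		db_attempt = db_attempt - 1
		try:
			# The connection object is not kept; presumably the cursor holds a
			# reference to it (pymysql cursors expose it as `.connection`).
			conn = pymysql.connect(host=host, port=port, user=user, passwd=passwd, db=dbname)
			cur = conn.cursor()
			time.sleep(2)
			return
		except Exception as e:
			print('----> Excption cannont connect to database.')
			print(str(e))
			time.sleep(2)
			if db_attempt <= 0:
				sys.exit(1)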


'''
insert open ports into the table
'''
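def insertOpenPort(host, address, port, status):
	'''
	Record one open port in the `hosts` table.

	`host` is the reverse-DNS name of the scanned address (whoever controls
	that address space controls its PTR record), so it is untrusted input.
	The original spliced the values straight into the SQL text; they are now
	passed as bound parameters and escaped by the driver.
	'''
	global cur
	sql = 'insert into hosts(host, address, port, status) values(%s, %s, %s, %s)'
	cur.execute(sql, (str(host), str(address), str(port), str(status)))
	# The schema above declares MyISAM tables (non-transactional), which is why
	# the original worked with the commit commented out; commit anyway so the
	# rows also survive a switch to a transactional engine.
	cur.connection.commit()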


'''
insert the last scanned address
'''
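def insertLastAddress(host, address):
	'''
	Append (host, address) to the `scanned` table; main() reads the newest row
	back through lastScannedAddress() to resume an interrupted run.

	`host` comes from a reverse-DNS lookup and is therefore untrusted, so the
	values are bound as parameters instead of concatenated into the statement.
	'''
	global cur
	sql = 'insert into scanned(host, address) values(%s, %s)'
	cur.execute(sql, (str(host), str(address)))
	# Harmless on the MyISAM tables in the schema above, required on InnoDB.
	cur.connection.commit()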
	

'''
find the last scanned address
'''
def lastScannedAddress():
	'''
	Return the address of the newest row in `scanned`, or None when the table
	is empty (callers must handle the None).
	'''
	global cur
	cur.execute(' select address from scanned order by id desc limit 1')
	first_row = next(iter(cur), None)
	return None if first_row is None else first_row[0]


'''
nmap scan
'''

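def nmapScan(tgtHost, tgtPort, tgtName):
	'''
	Scan one host:port with nmap (run on a worker thread by portScan) and
	record it via insertOpenPort when the state is 'open'.

	Args:
		tgtHost: target address as a string.
		tgtPort: port as a string (it is a port spec for nmap and is converted
		         back with int() to look up the result).
		tgtName: hostname stored alongside the address.
	'''
	nmScan = nmap.PortScanner()
	nmScan.scan(tgtHost, tgtPort)

	# Read the result BEFORE taking the lock. The original acquired screenLock
	# a second time in its except branch while already holding it; with a
	# one-slot Semaphore that blocks the thread forever and, since the finally
	# never runs, every other thread that later waits on the lock.
	try:
		state = nmScan[tgtHost]['tcp'][int(tgtPort)]['state']
	except (LookupError, TypeError, ValueError):
		# missing host / 'tcp' / port key, or an unparsable port: report N/A
		state = None

	with screenLock:
		if state is None:
			print(" [*] " + tgtHost + " tcp/" + tgtPort + " N/A")
			return

		# if that port was open insert into database (a DB failure now
		# propagates instead of being reported as N/A)
		if state == 'open':
			insertOpenPort(tgtName, tgtHost, tgtPort, state)

		print(" [*] " + tgtHost + " tcp/" + tgtPort + " " + state)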



'''
Scan the host : port
'''
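def portScan(tgtHost, tgtPorts):
	'''
	Resolve tgtHost, record it in the `scanned` table, then start one
	nmapScan thread per port in tgtPorts.

	Returns without doing anything when the name cannot be resolved. The
	threads are never joined: main() moves on to the next address after a
	one-second pause while they may still be running.
	'''
	try:
		tgtIP = gethostbyname(tgtHost)
	except OSError:
		# socket.gaierror (an OSError subclass) for an unresolvable name
		print("[-] Cannot resolve '%s': Unknown host " % tgtHost)
		return
	try:
		hostname = gethostbyaddr(tgtIP)[0]
	except OSError:
		# socket.herror / gaierror: no PTR record, fall back to the bare address
		hostname = tgtIP
	print('\n[+] Scan results for: ' + hostname)

	# add this address to the list of scanned addresses. The global cursor is
	# also used by the nmapScan threads (this call's and earlier calls'), so
	# hold the same lock they take around their insert.
	with screenLock:
		insertLastAddress(hostname, tgtHost)

	time.sleep(1)

	# scan that address for each port
	for tgtPort in tgtPorts:
		Thread(target=nmapScan, args=(tgtHost, str(tgtPort), hostname)).start()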
	

'''
loop through the ip address ranges
'''
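def _addressRange(start, W, X, Y, Z):
	'''
	Yield dotted-quad addresses beginning at `start` (a 4-tuple of ints) and
	continuing through the [lo, hi) ranges W, X, Y, Z in nested-loop order.

	Only the octets still inside the first block use the start value; once an
	outer octet advances, the inner ones restart at their range minimum. The
	original nested loops kept every octet's start value for the whole run,
	so after resuming at a.b.c.d they never produced a.(b+1).1.1 .. a.(b+1).(c-1).254.
	'''
	w0, x0, y0, z0 = start
	for w in range(w0, W[1]):
		for x in range(x0 if w == w0 else X[0], X[1]):
			for y in range(y0 if (w, x) == (w0, x0) else Y[0], Y[1]):
				for z in range(z0 if (w, x, y) == (w0, x0, y0) else Z[0], Z[1]):
					yield '%d.%d.%d.%d' % (w, x, y, z)


def main():
	'''
	Open the tunnel, connect to the database, then walk the address range,
	resuming from the last address recorded in `scanned` (that address is
	scanned again, as before). Each range's upper bound is exclusive, so
	.255 is never produced -- unchanged from the original.
	'''
	#create the tunnel
	createTunnel()

	#connect to the db
	connectDb()

	#ports to test
	portList = [21, 20, 22, 80, 110, 143, 443, 548, 631]

	#ip range
	W = [220, 255]
	X = [  1, 255]
	Y = [  1, 255]
	Z = [  1, 255]

	#last scanned address; None on the very first run (empty `scanned` table),
	#which the original did not handle and crashed on .split()
	lastScanned = lastScannedAddress()
	start = (W[0], X[0], Y[0], Z[0])
	if lastScanned:
		parts = lastScanned.split('.')
		if len(parts) != 4:
			raise ValueError('malformed address in scanned table: %r' % lastScanned)
		start = tuple(int(p) for p in parts)

	#go through the address gen loop
	for ip_address in _addressRange(start, W, X, Y, Z):
		#scan the current address for each of the ports
		portScan(ip_address, portList)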
		

# Script entry point; everything happens in main().
if __name__ == "__main__":
	main()