Python network penetration test - scan SSH and FTP ports for a range of IP addresses
'''
.-') _ .-') _ ('-. _ .-') .-') _ ('-. .-') _ .-') ('-. .-') _
( OO ) ( OO) ) _( OO( \( -O ) ( OO ) _( OO)( OO) ) ( OO ). ( OO ).-. ( OO ) )
,-.-'),--./ ,--,'/ '.(,------,------.,--./ ,--,(,------/ '._ (_)---\_) .-----. / . --. ,--./ ,--,'
| |OO| \ | |\|'--...__| .---| /`. | \ | |\| .---|'--...__) / _ | ' .--./ | \-. \| \ | |\
| | | \| | '--. .--| | | / | | \| | | | '--. .--' \ :` `. | |('-.-'-' | | \| | )
| |(_| . |/ | | (| '--.| |_.' | . |(| '--. | | '..`''.)/_) |OO \| |_.' | . |/
,| |_.| |\ | | | | .--'| . '.| |\ | | .--' | | .-._) \|| |`-'| | .-. | |\ |
(_| | | | \ | | | | `---| |\ \| | \ | | `---. | | \ (_' '--'\ | | | | | \ |
`--' `--' `--' `--' `------`--' '--`--' `--' `------' `--' `-----' `-----' `--' `--`--' `--'
'''
import nmap
import pymysql
import pexpect
import getpass
import time
from socket import *
from threading import *
'''
CREATE TABLE `hosts` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`host` varchar(255) DEFAULT NULL,
`address` varchar(255) DEFAULT NULL,
`port` int(11) DEFAULT NULL,
`status` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
CREATE TABLE `scanned` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`host` varchar(255) DEFAULT NULL,
`address` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1219 DEFAULT CHARSET=utf8;
'''
# Binary semaphore used as a mutex around the console output and DB insert in
# nmapScan(); threading.Semaphore is not reentrant, so it must never be
# acquired twice on the same thread.
screenLock = Semaphore(value=1)
# Local port that the SSH tunnel forwards to the remote MySQL port (3306).
port_for = 9871
# ssh command spawned by createTunnel(); the remote host is redacted in this listing.
ssh_cmd = 'ssh root@xxx.67.xxx.24 -L ' + str(port_for) + ':localhost:3306'
# Shared DB-API cursor, set by connectDb() and read by the insert/select helpers.
cur = None
# Remaining connection attempts for connectDb() (decremented on each try).
db_attempt = 3
# Not referenced anywhere in this listing (note the spelling).
th_attenpt = 10
'''
create the ssh tunnel to the database server
'''
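def createTunnel():
    """Open the SSH tunnel to the database server if no ssh process is running.

    Spawns ``ps`` and looks for an existing ``/usr/bin/ssh`` process. Only
    when none is found is the module-level ``ssh_cmd`` spawned; the SSH
    password is read interactively with :func:`getpass.getpass` instead of
    living as a literal in the source. Any failure ends the process with
    exit status 1 (the original used 0, which hid the error from callers).
    The spawned child is kept in the module global ``ssh_tunnel``.
    """
    global ssh_tunnel
    ps = pexpect.spawn('ps')
    time.sleep(1)
    # 0: an ssh process already exists, 1: none found (EOF), 2: ps timed out.
    index = ps.expect(['/usr/bin/ssh', pexpect.EOF, pexpect.TIMEOUT])
    if index == 2:
        print('----> Perspex timeout.')
        print(str(ps))
        time.sleep(2)
    if index != 1:
        # Original behaviour: stop rather than reuse an existing ssh process.
        print('----> err(1):')
        exit(1)
    print('----> Starting Tunnel: ' + ssh_cmd)
    try:
        ssh_tunnel = pexpect.spawn(ssh_cmd)
        # Index 0 is TIMEOUT, 1 is the password prompt; only send on the prompt.
        if ssh_tunnel.expect([pexpect.TIMEOUT, 'password: ']) == 0:
            print('----> err(0): no password prompt from ssh')
            exit(1)
        ssh_tunnel.sendline(getpass.getpass('SSH password: '))
        time.sleep(5)
        print('----> Tunnel Open')
    except Exception as e:
        print('----> err(0):')
        print(str(e))
        exit(1)
    # NOTE(review): the child is held in a global because pexpect may close
    # (and terminate) the child when its spawn object is garbage-collected,
    # which would tear the tunnel down when this function returns — confirm.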
'''
Connect to the database and get the cursor
'''
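def connectDb():
    """Connect to MySQL through the tunnel and publish the cursor in ``cur``.

    Tries until the module-level ``db_attempt`` counter reaches zero, then
    exits with status 1. The connection object is kept in the module global
    ``db_conn`` so it is not garbage-collected from under the cursor. The
    database password is read with :func:`getpass.getpass` rather than
    stored as a literal.
    """
    global cur, db_conn, db_attempt
    print('----> Connect to database.')
    password = getpass.getpass('Database password: ')
    # Loop instead of the original recursion; same number of attempts.
    while db_attempt > 0:
        db_attempt -= 1
        try:
            db_conn = pymysql.connect(
                host='127.0.0.1',
                port=port_for,
                user='root',
                passwd=password,
                db='hacking',
            )
            cur = db_conn.cursor()
            time.sleep(2)
            return
        except pymysql.Error as e:
            # Narrowed from a bare except so a typo or KeyboardInterrupt is
            # not mistaken for a connection failure.
            print('----> Excption cannont connect to database.')
            print(str(e))
            time.sleep(2)
    exit(1)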
'''
insert open ports into the table
'''
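def insertOpenPort(host, address, port, status, cursor=None):
    """Record an open port in the ``hosts`` table.

    Args:
        host: reverse-DNS name of the scanned host (or its IP when none).
        address: the scanned IP address.
        port: TCP port that was found open; stored via str() as before.
        status: nmap state string, e.g. 'open'.
        cursor: DB-API cursor to use; defaults to the module-level ``cur``.

    ``host`` is whatever the remote side's PTR record says, i.e. externally
    supplied text, so all values are bound as query parameters instead of
    being concatenated into the SQL string.
    """
    if cursor is None:
        cursor = cur
    sql = ('INSERT INTO hosts(host, address, port, status) '
           'VALUES (%s, %s, %s, %s)')
    cursor.execute(sql, (str(host), str(address), str(port), str(status)))
    # No commit, as in the original: commit() lives on the connection, not
    # the cursor, and the tables are declared MyISAM (non-transactional).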
'''
insert the last scanned address
'''
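def insertLastAddress(host, address, cursor=None):
    """Record ``address`` as the most recently scanned address.

    Args:
        host: reverse-DNS name of the host (or its IP when none).
        address: the IP address that was scanned.
        cursor: DB-API cursor to use; defaults to the module-level ``cur``.

    ``host`` comes from a reverse DNS lookup of the scanned machine and is
    therefore untrusted; values are bound as parameters, not concatenated.
    """
    if cursor is None:
        cursor = cur
    sql = 'INSERT INTO scanned(host, address) VALUES (%s, %s)'
    cursor.execute(sql, (str(host), str(address)))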
'''
find the last scanned address
'''
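def lastScannedAddress(cursor=None):
    """Return the most recently recorded address from ``scanned``, or None.

    Args:
        cursor: DB-API cursor to use; defaults to the module-level ``cur``.

    Returns:
        The ``address`` column of the highest-id row, or None when the table
        is empty — callers must handle the None (first run).
    """
    if cursor is None:
        cursor = cur
    cursor.execute('SELECT address FROM scanned ORDER BY id DESC LIMIT 1')
    row = cursor.fetchone()
    return row[0] if row else None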
'''
nmap scan
'''
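def nmapScan(tgtHost, tgtPort, tgtName):
    """Scan one host:port with nmap, then print and record the result.

    Args:
        tgtHost: IP address (string) to scan.
        tgtPort: port as a string (callers pass ``str(port)``).
        tgtName: hostname stored in the ``hosts`` row for open ports.

    Runs in a worker thread. The nmap lookup happens outside ``screenLock``
    so a missing key can no longer leave the lock held: the original
    acquired the (non-reentrant) semaphore again in its ``except`` branch,
    which deadlocked the thread whenever the lookup failed after acquire.
    """
    state = None
    try:
        nmScan = nmap.PortScanner()
        nmScan.scan(tgtHost, tgtPort)
        state = nmScan[tgtHost]['tcp'][int(tgtPort)]['state']
    except (KeyError, ValueError, nmap.PortScannerError):
        # Host absent from the results, port not in the tcp table, or nmap
        # itself failed: reported as N/A below.
        state = None
    with screenLock:
        if state is None:
            print(" [*] " + tgtHost + " tcp/" + tgtPort + " N/A")
            return
        if state == 'open':
            # NOTE(review): ``cur`` is shared with the main thread and pymysql
            # connections are not thread-safe; the lock serialises the
            # inserts but the main thread's insert is not under it — confirm.
            insertOpenPort(tgtName, tgtHost, tgtPort, state)
        print(" [*] " + tgtHost + " tcp/" + tgtPort + " " + state)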
'''
Scan the host : port
'''
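def portScan(tgtHost, tgtPorts):
    """Resolve ``tgtHost``, record it as scanned, and scan each port in a thread.

    Args:
        tgtHost: IP address or hostname to scan.
        tgtPorts: iterable of port numbers.

    The reverse-DNS name (or the IP when there is none) becomes the ``host``
    column; it is supplied by the remote side's PTR record, so it is
    untrusted input for anything downstream of the database. Worker threads
    are started but not joined, as in the original.
    """
    try:
        tgtIP = gethostbyname(tgtHost)
    except OSError:
        # gaierror (and herror) subclass OSError; narrowed from a bare except.
        print("[-] Cannot resolve '%s': Unknown host " % tgtHost)
        return
    try:
        hostname = gethostbyaddr(tgtIP)[0]
    except OSError:
        hostname = tgtIP
    print('\n[+] Scan results for: ' + hostname)
    # Record the address before scanning so main() can resume after a crash.
    insertLastAddress(hostname, tgtHost)
    time.sleep(1)
    for tgtPort in tgtPorts:
        Thread(target=nmapScan, args=(tgtHost, str(tgtPort), hostname)).start()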
'''
loop through the IP address ranges
'''
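def main():
    """Open the tunnel and DB connection, then walk the IP ranges with portScan().

    On the first run the ``scanned`` table is empty and lastScannedAddress()
    returns None; the original called ``.split`` on it and crashed, so the
    default range start is used in that case. Exit statuses from the helpers
    are non-zero on failure.
    """
    createTunnel()
    connectDb()
    # Ports to test.
    portList = [21, 20, 22, 80, 110, 143, 443, 548, 631]
    # [start, stop) per octet; stop is exclusive, as in the original.
    W = [220, 255]
    X = [1, 255]
    Y = [1, 255]
    Z = [1, 255]
    lastScanned = lastScannedAddress()
    if lastScanned:
        parts = lastScanned.split('.')
        if len(parts) == 4:
            W[0], X[0], Y[0], Z[0] = (int(p) for p in parts)
        # NOTE(review): the resumed address is scanned again, and the inner
        # octets restart from the saved values on every outer iteration
        # rather than from 1 — kept as in the original; confirm intent.
    for w in range(W[0], W[1]):
        for x in range(X[0], X[1]):
            for y in range(Y[0], Y[1]):
                for z in range(Z[0], Z[1]):
                    portScan('%d.%d.%d.%d' % (w, x, y, z), portList)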
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()