Brief Analysis of Several Port Scanning Methods

1. nmap probe port

nmap accepts the --min-hostgroup parameter when scanning multiple hosts. With it set, nmap scans several hosts in parallel:

the hosts are divided into groups and one group is scanned at a time, which is convenient and fast.

Give an example:

--min-hostgroup 50 makes nmap work on groups of 50 hosts; the results for a group are not displayed until all 50 hosts have been scanned. See the nmap website for details.

import nmap
from queue import Queue
from threading import Thread

def portscan(ip):
    portlist = []
    nm = nmap.PortScannerYield()
    # -sS (SYN scan) needs root; --min-hostgroup 50 scans hosts in groups of 50
    for r in nm.scan(ip, ports='1-10000', arguments='-sS --min-hostgroup 50'):
        m = r[1]['scan'][ip]['tcp']          # r is a (host, result) tuple
        for p in m:
            temp = str(p) + "----" + m[p]['state']
            portlist.append(temp)
    print(ip, portlist)
    return portlist

class Consumer(Thread):
    def __init__(self, q):
        Thread.__init__(self)
        self.q = q
    def run(self):
        while not self.q.empty():
            ip = self.q.get()
            try:
                portscan(ip)
            except Exception as e:
                print(ip, e)

def producer(ip_list):
    num = 10                                 # number of worker threads
    threads = []
    q = Queue()
    for i in ip_list:
        q.put(i)
    threads = [Consumer(q) for i in range(0, int(num))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

ip_list = ['', '', '', '', '', '', '', '', '', '']   # placeholders: fill in the hosts to scan
producer(ip_list)

2. masscan probe port

(1) Calling masscan from Python

By default, masscan sends SYN packets; if the target host answers with SYN+ACK, the port is open. The specific process is as follows.

Detecting an open port (B has port 3306 open):

(1) A->B SYN

(2) B->A SYN+ACK

(3) A->B RST

Detecting an unopened port:

A->B SYN

B->A RST

Give an example:

import masscan
def portscan(ip):
    mas = masscan.PortScanner()
    mas.scan(ip, ports='1-10000', arguments='--max-rate 1000')   # needs root, like masscan itself
    return mas.scan_result   # dict: scan_result['scan'][ip]['tcp'][port]['state']

(2) Detecting with the system command
Usage

Scan a class B subnet for port 443
masscan -p443 <class B range, e.g. x.x.0.0/16>

Scan a class B subnet for ports 80 or 443
masscan -p80,443 <class B range>

Scan a class B subnet for the 100 most common ports at 100,000 packets per second
masscan --top-ports 100 --rate 100000 <class B range>

Output of results
-oX filename: XML output to filename.
-oG filename: grepable output to filename.
-oJ filename: JSON output to filename.
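The -oJ output is the easiest one to post-process. As an added example (not from the original post and not masscan's own code), the following parses a constructed sample of -oJ output into the open ports per host and compares it with an allowlist of services that are supposed to be exposed, which is the review step run after scanning one's own range. The sample records, the allowlist and the function names are all mine; the record layout (ip, timestamp, ports[] with port/proto/status/reason/ttl) follows what masscan writes.

```python
import json
import re
from collections import defaultdict

# Constructed sample of masscan -oJ output (not a real scan). Each record is one
# host plus the ports that answered the SYN; a host can appear more than once.
SAMPLE_OJ = """[
{ "ip": "10.0.0.5", "timestamp": "1700000000", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "10.0.0.5", "timestamp": "1700000001", "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "10.0.0.9", "timestamp": "1700000002", "ports": [ {"port": 3306, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
]"""


def parse_masscan_json(text):
    """Aggregate masscan -oJ records into {ip: [open tcp ports]}.

    Some masscan releases have been reported to leave a trailing comma before
    the closing bracket, which json.loads rejects; strip it before parsing.
    """
    cleaned = re.sub(r",\s*\]\s*$", "]", text.strip())
    hosts = defaultdict(set)
    for rec in json.loads(cleaned):
        for p in rec.get("ports", []):
            if p.get("proto") == "tcp" and p.get("status") == "open":
                hosts[rec["ip"]].add(int(p["port"]))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def unexpected_exposure(hosts, allowlist):
    """Return {ip: [ports]} for open ports not in the per-host allowlist.

    Anything reported here needs an owner, a firewall rule, or a shutdown:
    the allowlist is the inventory of services that are meant to be reachable.
    """
    findings = {}
    for ip, ports in hosts.items():
        extra = sorted(set(ports) - set(allowlist.get(ip, ())))
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    # Constructed allowlist: only 443 on 10.0.0.5 is supposed to be exposed.
    expected = {"10.0.0.5": [443]}
    found = parse_masscan_json(SAMPLE_OJ)
    for ip, ports in unexpected_exposure(found, expected).items():
        print(ip, "unexpected open ports:", ports)
```

With a real run, replace SAMPLE_OJ with the contents of the -oJ file; the allowlist is best generated from the asset inventory rather than typed by hand, so that the diff between "what should be open" and "what answers a SYN" stays honest over time.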

3. socket probe port

The socket probe does not send a complete three-way handshake; the process is as follows.

Detecting an open port (B has port 3306 open):

A discards the data after receiving the SYN+ACK packet returned by B.

Detecting an unopened port:

A sends SYN; B does not have port 33 open, so an RST packet is returned.

import socket
def portscan(ip, port):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(1)
        status = s.connect_ex((ip, port))   # 0 means the connection succeeded
        if status == 0:
            temp_str = str(ip) + "---" + str(port) + "---open"
            print(temp_str)
        s.close()
    except Exception as e:
        print(ip, port, e)
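As an added example (not from the original post), here is a self-contained version of the socket probe that starts its own listener on 127.0.0.1, so it runs offline and shows how connect_ex() separates an open port (return value 0), a closed port (ECONNREFUSED, the RST case described above) and a port that gives no answer. One caveat for anyone reading the host's own logs: when connect_ex() succeeds it has completed the full handshake, so the probed service sees a real connection and records it like any other client. All function names below are mine.

```python
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(ip, port, timeout=0.5):
    """Return 'open', 'closed' or 'filtered' for one TCP port on ip."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)               # never hang on a port that drops the SYN
        status = s.connect_ex((ip, port))   # error number instead of an exception
    if status == 0:
        return "open"                       # handshake completed
    if status == errno.ECONNREFUSED:
        return "closed"                     # peer answered the SYN with RST
    return "filtered"                       # timeout or other error: no usable answer


def scan_ports(ip, ports, workers=50, timeout=0.5):
    """Probe several ports concurrently; return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(ip, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(ip, ports, **kw):
    """Convenience wrapper: just the ports that completed a handshake."""
    return sorted(p for p, st in scan_ports(ip, ports, **kw).items() if st == "open")


def demo():
    """Constructed setup: one listening loopback port and one known-free port.

    Returns (state of the listening port, state of the free port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))              # port 0: let the OS pick a free port
    srv.listen(5)                           # backlog lets the handshake finish without accept()
    listening = srv.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    free = tmp.getsockname()[1]
    tmp.close()                             # nothing listens here now, so the kernel sends RST

    try:
        result = scan_ports("127.0.0.1", [listening, free])
    finally:
        srv.close()
    return result[listening], result[free]


if __name__ == "__main__":
    print(demo())   # expected: ('open', 'closed')
```

The "filtered" branch is what a firewall that silently drops the SYN looks like from this side: no RST ever arrives, so the only signal is the timeout, which is why the per-socket timeout matters more than the thread count for scan time.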

4. telnet probe port

The telnet probe uses a full three-way handshake connection, with the command telnet ip port; the process is as follows.

B has port 3306 open:

telnet 3306

The process is as follows:

Connect using the TCP three-way handshake: SYN -> SYN+ACK -> ACK

Probing a port that does not exist: a SYN packet is sent, and the RST packet that comes back is discarded.

If there is a return value, the port is open; otherwise the port is closed.

import telnetlib   # deprecated since Python 3.11 and removed in 3.13
def portscan(ip, port):
    try:
        t = telnetlib.Telnet(ip, port=port, timeout=0.2)   # raises if the connection fails
        temp_str = str(ip) + '---' + str(port)
        print(temp_str)
        t.close()
    except Exception as e:
        pass

5. nc probe port

The nc probe uses a full three-way handshake connection, with the command nc -v -w 1 -z ip port; the process is the same as the telnet probe.

Packets when detecting an open port

Packets when detecting an unopened port

If the port is open, nc returns 0, which can be used as the basis for judgment.

import subprocess
def portscan(ip, port):
    # Pass the arguments as a list so ip/port cannot smuggle extra shell commands
    command = ['nc', '-v', '-w', '1', '-z', str(ip), str(port)]
    m = subprocess.call(command)   # nc exits 0 when the connection succeeded
    if m == 0:
        temp_str = str(ip) + "---" + str(port)
        print(temp_str)

6. Summary

nmap gives more detailed results than the other methods, but it is slow.
If efficiency matters, sockets are recommended, though the results are not detailed.

Each method has its own merits and demerits.

