In [20]:
# Jupyter stuff, feel free to ignore
from IPython.display import Image

# Used for Code
import subprocess
import socket
import sys
from tqdm import tqdm_notebook as tqdm

# Introduction to Port Scanning 
## Overview
This Notebook gives a brief overview of: 
- BSD Sockets in Python 3
- Python equivalent commands for some common UNIX networking commands 
- How to write a basic Port Scanner. 

## Prerequisites 
- Basic understanding of the TCP networking protocol
- Basic Understanding of socket application programming interface
## Disclaimer: 
- I take no responsibility for silly or illegal things you do. See License for more details.  

# Sockets
## 10,000 ft Overview
You are encouraged to read the documentation found [here](https://docs.python.org/3/library/socket.html).

The socket module in Python 3 provides a pure python API access to the BSD socket interface. Out of the box, it comes with
- A socket class, for handling the actual data channel
- unctions for network-related tasks
    - For example: mapping server names to IP addresses
    
## Initializing a Socket
- The most common way of initializing a socket in python is to call the socket constructor as follows: 
    - `sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`
    - Note the variable name you assign it to doesn't matter, but by convention and for readability, a selection is typically made from $\{\text{s,sock} \}$
## Breaking down the Command
- The INET sockets, account for the vast majority of sockets in use. 
    - `AF_INET` corresponds to network protocol IPv4. For IPv6 use `AF_INET6 `
- Stream sockets/connection-oriented sockets send and receive data over Transmission Control Protocol (TCP)
    - Technically speaking, they could also send/receive data using SCTP and also DCCP. We will only worry about TCP 

In [18]:
# Basic  usage
import socket

socket.setdefaulttimeout(.5)

# create a IPV4 TCP socket. 


# Great, now what can we do with it?
- We can connect to a IP:Port pair. Lets try http://example.com/ 
    - We can also send, and receive data but for now we will only focus on connecting. 
- To do this, we first resolve the URL into an IP address
- We then connect to the site using one of the default HTTP port numbers (80, 443, 8080...etc)

In [17]:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

target_url = 'www.example.com'
target_port = 80
host_ip = socket.gethostbyname(target_url)
print("IP Address for {} is {}".format(target_url,host_ip))
try:
    sock.connect((host_ip, target_port))
    print("Success! We connected to {}:{}".format(host_ip, target_port))
except socket.timeout:
    print("Timeout error encountered.")
    

IP Address for www.example.com is 93.184.216.34
Success! We connected to 93.184.216.34:80


# Discovering Open Ports
As I am sure you have noticed, if we can check if a connection can be established on port 80, what is stopping us from checking if we can connect to arbitrary ports?
    - Answer: Nothing. 
    
## Port Scanner Algorithm
- Initialize Host IP to `w.x.y.z`:
- `for p in range(1, upper_port):`
    - Try to connect to `w.x.y.z:p`
    - If successful this port is open. 

In [22]:
def port_scan(host, port):
    """
    Attempts to connect to a host as a particular port
    @Arguments:
    host -- the ip address or server hostname to scan
    port -- port to connect to
    """

    # (AF_INET, SOCK_STREAM) <==> (IPV4, TCP)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Try to connect to host:port.
        con = sock.connect((host,port))
        print( "Port {}:      Open".format(port))
        sock.close()
        return port
    except socket.timeout:
        # If theres a time out, the port is probably closed
        return False

# Identifying Open Ports on a Website: 
- Lets test this out on a real website. In particular, lets try and identify open ports on https://www.hackthissite.org/. 
- We can do this because they give **explicit legal permission to do so ** [here](Express permission given here: https://www.hackthissite.org/info/about)

## DISCLAIMER: I AM NOT A LAWYER
![BirdLaw](https://media1.tenor.com/images/1493636f391a486ca2e960b4de698d1d/tenor.gif?itemid=8142507)
- Port Scanning is in a legal gray area. While technically not illegal, if you accidentally break something while port scanning, and the entity that owns the thing you broke has deep pockets, it is very  probable that they will  make your life miserable in the form of a lawsuit. 

In [23]:
# Lets try to port scan http://hackthissite.org
# Express premission given here: https://www.hackthissite.org/info/about
target_url = 'www.hackthissite.org'
ip = socket.gethostbyname(target_url)
port_range = range(1,1024)

# tqdpm is a nice tool for tracking progress
# on single threaded processes
for port in tqdm(port_range):
    port_scan(ip, port)
    



HBox(children=(IntProgress(value=0, max=1023), HTML(value='')))

Port 22:      Open
Port 80:      Open
Port 443:      Open



# What is next?
- For a Command Line Interface, see portscan.py
- If you have ever used nmap, you probably noticed that this program is extremely slow compared to nmap. For one, NMAP is **multithreaded** meaning it can scan multiple ports concurrently. 
