# Writing a network and port scanner with Scapy
- replicate some basic features of Nmap and other network scanning tools

In [None]:
!nmap

In [None]:
# ping scan using nmap - ping scan mac host
! nmap -sn 192.168.65.1

## ping can be blocked
- disable ping on host and scan again

In [None]:
! nmap -sn 192.168.65.1

In [None]:
# enable os fingerprinting
! nmap -sS -A 192.168.65.1

In [2]:
! pip install netaddr

Collecting netaddr
[?25l  Downloading https://files.pythonhosted.org/packages/ba/97/ce14451a9fd7bdb5a397abf99b24a1a6bb7a1a440b019bebd2e9a0dbec74/netaddr-0.7.19-py2.py3-none-any.whl (1.6MB)
[K    100% |████████████████████████████████| 1.6MB 8.8MB/s eta 0:00:01    78% |█████████████████████████▏      | 1.3MB 6.8MB/s eta 0:00:01
[?25hInstalling collected packages: netaddr
Successfully installed netaddr-0.7.19


## scapy ping scan
- scan the network with ping/icmp packets and scan for ports on the live hosts

In [3]:
#! /usr/bin/python3

# Adapted for Python 3 from : https://thepacketgeek.com/scapy-p-10-emulating-nmap-functions/

from scapy.all import *
import netaddr
import random

def pingHost(host):
    resp = sr1(IP(dst=str(host))/ICMP(), timeout=2, verbose=0)
    up = False
    #resp.show()
    if not resp:
        print(str(host) + " is down or not responding.")
    elif resp.haslayer(ICMP):
        if (int(resp.getlayer(ICMP).type)==3 and int(resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
            print(str(host) + " is blocking ICMP.")
        elif (int(resp.getlayer(ICMP).type) == 0): # icmp-response received 
            up = True
        else:
            print("icmp type = {}".format(int(resp.getlayer(ICMP).type)))
            print(str(addr) + " is acting weird.")
    return up

# Send ICMP ping request, wait for answer
def pingScanNetwork(addresses):
    liveHosts = []
    for addr in addresses:
        if (addr == addresses.network or addr == addresses.broadcast):
            continue

        print("Trying on {}".format(addr))
        if pingHost(str(addr)):
            liveHosts.append(str(addr))
                
    return liveHosts

## scan a host

In [4]:
host = 'www.facebook.com'
live = pingHost(host)
if live:
    print('{} host is up!'.format(host))

www.facebook.com host is up!


## scan a whole subnet

In [None]:
# Define IP range to scan
network = "192.168.47.1/24"
# Define TCP port range
portRange = [22,23,80,443,449]
# make list of addresses out of network, set live host counter
addresses = netaddr.IPNetwork(network)
liveHosts = pingScanNetwork(addresses)

Trying on 192.168.47.1
192.168.47.1 is down or not responding.
Trying on 192.168.47.2
192.168.47.2 is down or not responding.
Trying on 192.168.47.3
192.168.47.3 is down or not responding.
Trying on 192.168.47.4
192.168.47.4 is down or not responding.
Trying on 192.168.47.5
192.168.47.5 is down or not responding.
Trying on 192.168.47.6
192.168.47.6 is down or not responding.
Trying on 192.168.47.7
192.168.47.7 is down or not responding.
Trying on 192.168.47.8
192.168.47.8 is down or not responding.
Trying on 192.168.47.9
192.168.47.9 is down or not responding.
Trying on 192.168.47.10
192.168.47.10 is down or not responding.
Trying on 192.168.47.11
192.168.47.11 is down or not responding.
Trying on 192.168.47.12
192.168.47.12 is down or not responding.
Trying on 192.168.47.13
192.168.47.13 is down or not responding.
Trying on 192.168.47.14
192.168.47.14 is down or not responding.
Trying on 192.168.47.15
192.168.47.15 is down or not responding.
Trying on 192.168.47.16
192.168.47.16 is do

## scapy port scanner
- tcp syn scan to map open ports

In [1]:
#! /usr/bin/python3
# Adapted from: https://thepacketgeek.com/scapy-p-10-emulating-nmap-functions/
# Fixed some bugs and ported for Python3

from scapy.all import *
import random
# Define end host and TCP port range

# Send SYN with random Src Port for each Dst port
def scanPorts(host, portRange):
    for dstPort in portRange:
        print("Trying port {:6}".format(dstPort))
        srcPort = random.randint(1025,65534)
        resp = sr1(IP(dst=host)/TCP(sport=srcPort,dport=dstPort,flags="S"),timeout=1,verbose=0)
        if resp:
            if (str(type(resp)) == "<type 'NoneType'>"):
                print(host + ":" + str(dstPort) + " is filtered (silently dropped).")
            elif(resp.haslayer(TCP)):
                if(resp.getlayer(TCP).flags == 0x12):
                    send_rst = sr(IP(dst=host)/TCP(sport=srcPort,dport=dstPort,flags="R"),timeout=1,verbose=0)
                    print (host + ":" + str(dstPort) + " is open.")
            elif (resp.getlayer(TCP).flags == 0x14):
                print (host + ":" + str(dstPort) + " is closed.")
            elif(resp.haslayer(ICMP)):
                if(int(resp.getlayer(ICMP).type)==3 and int(resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
                    print (host + ":" + str(dstPort) + " is filtered (silently dropped).")
        else:
            print("No response received.")
            

In [2]:
host = "www.facebook.com"
portRange = [22,23,80,443,3389]
scanPorts(host, portRange)

Trying port     22
No response received.
Trying port     23
No response received.
Trying port     80
www.facebook.com:80 is open.
Trying port    443
www.facebook.com:443 is open.
Trying port   3389
No response received.
