Repository Link

Py Net Scan is a very basic TCP network scanner built in Python. Why? Py Net Scan is built using only the Python standard library, which means that no external dependencies are required. This is great for a situation where you have a foothold on a network but don't have sudo privileges to install extra tools like netcat or nmap. Nearly every Linux or macOS version ships with some native installation of Python, hence making that the language of choice.

For the time being, only TCP scanning is supported because of the way that scanning is implemented. The scan largely revolves around the following lines of code and just involves interpreting the different outcomes of a socket connection in Python:

    import errno
    import socket

    def check_port(target, port, timeout):
        # one fresh socket per probe; settimeout() is what makes socket.timeout possible
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((target, port))
                return "OPEN"
            except socket.timeout:
                # neither SYN-ACK nor RST within the timeout: dropped/filtered
                return "CLOSED"
            except PermissionError:
                return "UNABLE"
            except ConnectionRefusedError:
                # an RST came back: nothing is listening on that port
                return "REJECTED"
            except OSError as error:
                # no route to host (errno 65 on macOS/BSD, 113 on Linux, so use the symbolic name)
                if error.errno == errno.EHOSTUNREACH:
                    return "CLOSED"
                raise
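To see which state each connect() outcome produces without touching anything but the local machine, here is an added example (not code from the Py Net Scan repository) that wraps the logic above in a function and checks it against a throw-away listener on 127.0.0.1 plus a loopback port that nothing is bound to. The function and helper names (probe, start_listener, free_port, demo) are my own.

```python
import errno
import socket


def probe(target, port, timeout=1.0):
    """Map the outcome of a TCP connect() to a scan state, the same way the
    snippet above does. One fresh socket per probe, so a timeout on one port
    does not leave a half-used socket around for the next."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((target, port))
            return "OPEN"
        except socket.timeout:
            return "CLOSED"        # SYN silently dropped (filtered)
        except PermissionError:
            return "UNABLE"
        except ConnectionRefusedError:
            return "REJECTED"      # RST received: nothing listening
        except OSError as error:
            if error.errno == errno.EHOSTUNREACH:
                return "CLOSED"    # no route to host
            raise


def start_listener():
    """Bind a throw-away listener on a kernel-chosen loopback port.
    Returns (socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port():
    """Find a loopback port with nothing listening: bind to port 0 so the
    kernel picks a free one, then release it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe one listening port and one unbound port on loopback.
    Returns the pair of states, expected ("OPEN", "REJECTED")."""
    srv, open_port = start_listener()
    try:
        open_state = probe("127.0.0.1", open_port)
        closed_state = probe("127.0.0.1", free_port())
    finally:
        srv.close()
    return open_state, closed_state


if __name__ == "__main__":
    print(demo())
```

The listener never calls accept(): the kernel completes the three-way handshake into the backlog on its own, which is why a connect() scanner sees "OPEN" for any bound-and-listening port regardless of what the application does afterwards. The "CLOSED"-by-timeout path is not exercised here because a dropped SYN needs a host or firewall that does not answer, which loopback cannot simulate.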

All inputs are supplied by command line arguments and can be reviewed by running --help.

Be sneaky

Upon running a scan, the script will also indicate how many connections will be made, depending on the number of targets and ports specified. This is useful information if you want to fly under the radar from security toolsets. You can also specify --wait_time, which increases the delay between connections and therefore the overall scan duration. This can be helpful to circumvent security toolsets whose strategy is to identify a large burst of failed connections in a short amount of time. There is also an (untested) theory that by using Python sockets, it will make it harder for security toolsets to fingerprint the OS running the scans, thus providing some obscurity to the source of the scan.
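The detection strategy the paragraph describes, a burst of failed connections in a short window, is easy to write down, and doing so shows both why a paced scan slips past it and what a defender adds to close that gap: the same rule evaluated over a longer window on distinct destination ports. The following is an added example, not part of Py Net Scan, using a log line format I constructed for it (timestamp, src, dst, dport, result); the class and function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example, not any real product's):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> result=<accepted|refused|timeout>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) result=(?P<result>\w+)$"
)
FAILED = {"refused", "timeout"}   # the outcomes a connect() scanner leaves behind


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "result": d["result"]}


class DistinctPortDetector:
    """Per-source sliding window over failed connections. Alerts once per source
    when the number of distinct destination ports inside the window reaches
    `threshold`. Counting distinct ports rather than raw failures keeps one
    flapping service from tripping the rule."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # src -> deque of (ts, dport), time-ordered
        self.alerted = set()

    def feed(self, ev):
        if ev["result"] not in FAILED:
            return None
        q = self.events[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        cutoff = ev["ts"] - self.window
        while q and q[0][0] < cutoff:      # expire events that fell out of the window
            q.popleft()
        if ev["src"] in self.alerted:
            return None
        if len({port for _, port in q}) >= self.threshold:
            self.alerted.add(ev["src"])
            return ev["src"]
        return None


def run(lines, window_seconds, threshold):
    """Feed time-ordered log lines through one detector; return alerting sources in order."""
    det = DistinctPortDetector(timedelta(seconds=window_seconds), threshold)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src = det.feed(ev)
        if src is not None:
            alerts.append(src)
    return alerts


def make_logs():
    """Constructed sample: one normal connection, a 12-port burst from 10.0.0.5
    spaced 0.2 s apart, and the same 12 ports from 10.0.0.7 spaced 30 s apart."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    ports = [21, 22, 23, 25, 53, 110, 135, 139, 445, 993, 3389, 8080]

    def fmt(ts, src, port, result="refused"):
        return f"{ts.isoformat()} src={src} dst=10.0.0.9 dport={port} result={result}"

    lines = [fmt(base, "10.0.0.3", 443, "accepted")]
    for i, port in enumerate(ports):
        lines.append(fmt(base + timedelta(seconds=0.2 * i), "10.0.0.5", port))
        lines.append(fmt(base + timedelta(seconds=30 * i), "10.0.0.7", port))
    lines.sort(key=lambda line: parse(line)["ts"])
    return lines


LOGS = make_logs()

if __name__ == "__main__":
    print("10 s window, 10 ports:", run(LOGS, 10, 10))     # only the burst source
    print("15 min window, 10 ports:", run(LOGS, 900, 10))  # burst and the paced scan
```

With a 10-second window only the burst from 10.0.0.5 alerts, which is exactly the gap a --wait_time style delay exploits. Re-running the same rule with a 15-minute window also flags 10.0.0.7, at the cost of holding more state per source; in practice both windows run side by side, the short one for fast response and the long one for paced scans.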

Similar to nmap, there is the ability to do a predefined scan, which can be helpful. For example, specify a quick scan with -st quick_ports, which will target common ports. Run --help to see all predefined scan types. If you want to add your own scan types, you can append to the scan_types dictionary at roughly line 9.

If you'd like to do further manipulation/analysis of the results (so you can plug the results into other tools), you can use --dump, which will write the results to a file called scan.json.

Sample schema

{
   "target":
      ports {
         port: "STATE (OPEN/CLOSED/REJECTED)"
      }
}

Alternatively, results are printed to the screen, as shown below:

Sample output:

-------------------------------------------
| Scan results for:  sample.tst.lan       |
-------------------------------------------
|  Port  | State                          |
-------------------------------------------
|  22    | REJECTED                       |
|  23    | REJECTED                       |
|  25    | REJECTED                       |
|  53    | REJECTED                       |
|  80    | OPEN                           |
|  111   | OPEN                           |
|  135   | REJECTED                       |
|  139   | OPEN                           |
|  443   | OPEN                           |
|  993   | REJECTED                       |
|  306   | REJECTED                       |
|  3389  | REJECTED                       |
|  8080  | REJECTED                       |
|  8443  | REJECTED                       |
-------------------------------------------

To conclude

This isn't designed to reinvent the wheel but demonstrates a way to do a network scan utilizing the tools which you may have available. It provides knowledge around the different types of exceptions within Python sockets and what they mean. If you're natively using Python sockets in code, you should definitely consider implementing code that catches them!
