By: Uladzislau Murashka
March 1, 2018
Creating Quick Mass Scanning Tool with Python and ZMap
Creating a quick mass scanning tool with Python and ZMap, adding a web panel in PHP backed by a MySQL database, and hiding the scanner behind Proxychains.
Our main aim is to quickly run a port scan over a wide range of hosts, store the results, and access them easily through some kind of web interface. Because scanning other people's systems without permission is illegal, the tool can also be put behind proxies or Tor.
Important notice: scanning without the agreement of the technical owner of the targeted system is illegal. I recommend not using this tool for such activities; run it only against assets on your own local network.
Requirements:
- Python 2.7
- PHP 5.x
- Debian 7 or 8
- ZMap scanner
- Proxychains package
First of all, let's prepare the instance (in our example a Debian machine) from which we are going to run the scans.
After the OS installation, run the following commands (on Debian 7/8 the package that provides Python 2.7 is called python, not python2):
$ sudo apt-get update -y
$ sudo apt-get upgrade -y
$ sudo apt-get install mysql-server php5 python proxychains tor
Then we need to download the Python script. (The "Spidy" script and this write-up were provided by Uladzislau Murashka, Security Engineer.)
In the next step you need to create a MySQL database and a user for it, then put the credentials into the script "spidy.py" (lines 19-22) and into the web panel's "db.php" file. Use a dedicated MySQL user whose privileges are limited to that one database rather than root, since the same credentials end up in a file stored under the web root.
After the credentials are in place, initialise the database with everything the script needs:
$ chmod +x spidy.py
Once the script's initialisation step has run, all required tables are created and the database is ready for work.
Next, get ZMap from its official site, or try installing it with apt-get.
ZMap on GitHub: https://github.com/zmap/zmap
If you run into problems installing ZMap, this issue thread may help: https://github.com/zmap/zmap/issues/327
To scan anything we first need a list of targets. It is best to work with your internal environment, but the spidy script can also grab IP address ranges by country code, for example:
$ ./spidy.py ip_list ca
After the command completes you have the Canadian IP address pool; alternatively, prepare your own list (one IP address or CIDR range per line, which is the format ZMap reads).
Then we can start scanning:
$ ./spidy.py scan ip_list.txt 21
1. scan – starts the scanning process
2. ip_list.txt – our file with the list of IP addresses
3. 21 – the port we are looking for
ZMap sends raw packets, so the scan has to run as root, and you should put your own networks into ZMap's blocklist before scanning anything large.
While the scan runs, let's deploy the navigation web panel:
1. If you don't have Apache yet, install it (apt-get install apache2), plus php5-mysql so PHP can talk to the database
2. Copy all files from /web_panel/ to the web root (/var/www/html on Debian 8, /var/www on Debian 7)
3. Set up the Apache configuration file so the panel is reachable; since it exposes your scan results, keep it on localhost or an internal address rather than the internet
4. Don't forget to update /web_panel/db.php with the actual MySQL credentials
The most popular targets for such tools are:
- Anonymous FTP (port 21)
- Open SMTP relays (port 25)
- Heartbleed-vulnerable systems (usually port 443)
- Databases without password protection that are open to the internet (MySQL 3306, MongoDB 27017, etc.)
In our example we are going to check FTP and SSH.
After the scan is done and the database is filled with results, let's check what actually isn't protected properly:
$ ./spidy.py check ftp
This command runs an anonymous FTP login check against every host in the database that had port 21 open. Let's go to the web panel and see what appears:
The main page shows the scanner's stats:
1st column: number of unique hosts
2nd column: number of unique ports
3rd column: successful checks (access was gained)
4th column: last update date
We can also search the database to show only the successful results:
Spidy can also export results by port if needed:
$ ./spidy.py export 21 ftp.txt
This tells the script to export the scanned systems with the FTP port (21) open into the file ftp.txt.
Currently the script can check for anonymous FTP, simple SSH passwords and MongoDB databases open without password protection.
The script is deliberately simple and you can add any check of your own without much trouble; see line 156 and below in spidy.py.
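The anonymous FTP check run by `spidy.py check ftp` above, and the shape a check of your own needs in order to plug into the same runner, as one added example (Python 3) that is not spidy's own code. Assumptions, labelled in the code too: result dicts with an "access" flag are our own convention for "access was gained"; FakeFtpServer is a constructed fixture that speaks just enough FTP (USER, PASS, QUIT) for the check to be exercised offline and is not a real server.

```python
"""Anonymous FTP check plus a small check registry/runner.

Added example, not spidy's code. Assumed: result dicts with an "access" flag;
FakeFtpServer is a constructed fixture for offline demonstration only.
"""
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5):
    """Report whether USER anonymous / PASS guest@ gets a 230 reply.

    Any failure (refused, timeout, 530 login incorrect, odd banner) is caught
    and reported as access=False, so one dead host never aborts a run over
    thousands of scan hits. The short timeout matters at scale.
    """
    result = {"host": host, "port": port, "access": False, "banner": ""}
    ftp = ftplib.FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout).strip()
        reply = ftp.login("anonymous", "guest@example.com")  # 530 raises error_perm
        result["access"] = reply.startswith("230")
        ftp.quit()
    except ftplib.all_errors:
        pass
    finally:
        ftp.close()  # safe even if the connect never happened
    return result


# Registry of checks: name -> callable(host, port, **opts) -> result dict.
# A new check (an SSH default-password or MongoDB no-auth probe, say) only
# has to follow the same shape and be added here.
CHECKS = {"ftp": check_anonymous_ftp}


def run_checks(name, targets, **opts):
    """Run one named check over (host, port) pairs from the scan table and
    return only the successful results, i.e. hosts where access was gained."""
    check = CHECKS[name]
    return [r for r in (check(h, p, **opts) for h, p in targets) if r["access"]]


class FakeFtpServer(threading.Thread):
    """Constructed fixture: one connection, answers USER/PASS/QUIT, nothing else."""

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, read back below
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 fixture FTP\r\n")
            for raw in lines:
                words = raw.decode("ascii", "replace").split()
                cmd = words[0].upper() if words else ""
                if cmd == "USER":
                    conn.sendall(b"331 password please\r\n")
                elif cmd == "PASS":
                    conn.sendall(b"230 logged in\r\n" if self.allow_anonymous
                                 else b"530 login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 not implemented\r\n")
        self.sock.close()


def demo(allow_anonymous):
    """Run the ftp check against the fixture; returns the successful results."""
    server = FakeFtpServer(allow_anonymous)
    server.start()
    findings = run_checks("ftp", [("127.0.0.1", server.port)], timeout=3)
    server.join(timeout=3)
    return findings


if __name__ == "__main__":
    print(demo(True))   # one result with access=True
    print(demo(False))  # []
```

The point of the registry is that the runner never needs to know what a check does: it feeds (host, port) pairs from the scan table to the callable and keeps the results where access was gained, which is exactly what the panel's third column counts. A real run over internet hosts should also be rate-limited and should log failures, not just successes, so that a check that times out everywhere is noticed.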
If you want to run the checks through a proxy chain or Tor, use proxychains:
$ proxychains ./spidy.py check ftp
One caveat applies to the scan step. Proxychains works by preloading a library that intercepts the libc socket calls of dynamically linked programs, so it covers ordinary TCP connections such as the FTP, SSH and MongoDB checks. ZMap builds its own raw SYN packets and reads the replies straight from the interface, so
$ proxychains ./spidy.py scan ip_list.txt 21
does not route the scan traffic through the proxies or Tor at all; the probes leave with your real source address (Tor cannot carry raw packets anyway). Only the checks can be run anonymously this way.