By: r00t_privilege
February 16, 2017

Raw Sockets Python SYN TCP SCAN

This article explains how to create a raw socket in Python and use it to hand-craft the IP and TCP headers for a SYN, ACK or XMAS scan probe. Two caveats before the code: raw sockets with IP_HDRINCL need root (or CAP_NET_RAW on Linux), and the same technique can be abused for a denial-of-service attack (SYN flooding), so send crafted packets only to hosts you are authorized to test. Note also that the script below only transmits the probe; to classify a port you still have to capture the reply separately (SYN-ACK = open, RST = closed, no answer = filtered). See the code below:
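import socket
import struct
import sys

# TCP flag bits in header order (RFC 793).  OR them together to pick the probe
# type the article describes: SYN scan -> TH_SYN, ACK scan -> TH_ACK,
# XMAS scan -> TH_FIN | TH_PSH | TH_URG.
TH_FIN = 0x01
TH_SYN = 0x02
TH_RST = 0x04
TH_PSH = 0x08
TH_ACK = 0x10
TH_URG = 0x20

# "!" = network byte order.  Because pack() already converts, the fields must
# be passed as plain host integers -- the original snippet ran the window
# through socket.htons() first and so put a byte-swapped window on the wire.
IP_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_HEADER_FMT = "!HHLLBBHHH"     # 20-byte TCP header, no options
PSEUDO_HEADER_FMT = "!4s4sBBH"    # src, dst, zero, protocol, TCP length


def checksum(msg: bytes) -> int:
    """Return the RFC 1071 one's-complement checksum of *msg*.

    Used for both the IPv4 header checksum and the TCP checksum (computed
    over pseudo-header + segment).  An odd-length input is padded with a
    zero byte as the RFC requires -- the original indexed past the end in
    that case.  The carry is folded until nothing remains above 16 bits;
    folding once is not enough once the raw sum exceeds 0x1FFFF.
    """
    if len(msg) % 2:
        msg = bytes(msg) + b"\x00"
    total = sum((msg[i] << 8) | msg[i + 1] for i in range(0, len(msg), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ip_header(source_ip: str, dest_ip: str, payload_len: int,
                    ident: int = 54321, ttl: int = 255) -> bytes:
    """Return a 20-byte IPv4 header for a TCP segment of *payload_len* bytes.

    Args:
        source_ip: dotted-quad source address.  Anything other than a local
            address is spoofing: replies go to that host, not to you.
        dest_ip: dotted-quad destination address.
        payload_len: length of the TCP header (+ data) that follows, so
            Total Length is correct (the original hard-coded 20, i.e. the
            IP header alone).
        ident: IP identification field.
        ttl: time to live.

    The header checksum is computed here instead of being left to the
    kernel: Linux rewrites it under IP_HDRINCL, but relying on that is not
    portable.
    """
    ihl_version = (4 << 4) | 5          # version 4, IHL = 5 words = 20 bytes
    tos = 0
    frag_off = 0
    fields = [
        ihl_version, tos, 20 + payload_len, ident, frag_off, ttl,
        socket.IPPROTO_TCP, 0,          # checksum placeholder, filled below
        socket.inet_aton(source_ip), socket.inet_aton(dest_ip),
    ]
    fields[7] = checksum(struct.pack(IP_HEADER_FMT, *fields))
    return struct.pack(IP_HEADER_FMT, *fields)


def build_tcp_header(source_ip: str, dest_ip: str, source_port: int,
                     dest_port: int, flags: int = TH_SYN, seq: int = 0,
                     ack_seq: int = 0, window: int = 5840) -> bytes:
    """Return a 20-byte TCP header with a valid checksum and no payload.

    Args:
        source_ip, dest_ip: addresses for the checksum pseudo-header; they
            must match the IP header the segment is sent under or the
            receiver will drop the segment as corrupt.
        source_port, dest_port: TCP ports.
        flags: bitmask of TH_* constants; defaults to a bare SYN.
        seq, ack_seq: sequence / acknowledgement numbers.
        window: advertised window, as a plain integer (see module note).
    """
    doff = 5                            # header length in 32-bit words
    offset_res = doff << 4              # 4-bit data offset, reserved bits 0
    urg_ptr = 0
    header = struct.pack(TCP_HEADER_FMT, source_port, dest_port, seq, ack_seq,
                         offset_res, flags, window, 0, urg_ptr)
    pseudo = struct.pack(PSEUDO_HEADER_FMT, socket.inet_aton(source_ip),
                         socket.inet_aton(dest_ip), 0, socket.IPPROTO_TCP,
                         len(header))
    tcp_checksum = checksum(pseudo + header)
    return struct.pack(TCP_HEADER_FMT, source_port, dest_port, seq, ack_seq,
                       offset_res, flags, window, tcp_checksum, urg_ptr)


def build_packet(source_ip: str, dest_ip: str, source_port: int,
                 dest_port: int, flags: int = TH_SYN) -> bytes:
    """Return IP header + TCP header for a single probe segment (40 bytes)."""
    tcp_header = build_tcp_header(source_ip, dest_ip, source_port, dest_port,
                                  flags)
    ip_header = build_ip_header(source_ip, dest_ip, len(tcp_header))
    return ip_header + tcp_header


def send_packet(packet: bytes, dest_ip: str) -> None:
    """Send one prebuilt IP packet on a raw socket.

    Requires root / CAP_NET_RAW; on failure the error is printed and the
    process exits with status 1.  Only the packet is sent -- nothing here
    listens for the reply, and the local kernel, having no socket for the
    connection, will answer a SYN-ACK with its own RST.  Capture replies
    with a separate sniffer to classify ports.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW,
                             socket.IPPROTO_TCP)
    except OSError as exc:
        print("Socket could not be created. Error Code : "
              f"{exc.errno} Message {exc.strerror}")
        sys.exit(1)
    with sock:
        # We supply the IP header ourselves; tell the kernel not to add one.
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        # The port in the address tuple is ignored for raw sockets.
        sock.sendto(packet, (dest_ip, 0))


def main() -> None:
    """Send a single SYN probe from 127.0.0.1:12345 to 127.0.0.1:5555."""
    source_ip = "127.0.0.1"
    dest_ip = "127.0.0.1"   # or socket.gethostbyname("host.you.are.allowed.to.test")
    # Only probe hosts you are authorized to test; looping this against a
    # third party is a SYN flood, not a scan.
    packet = build_packet(source_ip, dest_ip, 12345, 5555, TH_SYN)
    send_packet(packet, dest_ip)


if __name__ == "__main__":
    main()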