#!/usr/bin/python
"""
Author: Omar Santos @santosomar
version 1.0
This is a quick demonstration on how to use the scapy as a scanner
* Pre-requisite: scapy, prettytable, argparse
"""

import sys
import prettytable
import argparse
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR) #This is supress scapy warnings

from scapy.all import *

#conf.iface='eth0' # network interface to use
conf.verb=0 # enable verbose mode - Is this actually working?
conf.nofilter=1

def tcp_connect_scan(dst_ip,dst_port,dst_timeout):
    src_port = RandShort()
    tcp_connect_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=dst_timeout)
    if(str(type(tcp_connect_scan_resp))=="<type 'NoneType'>"):
        return "Closed"
    elif(tcp_connect_scan_resp.haslayer(TCP)):
        if(tcp_connect_scan_resp.getlayer(TCP).flags == 0x12):
            send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="AR"),timeout=dst_timeout)
            return "Open"
        elif (tcp_connect_scan_resp.getlayer(TCP).flags == 0x14):
            return "Closed"
    else:
        return "CHECK"


def stealth_scan(dst_ip,dst_port,dst_timeout):
    src_port = RandShort()
    stealth_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="S"),timeout=dst_timeout)
    if(str(type(stealth_scan_resp))=="<type 'NoneType'>"):
        return "Filtered"
    elif(stealth_scan_resp.haslayer(TCP)):
        if(stealth_scan_resp.getlayer(TCP).flags == 0x12):
            send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port,dport=dst_port,flags="R"),timeout=dst_timeout)
            return "Open"
        elif (stealth_scan_resp.getlayer(TCP).flags == 0x14):
            return "Closed"
    elif(stealth_scan_resp.haslayer(ICMP)):
        if(int(stealth_scan_resp.getlayer(ICMP).type)==3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
            return "Filtered"
    else:
        return "CHECK"


def xmas_scan(dst_ip,dst_port,dst_timeout):
    xmas_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="FPU"),timeout=dst_timeout)
    if (str(type(xmas_scan_resp))=="<type 'NoneType'>"):
        return "Open|Filtered"
    elif(xmas_scan_resp.haslayer(TCP)):
        if(xmas_scan_resp.getlayer(TCP).flags == 0x14):
            return "Closed"
    elif(xmas_scan_resp.haslayer(ICMP)):
        if(int(xmas_scan_resp.getlayer(ICMP).type)==3 and int(xmas_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
            return "Filtered"
    else:
        return "CHECK"


def fin_scan(dst_ip,dst_port,dst_timeout):
    fin_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="F"),timeout=dst_timeout)
    if (str(type(fin_scan_resp))=="<type 'NoneType'>"):
        return "Open|Filtered"
    elif(fin_scan_resp.haslayer(TCP)):
        if(fin_scan_resp.getlayer(TCP).flags == 0x14):
            return "Closed"
    elif(fin_scan_resp.haslayer(ICMP)):
        if(int(fin_scan_resp.getlayer(ICMP).type)==3 and int(fin_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
            return "Filtered"
    else:
        return "CHECK"


def null_scan(dst_ip,dst_port,dst_timeout):
    null_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags=""),timeout=dst_timeout)
    if (str(type(null_scan_resp))=="<type 'NoneType'>"):
        return "Open|Filtered"
    elif(null_scan_resp.haslayer(TCP)):
        if(null_scan_resp.getlayer(TCP).flags == 0x14):
            return "Closed"
    elif(null_scan_resp.haslayer(ICMP)):
        if(int(null_scan_resp.getlayer(ICMP).type)==3 and int(null_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
            return "Filtered"
    else:
        return "CHECK"


def ack_flag_scan(dst_ip,dst_port,dst_timeout):
    ack_flag_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="A"),timeout=dst_timeout)
    if (str(type(ack_flag_scan_resp))=="<type 'NoneType'>"):
        return "Stateful firewall present\n(Filtered)"
    elif(ack_flag_scan_resp.haslayer(TCP)):
        if(ack_flag_scan_resp.getlayer(TCP).flags == 0x4):
            return "No firewall\n(Unfiltered)"
    elif(ack_flag_scan_resp.haslayer(ICMP)):
        if(int(ack_flag_scan_resp.getlayer(ICMP).type)==3 and int(ack_flag_scan_resp.getlayer(ICMP).code) in [1,2,3,9,10,13]):
            return "Stateful firewall present\n(Filtered)"
    else:
        return "CHECK"


def window_scan(dst_ip,dst_port,dst_timeout):
    window_scan_resp = sr1(IP(dst=dst_ip)/TCP(dport=dst_port,flags="A"),timeout=dst_timeout)
    if (str(type(window_scan_resp))=="<type 'NoneType'>"):
        return "No response"
    elif(window_scan_resp.haslayer(TCP)):
        if(window_scan_resp.getlayer(TCP).window == 0):
            return "Closed"
        elif(window_scan_resp.getlayer(TCP).window > 0):
            return "Open"
    else:
        return "CHECK"


def udp_scan(dst_ip,dst_port,dst_timeout):
    udp_scan_resp = sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout)
    if (str(type(udp_scan_resp))=="<type 'NoneType'>"):
        retrans = []
        for count in range(0,3):
            retrans.append(sr1(IP(dst=dst_ip)/UDP(dport=dst_port),timeout=dst_timeout))
        for item in retrans:
            if (str(type(item))!="<type 'NoneType'>"):
                udp_scan(dst_ip,dst_port,dst_timeout)
        return "Open|Filtered"
    elif (udp_scan_resp.haslayer(UDP)):
        return "Open"
    elif(udp_scan_resp.haslayer(ICMP)):
        if(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code)==3):
            return "Closed"
        elif(int(udp_scan_resp.getlayer(ICMP).type)==3 and int(udp_scan_resp.getlayer(ICMP).code) in [1,2,9,10,13]):
            return "Filtered"
    else:
        return "CHECK"

def start(your_target,your_ports,your_timeout):
    x = prettytable.PrettyTable(["Port No.","TCP Connect Scan","Stealth Scan","XMAS Scan","FIN Scan","NULL Scan", "ACK Flag Scan", "Window Scan", "UDP Scan"])
    x.align["Port No."] = "l"

    user_dst_ip = your_target
    port_list = your_ports
    user_dst_timeout = your_timeout

    print "[+] Target : %s\n" % user_dst_ip
    print "[*] Scan started\n"

    for i in port_list:
        tcp_connect_scan_res = tcp_connect_scan(user_dst_ip,int(i),int(user_dst_timeout))
        stealth_scan_res = stealth_scan(user_dst_ip,int(i),int(user_dst_timeout))
        xmas_scan_res = xmas_scan(user_dst_ip,int(i),int(user_dst_timeout))
        fin_scan_res = fin_scan(user_dst_ip,int(i),int(user_dst_timeout))
        null_scan_res = null_scan(user_dst_ip,int(i),int(user_dst_timeout))
        ack_flag_scan_res = ack_flag_scan(user_dst_ip,int(i),int(user_dst_timeout))
        window_scan_res = window_scan(user_dst_ip,int(i),int(user_dst_timeout))
        udp_scan_res = udp_scan(user_dst_ip,int(i),int(user_dst_timeout))
        x.add_row([i,tcp_connect_scan_res,stealth_scan_res,xmas_scan_res,fin_scan_res,null_scan_res,ack_flag_scan_res,window_scan_res,udp_scan_res])
    print x

    print "\n[*] Scan completed\n"


def banner():
    bannerTxt = """
************************************************************
  ####   ####    ##   #####   ####   ####    ##   #    #
 #      #    #  #  #  #    # #      #    #  #  #  ##   #
  ####  #      #    # #    #  ####  #      #    # # #  #
      # #      ###### #####       # #      ###### #  # #
 #    # #    # #    # #      #    # #    # #    # #   ##
  ####   ####  #    # #       ####   ####  #    # #    #

A demonstration by Omar Santos on how to use scapy for scanning purposes. Part of the Cybersecurity classes at: https://h4cker.org

This tool supports TCP Connect Scans, Stealth Scans, XMAS Scans, FIN Scans, NULL Scans, ACK Flag Scans, Window Scans, and UDP Scans.

usage: scapy_stealth_scan.py [-h] [-p] [-pl] [-pr] [-t] target

************************************************************
   	"""
    print bannerTxt


def main():
    parser = argparse.ArgumentParser(description=banner())
    parser.add_argument("target", help="Target address")
    parser.add_argument("-p", metavar="", help="Single port e.g. 80")
    parser.add_argument("-pl", metavar="", help="Port list e.g. 21,22,80")
    parser.add_argument("-pr", metavar="", help="Port range e.g. 20-30")
    parser.add_argument("-t", metavar="", type=int, default=2, help="Timeout value (default 2)")
    args = parser.parse_args()
    target = args.target

    ports = []
    if args.p:
            p = args.p
            ports.append(p)
    if args.pl:
            pl = (args.pl).split(",")
            ports += pl
    if args.pr:
            pr = (args.pr).split("-")
            pr.sort()
            pr_item1 = int(pr[0])
            pr_item2 = int(pr[1])+1
            new_pr = range(pr_item1,pr_item2,1)
            ports += new_pr

    timeout = int( args.t)

    if(not len(ports)>0):
            print "No ports specified.\nUse -h or --help to see the help menu"
            exit(0)

    ports = list(set(ports))
    new_ports=[]
    for item in ports:
            new_ports.append(int(item))
    ports = new_ports
    ports.sort()

    start(target,ports,timeout)

if __name__ == "__main__":
    main()