For more information about Berkeley sockets, see the Wikipedia page.
For instance, anyone who writes a client/server TCP application has to follow the call sequence shown in the following flowchart.
The methods and functions that most of today's programming languages use for socket programming are presented in the illustration above. Network programming books explain how these methods work and how to build network programs in Python or any other language.
Covering socket programming in Python properly would be too cumbersome to read in a single post, so instead I prefer to write a simple program that does some sneaky information gathering over the network. This program collects information about open ports on a local or remote machine. As you surely know, many well-known ports are used by well-known services and programs, so we list them, keyed by port number, in a dictionary. Each connection attempt may take several seconds or even minutes, so we set a timeout on the socket object. In this code two functions get the work done: check_port tries to connect to a port, and if the result indicates the port is open, get_service looks up what that port is normally used for. This is a sample of running the code.
For further investigation you can modify the code in any way, or parallelize it to speed it up.
#!/usr/bin/python
# developed by Mansoor (manz@digitz.org)
# insecurebytes.blogspot.com
import socket
import sys
import time

host = "127.0.0.1"
ip = socket.gethostbyname(host)
openports = []
common_ports = {
    '21': 'FTP', '22': 'SSH', '23': 'TELNET', '25': 'SMTP', '53': 'DNS',
    '69': 'TFTP', '80': 'HTTP', '109': 'POP2', '110': 'POP3', '123': 'NTP',
    '137': 'NETBIOS-NS', '138': 'NETBIOS-DGM', '139': 'NETBIOS-SSN',
    '143': 'IMAP', '156': 'SQL-SERVER', '389': 'LDAP', '443': 'HTTPS',
    '546': 'DHCP-CLIENT', '547': 'DHCP-SERVER', '995': 'POP3-SSL',
    '993': 'IMAP-SSL', '2086': 'WHM/CPANEL', '2087': 'WHM/CPANEL',
    '2082': 'CPANEL', '2083': 'CPANEL', '3306': 'MYSQL', '8443': 'PLESK',
    '10000': 'VIRTUALMIN/WEBMIN', '135': 'unknown'
}

starting_time = time.time()
print("+" * 40)
print("\tSimple Port Scanner..!!!")
print("+" * 40)
print("Scanning started at %s" % time.strftime("%I:%M:%S %p"))


def check_port(host, port, result=1):
    # connect_ex() returns 0 when the TCP handshake completed and an errno
    # otherwise; the 0.5 s timeout keeps a filtered port from stalling the scan
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(0.5)
        r = sock.connect_ex((host, port))
        if r == 0:
            result = r
        sock.close()
    except OSError:
        pass
    return result


def get_service(port):
    # look the port up in the well-known list; 0 means "not in our table"
    port = str(port)
    if port in common_ports:
        return common_ports[port]
    else:
        return 0


try:
    print("Scan in progress..")
    print("Connecting to Port: ", end="")
    # sort numerically; the keys are strings, so a plain sort would put 10000 first
    for p in sorted(common_ports, key=int):
        p = int(p)
        print(p, end=" ")
        response = check_port(ip, p)
        if response == 0:
            openports.append(p)
    print("\nScanning completed at %s" % time.strftime("%I:%M:%S %p"))
    ending_time = time.time()
    total_time = ending_time - starting_time
    print("=" * 40)
    print("\tScan Report: %s" % ip)
    print("=" * 40)
    total_time = str(round(total_time, 2))
    print("Scan Took %s seconds" % total_time)
    if openports:
        print("Open Ports: ")
        for i in sorted(openports):
            service = get_service(i)
            if not service:
                service = "Unknown service"
            print("\t%s %s: Open" % (i, service))
    else:
        print("Sorry, No open ports found")
except KeyboardInterrupt:
    sys.exit(1)
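The client/server call sequence from the flowchart and the connect_ex() probe that check_port relies on, run together on loopback as an added example that is not part of the original post: a throwaway echo server on an OS-chosen port, a client that completes the exchange, and a probe that reports the port open while the listener is up and closed for a port nobody is bound to. The function names and the constructed message are my own.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only: both ends of the exchange live in this process

def start_echo_server(max_clients=1):
    """Server side of the flowchart: socket -> bind -> listen -> accept -> recv/send -> close.
    Port 0 lets the OS pick a free port; it is returned so the client knows where to connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    def serve():
        for _ in range(max_clients):
            conn, _addr = srv.accept()
            with conn:
                data = conn.recv(1024)
                if data:  # a probe that connects and closes at once sends nothing
                    conn.sendall(data)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def echo_client(port, message):
    """Client side: socket -> connect -> send -> recv -> close (done by the context manager)."""
    with socket.create_connection((HOST, port), timeout=2) as cli:
        cli.sendall(message)
        return cli.recv(1024)

def port_state(host, port, timeout=0.5):
    """The probe the scanner relies on: connect_ex() returns 0 once the three-way
    handshake completes and an errno (e.g. ECONNREFUSED) otherwise; the timeout
    bounds how long a silently filtered port can hold up the caller."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return "open" if sock.connect_ex((host, port)) == 0 else "closed"

def unused_port():
    """Bind to port 0, read the port the OS chose, and release it again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((HOST, 0))
        return tmp.getsockname()[1]

if __name__ == "__main__":
    port = start_echo_server(max_clients=2)
    print(port, port_state(HOST, port))          # open: the listener is accepting
    print(echo_client(port, b"hello socket"))     # b'hello socket'
    print(port_state(HOST, unused_port()))        # closed: nobody is listening there
```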