Portscan all the things! PyCon CZ 2018


  1. @JirkaV, PyCon CZ 2018: Portscan all the things! (fast, distributed and effective)
  2. About (TL;DR): “Senior Red Team Analyst” (read: hacker); 13 years of hacking $BIGCORPs*; Python user since Python 2.4 (*at their request)
  3. Portscan? Why? “Our perimeter is secure”
  4. Portscan? Why? “Our perimeter is secure” “No, we don’t know what it looks like exactly”
  5. Portscan? Why? “Our perimeter is secure” “No, we don’t know what it looks like exactly” Trust, but verify
  6. “Port”? 8.8.8.8, 8.8.4.4, 9.9.9.9, 1.1.1.1, http://www.python.org, https://www.python.org
  7. “Port”? 8.8.8.8:53, 8.8.4.4:53, 9.9.9.9:53, 1.1.1.1:53, http://www.python.org:80, https://www.python.org:443. Ports range from 1 to 65535
  8. Port Facts: Each open port is being serviced by a program
  9. Port Facts: Each open port is being serviced by a program. Which might be misconfigured or vulnerable
  10. Port Facts: Each open port is being serviced by a program. Which might be misconfigured or vulnerable. It might leak data or provide access to inner network
  11. Port Facts: Each open port is being serviced by a program. It might be misconfigured or vulnerable. It might leak data or provide access to inner network. We need to find it and check it
  12. Closed Port
  13. Open Port
  14. Open Port
  15. The “handshake”: Hey!
  16. The “handshake”: Go away! Hey!
  17. The “handshake”: Hey, you! You! Hey!
  18. The Bad: A lot of ports to check (16 million for a “small” perimeter)
  19. The Bad: A lot of ports to check (16 million for a “small” perimeter). Tools / HW appliances for detecting scans
  20. The Bad: A lot of ports to check (16 million for a “small” perimeter). Tools / HW appliances for detecting scans. No clear indication if ports are closed or we’re being blocked
  21. The Good
  22. The Good: >>> import antigravity* (*not really)
  23. The Good:

      ```python
      >>> import socket
      >>> import multiprocessing
      >>> import queue
      ```
  24. Distributed Port Scanner: 127.0.0.14:8723, 127.0.0.61:11319, 127.0.0.113:12121, 127.0.0.109:4138, ...; 127.0.0.14:8723-CLOSED, 127.0.0.61:11319-CLOSED, 127.0.0.113:12121-OPEN, 127.0.0.109:4138-CLOSED, ...
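  25. The Worker

      ```python
      import socket

      def probe(ip, port):
          """Return True if a TCP connection to ip:port succeeds within 3 seconds."""
          s = socket.socket()
          s.settimeout(3)
          try:
              s.connect((ip, port))
              return True
          except OSError:
              # ConnectionError and socket.timeout are both subclasses of OSError
              return False
          finally:
              # Release the socket on failure as well as on success
              s.close()
      ```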
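  26. The Worker

      ```python
      from multiprocessing.managers import BaseManager

      SERVER_IP = "127.0.0.1"  # placeholder: address of the queue server
      PORT = 50000             # placeholder: port the queue server listens on

      class QueueManager(BaseManager):
          pass

      # The worker only needs the names of the queues the server exposes
      QueueManager.register("targets_queue")
      QueueManager.register("results_queue")

      manager = QueueManager(address=(SERVER_IP, PORT))
      manager.connect()
      input_q = manager.targets_queue()
      results_q = manager.results_queue()

      while True:
          ip, port = input_q.get()
          result = probe(ip, port)
          results_q.put((ip, port, result))
      ```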
  27. Real World Scanner: ~0.5 million checks per day by a single machine (30 scanner processes)
  28. Questions? https://github.com/JirkaV/PyConCZ_2017
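
An added example, not taken from the slides or the speaker's repository: the "Trust, but verify" step applied to result lines in the `ip:port-STATE` format of slide 24, comparing what was found open against what is meant to be exposed. The inventory `EXPECTED_OPEN`, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the "ip:port-STATE" format shown on slide 24.
SAMPLE_RESULTS = """\
127.0.0.14:8723-CLOSED
127.0.0.61:11319-CLOSED
127.0.0.113:12121-OPEN
127.0.0.109:4138-CLOSED
127.0.0.14:443-OPEN
127.0.0.61:70000-OPEN
not a result line
"""

# Hypothetical inventory of services that are meant to be exposed.
EXPECTED_OPEN = {("127.0.0.14", 443), ("127.0.0.109", 4138)}


def parse_result(line):
    """Parse 'ip:port-STATE' into (ip, port, is_open); raise ValueError if malformed."""
    target, sep, state = line.strip().rpartition("-")
    ip, colon, port_text = target.rpartition(":")
    if not sep or not colon or state not in ("OPEN", "CLOSED"):
        raise ValueError(f"unrecognised result line: {line!r}")
    ipaddress.IPv4Address(ip)          # raises ValueError on a bad address
    port = int(port_text)              # raises ValueError on a non-number
    if not 1 <= port <= 65535:         # port range from slide 7
        raise ValueError(f"port out of range: {line!r}")
    return ip, port, state == "OPEN"


def audit(results_text, expected_open):
    """Compare scan results with the inventory of intended exposure."""
    seen_open, rejected = set(), []
    for line in results_text.splitlines():
        if not line.strip():
            continue
        try:
            ip, port, is_open = parse_result(line)
        except ValueError:
            rejected.append(line)
            continue
        if is_open:
            seen_open.add((ip, port))
    return {
        "unexpected_open": sorted(seen_open - expected_open),
        # Not OPEN may mean closed or filtered (slide 20); re-check these by hand.
        "expected_not_open": sorted(expected_open - seen_open),
        "rejected": rejected,
    }
```

Calling `audit(SAMPLE_RESULTS, EXPECTED_OPEN)` returns the three lists; entries under `unexpected_open` are the ones that need an owner and a justification.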
