- 一、系统监控psutil
- 1.1 cpu监控
- 1.2 内存
- 1.3 磁盘
- 1.4 进程
- 1.4.1 进程查询
- 1.4.2 进程修改
- 二、网络嗅探器scapy
- 2.1 命令行操作
- 2.2 数据报构造简介
- 2.2.1 按层构建数据报
- 2.2.2 发送数据报
- 2.3 ARP扫描网段存活主机
- 三、使用python-nmap
- 3.1 nmap命令
- 3.2 python-nmap
- 安装:pip3 install psutil
- 代码示例
In [1]: import psutil # 获取cpu逻辑个数 In [2]: psutil.cpu_count() Out[2]: 2 # 获取cpu物理个数 In [3]: psutil.cpu_count(logical=False) Out[3]: 2 # cpu使用百分比 In [4]: psutil.cpu_percent() Out[4]: 11.7
- 代码示例
# 获取内存的所有信息 In [1]: psutil.virtual_memory() Out[1]: svmem(total=1927233536, available=1256218624, percent=34.8, used=403361792, free=166739968, active=699125760, inactive=532242432, buffers=2154496, cached=1354977280, shared=75677696, slab=409309184) # 获取交换内存 In [2]: psutil.swap_memory() Out[2]: sswap(total=2147479552, used=532480, free=2146947072, percent=0.0, sin=0, sout=434176) # 获取内存使用率 In [3]: psutil.virtual_memory().percent Out[3]: 34.8
- 代码示例
# 获取磁盘分区及挂载点 In [1]: psutil.disk_partitions() Out[1]: [ sdiskpart( device='/dev/mapper/centos-root', mountpoint='/', fstype='xfs', opts='rw,relatime,attr2,inode64,noquota', maxfile=255, maxpath=4096 ), ... ] # 通过挂载点查看磁盘使用情况:单位字节 In [2]: psutil.disk_usage("/") Out[2]: sdiskusage(total=53660876800, used=4668542976, free=48992333824, percent=8.7) # 通过挂载点查看磁盘使用率 In [3]: psutil.disk_usage("/").percent Out[3]: 8.7
-
查询列表
功能 写法 功能 写法 所有进程的PID列表 psutil.pids() 进程生成器(见下演示) psutil.process_iter() 进程名 p.name() 进程的可执行绝对路径 p.exe() 进程当前的工作目录 p.cwd() 调用此进程的命令行 p.cmdline() 进程PID p.pid 进程的父PID p.ppid() 进程的子进程 p.children() 进程的父进程(对象) p.parent() 进程的父进程(列表) p.parents() 进程的状态 p.status() 拥有该进程的用户 p.username() 进程创建的时间 p.create_time() 进程累计的时间 p.cpu_times() 进程的CPU占用率 p.cpu_percent() 进程的CPU亲和性 p.cpu_affinity() 进程的内存信息 p.memory_info() 进程的内存占用率 p.memory_percent() 进程映射的内存区域 p.memory_maps() 进程的I/O信息 p.io_counters() 进程打开的文件信息 p.open_files() 进程打开的套接字连接 p.connections() 进程使用的线程数 p.num_threads() 进程打开的线程 p.threads() 进程执行的上下文切换数量 p.num_ctx_switches() 进程的优先级(带参可设优先级) p.nice() 进程的I/O优先级(带参可设优先级) p.ionice() 进程的环境变量 p.environ() 进程信息(字典) p.as_dict() 进程是否正在运行 p.is_running() -
效果演示
In [1]: import psutil In [2]: pid_list = psutil.pids() In [3]: print("所有进程的PID列表:",pid_list) 所有进程的PID列表:[1, 2, 3, 5, 6, 7, 8, 9, 10, 11, 12, .....] In [4]: p = psutil.Process(18449) In [5]: print(p) psutil.Process(pid=18449, name='top', status='sleeping', started='09:24:28') In [6]: print("进程名:", p.name()) 进程名: top In [7]: print("进程的可执行绝对路径:", p.exe()) 进程的可执行绝对路径: /usr/bin/top In [8]: print("进程当前的工作目录:", p.cwd()) 进程当前的工作目录: /root In [9]: print("调用此进程的命令行:", p.cmdline()) 调用此进程的命令行: ['top'] In [10]: print("进程PID:", p.pid) 进程PID: 18449 In [11]: print("进程的父PID:", p.ppid()) 进程的父PID: 18272 In [12]: print("进程的子进程:", p.children()) 进程的子进程: [] In [13]: print("进程的父进程(对象):", p.parent()) 进程的父进程(对象): psutil.Process(pid=18272, name='bash', status='sleeping', started='09:24:26') In [14]: print("进程的父进程(列表):", p.parents()) 进程的父进程(列表): [psutil.Process(pid=18272, name='bash', status='sleeping', started='09:24:26'), ...] In [15]: print("进程的状态:", p.status()) 进程的状态: sleeping In [16]: print("拥有该进程的用户:", p.username()) 拥有该进程的用户: root In [17]: print("进程创建的时间:", p.create_time()) 进程创建的时间: 1655342668.64 In [18]: print("进程进驻cpu累计的时间:", p.cpu_times()) 进程进驻cpu累计的时间: pcputimes(user=0.73, system=1.29, children_user=0.0, children_system=0.0, iowait=0.0) In [19]: print("进程的CPU占用率:", p.cpu_percent()) 进程的CPU占用率: 0.0 In [20]: print("进程的CPU亲和性:", p.cpu_affinity()) 进程的CPU亲和性: [0, 1] In [21]: print("进程的内存信息:", p.memory_info()) 进程的内存信息: pmem(rss=3133440, vms=166739968, shared=1622016, text=98304, lib=0, data=1937408, dirty=0) In [22]: print("进程的内存占用率:", p.memory_percent()) 进程的内存占用率: 0.1625874571746763 In [23]: print("进程映射的内存区域:", p.memory_maps()) 进程映射的内存区域: [pmmap_grouped(path='/usr/bin/top', rss=94208, size=110592, pss=94208, shared_clean=0, shared_dirty=0, private_clean=81920, private_dirty=12288, referenced=94208, anonymous=12288, swap=0), ...] In [24]: print("进程的I/O信息:", p.io_counters()) 进程的I/O信息: pio(read_count=54669, write_count=2169, read_bytes=0, write_bytes=0, read_chars=7752773, write_chars=4272652) In [25]: print("进程打开的文件信息:", p.open_files()) 进程打开的文件信息: [popenfile(path='/proc/stat', fd=4, position=1250, mode='r', flags=32768), ...] In [26]: print("进程打开的套接字连接:", p.connections()) 进程打开的套接字连接: [] In [27]: print("进程使用的线程数:", p.num_threads()) 进程使用的线程数: 1 In [28]: print("进程打开的线程:", p.threads()) 进程打开的线程: [pthread(id=18449, user_time=0.74, system_time=1.31)] In [29]: print("进程执行的上下文切换数量:", p.num_ctx_switches()) 进程执行的上下文切换数量: pctxsw(voluntary=706, involuntary=676) In [30]: print("进程的优先级(带参数则可设置优先级):", p.nice()) 进程的优先级(带参数则可设置优先级): 0 In [31]: print("进程的I/O优先级(带参数则可设置优先级):", p.ionice()) 进程的I/O优先级(带参数则可设置优先级): pionice(ioclass= -
迭代查找指定属性进程
# 方法一:指定属性格式 In [35]: for p in psutil.process_iter(attrs=['pid', 'name']): ...: if 'top' in p.info['name']: ...: print(p.info) ...: {'name': 'top', 'pid': 18449} # 方法二:万金流方法 In [36]: for p in psutil.process_iter(): ...: if 'top' == p.name(): ...: print(p.pid) ...: 18449
- 操作
# 暂停挂起进程 p.suspend() # 恢复进程 p.resume() # 结束进程:正常结束并退出进程,包括依次结束子进程等 p.terminate() # 强制结束进程:暴力结束进程,不管子进程 p.kill()
- 概述:使用scary可以发送、嗅探、剖析和伪造网络数据报,直接操作网络二三四层数据报
- 安装:pip3 install scapy
- 显示scapy命令及配置
[root@localhost ~]# scapy # 显示支持的协议 >>> ls() # 显示支持的命令 >>> lsc() # 显示所有配置信息 >>> conf # 显示命令的帮助信息 >>> help(sniff) # 查看协议包含的参数 >>> ls(TCP) sport : ShortEnumField = ('20') dport : ShortEnumField = ('80') seq : IntField = ('0') ack : IntField = ('0') dataofs : BitField (4 bits) = ('None') reserved : BitField (3 bits) = ('0') flags : FlagsField = ('') window : ShortField = ('8192') chksum : XShortField = ('None') urgptr : ShortField = ('0') options : TCPOptionsField = ("b''") - 查询网卡信息
>>> show_interfaces() Source Index Name MAC IPv4 IPv6 sys 1 lo 00:00:00:00:00:00 127.0.0.1 ::1 sys 2 eth0 02:11:31:20:b7:70 192.168.1.110 fe80::3381:a2a6:492f:5757 sys 3 zttftqv4vg 8e:b2:2b:5b:34:4c 10.10.10.10 fe80::8cb2:3bff:fe2b:344c sys 4 br-4913d28cc615 02:42:c2:38:a8:2b 172.19.0.1 sys 5 br-4c5033b4000b 02:42:21:a8:68:1b 172.18.0.1 sys 6 docker0 02:42:22:22:ce:d3 172.17.0.1
- 获取路由表
# scapy内本机路由表(centos通过命令route -n查看) >>> conf.route Network Netmask Gateway Iface Output IP Metric 0.0.0.0 0.0.0.0 192.168.1.1 eth0 192.168.1.120 100 127.0.0.0 255.0.0.0 0.0.0.0 lo 127.0.0.1 1 192.168.1.0 255.255.255.0 0.0.0.0 eth0 192.168.1.120 100 # 增加路由(不会修改主机路由表,退出scapy也恢复主机路由表) >>> conf.route.add(net="192.168.2.0/24",gw="192.168.1.2") >>> conf.route Network Netmask Gateway Iface Output IP Metric 0.0.0.0 0.0.0.0 192.168.1.1 eth0 192.168.1.120 100 127.0.0.0 255.0.0.0 0.0.0.0 lo 127.0.0.1 1 192.168.1.0 255.255.255.0 0.0.0.0 eth0 192.168.1.120 100 192.168.2.0 255.255.255.0 192.168.1.2 eth0 192.168.1.120 1 # 删除路由:恢复原状(不会修改主机路由表) >>> conf.route.delt(net="192.168.2.0/24",gw="192.168.1.2")
- 代码示例
# 网络二层:链路层 >>> l2 = Ether() # 网络三层:网络层 IP协议 >>> l3 = IP(dst='192.168.1.1/30') # 网络四层:传输层 TCP协议,半开扫描(SYN)的办法,标识‘S’ >>> l4 = TCP(dport=22, flags = 'S') # 组合数据报:各层从下向上用/组合数据报,未写scapy自动补充 >>> packet = l2/l3/l4 # 显示 层数据报 的报头信息 >>> l2.show() ###[ Ethernet ]### dst = ff:ff:ff:ff:ff:ff src = 02:11:32:20:b7:70 type = LOOP >>> l3.show() ###[ IP ]### version = 4 ihl = None tos = 0x0 len = None id = 1 flags = frag = 0 ttl = 64 proto = hopopt chksum = None src = 192.168.1.120 dst = Net("192.168.1.1/30") options >>> l4.show() ###[ TCP ]### sport = ftp_data dport = ssh seq = 0 ack = 0 dataofs = None reserved = 0 flags = S window = 8192 chksum = None urgptr = 0 options = ''
- send发送(第三层网络层发送,不接收响应)
# 从第三层网络层发送一个数据报:若192.168.1.1/24,则每个ip发一个数据报 # 目标地址本机,发送一个icmp包,不接收响应数据包 # 每个点为一个数据报 >>> send(IP(dst="127.0.0.1")/ICMP()) . Sent 1 packets. --------------------------------------------------------------- # 目标地址本机80端口,发送10个tcp包,不接收响应数据包 >>> send(IP(dst='127.0.0.1')/TCP(dport=80, flags='S'), count=10) .......... Sent 10 packets. --------------------------------------------------------------- # 目标地址本机80端口,循环发送tcp包,不接收响应数据包,知道Ctrl+C退出 >>> send(IP(dst='127.0.0.1')/TCP(dport=80, flags='S'), loop=1) .......................^C Sent 22 packets.
功能:网络攻击用的,只负责发,不关心响应,目的为耗尽靶机网络资源
- sendp发送(第二层链路层发送,不接收响应)
# 用法同send():唯一区别在于从第二层链路层发送数据报 # TTL是IP数据包在计算机网络中可以转发的最大跳数,此处元组代表5,6,7 # iface:网卡名称 # inter:数据报发送间隔0.2秒 >>> sendp(Ether()/IP(dst="8.8.8.8",ttl=(5,7)), iface="eth0", inter=0.2) ... Sent 3 packets.
- sr发送(第三层网络层发送,接收响应)
# 第三层网络层发送数据包并接收响应 # sr函数返回:响应列表ans,未响应列表unans >>> ans,unans = sr(IP(dst="159.75.78.150")/TCP(dport=[21,22,23])) Begin emission: Finished sending 3 packets. .....*............^C Received 54 packets, got 1 answers, remaining 2 packets # 显示数据包简短的摘要 >>> ans.summary() IP / TCP 192.168.1.120:ftp_data > 159.75.78.150:ssh S ==> IP / TCP 159.75.78.150:ssh > 192.168.1.120:ftp_data SA / Padding >>> unans.summary() IP / TCP 192.168.1.120:ftp_data > 159.75.78.150:ftp S IP / TCP 192.168.1.120:ftp_data > 159.75.78.150:telnet S
- sr1发送(第三层网络层发送,接收且仅接收第一个响应)
>>> p=sr1(IP(dst="www.baidu.com")/ICMP()) Begin emission: Finished sending 1 packets. ...* Received 4 packets, got 1 answers, remaining 0 packets >>> p.summary() 'IP / ICMP 183.232.231.174 > 192.168.1.120 echo-reply 0 / Padding'
- srloop发送(循环发送,随发随显)
>>> srloop(IP(dst='192.168.1.102')/ICMP()) RECV 1: IP / ICMP 192.168.1.102 > 192.168.1.120 echo-reply 0 / Padding RECV 1: IP / ICMP 192.168.1.102 > 192.168.1.120 echo-reply 0 / Padding ^C Sent 10 packets, received 10 packets. 100.0% hits. (
- scan_pc.py
#!/usr/bin/python3 # -*- coding=utf-8 -*- # 局域网主机扫描器 使用ARP扫描 from scapy.all import * from scapy.layers.l2 import Ether, ARP def arp_scan(ifname, network): # 构造数据包:Ether()层可以省略构造内容,此为默认值,可写上加快速度 p = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=network) / "text" # srp()用于第二层链路层发送和接收数据包:arp # 数据包发送后:ans有响应主机,unans没有响应主机,五秒后统计结果 ans, unans = srp(p, iface=ifname, timeout=5, verbose=False) print("共扫描{}个主机,{}个主机响应".format(len(unans), len(ans))) result = [] # ans是元组的形式,可以测试ans[0],发现结果是元组的形式 for s, r in ans: # 把目标的IP以及MAC地址加入到新的列表 result.append([r[ARP].psrc, r[ARP].hwsrc]) result.sort() # 对列表进行排序 # 遍历列表,打印ip以及对应的mac地址 for ip, mac in result: print("{}--->{}".format(ip, mac)) if __name__ == '__main__': print(show_interfaces()) print("若报错OSError,请从上面选择相应网段的网卡名回填程序eth_name变量") eth_name = "Realtek PCIe GbE Family Controller" arp_scan(eth_name, '192.168.1.0/24') - 运行:python3 scan_pc.py
测试指定PC是否存活: python3 main.py | grep 192.168.1.134
- 返回
Source Index Name MAC IPv4 libpcap 16 Realtek PCIe GbE Family Controller 1c:2b:0d:3d:48:52 192.168.1.102 若报错OSError,请从上面选择相应网段的网卡名回填程序eth_name变量 共扫描171个主机,85个主机响应 192.168.1.1--->f2:2c:23:bf:02:82 192.168.1.102--->1c:1b:1d:1d:18:12 192.168.1.107--->3c:3d:3b:38:3a:38
- 概述:主要用于扫描,安装yum install nmap,以下在centos下测试
- 扫描1000个常用端口
# SYN扫描,使用最频繁,安全,快 >>> nmap -sS 192.168.1.102 # 扫描指定端口:nmap -sS 192.168.1.102 -p 80,443 Starting Nmap 6.40 ( http://nmap.org ) at 2022-06-17 10:05 CST Nmap scan report for 192.168.1.102 Host is up (0.00032s latency). Not shown: 995 closed ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1026/tcp open LSA-or-nterm 2179/tcp open vmrdp MAC Address: 1C:1B:0D:3D:88:11 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
- ping方式检测局域网主机
# 不进行端口扫描:会发送四种报文确定目标是否存活 >>> nmap -sn 192.168.1.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2022-06-17 10:10 CST Nmap scan report for 192.168.1.1 Host is up (0.00049s latency). MAC Address: F8:8C:21:BF:01:81 (Unknown) Nmap scan report for 192.168.1.6 Host is up (0.00054s latency). MAC Address: F4:B5:20:14:45:1F (Unknown) Nmap scan report for 192.168.1.7 Host is up (0.00081s latency). MAC Address: 48:4D:7E:C1:62:A0 (Unknown) ... Nmap done: 256 IP addresses (93 hosts up) scanned in 7.67 seconds
- 概述:封装nmap命令,安装pip3 install python-nmap(需先安装nmap命令)
- 单语句结果测试
In [1]: import nmap # 构造PortScanner对象 In [2]: nm = nmap.PortScanner() # scan( host , port , args ) 方法:以指定方式扫描指定主机或网段的指定端口 # 返回结果字典汇总信息: # ip写法:192.168.1.1-50 或 192.168.1.1/24,默认127.0.0.1 # 端口写法:22,80,443 或 22-80 或 22-80,443,默认None # arguments:默认-sV,其他同nmap # 其余参数:sudo=False, timeout=0 In [3]: nm.scan('192.168.1.120', '1-1000') Out[3]: {'nmap': {'command_line': 'nmap -oX - -p 1-1000 -sV 192.168.1.120', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-1000'}}, 'scanstats': {'timestr': 'Fri Jun 17 10:20:26 2022', 'elapsed': '89.73', 'uphosts': '1', 'downhosts': '1', 'totalhosts': '2'}}, 'scan': {'192.168.1.120': {'hostnames': [{'name': '', 'type': ''}], 'addresses': {'ipv4': '192.168.1.120'}, 'vendor': {}, 'status': {'state': 'up', 'reason': 'localhost-response'}, 'tcp': {22: {'state': 'open', 'reason': 'syn-ack', 'name': 'ssh', 'product': 'OpenSSH', 'version': '7.4', 'extrainfo': 'protocol 2.0', 'conf': '10', 'cpe': 'cpe:/a:openbsd:openssh:7.4'}, 80: {'state': 'filtered', 'reason': 'no-response', 'name': 'http', 'product': '', 'version': '', 'extrainfo': '', 'conf': '3', 'cpe': ''}, 111: {'state': 'open', 'reason': 'syn-ack', 'name': 'rpcbind', 'product': '', 'version': '2-4', 'extrainfo': 'RPC #100000', 'conf': '10', 'cpe': ''}}}}} # 返回scan语句翻译成nmap命令的写法 In [4]: nm.command_line() Out[4]: 'nmap -oX - -p 1-1000 -sV 192.168.1.120,110' # 返回nmap扫描参数信息:格式为字典类型 In [5]: nm.scaninfo() Out[5]: {'tcp': {'method': 'syn', 'services': '1-1000'}} # 获取存活主机列表 In [6]: nm.all_hosts() Out[6]: ['192.168.1.120'] # 返回被扫描主机状态:判断是否存活 In [7]: nm['192.168.1.120'].state() Out[7]: 'up' # 返回被扫描主机所有打开端口支持的协议列表 In [8]: nm['192.168.1.120'].all_protocols() Out[8]: ['tcp'] # 返回被扫描主机tcp协议字典里的键 In [9]: nm['192.168.1.120']['tcp'].keys() Out[9]: dict_keys([22, 80, 111]) # 返回被扫描主机tcp协议打开的端口80的详细信息 In [10]: nm['192.168.1.120']['tcp'][80] Out[10]: {'state': 'filtered', 'reason': 'no-response', 'name': 'http', 'product': '', 'version': '', 'extrainfo': '', 'conf': '3', 'cpe': ''} # 复杂nmap参数写法:参照nmap命令 In [11]: nm.scan(hosts='192.168.1.0/24', arguments='-n -sP -PE -PA21,23,80,3389') '192.168.1.38': {'hostnames': [{'name': '', 'type': ''}], 'addresses': {'ipv4': '192.168.1.38', 'mac': '08:00:37:FB:76:49'}, 'vendor': {'08:00:37:FB:76:49': 'Fuji-xerox CO.'}, 'status': {'state': 'up', 'reason': 'arp-response'}}, - 扫描局域网存活主机
import nmap nm = nmap.PortScanner() nm.scan(hosts = '192.168.1.0/24', arguments='-n -sP -PE') up_hosts = nm.all_hosts() for i in up_hosts: print(up_hosts) # 打印输出 >>> 192.168.1.80 >>> 192.168.1.81
- 扫描单个主机打开端口
import nmap nm = nmap.PortScanner() nm.scan('127.0.0.1', '22-80,443') # 获取所有tcp协议的端口 ports_tcp = nm['127.0.0.1'].all_tcp() print(ports_tcp ) # 打印输出 >>> [22, 80] # 按协议输出:协议名nm['127.0.0.1'].all_protocols()获取 for i in nm['127.0.0.1']['tcp'].keys(): print(i) # 打印输出 >>> 22 >>> 80其他信息参见本节:单语句结果测试
回到总目录
