曾经写过一个很粗糙的扫描程序(perl coded)
时间:2005-09-30 来源:ocean2000
#! /usr/bin/perl
use IO::Socket;
use Socket;
use Net::Ftp;
use Net::POP3;
# Banner string shown by menu().  The script runs without strict/warnings,
# so this and nearly every other variable on the page is a package global.
# The trailing spaces inside the string literals on this page look like
# newlines ("\n") lost in extraction; they are kept as they appear.
$version = " ITS_SCAN v1.0测试版 ";
# Entry point: the interactive main menu drives everything else.
&menu();
# Interactive main menu.  Prints the banner and option list, reads one line
# from <> and dispatches on it.  The `()` prototype is irrelevant here
# because every caller uses `&menu()` / `&menu`, which bypass prototypes.
sub menu() {
print " ";
print "-------------------------- ";
print " $version ";
print "-------------------------- ";
print " Thank you for chossing ITS_SCAN ";
print " by ocean2000 of itaq.org ";
print " choose what you want to do: ";
print " 1) Cgi Scan ";
print " 2) Port Scan ";
print " 3) Password Crack ";
print " 4) Webdav Scan ";
print " 5) Help ";
print " 6) Exit ";
print "Command: ";
# chop() drops the last character unconditionally, so CRLF input keeps
# its "\r"; chomp is the usual choice for line input.
chop($selection=<>);
# `==` compares numerically: non-numeric input becomes 0 (with a warning)
# and matches nothing.  Only the last `if` owns the `else`, so after any
# of options 1-5 returns, that `else` re-enters menu() recursively; only
# option 6 actually leaves the process.
if($selection == "1") { &cgiscan() }
if($selection == "2") { &port() }
if($selection == "3") { &password() }
if($selection == "4") { &webdav() }
if($selection == "5") { &helpmessage()}
if($selection == "6") { &exitcgisonar() }
else { &menu() }
}
# CGI scan entry point: shows the CGI sub-menu.  The `sub` definitions
# nested inside this block are compiled as ordinary file-scoped named
# subs (Perl has no truly nested named subs); the nesting only affects
# reading order, not visibility.
sub cgiscan(){
# `&menu2;` with no parens passes the caller's current @_ on to menu2.
&menu2;
# CGI sub-menu: single host, a range of hosts, or back to the main menu.
sub menu2() {
print " ";
print "-------------------------------------- ";
print "please choose what you want to scan ";
print " 1) single host cgi ";
print " 2) multiply hosts cgi ";
print " 3) exit ";
print "-------------------------------------- ";
print "Command: ";
chop($s=<>);
# Only the `== "3"` test owns the `else`, so after option 1 or 2 returns
# the chain falls through to exitt() and the main menu is shown again.
if($s == "1") { &singlecgi() }
if($s == "2") { &multicgi() }
if($s == "3") { &exitx()}
else {&exitt;}
}
# Back to the main menu (exitx, defined inside port(), does the same).
sub exitt(){
&menu;}
# Prompts for host, port and whether hits should be appended to
# report.txt, runs singlecgiscan, then returns to the CGI sub-menu.
sub singlecgi(){
print " Host: ";
chop($host1=<>);
print "port: ";
chop($port1=<>);
print " Saved results to report.txt [yes or no]: ";
chop($store=<>);
&singlecgiscan("$host1","$port1","$store");
&menu2();}
# Requests every path listed in cgi.lst from $host:$port, one TCP
# connection per path, and reports a path when the first response line
# contains "200 OK" or "500".  A header line is always appended to
# report.txt; individual hits are appended only when $storelogs is
# "yes" or "y".
sub singlecgiscan() {
# 2-arg open on a bareword handle (the file name is a fixed literal here).
open(F,"cgi.lst") || die "can't open! ";
# NOTE(review): the readline from F looks stripped by extraction; as
# written this is not valid Perl, and nothing fills @cgi.
@cgi=;
close F;
my ($host,$port,$storelogs)=@_;
$number = 0;
print " ------------------------------------- ";
print "Checking $host for known exploits.... ";
open(G,">>report.txt") || die "can't open report.txt ";
print G "$host cgiscan result: ";
close G;
foreach $key (@cgi) {
print "scanning :$key ";
# A refused connection dies here and ends the whole program, rather
# than skipping the host.
my $connection = IO::Socket::INET->new(Proto =>'tcp',
PeerAddr =>$host,
PeerPort =>$port) || die "Sorry! Could not connect to $host ";
$connection -> autoflush(1);
# Raw HTTP/1.0 request line.  The request terminator appears to have
# been lost with the other newlines on this page, and $key is sent
# exactly as it was read from cgi.lst.
print $connection "GET $key HTTP/1.0 ";
my @check = <$connection>;
close $connection;
# @check[0] is a one-element slice (perl warns; $check[0] is meant).
# /500/ matches any status line containing "500", so a server error
# is counted as a hit too.
if(@check[0] =~/200 OK/ or @check[0]=~/500/) {
print "Exploit Found!: $key ";
$number++;
if($storelogs eq "yes" or $storelogs eq "y") {
open(GOTCHA, ">>report.txt") or die("Couldn‘t open report.txt for writing. Please make sure the file exists and is writable. ");
print GOTCHA "Exploit Found!: $key ";
close(GOTCHA);}
}
}
if($number == 0) { print "No exploitable holes found on host $host "; }
# "report.txt generated successfully" (zh) - printed regardless of
# whether anything was stored.
print "成功生成report.txt!:)~ ";
}
# Scans a single CGI path against a range of addresses.  The range is
# taken from two dotted quads; only the last octet varies.  Each address
# is pinged first (Windows-style `ping -n 2`), then probed the same way
# singlecgiscan does.
sub multicgi() {
print(" please enter startip ex:192.168.0.1: ");
chop($startip=<>) ;
# Unescaped `.` matches any character, so this is only a loose shape
# check; just the last octet ($4) of the start address is kept.
if($startip !~ /([0-9]+).([0-9]+).([0-9]+).([0-9]+)/){
die "Error: the ip is not in format ";}else{
$start=$4;}
print(" please enter endip ex:192.168.0.254:");
chop($endip=<>);
if($endip !~ /([0-9]+).([0-9]+).([0-9]+).([0-9]+)/){
die "Error: the ip is not in format ";}else{
$end=$4;}
# $1..$3 are still the captures from the *end* address match, so every
# generated address takes endip's first three octets, not startip's.
# @ip[...] is a one-element slice used as an element ($ip[...] is meant),
# and $a is also sort()'s package variable.
for ($a=$start;$a<=$end;$a++){
@ip[$a-$start]="$1.$2.$3.$a";
}
print " port: ";
chop($port=<>);
# "Enter the cgi to scan, e.g. /*.ida" (zh).
print "请输入要扫描的cgi ex:/*.ida : ";
chop($key=<>);
H:foreach $ip (@ip){
# 2-arg pipe open: the (loosely validated) address is interpolated into
# the ping command line.
# NOTE(review): the readline from F in the next statement looks stripped
# by extraction; as written `$line=;` is not valid Perl.
open(F,"ping $ip -n 2 |") || die "can't ping ! ";
$line=;
sleep 1;
if ($line=~/100% loss/){ next;}
else {
$host =$ip;
print " ------------------------------------- ";
print "Checking $host for the exploits of $key.... ";
open(G,">>report.txt") || die "can't open report.txt ";
print G "$host cgiscan result: ";
close G;
# On connect failure `|| {&next1}` evaluates a brace construct (perl has
# to guess hash vs block) that calls next1(), which does `next H` from
# inside a sub; perl warns "Exiting subroutine via next" for that.
my $connection = IO::Socket::INET->new(Proto =>'tcp',
PeerAddr =>$host,
PeerPort =>$port) || {&next1} ;
$connection -> autoflush(1);
print $connection "GET $key HTTP/1.0 ";
my @check = <$connection>;
close $connection;
if(@check[0] =~/200 OK/ or @check[0] =~/500/) {
print "Exploit Found!: $key ";
# $storelogs is never assigned in this sub (singlecgiscan's is lexical
# to it), so this branch runs only if the global was set elsewhere.
if($storelogs eq "yes" or $storelogs eq "y") {
open(GOTCHA, ">>report.txt") or die("Couldn‘t open report.txt for writing. Please make sure the file exists and is writable. ");
print GOTCHA "Exploit Found!: $key ";
close(GOTCHA);}
}
}
}
&menu2;
# Skips to the next address of the H: loop above (see the note there).
sub next1(){
next H ;}
}
&menu;
}
# WebDAV method check (credited to SensePost).  Sends a HEAD request to
# the target, stops unless the Server header says IIS 5.0, then sends one
# request per entry in @methods and reports those the server does not
# explicitly reject.  Output goes to STDOUT only; nothing is written to
# report.txt here.
sub webdav(){
print "----------------------------------------------- ";
print "SensePost Research ";
print "[email protected] ";
print "debuged by [email protected] ";
print "please enter the host and port ex:127.0.0.1 80 ";
print "----------------------------------------------- ";
# Unbuffered STDOUT for the progress output.
$|=1;
@methods = ("PROPFIND","PROPPATCH","MCOL","PUT","DELETE","LOCK","UNLOCK");
print "the host: ";
chop($target=<>);
print "the port: ";
chop($port=<>);
print "Testing WebDAV methods [$target $port] ";
@results=sendraw2("HEAD / HTTP/1.0 ",$target,$port,15);
# Fewer than two response lines (which includes sendraw2's one-element
# "Timeout"/"0" returns) is treated as a timeout.
if ($#results < 1){die "15s timeout to $target on port $port ";}
foreach $line (@results){
if ($line =~ /Server:/){
($left,$right)=split(/:/,$line);
$right =~ s/ //g;
print "$target : Server type is $right";
# NOTE(review): the unescaped "/" in "5.0" ends the pattern early, so
# this line most likely does not parse as intended (or at all).
if ($right !~ /Microsoft-IIS/5.0/i){
print "$target : Not a Microsoft IIS 5 box ";
# exit() ends the whole program, not just the WebDAV check.
exit(0);
}
}
}
foreach $method (@methods){
@results=sendraw2("$method /test/nothere HTTP/1.0 ",$target,$port,15);
if ($#results < 1){print "15s timeout to $target on port $port ";}
$okflag=0;
foreach $line (@results){
if ($line =~ /Method Not Supported/i){
print "Method $method is not allowed ";
$okflag=1;
}
if (($line =~ /method/i) && ($line =~ /not allowed/i)){
print "Method $method is not allowed ";
$okflag=1;
}
}
# Anything that is not an explicit rejection - including an empty or
# timed-out response, which only printed a message above - is reported
# as "allowed".
if ($okflag==0){
print "Method $method seems to be allowed - WebDAV possibly in use ";
}
}
# Sends $pstr over a raw TCP socket to $realip:$realport and returns the
# response lines, or a one-element list ("Timeout" / "0") on failure.
sub sendraw2 {
my ($pstr,$realip,$realport,$timeout)=@_;
my $target2 = inet_aton($realip);
my $flagexit=0;
# NOTE(review): `&ermm` *calls* ermm right here (with the current @_)
# and stores its return value; a handler reference would be \&ermm.
# No alarm() call is visible either, so $timeout is never used.
$SIG{'ALRM'}=&ermm;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')) || die("Socket problems");
sleep 1;
# Hand-packed sockaddr_in (2 == AF_INET); Socket's sockaddr_in() is the
# portable way to build this.
if (connect(S,pack "SnA4x8",2,$realport,$target2)){
my @in;
# Make S the default output handle so the bare print below goes to the
# socket; switched back to STDOUT further down.
select(S); $|=1;
print $pstr;
sleep 1;
# NOTE(review): the readline (<S>) in the while condition looks stripped
# by extraction; as written this is not valid Perl.
while(){
if ($flagexit == 1){
close (S);
print STDOUT "Timeout ";
# Returns without select(STDOUT), leaving the default output handle on
# the closed socket.
return "Timeout";
}
push @in, $_;
}
sleep 1;
select(STDOUT);
close(S);
return @in;
} else {return "0";}
}
# Intended ALRM handler.
sub ermm{
# `==` compares, it does not assign - and this $flagexit is the package
# global, not sendraw2's lexical - so the timeout flag is never set.
$flagexit == 1;
close (S);
}
&menu;
}
# TCP connect port scan.  $sock, $host and %port are lexicals of port();
# the named subs nested below that use them see only the first
# instantiation (perl warns "Variable ... will not stay shared" for this).
sub port(){
my $sock;
my $host;
# Port -> service label used in the output.  "514" is listed twice; the
# later entry ("syslog") wins.
my %port=(
"21"=>"FTP Control",
"22"=>"SSH Remote Login Protocol",
"23"=>"Telnet" ,
"25"=>"SMTP Simple Mail Transfer Protocol",
"79"=>"Finger server",
"80"=>"HTTP World Wide Web",
"81"=>"HOSTS2 Name Server",
"110"=>"Pop3 Post Office Protocol" ,
"111"=>"SUN RPC",
"135"=>"Location Service" ,
"139"=>"NETBIOS Session Service" ,
"443"=>"HttpS Secure HTTP",
"445"=>"Microsoft-DS" ,
"512"=>"Remote process execution" ,
"513"=>"login remote login" ,
"514"=>"cmd execx with auto auth",
"514"=>"syslog" ,
"515"=>"Printer spooler" ,
"1025"=>"network blackjack" ,
"1080"=>"proxy" ,
"1433"=>"Microsoft-SQL-Server" ,
"3306"=>"mysql",
"3389"=>"remote term",
"5000"=>"Windows XP UPNP" ,
"5631"=>"PcAnywhere(data) - Remote Control Software",
"6000"=>"x11 X Window System" ,
"8080"=>"Proxy server") ;
&menuo;
# Port-scan sub-menu.  Only the `== "3"` test owns the `else`, so every
# path ends in exitx() (back to the main menu) once the chosen sub returns.
sub menuo() {
print " ";
print "-------------------------------------- ";
print "please choose what you want to scan ";
print " 1) single host ";
print " 2) multiply hosts ";
print " 3) exit ";
print "-------------------------------------- ";
print "Command: ";
chop($s=<>);
if($s == "1") { &single() }
if($s == "2") { &multi() }
if($s == "3") { &exitx()}
else {&exitx;}
}
# Tries a TCP connect to every port in %port on one host (hash order, so
# unspecified) and appends the ones that accept to report.txt.
sub single(){
print "please enter the ip: ";
chop($host=<>);
# 2-arg open without a mode opens report.txt read-only, so the header
# print below goes to an input-only handle and never reaches the file.
open(H1,"report.txt") || die "can't open report.txt ";
print H1 "portscan result: ";
close H1;
foreach $key(keys %port){
# "Scanning $host:$key..." (zh).
print "正在扫描$host:$key... ";
$sock=IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $key,
Proto=>'tcp');
# Called before the $sock check: on a closed or filtered port $sock is
# undef and this method call dies, ending the scan.
$sock-> autoflush(1);
if($sock){
print "found:$key $port{$key}! ";
open (H,">>report.txt") || die "can't open the report.txt ";
print H "$host:$key $port{$key} ";
close H;
}
}
# "report.txt generated successfully" (zh).
print "成功生成report.txt ";
&menuo;}
# Tries one port on every address of a range; same range handling as
# multicgi() and same report.txt behaviour as single().
sub multi(){
# Lexical $a shadows sort()'s package variable inside this sub.
my ($startip,$endip,$start,$end,@ip,$a,$ipx,$port);
print "please input the port your want to try: ";
chop($port=<>);
print(" please enter startip ex:192.168.0.1 :");
chop($startip=<>) ;
# Unescaped `.` matches any character; only the last octet is kept.
if($startip !~ /([0-9]+).([0-9]+).([0-9]+).([0-9]+)/){
die "Error: the ip is not in format ";}else{
$start=$4;}
print(" please enter endip ex:192.168.0.254 :");
chop($endip=<>);
if($endip !~ /([0-9]+).([0-9]+).([0-9]+).([0-9]+)/){
die "Error: the ip is not in format ";}else{
$end=$4;}
# $1..$3 come from the endip match, so the first three octets of every
# generated address are endip's.
for ($a=$start;$a<=$end;$a++){
@ip[$a-$start]="$1.$2.$3.$a";
}
# Read-only open again: this header line never reaches the file.
open(H1,"report.txt") || die "can't open report.txt ";
print H1 "portscan result: ";
close H1;
$|=1;
foreach $ipx (@ip){
# "Scanning $ipx...." (zh).
print "正在扫描$ipx.... ";
$sock=IO::Socket::INET->new(PeerAddr => $ipx,
PeerPort => $port,
Proto=>'tcp');
if($sock){
print "found:$ipx:$port ! ";
open (H1,">>report.txt") || die "can't open the report.txt ";
print H1 "$ipx:$port ";
close H1;
}
}
print "成功生成report.txt ";
&menuo;
}
# Back to the main menu.
sub exitx(){
&menu;
}
}
# Password guessing menu.  Each of the three subs below reads a user list
# and password.txt, tries every (user, password) pair against one host,
# and appends hits to report.txt.  Every pair is a separate authentication
# attempt (and, for ftp/pop3, a separate TCP session), so the target's
# service logs record one failed login per pair.
sub password() {
&menup;
# Only the `== "4"` test owns the `else`, so options 1-3 also return to
# the main menu via menux1() once their sub returns.
sub menup() {
print " ";
print "please choose what you want to crack: ";
print " 1) Ftp crack ";
print " 2) Pop3 crack ";
print " 3) Ipc crack ";
print " 4) Exit ";
print "Command: ";
chop($s=<>);
if($s == "1") { &ftp(); }
if($s == "2") { &pop3(); }
if($s == "3") { &ipc(); }
if($s == "4") { &menux1; }
else {&menux1;}
}
# FTP login attempts with Net::FTP.  The top-of-file `use Net::Ftp;`
# differs in case from the Net::FTP used here; on a case-sensitive
# filesystem that `use` line fails at compile time.
sub ftp() {
print(" please enter the ip : ");
chop($host=<>);
# Read-only 2-arg open: the header line below never reaches the file.
open(H1,"report.txt") || die "can't open report.txt ";
print H1 "ftpcrack result: ";
close H1;
# "Scanning $host .." (zh).
print "正在扫描 $host .. " ;
# The die message names user.txt but the file opened is ftpuser.txt.
# NOTE(review): the readlines into @user and @password look stripped by
# extraction; as written these assignments are not valid Perl.
open(F,"ftpuser.txt") || die "can't open user.txt! ";
@user=;
close F;
open(P,"password.txt") || die "can't open password.txt ! ";
@password=
;
close P;
# "Testing $user ...." (zh) is printed per pair.  A new connection is
# made per pair and the first connection failure dies, ending the whole
# program.  $a is sort()'s package variable.
foreach $user (@user){
foreach $password1 (@password)
{print "正在测试$user .... ";
$ftp = Net::FTP->new($host) || die "can't not conn! ";
if ( $ftp ) {
$a=$ftp->login($user,$password1);
$ftp->quit;
if ( $a == 1 )
{
print "found!: $host:$user $password1 " ;
# Reopened on every hit (reopening a bareword handle implicitly closes
# the previous one) and only closed after both loops, below.
open(O, ">>report.txt");
print O "$host:$user $password1:21 ";
}
}
}
}
close O;
# "report.txt generated successfully" (zh).
print "成功生成report.txt ";
&menup;
}
# POP3 login attempts with Net::POP3; same structure as ftp() but reads
# user.txt instead of ftpuser.txt.
sub pop3() {
print(" please enter the ip : ");
chop($host=<>);
# Read-only 2-arg open: the header line below never reaches the file.
open(H1,"report.txt") || die "can't open report.txt ";
print H1 "pop3crack result: ";
close H1;
print "正在扫描 $host .. " ;
# NOTE(review): readlines into @user and @password look stripped here too.
open(F,"user.txt") || die "can't open user.txt! ";
@user=;
close F;
open(P,"password.txt") || die "can't open password.txt ! ";
@password=
;
close P;
foreach $user (@user){
foreach $password(@password){
print "正在测试$user .... ";
# One connection per pair; the first connection failure dies.
$pop3 = Net::POP3->new($host) || die "can't not conn! ";
if ( $pop3 ) {
$a=$pop3->login($user,$password);
$pop3->quit;
if ( $a == 1 )
{
print "found!: $host:$user,$password :110 " ;
# Reopened per hit, closed once after both loops.
open(O, ">>report.txt");
print O "$host:$user,$password ";
}
}
}
}
close O;
print "成功生成report.txt ";
&menup;
}
# SMB/IPC$ login attempts by shelling out to the Windows `net use` command.
sub ipc() {
print(" please enter the ip : ");
chop($host=<>);
# Read-only open, and the "ipcscan result:" line goes to STDOUT rather
# than H1 (unlike ftp()/pop3()), so nothing is written to the file here.
open(H1,"report.txt") || die "can't open report.txt ";
print "ipcscan result: ";
close H1;
print "正在扫描 $host .. " ;
# NOTE(review): readlines into @user and @password look stripped here too.
open(F,"user.txt") || die "can't open user.txt! ";
@user=;
close F;
open(P,"password.txt") || die "can't open password.txt ! ";
@password=
;
close P;
foreach $user(@user){
foreach $password(@password){
# Single-string system(): $host, $password and $user are interpolated
# into one command line that the shell may parse, so wordlist entries
# containing shell metacharacters are interpreted as such (list-form
# system avoids that).  Inside the double-quoted string `\\` collapses
# to `\` and `\i` to `i`, so the UNC path probably does not expand as
# intended - the print on the first line shows what is actually run.
print "net use \\$host\ipc$ $password /user:$user";
$a=system("net use \\$host\ipc$ $password /user:$user");
# system() returns the child's wait status (0 on success).
# NOTE(review): the `== 1` test does not follow that convention; confirm
# what it is meant to detect.
if ( $a == 1 )
{
# "Target found: ..." (zh).
print "发现目标: $host:$user,$password " ;
open(O, ">>report.txt");
print O "$host:$user,$password :139 ";
}
}
}
close O;
print "成功生成report.txt ";
&menup;
}
# Back to the main menu.
sub menux1(){
&menu;
}
}
sub helpmessage() {
    # Show the help text, then block until the user presses Enter.
    my $help_text = <<"EOF";
-------------------------------------------
this scanner was writed with perl script...
if you have some ploblem or it have bugs,
please come to our forum:www.itaq.org, you
are welcome!:)~you can follow the guide of
it and will get along well with it. maybe it
is rather slow now,but we will try to make
it perfect......
-------------------------------------------
EOF
    print $help_text;
    print " ";
    print "Press enter to continue...";
    # Consume one line of input.  The package global is kept exactly as
    # the original assigned it; nothing on this page reads it.
    $uselessvariable = <>;
    chop($uselessvariable);
}
# Option 6 of the main menu: terminate the program (exit status 1, as the
# original did - note that 1 conventionally signals failure to the caller).
sub exitcgisonar() {
    exit 1;
}