#! /usr/bin/perl
use IO::Socket;
use Socket;
use Net::Ftp;
use Net::POP3;
# Banner text shown by menu(); a package global, read unqualified by menu().
our $version = " ITS_SCAN v1.0测试版 \n";
# Hand control to the interactive top-level menu.  It only ends via the
# "Exit" choice, so nothing after this line would run.
menu();
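sub menu() {
    # Top-level interactive menu: draw the banner, read one line from STDIN
    # and run the chosen feature.  The menu is redrawn after an unknown
    # choice and after a feature returns; option 6 and EOF on STDIN end the
    # program through exitcgisonar().
    #
    # Reads the package global $version for the banner.  Never returns
    # normally.
    my %action_for = (
        '1' => \&cgiscan,
        '2' => \&port,
        '3' => \&password,
        '4' => \&webdav,
        '5' => \&helpmessage,
        '6' => \&exitcgisonar,
    );
    # A loop replaces the original self-recursion in the "else" branch (which,
    # being attached only to the last "if", also re-entered the menu after
    # every feature returned) so repeated choices no longer grow the stack.
    while (1) {
        print "\n\n";
        print "--------------------------\n\n";
        print " $version\n";
        print "--------------------------\n";
        print " Thank you for chossing ITS_SCAN\n";
        print " by ocean2000 of itaq.org \n";
        print " choose what you want to do: \n\n";
        print " 1) Cgi Scan\n";
        print " 2) Port Scan\n";
        print " 3) Password Crack\n";
        print " 4) Webdav Scan \n";
        print " 5) Help\n";
        print " 6) Exit\n";
        print "Command: ";
        my $selection = <>;
        # EOF (e.g. piped input exhausted) used to chop() undef and loop
        # forever; leave through the normal exit path instead.
        exitcgisonar() unless defined $selection;
        # chomp rather than chop: only a trailing newline is removed, so a
        # last line without one does not lose its final character.
        chomp $selection;
        $selection =~ s/\A\s+|\s+\z//g;
        # Exact string match instead of numeric "==": non-numeric input no
        # longer warns, and input such as "1x" is no longer accepted as 1.
        my $action = $action_for{$selection};
        if ($action) {
            $action->();
        }
        # Unknown command: fall through and redraw the menu.
    }
}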
sub cgiscan(){
# Entry point for the CGI-path scanner (menu option 1).  Hands off to menu2
# and, like every menu in this script, only "returns" by re-entering another
# menu, so each round-trip leaves a frame on the call stack.
# NOTE(review): the named subs below are lexically nested in this sub.  Perl
# installs them as ordinary package subs regardless; the nesting only affects
# which lexicals they can see and is cosmetic here.
&menu2;
sub menu2() {
# Sub-menu: scan one host, scan an address range, or return to the main menu.
print "\n";
print "--------------------------------------\n";
print "please choose what you want to scan \n";
print " 1) single host cgi \n";
print " 2) multiply hosts cgi\n";
print " 3) exit \n";
print "--------------------------------------\n";
print "Command: ";
# chop() removes the last character unconditionally (and warns on undef at
# EOF); chomp() only strips a trailing newline.
chop($s=<>);
# "==" compares numerically: a non-numeric line is 0 and never matches.  The
# three ifs are independent, so "else" pairs only with the third one, and as
# written that "else" has no block, which is a syntax error.
# Option 3 calls exitx(), defined under port(), not exitt() below.
if($s == "1") { &singlecgi() }
if($s == "2") { &multicgi() }
if($s == "3") { &exitx()}
else
}
sub exitt(){
# Back to the top-level menu.  Nothing in the visible code calls this sub.
&menu;}
sub singlecgi(){
# Prompt for host, port and the "save to report.txt" answer, run the scan,
# then redraw menu2.  None of the three inputs is validated.
print "\nHost: ";
chop($host1=<>);
print "port: ";
chop($port1=<>);
print "\n Saved results to report.txt [yes or no]: ";
chop($store=<>);
# Quoting the scalars only passes string copies; harmless but redundant.
&singlecgiscan("$host1","$port1","$store");
&menu2();}
sub singlecgiscan() {
# Request every path listed in cgi.lst from $host:$port and report those
# answering 200 or 500.
#   $host, $port - target, as typed on STDIN
#   $storelogs   - "yes"/"y" to append each hit to report.txt
# Two-arg open with a bareword handle.  The name is a literal, so there is no
# mode-injection risk here, but the three-arg lexical form is the safe idiom.
open(F,"cgi.lst") || die "can't open!\n";
# The right-hand side of this assignment is missing in this copy (apparently
# lost in extraction); as written @cgi receives the return value of "close F".
@cgi=
close F;
my ($host,$port,$storelogs)=@_;
# Package global, not a lexical: it leaks out of this sub.
$number = 0;
print "\n-------------------------------------\n";
print "Checking $host for known exploits....\n";
# The header is appended regardless of $storelogs; only hits are gated below.
open(G,">>report.txt") || die "can't open report.txt \n";
print G "$host cgiscan result:\n";
close G;
foreach $key (@cgi) {
print "scanning :$key\n";
# One fresh TCP connection per path, with no connect or read timeout.  A
# refused connection dies and aborts the whole program instead of marking
# the path as unreachable.
my $connection = IO::Socket::INET->new(Proto =>'tcp',
PeerAddr =>$host,
PeerPort =>$port) || die "Sorry! Could not connect to $host \n";
$connection -> autoflush(1);
# HTTP/1.0 request terminated with bare LF; the protocol specifies CRLF.
print $connection "GET $key HTTP/1.0\n\n";
# Slurps the whole response; a server that never closes stalls the scan.
my @check = <$connection>;
close $connection;
# @check[0] is a one-element array slice; $check[0] is the intended scalar.
# "500" is matched anywhere in the status line, so any server error counts
# as a hit - this is what makes the check noisy.
if(@check[0] =~/200 OK/ or @check[0]=~/500/) {
print "Exploit Found!: $key\n";
$number++;
if($storelogs eq "yes" or $storelogs eq "y") {
open(GOTCHA, ">>report.txt") or die("Couldn‘t open report.txt for writing. Please make sure the file exists and is writable.\n");
print GOTCHA "Exploit Found!: $key\n";
close(GOTCHA);}
}
}
if($number == 0) { print "No exploitable holes found on host $host\n"; }
# Message (Chinese): "report.txt generated successfully!" - printed even when
# nothing was written to it.
print "成功生成report.txt!:)~ \n";
}
sub multicgi() {
# Ping-sweep an IPv4 range and request one path ($key) from each responding
# host on $port.
print("\nplease enter startip ex:192.168.0.1: ");
chop($startip=<>) ;
# Unanchored pattern: it accepts any string containing four dotted numbers,
# octets above 255 included; anchor with \A ... \z and range-check each octet
# to validate.  The values assigned to $start/$end and the first three octets
# in "...$a" below are missing in this copy (apparently lost in extraction);
# as written only the last octet is walked.
if($startip !~ /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/){
die "Error: the ip is not in format \n";}else{
$start=;}
print("\nplease enter endip ex:192.168.0.254:");
chop($endip=<>);
if($endip !~ /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/){
die "Error: the ip is not in format \n";}else{
$end=;}
for ($a=$start;$a<=$end;$a++){
# Array slice used as a scalar lvalue; $ip[...] is the intended form.
@ip[$a-$start]="...$a";
}
print "\nport: ";
chop($port=<>);
# Prompt (Chinese): "enter the cgi path to scan, e.g. /*.ida".
print "请输入要扫描的cgi ex:/*.ida : ";
chop($key=<>);
H:foreach $ip (@ip){
# Two-arg piped open runs "ping ... -n 2" through the command shell ("-n" is
# the Windows count flag).  $ip is built from the numeric loop here, so no
# untrusted text reaches the shell, but the list form
# open(my $fh, '-|', 'ping', '-n', '2', $ip) bypasses the shell entirely and
# is the form to use whenever the host can come from user input.
open(F,"ping $ip -n 2 |") || die "can't ping !\n";
# Right-hand side missing (as with @cgi above); as written $line receives the
# return value of "sleep 1".
$line=
sleep 1;
# Only the Windows ping summary wording ("100% loss") is recognised.
if ($line=~/100% loss/){ next;}
else {
$host =$ip;
print "\n-------------------------------------\n";
print "Checking $host for the exploits of $key....\n";
open(G,">>report.txt") || die "can't open report.txt \n";
print G "$host cgiscan result:\n";
close G;
# The fallback after "||" is missing.  A failed connect leaves $connection
# undef, and the autoflush call on the next line then dies with "Can't call
# method ... on an undefined value", aborting the sweep.
my $connection = IO::Socket::INET->new(Proto =>'tcp',
PeerAddr =>$host,
PeerPort =>$port) || ;
$connection -> autoflush(1);
print $connection "GET $key HTTP/1.0\n\n";
my @check = <$connection>;
close $connection;
if(@check[0] =~/200 OK/ or @check[0] =~/500/) {
print "Exploit Found!: $key\n";
# $storelogs is never assigned in this sub (the one in singlecgiscan is a
# lexical there), so this branch cannot be taken and hits are not recorded.
if($storelogs eq "yes" or $storelogs eq "y") {
open(GOTCHA, ">>report.txt") or die("Couldn‘t open report.txt for writing. Please make sure the file exists and is writable.\n");
print GOTCHA "Exploit Found!: $key\n";
close(GOTCHA);}
}
}
}
&menu2;
sub next1(){
# "next" inside a sub that is called from a loop leaves the sub through the
# loop control ("Exiting subroutine via next" warning).  Nothing visible
# calls this sub.
next H ;}
}
&menu;
}
sub webdav(){
# WebDAV method probe (menu option 4), adapted from a SensePost check: send
# "HEAD /" to confirm the Server banner says IIS 5.0, then try each method in
# @methods against a non-existent path and report the ones the server does
# not explicitly reject.
print "-----------------------------------------------\n";
print "SensePost Research \n";
print "research@sensepost.com \n";
print "debuged by ocean2000@itaq.org \n";
print "please enter the host and port ex:127.0.0.1 80 \n";
print "-----------------------------------------------\n";
# Unbuffer the current default output handle (STDOUT); never restored.
$|=1;
# "MCOL" is presumably a typo for MKCOL (RFC 4918) - confirm; as written the
# server simply sees an unknown token for that entry.
@methods = ("PROPFIND","PROPPATCH","MCOL","PUT","DELETE","LOCK","UNLOCK");
print "the host: ";
chop($target=<>);
print "the port: ";
chop($port=<>);
print "Testing WebDAV methods [$target $port]\n";
# sendraw2 returns the response lines, or a single "Timeout"/"0" element on
# failure, so "$#results < 1" lumps refused connections in with timeouts.
# The "15s" in the message is not enforced: see the timeout handling (or lack
# of it) in sendraw2.
@results=sendraw2("HEAD / HTTP/1.0\r\n\r\n",$target,$port,15);
if ($#results < 1){die "15s timeout to $target on port $port\n";}
foreach $line (@results){
if ($line =~ /Server:/){
# Two-element assignment keeps only the first colon-separated field of the
# value; it still carries its trailing CRLF, which is why the print below
# adds no "\n".
($left,$right)=split(/\:/,$line);
$right =~ s/ //g;
print "$target : Server type is $right";
# exit(0) ends the whole program here instead of returning to the menu.
if ($right !~ /Microsoft-IIS\/5.0/i){
print "$target : Not a Microsoft IIS 5 box\n";
exit(0);
}
}
}
foreach $method (@methods){
@results=sendraw2("$method /test/nothere HTTP/1.0\r\n\r\n",$target,$port,15);
if ($#results < 1){print "15s timeout to $target on port $port\n";}
$okflag=0;
# A method counts as "allowed" only if no response line says it was
# rejected.  An empty or timed-out response therefore also reports "allowed"
# - a false positive the reader of the output should know about.
foreach $line (@results){
if ($line =~ /Method Not Supported/i){
print "Method $method is not allowed\n";
$okflag=1;
}
if (($line =~ /method/i) && ($line =~ /not allowed/i)){
print "Method $method is not allowed\n";
$okflag=1;
}
}
if ($okflag==0){
print "Method $method seems to be allowed - WebDAV possibly in use\n";
}
}
sub sendraw2 {
# Send the raw bytes $pstr to $realip:$realport over TCP and collect the
# response.  $timeout is accepted but never used: no alarm() is armed.
# Returns: the response lines; the one-element list ("Timeout") if $flagexit
# is seen set (it never is, see ermm); or ("0") when connect() fails.
my ($pstr,$realip,$realport,$timeout)=@_;
# inet_aton returns undef for an unresolvable name; pack() below then builds
# a bogus address instead of reporting the failure.
my $target2 = inet_aton($realip);
my $flagexit=0;
# Assigns the scalar $SIG, not an entry of %SIG, so no signal handler is
# installed.  The intent was presumably $SIG{ALRM} = \&ermm paired with
# alarm($timeout) - confirm against the original.
$SIG=\&ermm;
# Bareword global handle S: two overlapping calls would share the socket.
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')) || die("Socket problems");
sleep 1;
# Hand-packed sockaddr_in; Socket's pack_sockaddr_in($realport, $target2) is
# the portable equivalent.
if (connect(S,pack "SnA4x8",2,$realport,$target2)){
my @in;
# Make S the default output handle so the bare print below writes to it.
select(S); $|=1;
print $pstr;
sleep 1;
# An empty while() condition is an infinite loop in Perl; the read from S
# appears to have been lost in extraction.  As written this never exits,
# because $flagexit is never set to 1 (see ermm) and $_ is never refreshed.
while(){
if ($flagexit == 1){
close (S);
print STDOUT "Timeout\n";
# Returns without select(STDOUT), leaving the closed socket as the default
# output handle for the caller.
return "Timeout";
}
push @in, $_;
}
sleep 1;
select(STDOUT);
close(S);
return @in;
} else {return "0";}
}
sub ermm{
# Intended timeout handler.  "==" is a comparison, not an assignment, so
# nothing changes here - and this $flagexit is a package global anyway, not
# the lexical declared inside sendraw2.
$flagexit == 1;
close (S);
}
&menu;
}
sub port(){
# TCP port scanner (menu option 2): one host against the %port list, or one
# port across an address range.  Results are appended to report.txt.
my $sock;
my $host;
# Port -> service label.  Only the keys are iterated; note the duplicate key
# "514": the later value ("syslog") wins and the first one is dead.
my %port=(
"21"=>"FTP Control",
"22"=>"SSH Remote Login Protocol",
"23"=>"Telnet" ,
"25"=>"SMTP Simple Mail Transfer Protocol",
"79"=>"Finger server",
"80"=>"HTTP World Wide Web",
"81"=>"HOSTS2 Name Server",
"110"=>"Pop3 Post Office Protocol" ,
"111"=>"SUN RPC",
"135"=>"Location Service" ,
"139"=>"NETBIOS Session Service" ,
"443"=>"HttpS Secure HTTP",
"445"=>"Microsoft-DS" ,
"512"=>"Remote process execution" ,
"513"=>"login remote login" ,
"514"=>"cmd execx with auto auth",
"514"=>"syslog" ,
"515"=>"Printer spooler" ,
"1025"=>"network blackjack" ,
"1080"=>"proxy" ,
"1433"=>"Microsoft-SQL-Server" ,
"3306"=>"mysql",
"3389"=>"remote term",
"5000"=>"Windows XP UPNP" ,
"5631"=>"PcAnywhere(data) - Remote Control Software",
"6000"=>"x11 X Window System" ,
"8080"=>"Proxy server") ;
&menuo;
sub menuo() {
# Sub-menu for the port scanner.  Same structure and same problems as menu2:
# numeric "==" on string input, independent ifs with "else" attached only to
# the last one, and a bare "else" without a block (syntax error as written).
print "\n";
print "--------------------------------------\n";
print "please choose what you want to scan \n";
print " 1) single host \n";
print " 2) multiply hosts\n";
print " 3) exit \n";
print "--------------------------------------\n";
print "Command: ";
chop($s=<>);
if($s == "1") { &single() }
if($s == "2") { &multi() }
if($s == "3") { &exitx()}
else
}
sub single(){
# Try every port in %port on one host.
# NOTE(review): %port, $sock and $host are lexicals of the enclosing port();
# a named sub nested like this sees only the first instance of them ("will
# not stay shared"), which is harmless as long as the data never changes.
print "please enter the ip: ";
chop($host=<>);
# Opened read-only, then written to: the header never reaches the file, and
# the open dies outright when report.txt does not exist yet.
open(H1,"report.txt") || die "can't open report.txt \n";
print H1 "portscan result:\n";
close H1;
foreach $key(keys %port){
# Message (Chinese): "scanning $host:$key...".
print "正在扫描$host:$key...\n";
# No Timeout => ... option, so a filtered port blocks for the OS connect
# timeout.
$sock=IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $key,
Proto=>'tcp');
# Called before the undef check below: on the first closed port new()
# returns undef and this line dies with "Can't call method autoflush on an
# undefined value", ending the scan.
$sock-> autoflush(1);
if($sock){
# "$port" here is the unrelated scalar, not the service label; the lookup
# that was presumably intended is $port{$key}.
print "found:$key $port!\n";
open (H,">>report.txt") || die "can't open the report.txt\n";
print H "$host:$key $port \n";
close H;
}
}
# Message (Chinese): "report.txt generated successfully".
print "成功生成report.txt \n";
&menuo;}
sub multi(){
# Try one port across an IPv4 range; same range handling as multicgi.
# "my $a" shadows sort's package $a for the rest of this scope.
my ($startip,$endip,$start,$end,@ip,$a,$ipx,$port);
print "please input the port your want to try: ";
chop($port=<>);
print("\nplease enter startip ex:192.168.0.1 :");
chop($startip=<>) ;
# Unanchored pattern: accepts any string containing four dotted numbers,
# octets above 255 included.  The values assigned to $start/$end and the
# first three octets in "...$a" below are missing in this copy (apparently
# lost in extraction); as written only the last octet is walked.
if($startip !~ /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/){
die "Error: the ip is not in format \n";}else{
$start=;}
print("\nplease enter endip ex:192.168.0.254 :");
chop($endip=<>);
if($endip !~ /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/){
die "Error: the ip is not in format \n";}else{
$end=;}
for ($a=$start;$a<=$end;$a++){
# Array slice used as a scalar lvalue; $ip[...] is the intended form.
@ip[$a-$start]="...$a";
}
# Read-only open, then print: the header never reaches the file, and the
# open dies when report.txt does not exist yet.
open(H1,"report.txt") || die "can't open report.txt \n";
print H1 "portscan result:\n";
close H1;
$|=1;
foreach $ipx (@ip){
# Message (Chinese): "scanning $ipx....".
print "正在扫描$ipx....\n";
# No Timeout => ... option, so every filtered host waits for the OS connect
# timeout.
$sock=IO::Socket::INET->new(PeerAddr => $ipx,
PeerPort => $port,
Proto=>'tcp');
if($sock){
print "found:$ipx:$port !\n";
open (H1,">>report.txt") || die "can't open the report.txt\n";
print H1 "$ipx:$port \n";
close H1;
}
}
# Message (Chinese): "report.txt generated successfully".
print "成功生成report.txt \n";
&menuo;
}
sub exitx(){
# Back to the top-level menu.  Also used by menu2 under cgiscan(), so it must
# stay reachable from there.
&menu;
}
}
sub password() {
# Credential-guessing menu (option 3): FTP, POP3 or Windows IPC$ logins tried
# from word lists.  Seen from the defending side, every attempt below is a
# fresh connection plus a failed login in quick succession from one source -
# exactly the pattern that auth-failure rate alerting and account lockout
# policies exist to catch.
&menup;
sub menup() {
# Same structure and problems as menu2: numeric "==" on string input,
# independent ifs, and a bare "else" with no block (syntax error as written).
print "\n\n";
print "please choose what you want to crack: \n";
print " 1) Ftp crack \n";
print " 2) Pop3 crack\n";
print " 3) Ipc crack \n";
print " 4) Exit \n";
print "Command: ";
chop($s=<>);
if($s == "1") { &ftp(); }
if($s == "2") { &pop3(); }
if($s == "3") { &ipc(); }
if($s == "4") { &menux1; }
else
}
sub ftp() {
# FTP login attempts: every line of ftpuser.txt against every line of
# password.txt, on port 21 of $host.
print("\nplease enter the ip : ");
chop($host=<>);
# Read-only open, then print: the header never reaches the file (see
# single() under port()).
open(H1,"report.txt") || die "can't open report.txt \n";
print H1 "ftpcrack result:\n";
close H1;
# Message (Chinese): "scanning $host".
print "正在扫描 $host .. \n" ;
# The error text names user.txt, but the file opened is ftpuser.txt.
open(F,"ftpuser.txt") || die "can't open user.txt! \n";
# Right-hand side missing in this copy (apparently lost in extraction); as
# written @user receives the return value of "close F".  Same for @password.
@user=
close F;
open(P,"password.txt") || die "can't open password.txt !\n";
@password=
;
close P;
foreach $user (@user){
foreach $password1 (@password)
# Message (Chinese): "testing $user".
{print "正在测试$user ....\n";
# One new connection per attempt; a refused connect dies and ends the run,
# so the "if ($ftp)" below is always true.
# Spelled Net::FTP here but "Net::Ftp" in the use line at the top; on a
# case-sensitive filesystem that use line fails to load the module at all.
$ftp = Net::FTP->new($host) || die "can't not conn! \n";
if ( $ftp ) {
# $a is sort's package global, used here as a plain flag.
$a=$ftp->login($user,$password1);
$ftp->quit;
if ( $a == 1 )
{
print "found!: $host:$user $password1 \n" ;
# Reopened, unchecked, on every hit and closed only once after the loops.
# Credentials are stored in plain text.
open(O, ">>report.txt");
print O "$host:$user $password1:21 \n";
}
}
}
}
close O;
# Message (Chinese): "report.txt generated successfully".
print "成功生成report.txt \n";
&menup;
}
sub pop3() {
# POP3 login attempts: user.txt x password.txt on port 110 of $host.  Same
# shape and same issues as ftp() above (read-only header open, missing
# right-hand sides, die on a refused connect, unchecked report open).
print("\nplease enter the ip : ");
chop($host=<>);
open(H1,"report.txt") || die "can't open report.txt \n";
print H1 "pop3crack result:\n";
close H1;
print "正在扫描 $host .. \n" ;
open(F,"user.txt") || die "can't open user.txt! \n";
@user=
close F;
open(P,"password.txt") || die "can't open password.txt !\n";
@password=
;
close P;
foreach $user (@user){
foreach $password(@password){
print "正在测试$user ....\n";
$pop3 = Net::POP3->new($host) || die "can't not conn! \n";
if ( $pop3 ) {
$a=$pop3->login($user,$password);
$pop3->quit;
if ( $a == 1 )
{
print "found!: $host:$user,$password :110 \n" ;
open(O, ">>report.txt");
print O "$host:$user,$password \n";
}
}
}
}
close O;
print "成功生成report.txt \n";
&menup;
}
sub ipc() {
# Windows share logins via the external "net use" command, so this branch
# only makes sense on a Windows host.
print("\nplease enter the ip : ");
chop($host=<>);
open(H1,"report.txt") || die "can't open report.txt \n";
# No filehandle: this header goes to STDOUT, unlike the ftp/pop3 variants.
print "ipcscan result:\n";
close H1;
print "正在扫描 $host .. \n" ;
open(F,"user.txt") || die "can't open user.txt! \n";
@user=
close F;
open(P,"password.txt") || die "can't open password.txt !\n";
@password=
;
close P;
foreach $user(@user){
foreach $password(@password){
# Double-quoted string: "\\" becomes one backslash and "\i" is just "i", so
# the UNC path does not survive interpolation in the form it appears here.
print "net use \\$host\ipc$ $password /user:$user";
# Single-string system() runs through the command shell, and $host (STDIN)
# plus $user/$password (word-list files) are interpolated into it unquoted:
# a crafted list entry or host string is a command injection.  The list form
# of system() passes arguments without a shell.
# system() returns the child's wait status rather than a boolean, so the
# "== 1" test below does not reflect whether "net use" succeeded.
$a=system("net use \\$host\ipc$ $password /user:$user");
if ( $a == 1 )
{
# Message (Chinese): "target found: ...".
print "发现目标: $host:$user,$password \n" ;
open(O, ">>report.txt");
print O "$host:$user,$password :139\n";
}
}
}
close O;
print "成功生成report.txt \n";
&menup;
}
sub menux1(){
# Back to the top-level menu.
&menu;
}
}
sub helpmessage() {
    # Print the static help text, then block until the user presses Enter so
    # it stays on screen before the caller redraws the menu.  Nothing in the
    # text interpolates, so a non-interpolating heredoc is sufficient.
    print <<'EOF';
-------------------------------------------
this scanner was writed with perl script...
if you have some ploblem or it have bugs,
please come to our forum:www.itaq.org, you
are welcome!:)~you can follow the guide of
it and will get along well with it. maybe it
is rather slow now,but we will try to make
it perfect......
-------------------------------------------
EOF
    print "\nPress enter to continue...";
    # The line read is discarded; the read is only there to pause.
    chop($uselessvariable = <>);
}
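sub exitcgisonar() {
    # "Exit" menu choice: terminate the whole program.  Status 0 rather than
    # 1 - this is a user-requested, normal shutdown, and a non-zero status
    # would make shells and wrappers report a failure that did not happen.
    exit 0;
}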