Master Port Scanning, Subdomain Enumeration, and CMS Fingerprinting with Python
This article explains the principles of port scanning, lists common service ports and their states, demonstrates nmap usage, and provides both single‑threaded and multithreaded Python scripts for port scanning, followed by three Python‑based subdomain collection methods and two approaches for CMS fingerprinting, complete with code examples.
Port Scanning Basics
Port scanning means probing a range of ports or specific ports on a target host to discover which services are running. Open ports reveal services that can be examined for known vulnerabilities, while closed or filtered ports indicate no response or firewall protection.
Common Service Ports
HTTP: 80, 8080, 3128, 8081, 9080
SOCKS: 1080
FTP: 21
Telnet: 23
HTTPS: 443
SSH: 22
SMTP: 25
MySQL: 3306
Oracle DB: 1521
MS SQL: 1433/1434
Port States
OPEN – the port is reachable and a service is listening.
CLOSED – no response is returned, possibly blocked by a firewall.
FILTERED – the port is reachable but no service is listening.
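From the target's side, the probing described above shows up in firewall logs as one source touching many distinct ports on a host within seconds. The detector below is an added example, not code from the article; it assumes a simplified syslog-style SYN log format and runs over constructed sample lines, including a slow prober that the default window deliberately misses:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style SYN log lines (not from the article): 203.0.113.7 sweeps five
# ports in four seconds, .9 is an ordinary web client, .11 probes slowly (one port per 20 s).
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=21 SYN
2024-05-01T10:00:01 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22 SYN
2024-05-01T10:00:01 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
2024-05-01T10:00:02 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=25 SYN
2024-05-01T10:00:04 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
2024-05-01T10:00:00 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
2024-05-01T10:00:02 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=443 SYN
2024-05-01T10:00:00 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=21 SYN
2024-05-01T10:00:20 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=22 SYN
2024-05-01T10:00:40 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
2024-05-01T10:01:00 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=25 SYN
2024-05-01T10:01:20 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) SYN$')

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m['ts']), m['src'], m['dst'], int(m['dpt'])

def detect_scans(lines, window_seconds=10, min_ports=5):
    """Return {(src, dst): sorted ports} for sources that touched at least min_ports
    distinct destination ports on one host inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            events[(src, dst)].append((ts, dpt))
    alerts = defaultdict(set)
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1  # drop events that have aged out of the window
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key].update(ports)
    return {k: sorted(v) for k, v in alerts.items()}
```

With the default 10-second window the slow prober (.11) is not flagged; widening it to two minutes catches that host at the price of more noise from ordinary clients.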
nmap Example
C:\Users\Administrator>nmap -sV localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-03 17:10
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00053s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/https VMware Workstation SOAP API 14.1.1
... (additional ports omitted for brevity)
Python Port Scanning Scripts
Single‑threaded version using the socket module:
# -*- coding: UTF-8 -*-
# Python 3 version of the original script (which used raw_input() and a bare except)
import socket
import sys

def Get_ip(domain):
    """Resolve the target name to an IPv4 address; return None if resolution fails."""
    try:
        return socket.gethostbyname(domain)
    except socket.error as e:
        print('%s: %s' % (domain, e))
        return None

def PortScan(ip):
    """TCP connect() scan of ports 1-65535, one port at a time; return the open ones."""
    result_list = []
    for port in range(1, 65536):  # range() excludes its end, so 65536 is needed to reach port 65535
        s = socket.socket()
        s.settimeout(0.1)  # a short timeout keeps the sequential loop from stalling on silent ports
        try:
            s.connect((ip, port))
            print(' PORT:%d OPEN ' % port)
            result_list.append(port)
        except OSError:
            pass  # timeout, refused or unreachable: not open
        finally:
            s.close()
    print(result_list)
    return result_list

def main():
    domain = input('PLEASE INPUT YOUR TARGET:')
    ip = Get_ip(domain)
    if ip is None:
        sys.exit(1)  # the original returned 0 here and then crashed on 'IP:' + ip
    print('IP:' + ip)
    PortScan(ip)

if __name__ == '__main__':
    main()
Multithreaded version for faster scanning:
# -*- coding: UTF-8 -*-
# Python 3 version using a bounded thread pool instead of one thread per port
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor

lock = threading.Lock()  # serialises print() so output from different threads does not interleave

def Get_ip(domain):
    """Resolve the target name to an IPv4 address; return None if resolution fails."""
    try:
        return socket.gethostbyname(domain)
    except socket.error as e:
        print('[-]%s: %s' % (domain, e))
        return None

def PortScan(ip, port):
    """Connect-scan a single port; return the port number if it accepted, else None."""
    s = socket.socket()
    s.settimeout(0.1)
    try:
        s.connect((ip, port))
        with lock:
            print('[-] PORT:%d OPEN ' % port)
        return port
    except OSError:
        return None  # timeout, refused or unreachable
    finally:
        s.close()

def main():
    banner = r'''
 _ _ __ ___ _ __| |_ ___ ___ __ _ _ __
| '_ \ / _ \| '__| __/ __|/ __/ _` | '_ \
| |_) | (_) | | | |_\__ \ (_| (_| | | | |
|_ .__/ \___/|_| \__|___/\___\__,_|_| |_|
'''
    print(banner)
    domain = input('PLEASE INPUT YOUR TARGET:')
    ip = Get_ip(domain)
    if ip is None:
        sys.exit(1)
    print('[-] IP:' + ip)
    # The original started one thread per port over the range 0-65999 (76 blocks of 880),
    # which includes invalid port numbers and can exhaust the process; a pool of 200
    # workers over the valid range 1-65535 is faster and bounded.
    with ThreadPoolExecutor(max_workers=200) as pool:
        open_ports = [p for p in pool.map(lambda p: PortScan(ip, p), range(1, 65536)) if p]
    print('This scan completed! Open ports: %s' % open_ports)

if __name__ == '__main__':
    main()
Subdomain Enumeration Scripts
Three methods are presented: dictionary brute‑force, search‑engine scraping, and third‑party API querying. Example of a dictionary‑based script:
# -*- coding: UTF-8 -*-
# Python 3 version of the dictionary brute-force script
import re
import requests

def writtarget(target):
    """Print a live host name and append it to result.txt."""
    print(target)
    with open('result.txt', 'a') as f:
        f.write(target + '\n')

def targetopen(http, https):
    headers = {'User-Agent': 'Mozilla/5.0'}  # the article omits its full header set; placeholder only
    # Try HTTP, then HTTPS. The original wrapped both requests in one try block, so a
    # connection error on the HTTP attempt silently skipped the HTTPS attempt.
    for url in (http, https):
        try:
            r = requests.get(url, timeout=3, headers=headers)
        except requests.RequestException:
            continue  # refused, timed out or unresolvable: try the next scheme
        if r.status_code == 200:
            writtarget(re.findall('//.*', url)[0][2:])  # drop the scheme, keep the host name
            return

def domainscan(target):
    """Prepend each word in domain.txt to the target domain and probe the result."""
    with open('domain.txt') as f:
        for line in f:
            http = 'http://' + line.strip() + '.' + target
            https = 'https://' + line.strip() + '.' + target
            targetopen(http, https)

if __name__ == '__main__':
    target = input('PLEASE INPUT YOUR DOMAIN(Eg:ichunqiu.com):')
    domainscan(target)
The source article also shows a search‑engine method (Baidu) and an API method (whatweb.bugscaner.com), each with its own code snippet.
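The same wordlist check can be run directly against DNS instead of waiting for an HTTP 200, which also exposes a failure mode the script above cannot see: a wildcard zone, where every label resolves and a naive run reports the whole wordlist as hits. This is an added example, not the article's code; `resolve`, `wildcard_answer`, `enumerate_subdomains` and the constructed `fake_resolver` zone are introduced here for illustration:

```python
import random
import socket
import string

def resolve(name):
    """Default resolver: A-record lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def wildcard_answer(domain, resolver, probes=3):
    """Resolve random labels that should not exist under `domain`; if they all
    answer with the same address, the zone is wildcarded and that address is returned."""
    answers = set()
    for _ in range(probes):
        label = ''.join(random.choices(string.ascii_lowercase, k=12))
        answers.add(resolver('%s.%s' % (label, domain)))
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None

def enumerate_subdomains(domain, words, resolver=resolve):
    """Return {fqdn: address} for wordlist entries that resolve to something other
    than the wildcard address. A real host parked on the wildcard address cannot be
    told apart by DNS alone and is dropped with the rest."""
    wildcard = wildcard_answer(domain, resolver)
    found = {}
    for word in words:
        word = word.strip()
        if not word:
            continue
        fqdn = '%s.%s' % (word, domain)
        addr = resolver(fqdn)
        if addr and addr != wildcard:
            found[fqdn] = addr
    return found

# Constructed zone for an offline run: two real hosts plus a catch-all wildcard record.
FAKE_ZONE = {'www.example.com': '192.0.2.10', 'mail.example.com': '192.0.2.20'}

def fake_resolver(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith('.example.com'):
        return '192.0.2.99'  # what the wildcard record answers for any other label
    return None
```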
CMS Fingerprinting Scripts
Two approaches: using an online API and matching keywords against a custom dictionary.
API‑based example:
# -*- coding: UTF-8 -*-
# Python 3 version of the API-based lookup
import requests

def what_cms(url):
    headers = {'User-Agent': 'Mozilla/5.0'}  # the article omits its header set; placeholder only
    post = {'hash':'0eca8914342fc63f5a2ef5246b7a3b14_7289fd8cf7f420f594ac165e475f1479','url':url}
    try:
        r = requests.post('http://whatweb.bugscaner.com/what/', data=post, headers=headers, timeout=10)
        dic = r.json()  # same as json.loads(r.text), but fails cleanly on a non-JSON reply
    except (requests.RequestException, ValueError) as e:
        print('Request failed: %s' % e)
        return
    if dic.get('cms'):  # .get() avoids a KeyError when the reply has no 'cms' field
        print('CMS:' + dic['cms'])
    else:
        print('Sorry, Unidentified...')

if __name__ == '__main__':
    url = input('PLEASE INPUT YOUR TARGET:')
    what_cms(url)
The keyword‑matching example uses a dictionary of "path||||keyword||||CMS name" entries and multithreaded requests to identify the CMS.
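A parser and matcher for that "path||||keyword||||CMS name" dictionary, with the fetch function injectable so it runs offline against a constructed site. This is an added example, not the article's script: the dictionary entries, `parse_fingerprints`, `identify_cms`, `http_fetch` and the `FAKE_SITE` pages are invented for illustration.

```python
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urljoin

# Constructed dictionary in the article's "path||||keyword||||CMS name" format;
# the entries are illustrative, not a real signature set.
SAMPLE_DICT = """\
/robots.txt||||Disallow: /wp-admin/||||WordPress
/admin/login.php||||Demo CMS Login||||DemoCMS
/README.md||||Demo CMS 2.0||||DemoCMS
# comment lines are skipped
a line without separators is skipped too
"""

def parse_fingerprints(text):
    """Return (path, keyword, cms) tuples; comments, blanks and malformed lines are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split('||||')
        if len(parts) == 3:
            rules.append(tuple(parts))
    return rules

def identify_cms(base_url, rules, fetch, workers=8):
    """Fetch every rule's path in a thread pool; return {cms: number of rules that matched}."""
    def check(rule):
        path, keyword, cms = rule
        body = fetch(urljoin(base_url, path))
        return cms if body is not None and keyword in body else None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = [cms for cms in pool.map(check, rules) if cms]
    return {cms: hits.count(cms) for cms in set(hits)}

def http_fetch(url):
    import requests  # imported here so the offline demo below needs no third-party module
    try:
        r = requests.get(url, timeout=3)
        return r.text if r.ok else None  # body on a 2xx reply, None on any other status
    except requests.RequestException:
        return None
# Constructed site for an offline run; a missing key (None) stands in for a 404 or error.
FAKE_SITE = {
    'http://demo.example/admin/login.php': '<title>Demo CMS Login</title>',
    'http://demo.example/README.md': '# Demo CMS 2.0 release notes',
}

def fake_fetch(url):
    return FAKE_SITE.get(url)
```

Counting matches per CMS rather than stopping at the first hit lets a single stray keyword (a robots.txt copied from another product, say) be outvoted by the rest of the dictionary.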