信息搜集之主动信息搜集

1、基于ICMP的主机发现

python实现主机探测

from scapy.all import *
from scapy.layers.inet import IP, ICMP
from random import randint
from argparse import ArgumentParser

# 主函数
def main():
    # 输出帮助信息
    usage = 'python %(prog)s -i <target host>'
    parser = ArgumentParser(usage=usage)
    # 获取IP地址参数
    parser.add_argument('-i', '--ip', dest='targetIP', type=str, required=True)

    # 对输入参数进行解析
    options = parser.parse_args()

    print("Scan report for: " + options.targetIP + "\n")

    # 判断是单台主机还是多台主机
    # IP中存在-,说明是要扫描多台主机
    if '-' in options.targetIP:
        # 代码举例:192.168.1.1-120
        # 通过'-'进行分隔,把192.168.1.1和120分开
        # 把192.168.1.1通过‘.' 进行分隔,去最后一个数作为range函数的start,然后把120 + 1作为range函数的stop
        # 循环遍历出需要扫描的IP地址
        for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
            Scan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
            time.sleep(0.2)
    else:
        Scan(options.targetIP)

    print("\nScan fininshed!...\n")

# 扫描主机
def Scan(ip):
    ip_id = randint(1, 65535)
    icmp_id = randint(1, 65535)
    icmp_seq = randint(1, 65535)
    packet = IP(dst=ip, ttl=64, id=ip_id)/ICMP(id=icmp_id, seq=icmp_seq)/b'rootkit'

    result = sr1(packet, timeout=1, verbose=False)

    if result:
        for rcv in result:
            scan_ip = rcv[IP].src
            print(scan_ip + '--->' 'Host is up')
    else:
            print(ip + '--->' 'Host is down')

if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print("interrupte by user, killing all threads...")

通过nmap实现主机探测

import nmap
import argparse

def main():
    usage = 'python %(prog)s -i <target host>'
    parser = argparse.ArgumentParser(usage=usage)

    parser.add_argument('-i', '--ip', dest='targetIP', required=True)
    options = parser.parse_args()

    if '-' in options.targetIP:
        for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
            NmapScan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
    else:
        NmapScan(options.targetIP)

def NmapScan(targetIP):
    # 实例化portScanner对象
    nm = nmap.PortScanner()
    try:
        # hosts为目标IP地址,argusments为Nmap的扫描参数
        # -sn:使用ping进行扫描
        # -PE:使用ICMP的echo请求包(-PP:使用timestamp请求包 -PM:netmask请求包)
        result = nm.scan(hosts=targetIP, arguments='-sn -PE')

        # 对结果进行切片,提取主机状态信息
        state = result['scan'][targetIP]['status']['state']
        print("[{}] is [{}]".format(targetIP, state))
    except Exception as e:
        pass


if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print('interrupte by user, killing all threads...')

2、基于TCP的主机发现

python通过ACK包探测主机

import argparse
from random import randint
from scapy.layers.inet import IP, TCP
from scapy.all import *

def main():
    usage = 'usage: python %(prog)s -i <target host>'
    parser = argparse.ArgumentParser(usage=usage)

    parser.add_argument('-i', '--ip', dest='targetIP', required=True)

    options = parser.parse_args()

    if '-' in options.targetIP:
        for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
            Scan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
    else:
        Scan(options.targetIP)

def Scan(targetIP):
    try:
        dport = randint(1, 65535)
        packet = IP(dst=targetIP)/TCP(flags='A', dport=dport)
        response = sr1(packet, timeout=1.0, verbose=False)

        if response:
            if int(response[TCP].flags) == 4:
                time.sleep(0.5)
                print(targetIP + ' ' + 'is up')
            else:
                print(targetIP + ' ' + 'is down')
        else:
            print(targetIP + ' ' + 'is down')
    except:
        pass

if __name__ == '__main__':
    try:
        main()
    except Exception as e:
        print('interrupter by user, killing all threads...')

 python通过nmap模块实现TCP主机探测

# 作者:wang
# 时间:2023/12/8 13:50
import nmap
import argparse

def main():
    usage = 'usage:python %(prog)s -i <target IP>'
    parser = argparse.ArgumentParser(usage=usage)
    parser.add_argument('-i', '--ip', dest='targetIP', required=True)

    options = parser.parse_args()

    if '_' in options.targetIP:
        for i in range(int(options.taregetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
            NmapScan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
    else:
        NmapScan(options.targetIP)

def NmapScan(ip):
    nm = nmap.PortScanner()

    try:
        result = nm.scan(hosts=ip, arguments='-sT')
        state = result['scan'][ip]['status']['state']
        print("[{}] is [{}]".format(ip, state))
    except Exception as e:
        pass

if __name__ == '__main__':
    main()

3、基于UDP的主机发现

python实现UDP主机探测

import argparse
from  random import randint
from scapy.all import *
from scapy.layers.inet import IP, UDP

def main():
    parser = argparse.ArgumentParser(usage='usage:python %(prog)s -i <target host>')
    parser.add_argument('-i', '--ip', dest='targetIP', required=True)
    options = parser.parse_args()

    if '-' in options.targetIP:
        for i in range(int(options.targetIP.split('-')[0].split('.')[3]), int(options.targetIP.split('-')[1]) + 1):
            Scan(options.targetIP.split('.')[0] + '.' + options.targetIP.split('.')[1] + '.' + options.targetIP.split('.')[2] + '.' + str(i))
    else:
        Scan(options.targetIP)

def Scan(ip):
    try:
        dport = randint(1, 65535)
        packet = IP(dst=ip)/UDP(dport=dport)
        response = sr1(packet, timeout=1, verbose=0)

        if response:
            if int(response[IP].proto) == 1:
                time.sleep(0.5)
                print(ip + ' ' + 'is up')
            else:
                print(ip + ' ' + 'is down')
        else:
            print(ip + ' ' + 'is down')
    except:
        pass


if __name__ == '__main__':
    try:
        main()
    except Exception as e:
        print('interrupter by user, killing all threads...')

python通过nmap模块实现UDP主机探测

result = nm.scan(hosts=targetIP, arguments='-PU')

4、基于ARP的主机发现

python实现ARP主机探测

import os
import re
import argparse
from scapy.all import *
from scapy.layers.inet import IP
from scapy.layers.l2 import Ether, ARP

# 获取本机IP地址和MAC地址
def HostAddress(iface):
    # os.popen执行后返回执行结果
    ipData = os.popen('ifconfig' + iface)
    # 对ipData进行类型转换,在用正则进行匹配
    dataLine = ipData.readlines()
    # re.search利用正则匹配返回第一个成功匹配的结果,存在结果则为true
    # 取MAC地址
    if re.search('\w\w:\w\w:\w\w:\w\w:\w\w:\w\w', str(dataLine)):
        # 取出匹配的结果
        MAC = re.search('\w\w:\w\w:\w\w:\w\w:\w\w:\w\w', str(dataLine)).group(0)
        # 取IP地址
    if re.search(r'((2[0-4]\d|25[0-5]|[01]?\d\d?)\.){3}(2[0-4]\d|25[0-5]|[01]?\d\d?)', str(dataLine)):
        IP = re.search(r'((2[0-4]\d|25[0-5]|[01]?\d\d?)\.){3}(2[0-4]\d|25[0-5]|[01]?\d\d?)', str(dataLine))
    addressInfo = (IP, MAC)

    return addressInfo

# ARP扫描函数
def ArpScan(iface='eth0'):
    # 通过HostAddress返回的元组取出MAC地址
    mac = HostAddress(iface)[1]
    # 取出本机IP地址
    ip = HostAddress(iface)[0]
    # 对本机IP地址进行分隔并作为依据元素,用于生成需要扫描的IP地址
    ipSplit = ip.split('.')
    # 需要扫描的IP地址列表
    ipList = []
    # 根据本机IP生成IP扫描范围
    for i in range(1, 255):
        ipItem = ipSplit[0] + '.' + ipSplit[1] + '.' + ipSplit[2] + '.' + str(i)
        ipList.append(ipItem)

    '''
        发送ARP包
        因为要用到OSI的二层和三层,所以要写成Ether/ARP.
        因为最底层用到了二层,所以要用srp()发包
    '''
    packet = Ether(src=mac, dst='FF:FF:FF:FF:FF:FF')/ARP(op=1, hwsrc=mac, hwdst='00:00:00:00:00:00', pdst=ipList, iface=iface, timeout=2, verbose=False)
    result = srp(packet)

    # 读取result中的应答包和应答包内容
    resultAns = result[0].res

    # 存活主机列表
    liveHost = []

    # number为接收到的应答总数
    number = len(resultAns)
    print("==============================")
    print('ARP 探测结果 ')
    print("本机IP地址: " + ip)
    print("本机MAC地址:" + mac)
    print("==============================")
    for x in range(number):
        IP = resultAns[x][1][1].fields['psrc']
        MAC = resultAns[x][1][1].fields['hwsrc']
        liveHost.append([IP, MAC])
        print("IP:" + IP + "\n\n" + "MAC" + MAC)
        print("===========================")
    # 把存活主机IP写入文件
    resultFile = open("result", "w")
    for i in range(len(liveHost)):
        resultFile.write(liveHost[i][0] + '\n')

    resultFile.close()

def main():
    parser = argparse.ArgumentParser(usage='usage:python %(prog)s -i interface \n'
                                           'Example: python %(prog)s -i eth0\n')

    # 添加网卡参数 -i
    parser.add_argument('-i', '--iface', dest='iface', required=True, help='interface name')
    options = parser.parse_args()

    ArpScan(options.iface)

if __name__ == '__main__':
    try:
        main()
    except Exception as e:
        print('Error...')

python通过nmap模块实现ARP扫描

result = nm.scan(hosts=targetIP, arguments='-PR')

5、端口探测

python实现端口探测

import sys
import socket
import argparse
import threading
import  queue

# 端口扫描类,集成threading.Thread
class PortScaner(threading.Thread):
    # 需要传入端口队列、目标IP,探测超时时间
    def __init__(self, portqueue, ip, timeout=3):
        threading.Thread.__init__(self)
        self._portqueue = portqueue
        self._ip = ip
        self._timeout = timeout

    def run(self):
        while True:
            # 判断端口队列是否为空
            if self._portqueue.empty():
                # 端口队列为空,说明已经扫描完毕,跳出循环
                break

            # 从端口队列取出端口,超时时间为1s
            port = self._portqueue.get(timeout=0.5)
            try:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.settimeout(self._timeout)
                result_code = s.connect_ex((self._ip, port))
                # sys.stdout.write("[%d]Scan\n" % port)
                # 若端口开放,则会返回0
                if result_code == 0:
                    sys.stdout.write("[%d] OPEN\n" % port)
            except Exception as e:
                print(e)
            finally:
                s.close()


def StartScan(targetip, port, threadNum):
    # 端口列表
    portList = []
    portNumb = port
    # 判断是单个端口还是范围端口
    if '-' in port:
        for i in range(int(port.split('-')[0]), int(port.split('-')[1]) + 1):
            portList.append(i)
    else:
        portList.append(int(port))
    # 目标IP地址
    ip = targetip
    # 线程列表
    threads = []
    # 线程数量
    threadNumber = threadNum
    # 端口队列
    portQueue = queue.Queue()
    # 生成端口,加入端口队列
    for port in portList:
        portQueue.put(port)
    for t in range(threadNumber):
        threads.append(PortScaner(portQueue, ip, timeout=3))
    # 启动线程
    for thread in threads:
        thread.start()
    # 阻塞线程
    for thread in threads:
        thread.join()

if __name__ == '__main__':
    try:
        parser = argparse.ArgumentParser()
        # 目标IP参数-i
        parser.add_argument('-i', '--ip', dest='targetIP', help='target IP', required=True)
        # 添加端口参数-p
        parser.add_argument('-p', '--port', dest='port', help='Scann port', required=True)
        # 线程数量参数-t
        parser.add_argument('-t', '--thread', dest='threadNum', default=100, help='scann thread number')
        options = parser.parse_args()
        StartScan(options.targetIP, options.port, options.threadNum)
    except:
        pass

python通过nmap模块实现端口探测

import nmap
import argparse

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--ip', dest='targetIP', required=True)
    parser.add_argument('-p', '--port', dest='PORT', default='80')

    options = parser.parse_args()
    for i in range(0, len(options.PORT.split(','))):
        NmapScan(options.targetIP, options.PORT.split(',')[i])

def NmapScan(ip, port):
    nm = nmap.PortScanner()
    try:
        result = nm.scan(hosts=ip, arguments='-p' + str(port))
        # 对结果进行切片,提取端口信息
        # 这里需要注意的是,提取信息时需要把端口转化为int型
        port_infor = result['scan'][ip]['tcp'][int(port)]
        print("[{}] :[{}]".format(port, port_infor['state']))
    except:
        pass

if __name__ == '__main__':
    try:
        main()
    except:
        pass

6、服务识别

python实现服务识别

import argparse
import socket
import re
import time

SIGNS = (
    # 协议 | 版本 | 关键字
    b'FTP|FTP|^220.*FTP',
    b'MySQL|MySQL|mysql_native_password',
    b'oracle-https|^220- ora',
    b'Telnet|Telnet|Telnet',
    b'Telnet|Telnet|^\r\n%connection closed by remote host!\x00$',
    b'VNC|VNC|^RFB',
    b'IMAP|IMAP|^\* OK.*?IMAP',
    b'POP|POP|^\+Ok.*?',
    b'SMTP|SMTP|^220.*?SMTP',
    b'Kangle|Kangle|HTTP.*kangle',
    b'SMTP|SMTP|^554 SMTP',
    b'SSH|SSH|^SSH-',
    b'HTTPS|HTTPS|Location: https',
    b'HTTP|HTTP|HTTP/1.1',
    b'HTTP|HTTP|HTTP/1.0'
)

def main():
    parser = argparse.ArgumentParser()
    # 获取IP地址参数
    parser.add_argument('-i', '--ip', dest='IP', type=str, help='specity target host',required=True)
    # 获取端口参数
    parser.add_argument('-p', '--port', dest='PORT', type=str, help='specity target port',required=True)
    options = parser.parse_args()
    ip = options.IP
    port = options.PORT
    print("Scan report for" + ip + "\n")
    for line in port.split(','):
        request(ip, line)
        time.sleep(0.2)
    print("\nScan finished!...\n")

def request(ip, port):
    response = ''
    PROBE = 'GET / HTTP/1.0\r\n\r\n'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    result = sock.connect((ip, int(port)))
    if result == 0:
        try:
            sock.sendall(PROBE.encode())
            response = sock.recv(256)
            if response:
                regex(response, port)
        except(ConnectionResetError, socket.timeout):
            pass
    else:
        pass
    sock.close()

def regex(response, port):
    text = ""
    if re.search(b'<title>502 Bad Gateway', response):
        proto = {"Service failed to access!!"}
    for pattern in SIGNS:
        pattern = pattern.split(b'|')
        if re.search(pattern[-1], response, re.IGNORECASE):
            proto = "[" + port + "]" + " open " + pattern[1].decode()
            break
        else:
            proto = "[" + port + "]" + " open " + "Unrecognized"

    print(proto)

if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        print('interrupted by user, killing all threads...')

python通过nmap模块实现服务识别

import nmap
import argparse

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--ip', dest='targetIP', required=True)
    parser.add_argument('-p', '--port', dest='PORT', default='80')

    options = parser.parse_args()
    for i in range(0, len(options.PORT.split(','))):
        NmapScan(options.targetIP, options.PORT.split(',')[i])

def NmapScan(ip, port):
    nm = nmap.PortScanner()
    try:
        # hosts为目标IP地址,argusments为Nmap的扫描参数
        # -p:对指定端口进行扫描
        # -sV:对端口进行服务程序探测
        result = nm.scan(hosts=ip, arguments='-sV -p' + str(port))
        # 对结果进行切片,提取端口信息
        # 这里需要注意的是,提取信息时需要把端口转化为int型
        port_infor = result['scan'][ip]['tcp'][int(port)]
        # 分别显示  端口号:端口状态 端口服务:端口服务程序
        print("[{}:{}] : [{}:{}]".format(port, port_infor['state'], port_infor['name'], port_infor['product']))
    except Exception as e:
        print(e)

if __name__ == '__main__':
    try:
        main()
    except:
        pass

7、系统识别

主动探测:向目标主机发送一段特定的数据包,根据目标主机对数据包做出的回应进行分析,判断目标主机中可能得操作系统。与被动探测相比,结果更加精确,但也容易触发目标安全系统的警报。

被动探测:通过工具嗅探、记录、分析数据包流。根据数据包信息来分析目标主机的操作系统。与主动探测相比不够精确,但不容易被目标主机安全系统察觉。

python通过ttl返回值判断主机操作系统

import os
import re
import argparse

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--ip', dest='targetIP', required=True)
    options = parser.parse_args()
    ip = options.targetIP
    ttl_scan(ip)

def ttl_scan(ip):
    ttlstrmatch = re.compile(r'ttl=\d+')
    ttlnummatch = re.compile(r'\d+')
    result = os.popen("ping -c 1 " + ip)
    res = result.read()
    for line in res.splitlines():
        result = ttlstrmatch.findall(line)
        if result:
            ttl = ttlnummatch.findall(result[0])
            if int(ttl[0]) <= 64:
                print("%s is Linux/UNIX" %ip)
            else:
                print("%s is Windows" %ip)
        else:
            pass

if __name__ == '__main__':
    main()

python通过nmap模块识别主机操作系统

import nmap
import argparse

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--ip', dest='targetIP', required=True)

    options = parser.parse_args()

    NmapScan(options.targetIP)

def NmapScan(ip):
    nm = nmap.PortScanner()
    try:
        result = nm.scan(hosts=ip, arguments='-O')
        os = result["scan"][ip]['osmatch'][0]['name']
        print("=" * 20)
        print("ip:{} \nos:{}".format(ip, os))
        print("=" * 20)
    except:
        pass

8、敏感目录探测

python实现基于字典的敏感目录探测

import requests

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
}

url = input("url: ")
# 输入字典
txt = input('php.txt')

url_list = []
if txt == "":
    txt = "php.txt"
try:
    with open(txt, 'r') as f:
            for a in f:
                a = a.replace('\n', '')
                url_list.append(a)
except:
    print("error! ")

for li in url_list:
    conn = "http://" + url + "/" + li

    try:
        response = requests.get(conn, headers=headers)
        print("%s----------%s" % (conn, response))
    except Exception as e:
        print('%s----------%s' % (conn, response))

  • 5
    点赞
  • 9
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值