Active Information Gathering 1 (Layer 2 Discovery)
>Active information gathering
1. Characteristics: you communicate directly with the target system, so leaving traces cannot be avoided
2. Ways to deal with this
- Probe from a controlled third-party machine, e.g. through a proxy or an already-controlled host
- Use noise to confuse the target and drown the real probe traffic
- Be prepared to get blocked
3. Scanning: send different probes and judge the target's state from what comes back
4. Discovery
- Identify live hosts (potential targets)
- Output the result (a list of IP addresses)
- Following the OSI layers, host discovery can be done at layer 2, 3 or 4
>Layer 2 host discovery
- Principle: use ARP; broadcast on the local segment and check whether a reply comes back (or simply capture the traffic and look). A reply proves the host is alive
- Advantages: fast and reliable
- Disadvantages: only finds hosts on the same segment, because ARP is not routable
>arping
- Scan a single IP address
arping
arping 192.168.10.148
arping 192.168.10.148 -c 2
arping 192.168.10.148 -w 5
arping -c 1 192.168.10.148 | grep 'reply from' | cut -d ' ' -f 4
root@xuer:~# arping #arping usage
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don't go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use
-s source : source ip address
destination : ask for what ip address
root@xuer:~# arping 192.168.10.148 #keeps pinging continuously; stop it manually (Ctrl-C)
ARPING 192.168.10.148 from 192.168.10.128 eth0
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.004ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.207ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.056ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.151ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.236ms
^CSent 5 prob
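As an added example (not part of the original notes, and not arping's own code), the following Python script does what the grep/cut one-liner above does, but over the complete arping output: it pulls the IP, MAC and round-trip time out of every reply line, deduplicates the host list, reads the "Sent N probes" / "Received N response(s)" summary, and flags any IP that was answered by more than one MAC address, which is the condition arping's -D (duplicate address detection) mode is meant to catch. The sample output is constructed from the session above plus one extra reply with a made-up second MAC (00:0C:29:AA:BB:CC) so the duplicate check has something to find; the reply-line format is iputils arping's, as printed in the session.

```python
import re
from collections import defaultdict

# Reply line as printed by iputils arping, e.g.
# "Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.004ms"
REPLY_RE = re.compile(
    r"^(?P<kind>Unicast|Broadcast) reply from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]\s+(?P<rtt>[\d.]+)ms$"
)
# Summary lines; a leading "^C" appears when the session was stopped with Ctrl-C
SENT_RE = re.compile(r"^(?:\^C)?Sent (?P<n>\d+) probe")
RECV_RE = re.compile(r"^Received (?P<n>\d+) response")

# Constructed sample: the session above, plus one reply from a second
# (made-up) MAC for the same IP to exercise the duplicate-address check.
SAMPLE_OUTPUT = """\
ARPING 192.168.10.148 from 192.168.10.128 eth0
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.004ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.207ms
Unicast reply from 192.168.10.148 [00:0c:29:45:55:d4] 1.056ms
Unicast reply from 192.168.10.148 [00:0C:29:AA:BB:CC] 1.151ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.236ms
^CSent 5 probes (1 broadcast(s))
Received 5 response(s)
"""

# Constructed sample with a single consistent MAC (the normal case).
CLEAN_OUTPUT = """\
ARPING 192.168.10.148 from 192.168.10.128 eth0
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.004ms
Unicast reply from 192.168.10.148 [00:0C:29:45:55:D4] 1.207ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)
"""


def parse_arping(output):
    """Parse arping text output into
    {"hosts": {ip: {"macs": set, "rtts_ms": [float, ...]}},
     "sent": int | None, "received": int | None}."""
    hosts = defaultdict(lambda: {"macs": set(), "rtts_ms": []})
    sent = received = None
    for raw in output.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            host = hosts[m["ip"]]
            host["macs"].add(m["mac"].upper())  # normalise case for comparison
            host["rtts_ms"].append(float(m["rtt"]))
            continue
        m = SENT_RE.match(line)
        if m:
            sent = int(m["n"])
            continue
        m = RECV_RE.match(line)
        if m:
            received = int(m["n"])
    return {"hosts": dict(hosts), "sent": sent, "received": received}


def live_hosts(parsed):
    """Deduplicated IP list, sorted numerically by octet (the grep/cut result)."""
    return sorted(parsed["hosts"],
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def duplicate_mac_ips(parsed):
    """IPs that more than one MAC answered for: a duplicate address or an
    ARP conflict worth investigating (what arping -D looks for)."""
    return sorted(ip for ip, h in parsed["hosts"].items() if len(h["macs"]) > 1)


def mean_rtt_ms(parsed, ip):
    """Average round-trip time of the replies seen from one IP."""
    rtts = parsed["hosts"][ip]["rtts_ms"]
    return round(sum(rtts) / len(rtts), 3)


if __name__ == "__main__":
    parsed = parse_arping(SAMPLE_OUTPUT)
    print("live hosts:", live_hosts(parsed))
    print("probes sent/received:", parsed["sent"], parsed["received"])
    for ip in live_hosts(parsed):
        print(ip, sorted(parsed["hosts"][ip]["macs"]), mean_rtt_ms(parsed, ip), "ms")
    print("IPs with conflicting MACs:", duplicate_mac_ips(parsed))
```

To use it on a real run, pipe the command into the script (for example `arping -c 3 192.168.10.148 | python3 parse_arping.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`); since the regex keys on the reply-line format rather than on a field position, it keeps working when arping prints a longer gap before the timing value, where `cut -d ' ' -f 4` would still be fine but a later field index would not.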