Active Information Gathering 3
>Port scanning overview
- Ports map to network services and application-layer programs
- Vulnerabilities in server-side programs are exploited through the ports they listen on
- Discovering open ports widens the attack surface
>UDP port scanning
- Principle: send a probe to the target port and check whether an ICMP unreachable message comes back
- Port-based scanning only makes sense against live hosts. With a UDP port scan, if the target host is down, or it is up and the port is open, the target does not respond; if the port is closed, the target responds with ICMP port-unreachable
- Full UDP application-layer requests: poor accuracy
- scapy
- Port closed: ICMP port-unreachable
- Port open: no reply
root@xuer:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> response=sr1(IP(dst='192.168.10.152')/UDP(dport=53),timeout=1,verbose=1)
Begin emission:
Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
>>> response.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0xc0
len= 56
id= 47452
flags=
frag= 0L
ttl= 64
proto= icmp
chksum= 0x2a40
src= 192.168.10.152
dst= 192.168.10.128
\options\
###[ ICMP ]###
type= dest-unreach
code= host-prohibited
chksum= 0x9378
reserved= 0
length= 0
nexthopmtu= 0
###[ IP in ICMP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 1
flags=
frag= 0L
ttl= 64
proto= udp
chksum= 0xe467
src= 192.168.10.128
dst= 192.168.10.152
\options\
###[ UDP in ICMP ]###
sport= domain
dport= domain
len= 8
chksum= 0x690b
- nmap
root@xuer:~# nmap -sU 192.168.10.20 # default: top 1000 ports (ICMP host-unreachable)
root@xuer:~# nmap -sU 192.168.10.20 -p 53 # specify a port
root@xuer:~# nmap -iL iplist.txt -sU -p 1-120 # targets from a list file
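The scapy session above is worth reading closely: the reply is ICMP dest-unreach with code host-prohibited (type 3, code 10), not port-unreachable (code 3). That is a filtering device answering on the host's behalf, and nmap reports it as "filtered", not "closed"; only code 3 proves the port is closed, and silence is ambiguous ("open|filtered"). The script below is an added example (not code from these notes or from nmap/scapy) that builds the probe and the reply as raw bytes in-process, parses the reply, and applies that classification. The addresses reuse the ones in the capture; the packets are constructed here and nothing is sent on the wire.

```python
"""Interpret replies to a UDP port probe the way nmap -sU does.

Added example, not code from the original notes. All packets are constructed
in-process with struct, so the script runs offline and sends nothing.
"""
import struct
from typing import Optional, Tuple

ICMP_PROTO, UDP_PROTO = 1, 17
ICMP_DEST_UNREACH = 3
# ICMP type 3 codes that matter for UDP scanning (names as scapy prints them).
ICMP_CODE_NAMES = {1: "host-unreachable", 2: "protocol-unreachable",
                   3: "port-unreachable", 9: "net-prohibited",
                   10: "host-prohibited", 13: "communication-prohibited"}


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(proto: int, src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    def addr(ip: str) -> bytes:
        return bytes(int(octet) for octet in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, dport: int, sport: int = 53) -> bytes:
    """Constructed empty UDP datagram: the probe a UDP port scan sends (28 bytes)."""
    return ipv4_header(UDP_PROTO, src, dst, 8) + struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_unreachable_reply(probe: bytes, code: int) -> bytes:
    """Constructed ICMP type 3 reply quoting the probe's IP+UDP headers (56 bytes total)."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # The reply travels from the probed host (probe dst) back to the scanner (probe src).
    reply_src = ".".join(map(str, probe[16:20]))
    reply_dst = ".".join(map(str, probe[12:16]))
    return ipv4_header(ICMP_PROTO, reply_src, reply_dst, len(icmp)) + icmp


def parse_reply(pkt: bytes) -> Tuple[int, Optional[int], Optional[int]]:
    """Return (ip_proto, icmp_type, icmp_code); the ICMP fields are None for non-ICMP packets."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated IPv4 header")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = pkt[9]
    if proto != ICMP_PROTO:
        return proto, None, None
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ICMP header")
    return proto, pkt[ihl], pkt[ihl + 1]


def classify_udp_port(reply: Optional[bytes]) -> str:
    """nmap -sU state logic: silence is ambiguous, only port-unreachable proves 'closed'."""
    if reply is None:
        return "open|filtered"      # no answer: open service, or a filter dropped the probe
    proto, icmp_type, icmp_code = parse_reply(reply)
    if proto == UDP_PROTO:
        return "open"               # the service itself answered
    if proto == ICMP_PROTO and icmp_type == ICMP_DEST_UNREACH:
        if icmp_code == 3:
            return "closed"         # port-unreachable: host reachable, nothing listening
        if icmp_code in (1, 2, 9, 10, 13):
            return "filtered"       # prohibited/unreachable: a filter answered, not the port
    return "unknown"


if __name__ == "__main__":
    probe = udp_probe("192.168.10.128", "192.168.10.152", 53)
    for code in (3, 10):
        reply = icmp_unreachable_reply(probe, code)
        print(f"{ICMP_CODE_NAMES[code]:24s} -> {classify_udp_port(reply)}")
    print(f"{'no reply':24s} -> {classify_udp_port(None)}")
```

Running it prints port-unreachable -> closed, host-prohibited -> filtered, and no reply -> open|filtered, which is why a UDP scan alone cannot distinguish an open port from a firewall that silently drops probes; that ambiguity, plus ICMP rate limiting on most hosts, is the main reason UDP scans are slow and imprecise.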
>TCP port scanning
- Connection-oriented protocol, three-way handshake
- Stealth scan: SYN scan (not recorded in application logs)
- Finding zombie hosts: