Active Information Gathering
I. Introduction to active information gathering
1. Active information gathering
Collecting information by interacting directly with the target system or host, using built-in OS commands or other tools. Because the probes reach the target, they can be logged and detected; that is what separates this from passive gathering.
2. Things to keep in mind
Probe from a controlled third-party machine
Go through a proxy or a host you already control
Be prepared to get blocked
Use noise to confuse the target and hide the real probe traffic
Send different kinds of probes and judge the target's state from the responses
3. The discovery process
1. Identify live target systems or hosts (potential attack targets).
2. Following the OSI model, host discovery is done mainly at layer 2 (data link), layer 3 (network) and layer 4 (transport).
3. Output the discovery results.
II. Active information gathering techniques
The environment used here is a virtual machine running kali-linux-2018-W25-amd64.
1. Layer 2 discovery
Principle: use ARP, broadcast on the local segment and check whether replies come back (or simply sniff the ARP traffic).
Advantage: fast
Disadvantage: only reaches the local network segment, since ARP is not routed
①arping
arping gives a quick answer on whether a target host is up and returns its MAC address.
Help: arping --help
root@yanxiao:~# arping --help
arping: invalid option -- '-'
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don't go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use
-s source : source ip address
destination : ask for what ip address
Scan:
Command: arping <target IP> -c <count>
root@yanxiao:~# arping 192.168.181.128 -c 1
ARPING 192.168.181.128 from 192.168.181.129 eth0
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 1.175ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Command: arping <target IP> -w <timeout in seconds> (without -c arping keeps sending one request per second until the timeout; note that only the first probe is a broadcast, after the first reply it switches to unicast unless -b is given)
root@yanxiao:~# arping 192.168.181.128 -w 5
ARPING 192.168.181.128 from 192.168.181.129 eth0
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 0.795ms
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 0.848ms
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 0.829ms
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 1.092ms
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 2.141ms
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 0.782ms
Sent 6 probes (1 broadcast(s))
Received 6 response(s)
The arping output can also be filtered to extract the target's MAC address, which is handy in scripts:
Command: arping <target IP> -c <count> | grep '<keyword>' | cut -d'<delimiter>' -f<field number>
One cut may not isolate the field on its own, so cut more than once:
root@yanxiao:~# arping 192.168.181.128 -c 1
ARPING 192.168.181.128 from 192.168.181.129 eth0
Unicast reply from 192.168.181.128 [00:0C:29:A9:7F:90] 1.175ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
root@yanxiao:~# arping 192.168.181.128 -c 1 | grep 'reply from' | cut -d'[' -f2 | cut -d']' -f1
00:0C:29:A9:7F:90
②nmap
Help: nmap --help
root@yanxiao:~# nmap --help
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Scan a network range:
Command: nmap <target range> -sn
(-sn does host discovery only, no port scan. Run as root on the local Ethernet segment it uses ARP requests, which is why every host in the output carries a MAC address; the entry with no latency and no MAC, 192.168.181.129, is the scanning machine itself. For hosts beyond a router it falls back to an ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.)
root@yanxiao:~# nmap 192.168.181.1-254 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-27 15:44 CST
Nmap scan report for bogon (192.168.181.1)
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.181.2)
Host is up (0.00027s latency).
MAC Address: 00:50:56:E7:8F:2A (VMware)
Nmap scan report for bogon (192.168.181.128)
Host is up (0.00015s latency).
MAC Address: 00:0C:29:A9:7F:90 (VMware)
Nmap scan report for bogon (192.168.181.254)
Host is up (0.00036s latency).
MAC Address: 00:50:56:F1:23:41 (VMware)
Nmap scan report for bogon (192.168.181.129)
Host is up.
Nmap done: 254 IP addresses (5 hosts up) scanned in 2.09 seconds
Scan the IPs listed in a file:
Command: nmap -iL <file> -sn
root@yanxiao:~# cat iplist.txt
192.168.181.128
192.168.181.129
root@yanxiao:~# nmap -iL iplist.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-27 15:48 CST
Nmap scan report for bogon (192.168.181.128)
Host is up (0.00043s latency).
MAC Address: 00:0C:29:A9:7F:90 (VMware)
Nmap scan report for bogon (192.168.181.129)
Host is up.
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.03 seconds
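Scripts that feed the discovered hosts into later stages need the nmap output as data rather than text. The following is an added example, not part of the original post: a parser for the normal nmap -sn output shown above, with the sample input constructed from that output. For anything beyond a quick script, ask nmap for -oG or -oX output instead, which are the formats meant for machines.

```python
"""Parse the normal output of an nmap -sn host discovery run into records.

Added example, not from the original tutorial. The sample text below is
constructed from the output shown on this page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the nmap -sn output shown above, abbreviated.
SAMPLE_NMAP_SN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-27 15:44 CST
Nmap scan report for bogon (192.168.181.1)
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.181.128)
Host is up (0.00015s latency).
MAC Address: 00:0C:29:A9:7F:90 (VMware)
Nmap scan report for bogon (192.168.181.129)
Host is up.
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.09 seconds
"""


@dataclass
class Host:
    ip: str
    hostname: Optional[str]
    latency_s: Optional[float]   # None for the scanning host itself
    mac: Optional[str]           # only present for hosts answered over ARP
    vendor: Optional[str]


# "Nmap scan report for bogon (192.168.181.1)" or "Nmap scan report for 192.168.181.1"
_REPORT = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
_UP = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
_MAC = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$")


def parse_nmap_sn(text: str) -> List[Host]:
    """Walk the output line by line; each 'scan report' line starts a new host."""
    hosts: List[Host] = []
    cur: Optional[Host] = None
    for line in text.splitlines():
        line = line.strip()
        m = _REPORT.match(line)
        if m:
            cur = Host(ip=m["ip"], hostname=m["name"], latency_s=None, mac=None, vendor=None)
            hosts.append(cur)
            continue
        if cur is None:          # banner / "Nmap done" lines before the first host
            continue
        m = _UP.match(line)
        if m:
            cur.latency_s = float(m["lat"]) if m["lat"] else None
            continue
        m = _MAC.match(line)
        if m:
            cur.mac = m["mac"].lower()
            cur.vendor = m["vendor"]
    return hosts


def arp_discovered(hosts: List[Host]) -> List[Host]:
    """Hosts with a MAC address were answered over ARP, i.e. they sit on the local segment."""
    return [h for h in hosts if h.mac is not None]


if __name__ == "__main__":
    for h in parse_nmap_sn(SAMPLE_NMAP_SN):
        print(f"{h.ip:16} {h.mac or '-':18} {h.vendor or ''}")
```

The hosts without a MAC address are the ones nmap could not reach over ARP; in a local-segment scan that is normally just the scanner itself.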
③netdiscover
The display refreshes automatically as hosts are found
Purpose-built layer-2 (ARP) discovery tool
Meant for wireless and switched networks; it has an active and a passive mode (active ARP sweeps are easy to alert on)
Active scan of a network range:
Command: netdiscover -i <interface> -r <range>
root@yanxiao:~# netdiscover -i eth0 -r 192.168.181.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.181.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.181.2 00:50:56:e7:8f:2a 1 60 VMware, Inc.
192.168.181.128 00:0c:29:a9:7f:90 1 60 VMware, Inc.
192.168.181.254 00:50:56:f1:23:41 1 60 VMware, Inc.
Active scan of the ranges listed in a file:
Command: netdiscover -l <file>
root@yanxiao:~# netdiscover -l iplist.txt
Currently scanning: Finished! | Screen View: Unique Hosts
8 Captured ARP Req/Rep packets, from 4 hosts. Total size: 480
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.181.1 00:50:56:c0:00:08 2 120 VMware, Inc.
192.168.181.2 00:50:56:e7:8f:2a 2 120 VMware, Inc.
192.168.181.128 00:0c:29:a9:7f:90 2 120 VMware, Inc.
192.168.181.254 00:50:56:f1:23:41 2 120 VMware, Inc.
Passive scan:
Command: netdiscover -p
root@yanxiao:~# netdiscover -p
Currently scanning: (passive) | Screen View: Unique Hosts
1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 60
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.181.128 00:0c:29:a9:7f:90 1 60 VMware, Inc.
Passive mode only listens: it reports hosts whose ARP traffic reaches this machine, so in a lab (a VM environment) another machine has to talk to this host before anything appears.
④scapy (ARP)
Usable as a Python library
Also usable as a standalone interactive tool
Sniffs, modifies, crafts and injects network traffic
Here we use scapy's ARP layer.
It is worth running wireshark alongside to capture and analyse the traffic.
First start scapy:
Command: scapy
root@yanxiao:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy
Version 2.4.0
https://github.com/secdev/scapy
using IPython 5.5.0
>>>
View the contents of an ARP packet:
Command: ARP().display()
>>> ARP().display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:2e:e3:bd
psrc= 192.168.181.129
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
Since this is a Python environment, assign ARP() to a variable to simplify the following steps.
>>> a=ARP()
>>> a.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:2e:e3:bd
psrc= 192.168.181.129
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
Modify the packet:
>>> a.pdst='192.168.181.128'
>>> a.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:2e:e3:bd
psrc= 192.168.181.129
hwdst= 00:00:00:00:00:00
pdst= 192.168.181.128
Send the packet, capturing with wireshark at the same time:
>>> sr1(a)
Begin emission:
*Finished sending 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:a9:7f:90 psrc=192.168.181.128 hwdst=00:0c:29:2e:e3:bd pdst=192.168.181.129 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
The \x00 bytes are Padding: an Ethernet frame must carry at least 46 bytes of payload, and the 28-byte ARP message is padded up to that by the sender's stack.
The line "Received 1 packets, got 1 answers, remaining 0 packets" shows the target host is up, and the is-at reply carries its MAC address (hwsrc=00:0c:29:a9:7f:90).
Wireshark capture (screenshot omitted)
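To make clear what the ARP() layer above is doing, here is an added example (my own code, not scapy's and not from the original post) that packs the same who-has request by hand and parses the is-at reply. The addresses are the lab values from this page, and the interface name in the __main__ part is an assumption. Sending needs a raw AF_PACKET socket and root, so that part only runs when the script is executed directly.

```python
"""Build and parse ARP packets by hand: the fields, in the same order, that
ARP().display() printed above. Added example, not from the original tutorial.
"""
import socket
import struct

HW_ETHERNET = 1          # hwtype= 0x1
PROTO_IPV4 = 0x0800      # ptype= 0x800
OP_WHO_HAS = 1           # op= who-has
OP_IS_AT = 2             # op= is-at
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
_ARP_FMT = "!HHBBH6s4s6s4s"   # hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, hwsrc: str, psrc: str, hwdst: str, pdst: str) -> bytes:
    """28-byte ARP message."""
    return struct.pack(_ARP_FMT, HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       mac_to_bytes(hwsrc), socket.inet_aton(psrc),
                       mac_to_bytes(hwdst), socket.inet_aton(pdst))


def build_frame(dst_mac: str, src_mac: str, arp: bytes) -> bytes:
    """Ethernet II header + ARP, padded to the 60-byte minimum (FCS excluded)."""
    frame = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp
    return frame.ljust(60, b"\x00")   # the \x00 Padding scapy showed on the reply


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying ARP; raise ValueError if it is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst = struct.unpack(_ARP_FMT, frame[14:42])
    if (hwtype, ptype, hwlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": {OP_WHO_HAS: "who-has", OP_IS_AT: "is-at"}.get(op, op),
            "hwsrc": bytes_to_mac(hwsrc), "psrc": socket.inet_ntoa(psrc),
            "hwdst": bytes_to_mac(hwdst), "pdst": socket.inet_ntoa(pdst)}


def who_has(my_mac: str, my_ip: str, target_ip: str) -> bytes:
    """Broadcast request 'who has target_ip? tell my_ip', what sr1(a) sent above."""
    return build_frame(BROADCAST, my_mac, build_arp(OP_WHO_HAS, my_mac, my_ip, ZERO_MAC, target_ip))


def host_mac_from_reply(frame: bytes, target_ip: str):
    """Return the target's MAC if the frame is an is-at reply for target_ip, else None."""
    try:
        arp = parse_arp(frame)
    except ValueError:
        return None
    if arp["op"] == "is-at" and arp["psrc"] == target_ip:
        return arp["hwsrc"]
    return None


if __name__ == "__main__":
    # Needs Linux and root. The interface and addresses are lab assumptions.
    import sys
    iface, my_mac, my_ip, target = "eth0", "00:0c:29:2e:e3:bd", "192.168.181.129", "192.168.181.128"
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETHERTYPE_ARP))
    s.bind((iface, 0))
    s.settimeout(2)
    s.send(who_has(my_mac, my_ip, target))
    try:
        while True:
            mac = host_mac_from_reply(s.recv(65535), target)
            if mac:
                print(f"{target} is at {mac}")
                break
    except socket.timeout:
        print(f"{target}: no ARP reply (host down, or not on this segment)")
        sys.exit(1)
```

The reply filter checks both the opcode and the sender IP, so a stray ARP request or an unrelated reply on the wire is not mistaken for the answer.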
2. Layer 3 discovery
Principle: IP and ICMP
Advantage: routable, so it reaches beyond the local segment, unlike layer 2
Disadvantage: slower than layer 2, and ICMP is frequently filtered, so no reply does not prove the host is down
①ping
Help: ping --help
root@yanxiao:~# ping --help
ping: invalid option -- '-'
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
[-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
[-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
[-w deadline] [-W timeout] [hop1 ...] destination
Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
[-l preload] [-m mark] [-M pmtudisc_option]
[-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
[-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
[-W timeout] destination
Common discovery command:
Command: ping <target host> -c <count>
root@yanxiao:~# ping 192.168.181.128 -c 4
PING 192.168.181.128 (192.168.181.128) 56(84) bytes of data.
64 bytes from 192.168.181.128: icmp_seq=1 ttl=64 time=0.616 ms
64 bytes from 192.168.181.128: icmp_seq=2 ttl=64 time=0.497 ms
64 bytes from 192.168.181.128: icmp_seq=3 ttl=64 time=0.433 ms
64 bytes from 192.168.181.128: icmp_seq=4 ttl=64 time=0.568 ms
--- 192.168.181.128 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3055ms
rtt min/avg/max/mdev = 0.433/0.528/0.616/0.073 ms
②traceroute
Shows the IP address of each router a packet passes through on its way to the target.
Help: traceroute --help
Common usage: traceroute <target hostname>
root@yanxiao:~# traceroute www.baidu.com
traceroute to www.baidu.com (61.135.169.121), 30 hops max, 60 byte packets
1 bogon (192.168.181.2) 14.915 ms 14.882 ms 14.844 ms
2 * * *
3 * * *
4 * * *
5 * * *
* * * means no reply arrived within the timeout for that hop. The Linux traceroute sends UDP probes by default; when those are dropped, the ICMP (-I) or TCP SYN (-T) modes often get through where UDP does not.
③Building an ICMP packet by stacking layers: IP()/ICMP()
Using scapy:
root@yanxiao:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy
Version 2.4.0
https://github.com/secdev/scapy
using IPython 5.5.0
>>>
View the IP layer and the ICMP layer separately:
>>> IP().display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
>>> ICMP().display()
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
>>> ip=IP()
>>> icmp=ICMP()
Set the packet fields (once ICMP is stacked on top, scapy fills proto=icmp in the IP header automatically):
>>> ip.dst='192.168.181.130'
>>> ip.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 192.168.181.129
dst= 192.168.181.130
\options\
>>> (ip/icmp).display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 192.168.181.129
dst= 192.168.181.130
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
Send:
>>> ping=sr1(ip/icmp)
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> ping.display()
###[ IP ]###
version= 4
ihl= 5
tos= 0x0
len= 28
id= 54941
flags=
frag= 0
ttl= 64
proto= icmp
chksum= 0xb7ee
src= 192.168.181.130
dst= 192.168.181.129
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Wireshark capture (screenshot omitted)
Send to an address that does not exist:
>>> ip.dst='192.168.181.131'
>>> ip.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 192.168.181.129
dst= 192.168.181.131
\options\
>>> ping=sr1(ip/icmp)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
.Finished sending 1 packets.
..........
Capture analysis (screenshot omitted): only the request appears, there is no reply. The warning "Mac address to reach destination not found. Using broadcast." means ARP resolution for 192.168.181.131 failed, so scapy sent the echo request to the broadcast MAC and nothing answered.
④fping
fping a single host:
Command: fping <host IP>
root@yanxiao:~# fping 192.168.181.130
192.168.181.130 is alive    # the target host is up
root@yanxiao:~# fping 192.168.181.131
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.131
192.168.181.131 is unreachable    # the target is unreachable; the Host Unreachable comes from the scanner's own address because ARP for .131 got no answer
fping a network range:
Command: fping -g <range>
root@yanxiao:~# fping -g 192.168.181.0/24
192.168.181.2 is alive
192.168.181.129 is alive
192.168.181.130 is alive
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.5
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.5
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.4
192.168.181.1 is unreachable
192.168.181.3 is unreachable
192.168.181.4 is unreachable
192.168.181.5 is unreachable
192.168.181.6 is unreachable
192.168.181.7 is unreachable
......
fping the IPs listed in a file:
Command: fping -f <file>
root@yanxiao:~# fping -f iplist.txt
192.168.181.129 is alive
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.128
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.128
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.128
ICMP Host Unreachable from 192.168.181.129 for ICMP Echo sent to 192.168.181.128
192.168.181.128 is unreachable
root@yanxiao:~# cat iplist.txt
192.168.181.128
192.168.181.129
⑤hping3
hping3 can send almost any TCP/IP packet;
it is powerful, but each run scans a single target.
Send ICMP packets with hping3:
Command: hping3 <IP> --icmp -c 2, where --icmp selects the packet type and -c the number of packets
root@yanxiao:~# hping3 192.168.181.130 --icmp -c 2
HPING 192.168.181.130 (eth0 192.168.181.130): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.181.130 ttl=64 id=20907 icmp_seq=0 rtt=7.8 ms
len=46 ip=192.168.181.130 ttl=64 id=20989 icmp_seq=1 rtt=6.8 ms
--- 192.168.181.130 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 6.8/7.3/7.8 ms
Capture analysis (screenshots of the sent and received packets omitted)
3. Layer 4 discovery
Principle: TCP and UDP
Advantages:
Routable and reliable
Less likely to be dropped by firewalls than ICMP
Disadvantages:
Stateful firewalls may filter the probes
Scanning every port is slow
①Sending TCP/UDP packets with scapy
TCP packets:
1. Send ACK, receive RST
###Start scapy as before
>>> ip=IP()
>>> tcp=TCP()
###View packet contents (scapy's TCP defaults are sport=20 ftp_data, dport=80 http, flags=S)
>>> ip.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
>>> tcp.display()
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= []
###Set packet fields
>>> ip.dst='192.168.181.130'
>>> tcp.flags='A'
###Send
>>> response=sr1(ip/tcp)
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
###Received packet
>>> response.display()
###[ IP ]###
version= 4
ihl= 5
tos= 0x0
len= 40
id= 31468
flags= DF
frag= 0
ttl= 64
proto= tcp
chksum= 0xd38e
src= 192.168.181.130
dst= 192.168.181.129
\options\
###[ TCP ]###
sport= http
dport= ftp_data
seq= 0
ack= 0
dataofs= 5
reserved= 0
flags= R
window= 0
chksum= 0xc327
urgptr= 0
options= []
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00'
Capture analysis (screenshots of the sent and received packets omitted)
ACK → RST
The wireshark capture shows a TCP ACK sent from 192.168.181.129 port 20 to 192.168.181.130 port 80; on receiving it the target replied with a TCP RST. A host answers an unsolicited ACK with RST whether the port is open or closed, so the RST says only that the host is up; that is exactly what makes ACK probes useful for discovery through stateless packet filters.
2. Send SYN, receive RST/ACK
###Send
>>> response1=sr1(IP(dst='192.168.181.130')/TCP(flags='S'))
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
###Received packet
>>> response1.display()
###[ IP ]###
version= 4
ihl= 5
tos= 0x0
len= 40
id= 14452
flags= DF
frag= 0
ttl= 64
proto= tcp
chksum= 0x1607
src= 192.168.181.130
dst= 192.168.181.129
\options\
###[ TCP ]###
sport= http
dport= ftp_data
seq= 0
ack= 1
dataofs= 5
reserved= 0
flags= RA
window= 0
chksum= 0xc316
urgptr= 0
options= []
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00'
Capture analysis (screenshots of the sent and received packets omitted)
SYN → RST/ACK
The capture shows a TCP SYN from 192.168.181.129 port 20 to 192.168.181.130 port 80; the target answered the SYN with a RST/ACK back to port 20. RST/ACK means port 80 is closed (an open port would have answered SYN/ACK); either reply proves the host is up.
UDP packets:
Send to a port that is not open on the target:
###Start scapy as before
>>> UDP().display()
###[ UDP ]###
sport= domain
dport= domain
len= None
chksum= None
>>> IP().display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
>>> ip=IP()
>>> udp=UDP()
###Set packet fields
>>> ip.dst='192.168.181.130'
>>> udp.dport=3333
>>> r=(ip/udp)
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= udp
chksum= None
src= 192.168.181.129
dst= 192.168.181.130
\options\
###[ UDP ]###
sport= domain
dport= 3333
len= None
chksum= None
###Send
>>> response=sr1(r,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
###Received packet
>>> response.display()
###[ IP ]###
version= 4
ihl= 5
tos= 0xc0
len= 56
id= 14090
flags=
frag= 0
ttl= 64
proto= icmp
chksum= 0x56a6
src= 192.168.181.130
dst= 192.168.181.129
\options\
###[ ICMP ]###
type= dest-unreach
code= port-unreachable
chksum= 0xe96b
reserved= 0
length= 0
nexthopmtu= 0
###[ IP in ICMP ]###
version= 4
ihl= 5
tos= 0x0
len= 28
id= 1
flags=
frag= 0
ttl= 64
proto= udp
chksum= 0x8e7b
src= 192.168.181.129
dst= 192.168.181.130
\options\
###[ UDP in ICMP ]###
sport= domain
dport= 3333
len= 8
chksum= 0x64f
Capture analysis (screenshot omitted): a UDP datagram sent to a closed port draws an ICMP destination-unreachable (port-unreachable) reply, and scapy shows the original IP and UDP headers quoted inside it.
Send to an open port:
On host 192.168.181.130:
###Open a UDP listener with nc
root@yanxiao:~# nc -ulp 25500
UDP port 25500 is now listening.
###Build the UDP packet (back on the scanning host)
>>> r1=(IP(dst='192.168.181.130')/UDP(dport=25500))
>>> r1.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= udp
chksum= None
src= 192.168.181.129
dst= 192.168.181.130
\options\
###[ UDP ]###
sport= domain
dport= 25500
len= None
chksum= None
###Send
>>> response=sr1(r1,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.
Received 1 packets, got 0 answers, remaining 1 packets
Capture analysis (screenshot omitted): only the UDP datagram to port 25500 on 192.168.181.130 appears; nothing comes back. Silence from a UDP port means open or filtered, and the two cannot be told apart without an application-layer probe the service will answer; this is why nmap reports such ports as open|filtered.
②Sending TCP/UDP packets with hping3
Send UDP packets with hping3:
Command: hping3 <IP> --udp -c 2
root@yanxiao:~# hping3 192.168.181.130 --udp -c 2
HPING 192.168.181.130 (eth0 192.168.181.130): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.181.130 name=UNKNOWN
status=0 port=1289 seq=0
ICMP Port Unreachable from ip=192.168.181.130 name=UNKNOWN
status=0 port=1290 seq=1
--- 192.168.181.130 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 5.3/35.8/66.3 ms
Capture analysis (screenshot omitted): both datagrams went to a closed port, so each drew an ICMP port-unreachable, which hping3 counts as a received packet; the host is up even though the port is closed.
hping3 sends TCP by default:
Command: hping3 <IP> -c 2 (with no flag option the probe is a TCP packet with no flags set, to port 0; the RST/ACK replies show the host is up)
root@yanxiao:~# hping3 192.168.181.130 -c 2
HPING 192.168.181.130 (eth0 192.168.181.130): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.181.130 ttl=64 DF id=61290 sport=0 flags=RA seq=0 win=0 rtt=7.9 ms
len=46 ip=192.168.181.130 ttl=64 DF id=61324 sport=0 flags=RA seq=1 win=0 rtt=7.8 ms
--- 192.168.181.130 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.8/7.8/7.9 ms
Capture analysis (screenshots of the sent and received packets omitted)
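The probe/response pairs in the scapy and hping3 exchanges above form a small decision table. The added example below (my code, not from the original post) writes that table down and pairs it with the two probes that work without root: a TCP connect probe, which is what nmap -sT does, and a UDP probe that reads the ICMP port-unreachable the kernel reports as ECONNREFUSED. The loopback listener is a constructed stand-in for the lab target; raw SYN/ACK probes need root and scapy and are not sent here.

```python
"""Layer-4 discovery logic and unprivileged probes. Added example, not from the tutorial."""
import errno
import socket
import threading
from typing import Optional


def classify_tcp(sent_flags: str, reply_flags: Optional[str]) -> str:
    """Interpret the reply to one TCP probe (flags as letters: S, A, R, ...).

    sent S: SA -> open, RA -> closed, nothing -> filtered
    sent A: R  -> host up (RST comes back for open and closed ports alike), nothing -> filtered
    """
    flags = set(reply_flags or "")
    if sent_flags == "S":
        if {"S", "A"} <= flags:
            return "open"
        return "closed" if "R" in flags else "filtered"
    if sent_flags == "A":
        return "host up" if "R" in flags else "filtered"
    raise ValueError(f"no rule for probe flags {sent_flags!r}")


def classify_udp(reply: Optional[str]) -> str:
    """ICMP port-unreachable -> closed (host up); UDP data -> open; silence -> open|filtered."""
    if reply is None:
        return "open|filtered"
    if reply == "icmp-port-unreachable":
        return "closed"
    if reply == "udp":
        return "open"
    return "filtered"            # other ICMP unreachables (admin prohibited, etc.)


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Full handshake like nmap -sT; the target application will see and may log it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:     # the kernel turned the RST/ACK into this errno
        return "closed"
    return "filtered"                # timeout / unreachable: nothing came back


def udp_probe(host: str, port: int, timeout: float = 1.0, payload: bytes = b"\x00") -> str:
    """One datagram on a connected UDP socket; ICMP port-unreachable surfaces as ECONNREFUSED."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return classify_udp("udp")
        except ConnectionRefusedError:
            return classify_udp("icmp-port-unreachable")
        except socket.timeout:
            return classify_udp(None)


def start_local_tcp_listener() -> int:
    """Constructed lab target: accept-and-close service on 127.0.0.1, returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_tcp_port() -> int:
    """Bind-and-release to find a port that is currently closed on loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port, closed_port = start_local_tcp_listener(), free_tcp_port()
    print(f"127.0.0.1:{open_port}/tcp   ->", tcp_connect_probe("127.0.0.1", open_port))
    print(f"127.0.0.1:{closed_port}/tcp   ->", tcp_connect_probe("127.0.0.1", closed_port))
    print(f"127.0.0.1:{closed_port}/udp   ->", udp_probe("127.0.0.1", closed_port))
```

The connect probe is the noisy option: unlike the SYN probe, the handshake completes, so the service's accept() returns and whatever it logs, it logs. The UDP probe inherits the ambiguity described above; "open|filtered" is the honest answer when nothing comes back.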
③Nmap
| Option | Function |
|---|---|
| -sP | Ping scan (old alias of -sn) |
| -P0 | No ping: skip host discovery (old alias of -Pn) |
| -PS | TCP SYN ping |
| -PA | TCP ACK ping |
| -PU | UDP ping |
| -PE / -PP / -PM | ICMP echo / timestamp / netmask ping |
| -PR | ARP ping |
| -n | No reverse DNS resolution |
| -R | Always do reverse DNS resolution |
| --system-dns | Use the system resolver |
| -sL | List scan (lists targets only, sends nothing) |
| -6 | Scan IPv6 addresses |
| --traceroute | Trace the route to each host |
| -PY | SCTP INIT ping |
UDP ping scan:
Command: nmap <IP or range> -PU<port> -sn
(On the local Ethernet segment nmap still discovers hosts with ARP whatever -P option is given, as the MAC addresses in the output show; add --send-ip to force the UDP probe itself. Across a router a closed UDP port answers with ICMP port-unreachable while an open one is usually silent, so -PU works best against a port that is likely closed.)
root@yanxiao:~# nmap 192.168.181.1-254 -PU53 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 10:38 CST
Nmap scan report for 192.168.181.1
Host is up (0.000089s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.181.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:E7:8F:2A (VMware)
Nmap scan report for 192.168.181.130
Host is up (0.00023s latency).
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap scan report for 192.168.181.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:F9:D6:F4 (VMware)
Nmap scan report for 192.168.181.137
Host is up.
Nmap done: 254 IP addresses (5 hosts up) scanned in 1.81 seconds
TCP ACK ping scan:
Command: nmap <IP or range> -PA<port> -sn
root@yanxiao:~# nmap 192.168.181.1-254 -PA80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 10:42 CST
Nmap scan report for 192.168.181.1
Host is up (0.00032s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.181.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:E7:8F:2A (VMware)
Nmap scan report for 192.168.181.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap scan report for 192.168.181.254
Host is up (0.00021s latency).
MAC Address: 00:50:56:F9:D6:F4 (VMware)
Nmap scan report for 192.168.181.137
Host is up.
Nmap done: 254 IP addresses (5 hosts up) scanned in 2.11 seconds
TCP ACK ping scan of the IPs listed in a file:
Command: nmap -iL <file> -PA80 -sn
root@yanxiao:~# nmap -iL iplist.txt -PA80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 10:58 CST
Nmap scan report for 192.168.181.130
Host is up (0.00036s latency).
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 3 IP addresses (1 host up) scanned in 0.29 seconds
root@yanxiao:~# cat iplist.txt
192.168.181.128
192.168.181.129
192.168.181.130
4. Port scanning
Ports map to network services and application programs
Vulnerabilities in server software are attacked through the port it listens on
Finding open ports enlarges the attack surface
As in host discovery, scapy can send the probes, with wireshark capturing, to judge whether a target port is open.
①UDP port scanning
Principle: judge the port by the reply it gives (ICMP port-unreachable means closed, silence means open|filtered)
Nmap:
Command: nmap -sU <IP>
###UDP scan of the 1000 most common ports by default. It is slow (1099 seconds below) because most hosts rate-limit the ICMP unreachables nmap has to wait for
root@yanxiao:~# nmap -sU 192.168.181.130
Nmap scan report for 192.168.181.130
Host is up (0.00051s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1099.75 seconds
Command: nmap <IP> -sU -p <port>
###scan a specific UDP port
root@yanxiao:~# nmap 192.168.181.130 -sU -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:08 CST
Nmap scan report for 192.168.181.130
Host is up (0.00062s latency).
PORT STATE SERVICE
53/udp closed domain
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Command: nmap -iL <file> -sU -p <port or port range>
###port-scan the IPs listed in a file
root@yanxiao:~# cat iplist.txt
192.168.181.128
192.168.181.129
192.168.181.130
root@yanxiao:~# nmap -iL iplist.txt -sU -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:10 CST
Nmap scan report for 192.168.181.130
Host is up (0.00027s latency).
PORT STATE SERVICE
53/udp open|filtered domain
MAC Address: 00:0C:29:1A:BC:20 (VMware)
root@yanxiao:~# nmap -iL iplist.txt -sU -p 1-120
Nmap scan report for 192.168.181.130
Host is up (0.00046s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
2/udp open|filtered compressnet
11/udp open|filtered systat
14/udp open|filtered unknown
21/udp open|filtered ftp
23/udp open|filtered telnet
27/udp open|filtered nsw-fe
34/udp open|filtered unknown
39/udp open|filtered rlp
47/udp open|filtered ni-ftp
55/udp open|filtered isi-gl
68/udp open|filtered dhcpc
70/udp open|filtered gopher
75/udp open|filtered priv-dial
76/udp open|filtered deos
77/udp open|filtered priv-rje
82/udp open|filtered xfer
92/udp open|filtered npp
96/udp open|filtered dixie
97/udp open|filtered swift-rvf
101/udp open|filtered hostname
102/udp open|filtered iso-tsap
112/udp open|filtered mcidas
114/udp open|filtered audionews
116/udp open|filtered ansanotify
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 3 IP addresses (1 host up) scanned in 382.61 seconds
②TCP port scanning
Connection-oriented protocol
Three-way handshake
Stealth scan: SYN scan (the handshake is never completed, so the application never accepts a connection and does not log one; firewalls and IDS still see the SYN)
Idle (zombie) scan
Every TCP scan type judges the port state from some variation on the three-way handshake
Nmap:
Command: nmap -sS <IP> -p <ports>
###scan the listed ports on one IP (-sS needs root for raw sockets; unprivileged users have to use -sT, a full connect)
root@yanxiao:~# nmap -sS 192.168.181.130 -p 21,23,25,80
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:21 CST
Nmap scan report for 192.168.181.130
Host is up (0.00039s latency).
PORT STATE SERVICE
21/tcp closed ftp
23/tcp closed telnet
25/tcp closed smtp
80/tcp closed http
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
###scan a port range on one IP
root@yanxiao:~# nmap -sS 192.168.181.130 -p 50-100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:25 CST
Nmap scan report for 192.168.181.130
Host is up (0.00012s latency).
All 51 scanned ports on 192.168.181.130 are closed
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
###scan the listed ports on the IPs in a file:
root@yanxiao:~# nmap -sS -iL iplist.txt -p 1-30
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:30 CST
Nmap scan report for 192.168.181.130
Host is up (0.00014s latency).
All 30 scanned ports on 192.168.181.130 are closed
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 3 IP addresses (1 host up) scanned in 0.40 seconds
Banner:
Using an nmap script to obtain:
Vendor
Product name
Service type
Version number, which points straight at known vulnerabilities and weaknesses
The banner is whatever the service sends right after the connection is established
Command: nmap -sT <IP> -p <port> --script=banner
root@yanxiao:~# nmap -sT 192.168.181.130 -p 21 --script=banner
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:35 CST
Nmap scan report for 192.168.181.130
Host is up (0.00047s latency).
PORT STATE SERVICE
21/tcp closed ftp
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
root@yanxiao:~# nmap -sT 192.168.181.130 -p 21
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:37 CST
Nmap scan report for 192.168.181.130
Host is up (0.00031s latency).
PORT STATE SERVICE
21/tcp closed ftp
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Here I found that adding --script=banner or not made no difference to the result; I need to study this further later, so I am leaving a marker here.
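NSE scripts, including banner, are run only against ports that nmap reports as open, so a closed port 21 gives identical output with or without --script=banner. As an added example (not from the original post), here is a banner grab done directly in Python: connect, let the server speak first, and escape whatever comes back before it reaches a terminal or a log. The FTP greeting is constructed for a local demo service; a real target sends its own.

```python
"""Banner grabbing after the TCP handshake. Added example, not from the original tutorial."""
import re
import socket
import threading
from typing import Optional

# Constructed greeting for the local demo service.
DEMO_BANNER = b"220 (vsFTPd 3.0.3)\r\n"


def grab_banner(host: str, port: int, timeout: float = 2.0, max_len: int = 1024) -> Optional[str]:
    """Connect, wait for the server's greeting, return it with non-printables escaped.

    FTP, SMTP, SSH and POP3 speak first; HTTP does not, so None means "no banner",
    not "port closed". Bytes outside printable ASCII are shown as \\xNN so a hostile
    banner cannot smuggle terminal control sequences into the output.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(max_len)
    except OSError:              # refused, timed out, unreachable
        return None
    if not data:
        return None
    text = data.decode("latin-1").strip()
    return "".join(c if " " <= c <= "~" else f"\\x{ord(c):02x}" for c in text)


def version_from_banner(banner: str) -> Optional[str]:
    """Pull 'product version' out of a typical greeting: '220 (vsFTPd 3.0.3)' -> 'vsFTPd 3.0.3'."""
    m = re.search(r"([A-Za-z][\w.-]*)[ /_-]v?(\d+(?:\.\d+)+)", banner)
    return f"{m.group(1)} {m.group(2)}" if m else None


def start_demo_service(banner: bytes = DEMO_BANNER) -> int:
    """Constructed lab target: greets every connection with the banner; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_demo_service()
    b = grab_banner("127.0.0.1", port)
    print(f"127.0.0.1:{port} banner: {b!r} -> version: {version_from_banner(b or '')}")
```

The version string is the payoff of the whole exercise and also the least trustworthy part: it is whatever the administrator configured the service to say, so treat it as a lead to verify, not a finding.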
Command: nmap <IP> -O
###OS detection (all 1000 ports are closed on this target, so nmap has no open port to fingerprint, which is why it reports too many matching fingerprints; detection is most accurate with at least one open and one closed TCP port)
root@yanxiao:~# nmap 192.168.181.130 -O
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-18 14:43 CST
Nmap scan report for 192.168.181.130
Host is up (0.00055s latency).
All 1000 scanned ports on 192.168.181.130 are closed
MAC Address: 00:0C:29:1A:BC:20 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
dmitry:
Command: dmitry -p <IP>
###TCP port scan of one IP (dmitry's -p checks 150 ports, so it is a quick check rather than a replacement for nmap)
root@yanxiao:~# dmitry -p 192.168.181.130
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 192.168.181.130
Continuing with limited modules
HostIP:192.168.181.130
HostName:
Gathered TCP Port information for 192.168.181.130
---------------------------------
Port State
Portscan Finished: Scanned 150 ports, 149 ports were in state closed
All scans completed, exiting
###write the results to a file (-o port writes port.txt)
root@yanxiao:~# dmitry -p 192.168.181.130 -o port
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Writing output to 'port.txt'
ERROR: Unable to locate Host Name for 192.168.181.130
Continuing with limited modules
HostIP:192.168.181.130
HostName:
Gathered TCP Port information for 192.168.181.130
---------------------------------
Port State
Portscan Finished: Scanned 150 ports, 149 ports were in state closed
root@yanxiao:~# cat port.txt
ERROR: Unable to locate Host Name for 192.168.181.130
Continuing with limited modules
HostIP:192.168.181.130
HostName:
Gathered TCP Port information for 192.168.181.130
---------------------------------
Port State
Portscan Finished: Scanned 150 ports, 149 ports were in state closed