Kali Linux Penetration Testing: Active Information Gathering (Part 1): Layer 2 Discovery (arping/shell scripts, nmap, netdiscover, scapy)

Active Information Gathering

1. Characteristics of active information gathering
  • It communicates directly with the target system;
  • It inevitably leaves traces of the access;
2. Ways to deal with this
  • Test from a controlled third-party machine, e.g. a proxy host or a host that is already under your control;
  • Be prepared to get blocked;
  • Use noise to confuse the other side and drown the real probe traffic;
3. Discovery (IP level)
  • Identify live hosts, i.e. potential targets (a live host has open ports, ports correspond to services, and services can be checked for vulnerabilities; this expands the target system's attack surface);
  • Write the results out as a list of IP addresses;
  • The discovery techniques below cover layers 2, 3 and 4;

I. Discovery: Layer 2 Discovery

**Principle:** use the ARP protocol to broadcast on the network segment and check whether a reply comes back; if it does, the host is alive;
**Advantages:** fast and reliable;
**Disadvantages:** not routable; it can only discover hosts on the same network segment

1. arping
1.1> arping a single IP address;

root@kali:~# ping 192.168.85.138

root@kali:~# arping 192.168.85.138                                  ## keeps sending requests until you stop it with Ctrl+C
ARPING 192.168.85.138
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=0 time=763.926 usec
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=1 time=253.493 usec
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=2 time=276.045 usec
^C
--- 192.168.85.138 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.253/0.431/0.764/0.235 ms

kali:~# arping 192.168.85.138 -c 2                # specify the number of packets to send
ARPING 192.168.85.138
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=0 time=259.486 usec
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=1 time=252.379 usec

--- 192.168.85.138 statistics ---
2 packets transmitted, 2 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.252/0.256/0.259/0.004 ms

root@kali:~# arping 192.168.85.142 -c 1 | grep "bytes from" | cut -d ' ' -f 5 | cut -d'(' -f 2 | cut -d ')' -f 1
192.168.85.142
# filter out only the IP address
1.2> arping cannot scan several IPs in one go, but combined with a shell script it can scan the whole LAN;

Script 1: arping.sh # scan the whole network segment

#!/bin/bash
# This script scans for live hosts on the whole local network segment.
# It takes the first interface listed by ifconfig; on a host with several
# interfaces (lo, docker0, ...) set ETH by hand instead.
# The prefix is the first three octets, so the script assumes a /24 network.

ETH=$(ifconfig | head -1 | awk -F":" '{print $1 }')
PREFIX=$(ifconfig $ETH | grep 'netmask' | awk '{print $2}' | cut -d '.' -f 1-3)
for addr in $(seq 1 254)
do
	# one ARP request per address; print only the IP of hosts that answered
	arping -c 1 $PREFIX.$addr | grep "bytes from" | cut -d' ' -f 5 | cut -d'(' -f 2 |cut -d ')' -f 1
done

The result is shown below; the traffic was also captured with Wireshark;

root@kali:~# sh arping.sh
192.168.85.1
192.168.85.2
192.168.85.142
192.168.85.254

Wireshark capture of the scan (screenshot omitted)
Script 2: arping2.sh # scan the list of IPs contained in a file;

root@kali:~# cat arping2.sh
#!/bin/bash
# This script scans the list of IP addresses contained in a file (one per line);

FILE=$1
if [ ! -r "$FILE" ]; then
	echo "usage: $0 <ip-list-file>" >&2
	exit 1
fi
for addr in $(cat $FILE)
do
	# one ARP request per listed address; print only the IP of hosts that answered
	arping -c 1 $addr | grep "bytes from" | cut -d' ' -f 5 | cut -d'(' -f 2 | cut -d')' -f 1
done

The result is shown below; the traffic was also captured with Wireshark;

root@kali:~# cat IP.txt
192.168.85.1
192.168.85.2
192.168.85.3
192.168.85.4
192.168.85.140
192.168.85.141
192.168.85.142
192.168.85.224
192.168.85.253
192.168.85.254
root@kali:~# chmod 755 arping2.sh
root@kali:~# sh arping2.sh IP.txt
192.168.85.1
192.168.85.2
192.168.85.142
192.168.85.254

Capture result (screenshot omitted)

2. Nmap (very powerful)

Compared with arping, nmap can scan a whole network segment, scans quickly, and returns more information (against a directly connected segment, -sn sends ARP requests, as the "ARP Ping Scan" line in the output below shows);

  • nmap -sn 192.168.37.130
    # -sn: Ping Scan - disable port scan: only performs host discovery, no port scan;

  • nmap -sn 192.168.37.0/24
    # scans the whole network segment;

root@kali:~# nmap -sn 192.168.85.142
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 19:06 CST
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.00057s latency).
MAC Address: 00:0C:29:CA:67:09 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@kali:~# nmap -sn 192.168.85.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 19:07 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 7.84% done; ETC: 19:08 (0:00:12 remaining)
Nmap scan report for 192.168.85.1 (192.168.85.1)
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.85.2 (192.168.85.2)
Host is up (0.00024s latency).
MAC Address: 00:50:56:E5:BB:C8 (VMware)
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.00060s latency).
MAC Address: 00:0C:29:CA:67:09 (VMware)
Nmap scan report for 192.168.85.254 (192.168.85.254)
Host is up (0.00041s latency).
MAC Address: 00:50:56:EF:DF:11 (VMware)
Nmap scan report for 192.168.85.140 (192.168.85.140)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.94 seconds
  • nmap -iL IP.txt -sn
    # scan the specified IP list
root@kali:~# cat IP.txt
192.168.85.1
192.168.85.2
192.168.85.3
192.168.85.4
192.168.85.140
192.168.85.141
192.168.85.142
192.168.85.224
192.168.85.253
192.168.85.254
root@kali:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 19:12 CST
Nmap scan report for 192.168.85.1 (192.168.85.1)
Host is up (0.000067s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.85.2 (192.168.85.2)
Host is up (0.00015s latency).
MAC Address: 00:50:56:E5:BB:C8 (VMware)
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.00024s latency).
MAC Address: 00:0C:29:CA:67:09 (VMware)
Nmap scan report for 192.168.85.254 (192.168.85.254)
Host is up (0.00011s latency).
MAC Address: 00:50:56:EF:DF:11 (VMware)
Nmap scan report for 192.168.85.140 (192.168.85.140)
Host is up.
Nmap done: 10 IP addresses (5 hosts up) scanned in 0.27 seconds
3. Netdiscover
  • Dedicated to layer 2 discovery;
  • Works in wireless and switched network environments;
  • Supports active and passive probing;
3.1> Active discovery
  • netdiscover -i eth0 -r 192.168.85.0/24
    # netdiscover -i <interface> -r <network range>

  • netdiscover -l IP.txt
    # netdiscover -l <file containing the IP list>

root@kali:~# netdiscover -i eth0 -r 192.168.85.0/24


Currently scanning: Finished!   |   Screen View: Unique Hosts                                       
                                                                                                     
 6 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 360                                     
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.85.1    00:50:56:c0:00:08      1      60  VMware, Inc.                                      
 192.168.85.2    00:50:56:e5:bb:c8      1      60  VMware, Inc.                                      
 192.168.85.142  00:0c:29:ca:67:09      3     180  VMware, Inc.                                      
 192.168.85.254  00:50:56:ef:df:11      1      60  VMware, Inc.   
root@kali:~# netdiscover -l IP.txt


Currently scanning: 192.168.85.0/24   |   Screen View: Unique Hosts                                 
                                                                                                     
 40 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 2400                                   
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.85.1    00:50:56:c0:00:08     10     600  VMware, Inc.                                      
 192.168.85.2    00:50:56:e5:bb:c8     10     600  VMware, Inc.                                      
 192.168.85.142  00:0c:29:ca:67:09     10     600  VMware, Inc.                                      
 192.168.85.254  00:50:56:ef:df:11     10     600  VMware, Inc.         
3.2> Passive discovery

Active ARP probing easily triggers alerts, so passive discovery can also be used to find live hosts on the network;

  • netdiscover -p
root@kali:~# netdiscover -p

Currently scanning: (passive)   |   Screen View: Unique Hosts                                       
                                                                                                     
 6 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 360                                     
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.85.142  00:0c:29:ca:67:09      5     300  VMware, Inc.                                      
 192.168.85.254  00:50:56:ef:df:11      1      60  VMware, Inc.    
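
The alerting that the passive-discovery passage refers to can be reproduced in a few lines. This added example (not part of the original post, and not netdiscover's code) runs a sliding-window detector over a constructed list of ARP who-has requests, the kind a passive listener such as netdiscover -p or a switch-side sensor would record, and flags the sender whose pattern matches arping.sh or nmap -sn: one MAC asking for every address of the /24 in a burst. The timestamps, window and threshold are constructed values.

```python
from collections import defaultdict, deque

# Constructed sample of ARP who-has requests seen on the segment:
# (timestamp in seconds, sender MAC, sender IP, target IP).
# The first group mimics arping.sh / nmap -sn from 192.168.85.140 walking the /24;
# the two trailing entries are ordinary lookups by the gateway.
SAMPLE_REQUESTS = (
    [(10.0 + i * 0.01, "00:0c:29:72:2e:9d", "192.168.85.140", f"192.168.85.{i}")
     for i in range(1, 255)]
    + [(12.0, "00:50:56:c0:00:08", "192.168.85.1", "192.168.85.142"),
       (13.5, "00:50:56:c0:00:08", "192.168.85.1", "192.168.85.2")]
)


def detect_arp_sweeps(requests, window=5.0, threshold=20):
    """Flag any sender MAC that asks for >= `threshold` distinct target IPs
    within `window` seconds. A normal host resolves a handful of neighbours;
    a layer 2 sweep asks for all 254 addresses in quick succession."""
    recent = defaultdict(deque)       # sender MAC -> (ts, target) still inside the window
    alerts = {}
    for ts, mac, psrc, pdst in sorted(requests):
        queue = recent[mac]
        queue.append((ts, pdst))
        while queue and ts - queue[0][0] > window:
            queue.popleft()           # drop requests that fell out of the window
        targets = {target for _, target in queue}
        if len(targets) >= threshold and mac not in alerts:
            alerts[mac] = {"psrc": psrc, "first_seen": queue[0][0],
                           "distinct_targets": len(targets)}
    return alerts


def format_alerts(alerts):
    """One line per alert, the way a sensor would log it."""
    return [f"ARP sweep from {mac} ({a['psrc']}): {a['distinct_targets']} distinct targets "
            f"within the window, first seen at t={a['first_seen']:.2f}s"
            for mac, a in alerts.items()]
```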
4. scapy
  • Can be called as a Python library;
  • Can also be used as a standalone tool;
  • Scapy is a powerful network packet crafting tool;
  • It captures, analyses, crafts and injects network traffic;
root@kali:~# scapy
INFO: Can't import matplotlib. Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
WARNING: IPython not available. Using standard Python shell instead.
... ...
>>> ARP().display()                     # display the fields of an ARP packet
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:72:2e:9d
  psrc= 192.168.85.140
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0

>>> arp=ARP()
>>> arp.display
<bound method ARP.display of <ARP  |>>
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:72:2e:9d
  psrc= 192.168.85.140
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0

>>> arp.pdst="192.168.85.142"          # craft a packet whose destination IP is 192.168.85.142
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:72:2e:9d
  psrc= 192.168.85.140
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.85.142

>>> sr1(arp)                         # send the crafted packet; the reply is printed on one long line, so it is hard to see who answered
Begin emission:
*Finished sending 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:ca:67:09 psrc=192.168.85.142 hwdst=00:0c:29:72:2e:9d pdst=192.168.85.140 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>

>>> answer=sr1(arp)        # sends the packet too, but stores the reply in the variable answer
Begin emission:
*Finished sending 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()          # display answer, which is much easier to read
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:ca:67:09
  psrc= 192.168.85.142
  hwdst= 00:0c:29:72:2e:9d
  pdst= 192.168.85.140
###[ Padding ]###        # padding: when the frame is shorter than the minimum frame length, it is filled up with zero bytes
     load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
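
As an added example (not part of the original post, and not scapy's code), the following stand-alone Python builds the same who-has frame that scapy displayed above byte for byte, parses the is-at reply together with the Ethernet padding scapy showed, and generates the 254 who-has frames that arping.sh or nmap -sn send for a /24. It uses only the standard library; the MAC and IP values are the ones from the session above, and the field names follow scapy's ARP layer.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806               # EtherType of ARP
ARP_REQUEST, ARP_REPLY = 1, 2    # op = who-has / is-at
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_MIN_FRAME = 60               # minimum Ethernet frame length without the FCS

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, hwsrc, psrc, hwdst, pdst):
    """Ethernet II frame carrying an ARP packet with the fields scapy prints
    (hwtype=1, ptype=0x800, hwlen=6, plen=4, op, hwsrc, psrc, hwdst, pdst)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else hwdst   # requests are broadcast
    eth = mac_bytes(eth_dst) + mac_bytes(hwsrc) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(hwsrc) + ipaddress.IPv4Address(psrc).packed
    arp += mac_bytes(hwdst) + ipaddress.IPv4Address(pdst).packed
    frame = eth + arp                                      # 14 + 28 = 42 bytes
    # Short frames are padded with zero bytes up to 60: the Padding layer scapy showed
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))

def parse_arp(frame):
    """Decode an ARP frame into scapy's field names; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hwtype, ptype, hwlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}.get(op, op),
        "hwsrc": mac_str(frame[22:28]),
        "psrc": str(ipaddress.IPv4Address(frame[28:32])),
        "hwdst": mac_str(frame[32:38]),
        "pdst": str(ipaddress.IPv4Address(frame[38:42])),
        "padding": frame[42:],
    }

def sweep_frames(hwsrc, psrc, cidr):
    """One who-has per usable address: what arping.sh / nmap -sn put on the wire."""
    return [build_arp(ARP_REQUEST, hwsrc, psrc, "00:00:00:00:00:00", str(host))
            for host in ipaddress.ip_network(cidr).hosts()]
```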
