Active Information Gathering
1. Characteristics of active information gathering
- It interacts directly with the target system;
- Leaving traces of the access is unavoidable;
2. Ways to deal with this
- Test from a controlled third-party machine, e.g. a proxy host or a host that is already under your control;
- Be prepared to be blocked;
- Use noise to confuse the defender and bury the real probe traffic in it;
3. Discovery (at the IP level)
- Identify live hosts, i.e. potential targets (a live host has open ports, ports correspond to services, and services can be examined for vulnerabilities, which widens the attack surface of the target system);
- Write the results out as a list of IP addresses;
- The discovery techniques below work at layers 2, 3 and 4;
I. Discovery: layer 2 discovery
**Principle:** use ARP: broadcast a request on the local segment and check whether a reply comes back; a reply proves the host is alive;
**Advantages:** fast and reliable (a host on the segment cannot ignore ARP without losing its own connectivity, so there is nothing to filter);
**Disadvantages:** ARP is not routable, so only hosts on the same segment can be discovered
1. arping
1.1> arping a single IP address;
root@kali:~# ping 192.168.85.138
root@kali:~# arping 192.168.85.138 ## keeps sending requests until stopped with Ctrl+C
ARPING 192.168.85.138
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=0 time=763.926 usec
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=1 time=253.493 usec
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=2 time=276.045 usec
^C
--- 192.168.85.138 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.253/0.431/0.764/0.235 ms
root@kali:~# arping 192.168.85.138 -c 2 # -c: number of requests to send
ARPING 192.168.85.138
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=0 time=259.486 usec
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=1 time=252.379 usec
--- 192.168.85.138 statistics ---
2 packets transmitted, 2 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.252/0.256/0.259/0.004 ms
root@kali:~# arping 192.168.85.142 -c 1 | grep "bytes from" | cut -d ' ' -f 5 | cut -d'(' -f 2 | cut -d ')' -f 1
192.168.85.142
# filter out only the IP address (field 5 is "(192.168.85.142):", the cuts strip the parentheses)
1.2> arping cannot scan several IP addresses in one invocation, but wrapped in a shell script it can sweep the whole LAN;
Script 1: arping.sh # scan the whole segment
#!/bin/bash
# Scan the local segment for live hosts with one ARP request per address.
# Assumes the first interface listed by ifconfig is the one on the target segment
# and that the segment is a /24 (the prefix is taken as the first three octets).
ETH=$(ifconfig | head -1 | awk -F":" '{print $1}')
PREFIX=$(ifconfig "$ETH" | grep 'netmask' | awk '{print $2}' | cut -d '.' -f 1-3)
for addr in $(seq 1 254)
do
    arping -c 1 "$PREFIX.$addr" | grep "bytes from" | cut -d' ' -f 5 | cut -d'(' -f 2 | cut -d ')' -f 1
done
Results (the traffic was also captured with Wireshark):
root@kali:~# sh arping.sh
192.168.85.1
192.168.85.2
192.168.85.142
192.168.85.254
Wireshark capture of the scan traffic (screenshot omitted);
Script 2: arping2.sh # scan the IP addresses listed in a file;
root@kali:~# cat arping2.sh
#!/bin/bash
# Scan the IP addresses listed one per line in the file given as the first argument.
FILE=$1
for addr in $(cat "$FILE")
do
    arping -c 1 "$addr" | grep "bytes from" | cut -d' ' -f 5 | cut -d'(' -f 2 | cut -d')' -f 1
done
Results (the traffic was also captured with Wireshark):
root@kali:~# cat IP.txt
192.168.85.1
192.168.85.2
192.168.85.3
192.168.85.4
192.168.85.140
192.168.85.141
192.168.85.142
192.168.85.224
192.168.85.253
192.168.85.254
root@kali:~# chmod 755 arping2.sh
root@kali:~# sh arping2.sh IP.txt
192.168.85.1
192.168.85.2
192.168.85.142
192.168.85.254
Wireshark capture of the scan traffic (screenshot omitted);
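The two shell scripts above probe one address at a time, so a /24 with few live hosts takes minutes (each arping -c 1 waits out its timeout), and the cut pipeline silently returns junk if arping's column layout differs. The Python below is an added example, not code from the original page: it does the same sweep over either a /24 or a file of addresses (the IP.txt case), parses arping's reply line with a regex instead of field positions, and runs the probes from a thread pool so non-responders do not serialise the scan. It assumes the arping binary shipped with Kali is on PATH and prints the "60 bytes from MAC (IP): ..." line shown above; like arping itself it needs root to send ARP frames.

```python
#!/usr/bin/env python3
"""Parallel ARP sweep on top of the arping binary (added example, not from the page)."""
import ipaddress
import re
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# One reply as printed by the arping shipped with Kali, copied from the scan
# above. The statistics lines that follow it never match the reply pattern.
SAMPLE_ARPING_OUTPUT = """ARPING 192.168.85.138
60 bytes from 00:0c:29:ca:67:09 (192.168.85.138): index=0 time=763.926 usec

--- 192.168.85.138 statistics ---
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
"""

REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\):",
    re.IGNORECASE,
)


def parse_arping_output(text):
    """Return (ip, mac) for the first reply line, or None when nothing answered.

    Matching the whole line replaces `cut -d' ' -f5`, which returns garbage
    rather than failing if the spacing or column order of the output differs.
    """
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            return m.group("ip"), m.group("mac").lower()
    return None


def arping_one(ip, timeout=3.0):
    """Send a single ARP request with `arping -c 1` and parse the answer."""
    try:
        proc = subprocess.run(["arping", "-c", "1", str(ip)],
                              capture_output=True, text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_arping_output(proc.stdout)


def targets_from_network(cidr):
    """All host addresses of a network, e.g. 192.168.85.1 .. 192.168.85.254 for a /24."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def targets_from_file(path):
    """One address per line, like IP.txt above; blank lines and # comments are skipped."""
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def arp_sweep(targets, workers=32):
    """Probe every target concurrently; return {ip: mac} for the hosts that replied."""
    alive = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for result in pool.map(arping_one, targets):
            if result is not None:
                ip, mac = result
                alive[ip] = mac
    # Sort numerically by address, not lexically, so .2 comes before .142.
    return dict(sorted(alive.items(), key=lambda kv: ipaddress.ip_address(kv[0])))


if __name__ == "__main__":
    # usage: sudo python3 arp_sweep.py 192.168.85.0/24   or   sudo python3 arp_sweep.py IP.txt
    spec = sys.argv[1] if len(sys.argv) > 1 else "192.168.85.0/24"
    targets = targets_from_network(spec) if "/" in spec else targets_from_file(spec)
    for ip, mac in arp_sweep(targets).items():
        print(f"{ip}\t{mac}")
```

The worker count is a trade-off: 32 concurrent arping processes finish a /24 in a few seconds, but a burst of 254 ARP requests from one MAC is exactly what an IDS on the segment will flag, which is the point made at the top of the page about being prepared to be noticed.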
2. Nmap (very powerful)
Compared with arping, nmap scans a whole segment in one run, is fast, and reports more (MAC address and vendor). On a directly connected Ethernet segment a privileged nmap -sn discovers hosts with ARP requests (the output below says "ARP Ping Scan"), so it is a layer 2 technique here; for targets behind a router it instead sends ICMP echo, ICMP timestamp, TCP SYN to port 443 and TCP ACK to port 80, and the --send-ip option forces those IP-level probes even on the local segment;
- nmap -sn 192.168.37.130
# -sn: Ping Scan - disable port scan, i.e. host discovery only, no port scan
- nmap -sn 192.168.37.0/24
# scans the whole segment
root@kali:~# nmap -sn 192.168.85.142
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 19:06 CST
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.00057s latency).
MAC Address: 00:0C:29:CA:67:09 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@kali:~# nmap -sn 192.168.85.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 19:07 CST
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 7.84% done; ETC: 19:08 (0:00:12 remaining)
Nmap scan report for 192.168.85.1 (192.168.85.1)
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.85.2 (192.168.85.2)
Host is up (0.00024s latency).
MAC Address: 00:50:56:E5:BB:C8 (VMware)
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.00060s latency).
MAC Address: 00:0C:29:CA:67:09 (VMware)
Nmap scan report for 192.168.85.254 (192.168.85.254)
Host is up (0.00041s latency).
MAC Address: 00:50:56:EF:DF:11 (VMware)
Nmap scan report for 192.168.85.140 (192.168.85.140)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.94 seconds
Note: 192.168.85.140 is reported up without a MAC address because it is the scanning host itself (the scapy session further down shows the Kali box as 192.168.85.140); nmap recognises its own address and does not ARP for it, so the list of real targets here has four entries, not five.
- nmap -iL IP.txt -sn
# scan the IP addresses listed in a file
root@kali:~# cat IP.txt
192.168.85.1
192.168.85.2
192.168.85.3
192.168.85.4
192.168.85.140
192.168.85.141
192.168.85.142
192.168.85.224
192.168.85.253
192.168.85.254
root@kali:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-14 19:12 CST
Nmap scan report for 192.168.85.1 (192.168.85.1)
Host is up (0.000067s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.85.2 (192.168.85.2)
Host is up (0.00015s latency).
MAC Address: 00:50:56:E5:BB:C8 (VMware)
Nmap scan report for 192.168.85.142 (192.168.85.142)
Host is up (0.00024s latency).
MAC Address: 00:0C:29:CA:67:09 (VMware)
Nmap scan report for 192.168.85.254 (192.168.85.254)
Host is up (0.00011s latency).
MAC Address: 00:50:56:EF:DF:11 (VMware)
Nmap scan report for 192.168.85.140 (192.168.85.140)
Host is up.
Nmap done: 10 IP addresses (5 hosts up) scanned in 0.27 seconds
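The text output above has to be read by eye; the page's stated goal is a list of IP addresses to feed into the next phase. As an added example, not from the original page, the Python below runs nmap -sn with -oX - (XML to stdout) and turns it into that list. It also reads the reason attribute nmap attaches to each host, which is how you can confirm after the fact that discovery really happened at layer 2 (arp-response) rather than via ICMP/TCP (echo-reply, syn-ack, ...), and which marks the scanning host itself (localhost-response) so it can be dropped. The XML sample is constructed to mirror the hosts found above and is not real nmap output; the attribute names and reason strings are the ones nmap emits. Running it against a live target assumes nmap is on PATH.

```python
#!/usr/bin/env python3
"""Turn `nmap -sn -oX -` output into a live-host list (added example, not from the page)."""
import subprocess
import xml.etree.ElementTree as ET

# Constructed XML mirroring the hosts found above; not real nmap output. The
# status/@reason tells how nmap decided the host was up: arp-response (layer 2
# answer), echo-reply (ICMP, layer 3), localhost-response (the scanner itself).
# nmap only lists down hosts when run with -v; one is included to exercise the filter.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.85.0/24" version="7.70">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.85.1" addrtype="ipv4"/>
<address addr="00:50:56:C0:00:08" addrtype="mac" vendor="VMware"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.85.142" addrtype="ipv4"/>
<address addr="00:0C:29:CA:67:09" addrtype="mac" vendor="VMware"/></host>
<host><status state="up" reason="localhost-response"/>
<address addr="192.168.85.140" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.7" addrtype="ipv4"/></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.85.3" addrtype="ipv4"/></host>
<runstats><hosts up="4" down="1" total="5"/></runstats>
</nmaprun>
"""


def parse_nmap_hosts(xml_text):
    """Return one dict per host nmap reported up, including how it was detected."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        reason = status.get("reason")
        entry = {"ip": None, "mac": None, "vendor": None, "reason": reason,
                 # arp-response: the host answered ARP, so it is on our segment.
                 "layer2": reason == "arp-response",
                 # localhost-response: this is the machine running the scan.
                 "self": reason == "localhost-response"}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr").lower()
                entry["vendor"] = addr.get("vendor")
        hosts.append(entry)
    return hosts


def live_ip_list(hosts, exclude_self=True):
    """The IP list the discovery phase hands to port scanning; drops the scanner by default."""
    return [h["ip"] for h in hosts if not (exclude_self and h["self"])]


def run_nmap_sn(target):
    """Run host discovery and return the XML report; `-oX -` writes it to stdout."""
    proc = subprocess.run(["nmap", "-sn", "-oX", "-", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    import sys
    # usage: sudo python3 nmap_hosts.py 192.168.85.0/24   (no argument: parse the sample)
    xml_text = run_nmap_sn(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    found = parse_nmap_hosts(xml_text)
    for h in found:
        tag = "self" if h["self"] else ("L2" if h["layer2"] else "L3/4")
        print(f"{h['ip']:<16} {h['mac'] or '-':<18} {h['vendor'] or '-':<8} {tag} ({h['reason']})")
    print("targets:", " ".join(live_ip_list(found)))
```

Keeping the reason alongside each address matters when the same script is later pointed at a routed network: a host that shows up as echo-reply or syn-ack was found by IP-level probes, so the "fast and reliable" properties claimed for ARP discovery no longer apply to it.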
3. Netdiscover
- A tool dedicated to layer 2 discovery;
- Works in wireless and switched network environments;
- Supports both active and passive probing;
3.1> Active discovery
- netdiscover -i eth0 -r 192.168.85.0/24
# -i: interface to use, -r: range to scan
- netdiscover -l IP.txt
# -l: file containing the addresses/ranges to scan
root@kali:~# netdiscover -i eth0 -r 192.168.85.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 4 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.85.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.85.2 00:50:56:e5:bb:c8 1 60 VMware, Inc.
192.168.85.142 00:0c:29:ca:67:09 3 180 VMware, Inc.
192.168.85.254 00:50:56:ef:df:11 1 60 VMware, Inc.
root@kali:~# netdiscover -l IP.txt
Currently scanning: 192.168.85.0/24 | Screen View: Unique Hosts
40 Captured ARP Req/Rep packets, from 4 hosts. Total size: 2400
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.85.1 00:50:56:c0:00:08 10 600 VMware, Inc.
192.168.85.2 00:50:56:e5:bb:c8 10 600 VMware, Inc.
192.168.85.142 00:0c:29:ca:67:09 10 600 VMware, Inc.
192.168.85.254 00:50:56:ef:df:11 10 600 VMware, Inc.
3.2> Passive discovery
Active ARP probing is easy to alert on, so passive discovery is an alternative: netdiscover just listens for ARP traffic and sends nothing itself. It only sees ARP frames that reach the local interface, which on a switched network is mostly broadcast requests, so it is slow and will miss hosts that stay quiet; treat it as a complement to active scanning rather than a replacement.
- netdiscover -p
root@kali:~# netdiscover -p
Currently scanning: (passive) | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 2 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.85.142 00:0c:29:ca:67:09 5 300 VMware, Inc.
192.168.85.254 00:50:56:ef:df:11 1 60 VMware, Inc.
4. scapy
- Can be imported as a Python library;
- Can also be used as a stand-alone interactive tool;
- Scapy is a powerful packet crafting tool;
- It captures, dissects, forges and injects network traffic;
root@kali:~# scapy
INFO: Can't import matplotlib. Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
WARNING: IPython not available. Using standard Python shell instead.
... ...
>>> ARP().display() # show the fields of a default ARP packet; hwsrc/psrc are filled in from the local interface
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:72:2e:9d
psrc= 192.168.85.140
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
>>> arp=ARP()
>>> arp.display # without the parentheses this only names the method, it does not call it
<bound method ARP.display of <ARP |>>
>>> arp.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:72:2e:9d
psrc= 192.168.85.140
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
>>> arp.pdst="192.168.85.142" # turn it into a who-has request for 192.168.85.142
>>> arp.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:72:2e:9d
psrc= 192.168.85.140
hwdst= 00:00:00:00:00:00
pdst= 192.168.85.142
>>> sr1(arp) # send the crafted packet and wait for one reply; the reply is printed on a single line, which is hard to read
Begin emission:
*Finished sending 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:ca:67:09 psrc=192.168.85.142 hwdst=00:0c:29:72:2e:9d pdst=192.168.85.140 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp) # send it again, but keep the returned reply in the variable answer
Begin emission:
*Finished sending 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display() # print the reply field by field; op=is-at and hwsrc give the target's MAC address
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:ca:67:09
psrc= 192.168.85.142
hwdst= 00:0c:29:72:2e:9d
pdst= 192.168.85.140
###[ Padding ]### # the 14-byte Ethernet header plus the 28-byte ARP payload is only 42 bytes, so the frame is padded with zero bytes to the 60-byte Ethernet minimum, hence 18 bytes of \x00
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'