Active Information Gathering: Host Discovery
I. Active information gathering
Interacts directly with the target system
Leaving traces of the access is unavoidable
Probe from a third-party machine that you control
- Use a proxy or a host that is already under your control
- Be prepared to get blocked
- Use noise to confuse the target and drown out the real probe traffic
Scanning
- Send different probes and judge the target's state from what comes back
II. Host discovery
Identify live hosts
- Potential attack targets
Output: a list of IP addresses
Discovery at layers 2, 3 and 4
III. Layer 2 (link layer) discovery (usually used for internal network probing)
Advantages
- Fast and reliable
Disadvantages
- Not routable: only the local network segment can be probed
1. arping
Command options (help):

┌──(root💀kali)-[/home/kali]
└─# arping --help
ARPing 2.21, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
              [ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>

Options:
    -0          Use this option to ping with source IP address 0.0.0.0. Use this when you haven't configured your interface yet. Note that this may get the MAC-ping unanswered. This is an alias for -S 0.0.0.0.
    -a          Audiable ping.
    -A          Only count addresses matching requested address (This *WILL* break most things you do. Only useful if you are arpinging many hosts at once. See arping-scan-net.sh for an example).
    -b          Like -0 but source broadcast source address (255.255.255.255). Note that this may get the arping unanswered since it's not normal behavior for a host.
    -B          Use instead of host if you want to address 255.255.255.255.
    -c count    Only send count requests.
    -C count    Only wait for this many replies, regardless of -c and -w.
    -d          Find duplicate replies. Exit with 1 if there are answers from two different MAC addresses.
    -D          Display answers as exclamation points and missing packets as dots.
    -e          Like -a but beep when there is no reply.
    -F          Don't try to be smart about the interface name. (even if this switch is not given, -i overrides smartness)
    -g group    setgid() to this group instead of the nobody group.
    -h          Displays a help message and exits.
    -i interface  Use the specified interface.
    -m type     Type of timestamp to use for incoming packets. Use -vv when pinging to list available ones.
    -q          Does not display messages, except error messages.
    -Q pri      802.1p priority to set. Should be used with 802.1Q (-V). Defaults to 0.
    -r          Raw output: only the MAC/IP address is displayed for each reply.
    -R          Raw output: Like -r but shows "the other one", can be combined with -r.
    -s MAC      Set source MAC address. You may need to use -p with this.
    -S IP       Like -b and -0 but with set source address. Note that this may get the arping unanswered if the target does not have routing to the IP. If you don't own the IP you are using, you may need to turn on promiscious mode on the interface (with -p). With this switch you can find out what IP-address a host has without taking an IP-address yourself.
    -t MAC      Set target MAC address to use when pinging IP address.
    -T IP       Use -T as target address when pinging MACs that won't respond to a broadcast ping but perhaps to a directed broadcast.
                Example: To check the address of MAC-A, use knowledge of MAC-B and IP-B.
                $ arping -S <IP-B> -s <MAC-B> -p <MAC-A>
    -p          Turn on promiscious mode on interface, use this if you don't "own" the MAC address you are using.
    -P          Send ARP replies instead of requests. Useful with -U.
    -u          Show index=received/sent instead of just index=received when pinging MACs.
    -U          Send unsolicited ARP.
    -v          Verbose output. Use twice for more messages.
    -V num      802.1Q tag to add. Defaults to no VLAN tag.
    -w sec      Specify a timeout before ping exits regardless of how many packets have been sent or received.
    -W sec      Time to wait between pings.

Report bugs to: thomas@habets.se
Arping home page: <http://www.habets.pp.se/synscan/>
Development repo: http://github.com/ThomasHabets/arping
Notes:
- The "-d" option finds duplicate replies (different MACs answering for the same IP), i.e. ARP spoofing
- arping cannot probe a whole subnet by itself, but this can be done indirectly with a script
Example 1: send 4 probes to 10.10.10.1:
┌──(root💀kali)-[/home/kali]
└─# arping 10.10.10.1 -c 4
ARPING 10.10.10.1
60 bytes from 00:50:56:c0:00:08 (10.10.10.1): index=0 time=271.585 usec
60 bytes from 00:50:56:c0:00:08 (10.10.10.1): index=1 time=214.186 usec
60 bytes from 00:50:56:c0:00:08 (10.10.10.1): index=2 time=232.599 usec
60 bytes from 00:50:56:c0:00:08 (10.10.10.1): index=3 time=302.205 usec

--- 10.10.10.1 statistics ---
4 packets transmitted, 4 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.214/0.255/0.302/0.034 ms
Example 2: extract the IP of the responding host:
┌──(root💀kali)-[/home/kali]
└─# arping 192.168.1.101 -c 1
ARPING 192.168.1.101
42 bytes from 48:2c:a0:7b:90:cb (192.168.1.101): index=0 time=112.099 msec

--- 192.168.1.101 statistics ---
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 112.099/112.099/112.099/0.000 ms

┌──(root💀kali)-[/home/kali]
└─# arping 192.168.1.101 -c 1 | grep "bytes from"   # print only hosts that answered; if the target does not answer, nothing is printed
42 bytes from 48:2c:a0:7b:90:cb (192.168.1.101): index=0 time=63.069 msec

┌──(root💀kali)-[/home/kali]
└─# arping 192.168.1.101 -c 1 | grep "bytes from" | cut -d" " -f 5   # split on spaces and print field 5
(192.168.1.101):

┌──(root💀kali)-[/home/kali]
└─# arping 192.168.1.101 -c 1 | grep "bytes from" | cut -d" " -f 5 | cut -d"(" -f 2   # split on "(" ...
192.168.1.101):

┌──(root💀kali)-[/home/kali]
└─# arping 192.168.1.1 -c 1 | grep "bytes from" | cut -d" " -f 5 | cut -d"(" -f 2 |cut -d")" -f 1
192.168.1.1
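The grep/cut pipeline above works for one host at a time. As an added example (not part of the original notes), the Python below parses the same "bytes from" reply lines with a regular expression instead of positional cut fields, collects which MAC addresses answered for each IP, and flags IPs answered by more than one MAC, which is exactly the condition "-d" reports and the note above calls ARP spoofing. The input text is constructed to resemble arping's output and is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in arping's reply format (not a real capture): 192.168.1.101 is
# answered by two different MACs, 192.168.1.1 by one, and 192.168.1.50 does not answer.
SAMPLE_ARPING_OUTPUT = """\
ARPING 192.168.1.101
42 bytes from 48:2c:a0:7b:90:cb (192.168.1.101): index=0 time=112.099 msec
42 bytes from 00:11:22:33:44:55 (192.168.1.101): index=1 time=63.069 msec
42 bytes from 48:2c:a0:7b:90:cb (192.168.1.101): index=2 time=70.120 msec
--- 192.168.1.101 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
ARPING 192.168.1.1
60 bytes from 00:50:56:c0:00:08 (192.168.1.1): index=0 time=271.585 usec
--- 192.168.1.1 statistics ---
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
ARPING 192.168.1.50
--- 192.168.1.50 statistics ---
1 packets transmitted, 0 packets received, 100% unanswered (0 extra)
"""

# One reply line: "<n> bytes from <mac> (<ip>): index=<k> time=..."
REPLY_RE = re.compile(
    r"^\d+ bytes from ([0-9a-f:]{17}) \((\d{1,3}(?:\.\d{1,3}){3})\): index=(\d+)",
    re.IGNORECASE,
)


def parse_replies(text):
    """Map each IP that answered to the set of MAC addresses that answered for it."""
    replies = defaultdict(set)
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            mac, ip = m.group(1).lower(), m.group(2)
            replies[ip].add(mac)
    return dict(replies)


def live_hosts(text):
    """IPs that produced at least one reply, sorted numerically by octet."""
    return sorted(parse_replies(text), key=lambda ip: tuple(int(o) for o in ip.split(".")))


def duplicate_replies(text):
    """IPs answered by more than one MAC: what 'arping -d' reports, a possible ARP spoof."""
    return {ip: sorted(macs) for ip, macs in parse_replies(text).items() if len(macs) > 1}


if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_ARPING_OUTPUT))
    print("duplicate MACs:", duplicate_replies(SAMPLE_ARPING_OUTPUT))
```

Hosts that never answer simply never appear in the map, which is the same behaviour as the grep filter above printing nothing for a silent target.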
2. nmap
Omitted (covered separately)...
3. netdiscover
- Dedicated to layer 2 discovery
- Works on wireless and switched networks
- Active and passive probing
Help information (help):

┌──(root💀kali)-[/home/kali]
└─# netdiscover -h
Netdiscover 0.8 [Active/passive ARP reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>

Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
  -i device: your network device
  -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
  -l file: scan the list of ranges contained into the given file
  -p passive mode: do not send anything, only sniff
  -m file: scan a list of known MACs and host names
  -F filter: customize pcap filter expression (default: "arp")
  -s time: time to sleep between each ARP request (milliseconds)
  -c count: number of times to send each ARP request (for nets with packet loss)
  -n node: last source IP octet used for scanning (from 2 to 253)
  -d ignore home config files for autoscan and fast mode
  -f enable fastmode scan, saves a lot of time, recommended for auto
  -P print results in a format suitable for parsing by another program and stop after active scan
  -L similar to -P but continue listening after the active scan is completed
  -N Do not print header. Only valid when -P or -L is enabled.
  -S enable sleep time suppression between each request (hardcore mode)

If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.
Active probing
Example 1: probe the 10.10.10.0 subnet:
Command
┌──(root💀kali)-[/home/kali]
└─# netdiscover -i eth0 -r 10.10.10.0/24
Result
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.
 10.10.10.2      00:50:56:f0:f4:b1      1      60  VMware, Inc.
 10.10.10.254    00:50:56:f4:cc:5e      1      60  VMware, Inc.
Example 2: probe specified IPs:
list.txt
Command
┌──(root💀kali)-[/home/kali]
└─# netdiscover -l /home/kali/Desktop/list.txt
The result is the same as in Example 1
Passive probing
Example 3:
Start listening
┌──(root💀kali)-[/home/kali]
└─# netdiscover -p
Monitoring result
 Currently scanning: (passive)   |   Screen View: Unique Hosts

 9 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 540
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.10.10.1      00:50:56:c0:00:08      9     540  VMware, Inc.
4. scapy
- Can be called as a Python library
- Can also be used as a standalone tool
- Capture, analyze, create, modify and inject network traffic
Usage example
┌──(root💀kali)-[/home/kali]
└─# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
Welcome to Scapy
Version 2.4.4
https://github.com/secdev/scapy
using IPython 7.22.0
>>> ARP().display()   # note: the class name ARP must be capitalized; display() shows the contents of the object
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:e1:66:77
  psrc= 10.10.10.135
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
>>> ARP.pdst="10.10.10.2"   # assignment
>>> sr1(ARP())   # send the packet to probe 10.10.10.2
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=is-at hwsrc=00:50:56:f0:f4:b1 psrc=10.10.10.2 hwdst=00:0c:29:e1:66:77 pdst=10.10.10.135 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> sr1(ARP(pdst="10.10.10.9"),timeout=1,verbose=1)   # timeout: give up after 1 s; verbose=1 shows progress and errors, verbose=0 hides them
Begin emission:
Finished sending 1 packets.

Received 0 packets, got 0 answers, remaining 1 packets
>>> sr1(ARP(pdst="10.10.10.9"),timeout=1,verbose=0)
<ARP  hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=is-at hwsrc=00:50:56:f0:f4:b1 psrc=10.10.10.2 hwdst=00:0c:29:e1:66:77 pdst=10.10.10.135 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> sr1(ARP(pdst="10.10.10.9"),timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 0 packets, got 0 answers, remaining 1 packets
>>> arp=ARP()   # the call can also be made through a variable; as I understand it, this is like instantiating a class (an object)
>>> arp.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:e1:66:77
  psrc= 10.10.10.135
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
>>> arp.pdst="10.10.10.2"
>>> arp.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:e1:66:77
  psrc= 10.10.10.135
  hwdst= 00:00:00:00:00:00
  pdst= 10.10.10.2
>>> answer=sr1(arp)
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:50:56:f0:f4:b1
  psrc= 10.10.10.2
  hwdst= 00:0c:29:e1:66:77
  pdst= 10.10.10.135
###[ Padding ]###
  load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'   # the payload is smaller than the minimum frame size the link will forward, so it is padded with zeros
>>>
Note: a Python script can also be used to probe a given list of IPs
IV. Layer 3 (IP, ICMP) discovery
Advantages:
- Routable
- Fast
Disadvantages:
- Often filtered by border firewalls
- Not as fast as layer 2
1. The ping command
Command options (help):
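To make the fields in the scapy display() output above concrete, here is an added example (not from the original notes, and not using scapy) that assembles the same 28-byte ARP payload by hand with struct, parses a reply, and applies the decision the interactive session makes by eye: a host counts as answered only when an is-at reply arrives whose psrc is the address that was asked about. Nothing is sent on the wire; the reply is constructed with the field values from the session above.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2          # the op field: who-has / is-at in scapy's display()
ARP_FMT = "!HHBBH6s4s6s4s"             # hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst
ARP_LEN = struct.calcsize(ARP_FMT)     # 28 bytes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(hwsrc, psrc, pdst):
    """Same fields scapy showed for ARP(): Ethernet/IPv4, hwlen 6, plen 4, op who-has,
    hwdst all zeros and pdst set to the address being probed."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                       mac_bytes(hwsrc), IPv4Address(psrc).packed,
                       mac_bytes("00:00:00:00:00:00"), IPv4Address(pdst).packed)


def parse_arp(payload):
    """Decode an ARP payload; trailing bytes (Ethernet padding) are ignored."""
    if len(payload) < ARP_LEN:
        raise ValueError("ARP payload too short")
    hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "hwsrc": mac_str(hwsrc), "psrc": str(IPv4Address(psrc)),
            "hwdst": mac_str(hwdst), "pdst": str(IPv4Address(pdst))}


def host_answered(probe_ip, reply_payload):
    """True only for an is-at reply whose psrc is the address we asked about.
    A who-has, a malformed payload, or a reply for another IP does not count."""
    try:
        r = parse_arp(reply_payload)
    except ValueError:
        return False
    return r["op"] == ARP_REPLY and r["psrc"] == probe_ip


# Constructed reply mirroring what sr1(ARP(pdst="10.10.10.2")) returned in the session above,
# followed by the 18 zero bytes scapy showed as a Padding layer.
SAMPLE_REPLY = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                           mac_bytes("00:50:56:f0:f4:b1"), IPv4Address("10.10.10.2").packed,
                           mac_bytes("00:0c:29:e1:66:77"), IPv4Address("10.10.10.135").packed)
SAMPLE_REPLY += b"\x00" * 18

if __name__ == "__main__":
    req = build_arp_request("00:0c:29:e1:66:77", "10.10.10.135", "10.10.10.2")
    print("request:", parse_arp(req))
    print("reply:  ", parse_arp(SAMPLE_REPLY))
    print("10.10.10.2 answered:", host_answered("10.10.10.2", SAMPLE_REPLY))
```

The check on psrc matters for the same reason "-d" exists in arping: any station on the segment can emit an is-at, so a reply is only evidence about the address it claims, and two different hwsrc values for one psrc are worth investigating rather than counting twice.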

┌──(kali㉿kali)-[~]
└─$ ping -h

Usage
  ping [options] <destination>

Options:
  <destination>      dns name or ip address
  -a                 use audible ping
  -A                 use adaptive ping
  -B                 sticky source address
  -c <count>         stop after <count> replies
  -D                 print timestamps
  -d                 use SO_DEBUG socket option
  -f                 flood ping
  -h                 print help and exit
  -I <interface>     either interface name or address
  -i <interval>      seconds between sending each packet
  -L                 suppress loopback of multicast packets
  -l <preload>       send <preload> number of packages while waiting replies
  -m <mark>          tag the packets going out
  -M <pmtud opt>     define mtu discovery, can be one of <do|dont|want>
  -n                 no dns name resolution
  -O                 report outstanding replies
  -p <pattern>       contents of padding byte
  -q                 quiet output
  -Q <tclass>        use quality of service <tclass> bits
  -s <size>          use <size> as number of data bytes to be sent
  -S <size>          use <size> as SO_SNDBUF socket option value
  -t <ttl>           define time to live
  -U                 print user-to-user latency
  -v                 verbose output
  -V                 print version and exit
  -w <deadline>      reply wait <deadline> in seconds
  -W <timeout>       time to wait for response

IPv4 options:
  -4                 use IPv4
  -b                 allow pinging broadcast
  -R                 record route
  -T <timestamp>     define timestamp, can be one of <tsonly|tsandaddr|tsprespec>

IPv6 options:
  -6                 use IPv6
  -F <flowlabel>     define flow label, default is random
  -N <nodeinfo opt>  use icmp6 node info query, try <help> as argument

For more details see ping(8).
Example:
┌──(root💀kali)-[/home/kali]
└─# ping 10.10.10.2 -c 5
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_seq=1 ttl=128 time=0.667 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=128 time=0.347 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=128 time=0.415 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=128 time=0.413 ms
64 bytes from 10.10.10.2: icmp_seq=5 ttl=128 time=0.439 ms

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4096ms
rtt min/avg/max/mdev = 0.347/0.456/0.667/0.109 ms
Route tracing (two methods):
- ping -R ip
- traceroute ip
The difference is shown below:
┌──(root💀kali)-[/home/kali]
└─# traceroute -i wlan0 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * 172.19.1.45 (172.19.1.45)  162.168 ms
 4  * * *
 5  221.228.20.145 (221.228.20.145)  167.425 ms  167.416 ms  167.351 ms
 6  221.228.58.85 (221.228.58.85)  166.842 ms 221.228.58.81 (221.228.58.81)  132.664 ms 221.228.58.65 (221.228.58.65)  127.768 ms
 7  202.97.54.189 (202.97.54.189)  130.602 ms 202.97.29.125 (202.97.29.125)  130.448 ms 202.97.29.109 (202.97.29.109)  130.585 ms
 8  * * 202.97.83.133 (202.97.83.133)  132.683 ms
 9  202.97.12.206 (202.97.12.206)  127.106 ms 202.97.85.22 (202.97.85.22)  127.128 ms *
10  202.97.6.6 (202.97.6.6)  253.357 ms  248.049 ms *
11  202.97.122.70 (202.97.122.70)  168.936 ms  171.358 ms  167.659 ms
12  108.170.241.65 (108.170.241.65)  170.794 ms 108.170.241.33 (108.170.241.33)  194.441 ms 108.170.241.97 (108.170.241.97)  164.078 ms
13  216.239.42.89 (216.239.42.89)  156.988 ms 142.251.60.59 (142.251.60.59)  162.383 ms *
14  dns.google (8.8.8.8)  165.997 ms  171.891 ms  177.068 ms

┌──(root💀kali)-[/home/kali]
└─# traceroute -i wlan0 116.62.230.66
traceroute to 116.62.230.66 (116.62.230.66), 30 hops max, 60 byte packets
 1  192.168.43.1 (192.168.43.1)  12.700 ms  29.716 ms  55.384 ms
 2  * * *
 3  172.19.1.45 (172.19.1.45)  76.937 ms  78.600 ms  88.430 ms
 4  * * *
 5  * * *
 6  221.228.58.69 (221.228.58.69)  74.605 ms 221.228.58.85 (221.228.58.85)  27.696 ms 221.228.58.89 (221.228.58.89)  30.702 ms
 7  202.97.33.182 (202.97.33.182)  66.783 ms 202.97.33.130 (202.97.33.130)  40.810 ms 202.97.33.162 (202.97.33.162)  44.124 ms
 8  220.191.199.42 (220.191.199.42)  59.205 ms * 220.191.200.154 (220.191.200.154)  43.821 ms
 9  115.236.101.213 (115.236.101.213)  53.452 ms 115.236.101.221 (115.236.101.221)  53.043 ms 115.236.101.217 (115.236.101.217)  72.418 ms
10  42.120.247.109 (42.120.247.109)  81.178 ms * *
11  * 117.49.54.33 (117.49.54.33)  52.973 ms *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

┌──(root💀kali)-[/home/kali]
└─# ping 116.62.230.66 -R -I wlan0
PING 116.62.230.66 (116.62.230.66) from 192.168.43.132 wlan0: 56(124) bytes of data.
64 bytes from 116.62.230.66: icmp_seq=1 ttl=88 time=276 ms
NOP
RR:     192.168.43.132
        10.197.46.1
        172.19.1.13
        221.228.20.138
        221.228.58.66
        202.97.100.157
        220.191.200.203
        115.236.101.214
        42.120.247.58

64 bytes from 116.62.230.66: icmp_seq=2 ttl=88 time=161 ms
NOP     (same route)
64 bytes from 116.62.230.66: icmp_seq=3 ttl=88 time=239 ms
NOP     (same route)
………………
2. scapy
Example:
┌──(root💀kali)-[/home/kali]
└─# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
Welcome to Scapy
Version 2.4.4
https://github.com/secdev/scapy
using IPython 7.22.0
>>> i=IP()
>>> p=ICMP()
>>> ping=(i/p)   # combine the layers into a ping packet
>>> ping.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ ICMP ]###
     type= echo-request   # echo-request is the default; if it is not, "ping[ICMP].type=8" sets it to a request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0
>>> ping[IP].dst="10.10.10.2"   # destination IP; note that src is detected and filled in automatically
>>> ping.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 10.10.10.135
  dst= 10.10.10.2
  \options\
###[ ICMP ]###
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0
>>> a=sr1(ping)   # send the packet
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()   # probe result
###[ IP ]###
  version= 4
  ihl= 5
  tos= 0x0
  len= 28
  id= 65492
  flags=
  frag= 0
  ttl= 128
  proto= icmp
  chksum= 0x1270
  src= 10.10.10.2
  dst= 10.10.10.135
  \options\
###[ ICMP ]###
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]###
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>> ping[IP].dst="10.10.10.88"   # probe an IP that does not exist
>>> a1=sr1(ping)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.
.......^C
Received 7 packets, got 0 answers, remaining 1 packets
>>> a1=sr1(ping,timeout=1,verbose=1)   # adding a timeout avoids probing the same IP forever
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.

Received 1 packets, got 0 answers, remaining 1 packets
Shorthand:
>>> A=sr1(IP(dst="10.10.10.2")/ICMP(),timeout=1)
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
>>> A.display()
###[ IP ]###
  version= 4
  ihl= 5
  tos= 0x0
  len= 28
  id= 65496
  flags=
  frag= 0
  ttl= 128
  proto= icmp
  chksum= 0x126c
  src= 10.10.10.2
  dst= 10.10.10.135
  \options\
###[ ICMP ]###
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]###
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
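Scapy shows chksum= None while the packet is being built and fills the field in on send; the reply shows the values the other side computed. The added example below (not from the original notes, no scapy and nothing sent) implements the RFC 1071 one's-complement checksum, builds the 8-byte ICMP echo header and the 20-byte IPv4 header the sessions above display, and verifies a reply the way ping-style probes do: checksum valid, type echo-reply, id/seq matching the request. The IP header values are taken from the first reply above (len 28, id 65492, ttl 128, src 10.10.10.2, dst 10.10.10.135), so the checksum the code produces can be compared with the 0x1270 scapy printed.

```python
import struct
from ipaddress import IPv4Address

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IPPROTO_ICMP = 1


def inet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, end-around carry, complemented.
    An odd trailing byte is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type, ident=0, seq=0, payload=b""):
    """ICMP echo header; the checksum covers header and payload with the field zeroed first."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(data):
    if len(data) < 8:
        raise ValueError("ICMP message too short")
    t, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    # Summing a message that includes its own checksum yields 0xFFFF, whose complement is 0.
    return {"type": t, "code": code, "chksum": csum, "id": ident, "seq": seq,
            "payload": data[8:], "checksum_ok": inet_checksum(data) == 0}


def build_ipv4_header(src, dst, total_len, ident, ttl, proto):
    """Minimal 20-byte IPv4 header (version 4, ihl 5, tos 0, no flags/fragment offset)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def ipv4_header_checksum(hdr):
    return struct.unpack("!H", hdr[10:12])[0]


def is_echo_reply_for(request, reply):
    """Host-up decision for an echo probe: a checksum-valid echo-reply whose id and seq
    match the request we sent. Anything else (error, corruption, foreign reply) is ignored."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and rep["type"] == ICMP_ECHO_REPLY
            and (rep["id"], rep["seq"]) == (req["id"], req["seq"]))


if __name__ == "__main__":
    # Values from the first scapy reply above: IP len 28, id 65492, ttl 128, proto icmp.
    reply_ip = build_ipv4_header("10.10.10.2", "10.10.10.135", 28, 65492, 128, IPPROTO_ICMP)
    print("IP chksum: 0x%04x" % ipv4_header_checksum(reply_ip))          # 0x1270 as displayed
    print("echo-reply chksum: 0x%04x" % parse_icmp(build_icmp_echo(0))["chksum"])  # 0xffff as displayed
```

With id 0, seq 0 and no payload, an echo-reply header is all zeros except the checksum field, so the checksum is 0xFFFF; the matching echo-request differs only in the type byte, giving 0xF7FF. The 0x126c in the shorthand session is the same IP header with id 65496 (four larger), which lowers the complement by four.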
3. nmap
Note: the packets nmap sends differ depending on whether the target is on the same subnet as the source (src) or on a different one!
Same subnet: ARP packets are sent:
┌──(root💀kali)-[/home/kali]
└─# nmap 10.10.10.1-100 -sn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 09:00 EST
Nmap scan report for 10.10.10.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:F0:F4:B1 (VMware)
Nmap done: 100 IP addresses (1 host up) scanned in 13.02 seconds
Different subnet: ICMP + TCP packets are sent:
┌──(root💀kali)-[/home/kali]
└─# nmap 192.168.1.1-100 -sn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 08:58 EST
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.2
Host is up (0.00099s latency).
Nmap scan report for 192.168.1.3
Host is up (0.00098s latency).
Nmap scan report for 192.168.1.4
…………
4. fping
Basic usage:
┌──(root💀kali)-[/home/kali]
└─# fping 10.10.10.2 -c 3
10.10.10.2 : [0], 64 bytes, 0.820 ms (0.820 avg, 0% loss)
10.10.10.2 : [1], 64 bytes, 0.457 ms (0.639 avg, 0% loss)
10.10.10.2 : [2], 64 bytes, 0.267 ms (0.515 avg, 0% loss)

10.10.10.2 : xmt/rcv/%loss = 3/3/0%, min/avg/max = 0.267/0.515/0.820
fping supports scanning an address range:
┌──(root💀kali)-[/home/kali]
└─# fping -g 10.10.10.2 10.10.10.6 -c 1
10.10.10.2 : [0], 64 bytes, 0.292 ms (0.292 avg, 0% loss)
10.10.10.3 : [0], timed out (NaN avg, 100% loss)
10.10.10.4 : [0], timed out (NaN avg, 100% loss)
10.10.10.5 : [0], timed out (NaN avg, 100% loss)
10.10.10.6 : [0], timed out (NaN avg, 100% loss)

10.10.10.2 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.292/0.292/0.292
10.10.10.3 : xmt/rcv/%loss = 1/0/100%
10.10.10.4 : xmt/rcv/%loss = 1/0/100%
10.10.10.5 : xmt/rcv/%loss = 1/0/100%
10.10.10.6 : xmt/rcv/%loss = 1/0/100%

┌──(root💀kali)-[/home/kali]
└─# fping -g 10.10.10.0/24                                                    1 ⨯
10.10.10.2 is alive
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.1
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.1
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.1
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.1
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.4
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.4
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.4
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.4
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.3
………………
10.10.10.1 is unreachable
10.10.10.3 is unreachable
10.10.10.4 is unreachable
10.10.10.5 is unreachable
10.10.10.6 is unreachable
10.10.10.7 is unreachable
………………
Targets can also be read from a file:
┌──(root💀kali)-[/home/kali]
└─# fping -f /home/kali/Desktop/list.txt -c 1                                 1 ⨯
10.10.10.2 : [0], 64 bytes, 0.169 ms (0.169 avg, 0% loss)
10.10.10.1 : [0], timed out (NaN avg, 100% loss)
10.10.10.254 : [0], timed out (NaN avg, 100% loss)
10.10.10.89 : [0], timed out (NaN avg, 100% loss)

10.10.10.1 : xmt/rcv/%loss = 1/0/100%
10.10.10.254 : xmt/rcv/%loss = 1/0/100%
10.10.10.2 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.169/0.169/0.169
10.10.10.89 : xmt/rcv/%loss = 1/0/100%

┌──(root💀kali)-[/home/kali]
└─# fping -g 10.10.10.0/24 -c 1 >>result.txt
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.1
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.5
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.4
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.3
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.7
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.6
ICMP Host Unreachable from 10.10.10.135 for ICMP Echo sent to 10.10.10.10

┌──(root💀kali)-[/home/kali]
└─# ls
Desktop  Documents  Downloads  Music  Pictures  Public  result.txt  Templates  Videos

┌──(root💀kali)-[/home/kali]
└─# cat result.txt
10.10.10.2 : [0], 64 bytes, 0.403 ms (0.403 avg, 0% loss)
10.10.10.1 : [0], timed out (NaN avg, 100% loss)
10.10.10.3 : [0], timed out (NaN avg, 100% loss)
10.10.10.4 : [0], timed out (NaN avg, 100% loss)
10.10.10.5 : [0], timed out (NaN avg, 100% loss)
10.10.10.6 : [0], timed out (NaN avg, 100% loss)
10.10.10.7 : [0], timed out (NaN avg, 100% loss)
10.10.10.8 : [0], timed out (NaN avg, 100% loss)
10.10.10.9 : [0], timed out (NaN avg, 100% loss)
10.10.10.10 : [0], timed out (NaN avg, 100% loss)
10.10.10.11 : [0], timed out (NaN avg, 100% loss)
5. The hping command
- Can send almost arbitrary TCP/IP packets (the relevant fields can be specified)
- Scans only one target at a time
- Can be used for stress testing
Basic usage:
┌──(root💀kali)-[/home/kali]
└─# hping3 10.10.10.2 --icmp -c 2   # probing an IP that exists
HPING 10.10.10.2 (eth0 10.10.10.2): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.2 ttl=128 id=1675 icmp_seq=0 rtt=5.6 ms
len=46 ip=10.10.10.2 ttl=128 id=1676 icmp_seq=1 rtt=2.5 ms

--- 10.10.10.2 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 2.5/4.1/5.6 ms

┌──(root💀kali)-[/home/kali]
└─# hping3 10.10.10.3 --icmp -c 2   # probing an IP that does not exist
HPING 10.10.10.3 (eth0 10.10.10.3): icmp mode set, 28 headers + 0 data bytes

--- 10.10.10.3 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Probing an address range:
┌──(root💀kali)-[/home/kali]
└─# for addr in $(seq 1 100) ; do hping3 10.10.10.$addr --icmp -c 1 >>handle.txt & done
[2] 3007
[3] 3008
[4] 3009
………………
--- 10.10.10.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 10.10.10.2 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.0/9.0/9.0 ms

--- 10.10.10.3 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 10.10.10.4 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
………………
┌──(root💀kali)-[/home/kali]
└─# cat handle.txt | grep ^len   # keep only lines starting with "len", i.e. the live hosts
len=46 ip=10.10.10.2 ttl=128 id=1677 icmp_seq=0 rtt=9.0 ms
V. Layer 4 discovery
Advantages:
- Routable and the result is reliable (the result of probing a port is used to judge whether the IP exists)
- Less likely to be filtered by firewalls
- Can even discover hosts on which every port is filtered
Disadvantages:
- Scanning all ports (1-65535) is slow
- Stateful firewalls can still filter the scan
TCP
- Send an ACK directly without establishing a connection; if the target returns a RST (note: not every host does; a host that filters will not return a RST), that proves the IP exists.
- Do a normal TCP three-way handshake: after src sends the SYN, if the target IP exists:
- an open port answers with SYN+ACK;
- a closed port answers with RST.
UDP
- UDP only sends; it does not acknowledge.
- Even if the IP exists and the port is open, a bare layer 4 packet with no application-layer data is incomplete, and the target IP will not process it.
- Still, we can infer whether the host exists from how UDP handles a closed port: when the target IP exists but the probed port is closed, an ICMP unreachable message is returned to the source IP, which shows that the IP exists!
1. scapy
TCP probing, using the ACK/RST pattern, example:
┌──(root💀kali)-[/home/kali]
└─# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
Welcome to Scapy
Version 2.4.4
https://github.com/secdev/scapy
using IPython 7.22.0
>>> i=IP()
>>> t=TCP()
>>> it=(i/t)
>>> it.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= []
>>> it[IP].dst="192.168.1.1"   # my home router
>>> it[TCP].flags='A'   # send an ACK packet directly
>>> it.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 192.168.1.109   # detected and filled in automatically
  dst= 192.168.1.1
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= A
     window= 8192
     chksum= None
     urgptr= 0
     options= []
>>> a=sr1(it,timeout=1,verbose=1)   # send the probe
Begin emission:
Finished sending 1 packets.

Received 2 packets, got 0 answers, remaining 1 packets   # no RST came back because the home router filters; an ordinary host returns a RST, like 10.10.10.2 below
>>> it[IP].dst="10.10.10.2"
>>> it.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 10.10.10.135
  dst= 10.10.10.2
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= A
     window= 8192
     chksum= None
     urgptr= 0
     options= []
>>> a=sr1(it,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()   # look at the reply
###[ IP ]###
  version= 4
  ihl= 5
  tos= 0x0
  len= 40
  id= 65248
  flags=
  frag= 0
  ttl= 128
  proto= tcp
  chksum= 0x1353
  src= 10.10.10.2
  dst= 10.10.10.135
  \options\
###[ TCP ]###
     sport= http
     dport= ftp_data
     seq= 0
     ack= 0
     dataofs= 5
     reserved= 0
     flags= R   # a RST packet came back; sometimes this is shown as the number 4 (the RST bit converted from binary to decimal), which a packet capture makes clear
     window= 32767
     chksum= 0x6e1
     urgptr= 0
     options= []
###[ Padding ]###
        load= '\x00\x00\x00\x00\x00\x00'
>>> it[TCP].dport=445
>>> a=sr1(it,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
UDP probing (an ICMP port unreachable is enough to conclude that the IP exists), example:
>>> u=UDP()
>>> iu=(i/u)
>>> iu.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ UDP ]###
     sport= domain
     dport= domain
     len= None
     chksum= None
>>> iu[IP].dst="10.10.10.2"
>>> iu[UDP].dport=33333
>>> a1=sr1(iu,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 1 packets, got 0 answers, remaining 1 packets
>>> iu[UDP].dport=53
>>> a1=sr1(iu,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 0 packets, got 0 answers, remaining 1 packets
>>> iu[UDP].dport=19291
>>> a1=sr1(iu,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 1 packets, got 0 answers, remaining 1 packets
>>> iu[IP].dst="192.168.1.1"
>>> a1=sr1(iu,timeout=1,verbose=1)
Begin emission:
Finished sending 1 packets.

Received 2 packets, got 0 answers, remaining 1 packets
>>>
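The layer 4 rules listed at the start of this section, and the "flags= R, sometimes shown as 4" remark in the TCP session, both come down to reading the TCP flags byte and a few ICMP type/code pairs. The added example below (not from the original notes; no scapy and nothing is sent) decodes a raw 20-byte TCP header into the same flag letters scapy prints, and turns an observed answer into a (host, port) verdict following those rules. It goes slightly beyond the text in one place: an ICMP unreachable with a code other than 3 (port unreachable) is reported as filtered rather than as a live host, since such an error is produced by a router or firewall, not by the target's UDP stack. The RST header is constructed with the field values shown in the session above.

```python
import struct

# Bit positions of the TCP flags byte; the letters are the ones scapy prints (flags= R, A, SA ...).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80}
ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE = 3, 3


def tcp_flags_to_int(flags):
    """'R' -> 4, 'A' -> 16, 'SA' -> 18: the numeric form that sometimes appears instead of letters."""
    return sum(TCP_FLAG_BITS[c] for c in flags)


def tcp_flags_to_str(value):
    return "".join(c for c, bit in TCP_FLAG_BITS.items() if value & bit)


def parse_tcp_header(data):
    """Decode the fixed 20-byte TCP header (options, if any, follow and are not needed here)."""
    if len(data) < 20:
        raise ValueError("TCP header too short")
    sport, dport, seq, ack, off_res, flags, window, chksum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "dataofs": off_res >> 4,
            "flags": tcp_flags_to_str(flags), "flags_int": flags, "window": window}


def classify_tcp_probe(sent_flags, reply_flags):
    """sent_flags: 'A' for the ACK probe or 'S' for the handshake probe.
    reply_flags: None on timeout, else the flags string of the answer.
    Returns (host_state, port_state) per the rules above."""
    if reply_flags is None:
        return ("unknown", "no reply: host down, or probe/answer filtered")
    if "R" in reply_flags:
        # A RST proves a live stack; only a SYN probe says anything about the port.
        return ("up", "closed" if sent_flags == "S" else "not tested by an ACK probe")
    if sent_flags == "S" and "S" in reply_flags and "A" in reply_flags:
        return ("up", "open")
    return ("up", "unexpected reply flags " + reply_flags)


def classify_udp_probe(icmp):
    """icmp: None, or (type, code) of the ICMP error received for the UDP datagram."""
    if icmp is None:
        return ("unknown", "open or filtered: the silent case described above")
    if icmp == (ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE):
        return ("up", "closed")
    if icmp[0] == ICMP_DEST_UNREACHABLE:
        return ("unknown", "filtered: unreachable code %d came from a router or firewall" % icmp[1])
    return ("unknown", "unexpected ICMP type %d" % icmp[0])


# Constructed RST answer with the values shown in the session above:
# sport http (80), dport ftp_data (20), dataofs 5, flags R, window 32767, chksum 0x6e1.
SAMPLE_RST = struct.pack("!HHIIBBHHH", 80, 20, 0, 0, 5 << 4, TCP_FLAG_BITS["R"], 32767, 0x06E1, 0)

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_RST)
    print(hdr)                                           # flags 'R', flags_int 4
    print(classify_tcp_probe("A", hdr["flags"]))          # ('up', 'not tested by an ACK probe')
    print(classify_udp_probe((3, 3)))                     # ('up', 'closed')
```

The two "unknown" outcomes are what the note above calls UDP being unreliable: silence never distinguishes a down host from a filtered one, which is why a port-unreachable is treated as positive evidence but its absence proves nothing.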
2. nmap
Command options (help):

┌──(root💀kali)-[/home/kali]
└─# nmap -h
Nmap 7.91 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
Example:
┌──(root💀kali)-[/home/kali]
└─# nmap 192.168.1.1-254 -PU53 -sn    # UDP probe to port 53
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 21:39 EST
Nmap scan report for 192.168.1.1
Host is up (0.0069s latency).
MAC Address: 0C:4B:54:33:72:9F (Tp-link Technologies)
Nmap scan report for 192.168.1.108
Host is up (0.11s latency).
MAC Address: 34:E1:2D:13:9D:EA (Intel Corporate)
Nmap scan report for 192.168.1.109
Host is up.
Nmap done: 254 IP addresses (3 hosts up) scanned in 10.59 seconds

┌──(root💀kali)-[/home/kali]
└─# nmap 192.168.1.1-254 -PA80 -sn    # probe the target's port 80 directly with an ACK packet
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 21:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.017s latency).
MAC Address: 0C:4B:54:33:72:9F (Tp-link Technologies)
Nmap scan report for 192.168.1.103
Host is up (0.044s latency).
MAC Address: 48:2C:A0:7B:90:CB (Xiaomi Communications)
Nmap scan report for 192.168.1.108
Host is up (0.088s latency).
MAC Address: 34:E1:2D:13:9D:EA (Intel Corporate)
Nmap scan report for 192.168.1.109
Host is up.
Nmap done: 254 IP addresses (4 hosts up) scanned in 20.93 seconds

┌──(root💀kali)-[/home/kali]
└─# nmap -iL /home/kali/Desktop/list.txt -PA80 -sn    # the target list can be read from a file
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 22:05 EST
Nmap scan report for 10.10.10.1
Host is up (0.00034s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00019s latency).
MAC Address: 00:50:56:FC:55:15 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00024s latency).
MAC Address: 00:50:56:F0:F4:B1 (VMware)
Nmap done: 4 IP addresses (3 hosts up) scanned in 4.43 seconds
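The stated goal of host discovery is an IP address list. The following parser is an added example, not code from the original post or from the course it follows: it turns the normal-format output of an `nmap -sn` run like the ones above into a list of live hosts with their MAC and vendor, checks that the `Nmap done: ... (N hosts up)` summary agrees with the number of report blocks (a truncated or aborted run would otherwise silently shorten the list), and emits the sorted IP list. The sample output is constructed from the shape of the session above; the `-v` "[host down]" and reverse-DNS "name (ip)" forms are handled as well.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not captured from the page's session): the normal-format
# output that "nmap <range> -PU53 -sn" prints, one line per item as nmap emits it.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-20 21:39 EST
Nmap scan report for 192.168.1.1
Host is up (0.0069s latency).
MAC Address: 0C:4B:54:33:72:9F (Tp-link Technologies)
Nmap scan report for 192.168.1.108
Host is up (0.11s latency).
MAC Address: 34:E1:2D:13:9D:EA (Intel Corporate)
Nmap scan report for 192.168.1.109
Host is up.
Nmap done: 254 IP addresses (3 hosts up) scanned in 10.59 seconds
"""

# "Nmap scan report for 192.168.1.1" or, with reverse DNS, "... for router (192.168.1.1)";
# with -v nmap also prints down hosts as "... for 192.168.1.5 [host down]".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?P<down> \[host down\])?$"
)
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?: \((?P<vendor>[^)]*)\))?$"
)
DONE_RE = re.compile(r"^Nmap done: (?P<total>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)")


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None  # None for the scanning host itself (no RTT measured)
    mac: Optional[str] = None          # None when the target is not on the local segment
    vendor: Optional[str] = None


def parse_nmap_sn(text: str) -> List[Host]:
    """Return the live hosts reported by an nmap -sn run, in report order."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            if m["down"]:
                current = None          # verbose output lists down hosts; skip them
                continue
            current = Host(ip=m["ip"], hostname=m["name"])
            hosts.append(current)
            continue
        if current is None:
            continue
        m = UP_RE.match(line)
        if m:
            current.latency_s = float(m["lat"]) if m["lat"] else None
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac, current.vendor = m["mac"], m["vendor"]
    return hosts


def summary_consistent(text: str) -> bool:
    """True when the 'Nmap done: ... (N hosts up)' line agrees with the parsed report count."""
    hosts = parse_nmap_sn(text)
    for line in text.splitlines():
        m = DONE_RE.match(line.strip())
        if m:
            return int(m["up"]) == len(hosts)
    return False  # no summary line: the scan was aborted or the output is truncated


def live_ips(hosts: List[Host]) -> List[str]:
    """The IP list that host discovery is meant to produce, sorted numerically."""
    return sorted((h.ip for h in hosts), key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    found = parse_nmap_sn(SAMPLE_NMAP_OUTPUT)
    print("summary consistent:", summary_consistent(SAMPLE_NMAP_OUTPUT))
    for h in found:
        print(h)
    print(live_ips(found))
```

Feed it the saved output of `-oN` rather than a copy of the terminal; for larger ranges `-oX` plus an XML parser is the more robust route, but the normal format is what the session above shows and is enough for building the target list.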
3、hping3
Note: with UDP probes, the host-is-up judgement rests entirely on receiving an ICMP port unreachable reply; by default hping3 sends TCP packets (with no flags set) rather than UDP.
Example:
┌──(root💀kali)-[/home/kali]
└─# hping3 10.10.10.2 --udp -c 1    # note: "udp" is lowercase
HPING 10.10.10.2 (eth0 10.10.10.2): udp mode set, 28 headers + 0 data bytes

--- 10.10.10.2 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

┌──(root💀kali)-[/home/kali]
└─# hping3 10.10.10.3 --udp -c 1
HPING 10.10.10.3 (eth0 10.10.10.3): udp mode set, 28 headers + 0 data bytes

--- 10.10.10.3 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

┌──(root💀kali)-[/home/kali]
└─# hping3 114.114.114.114 --udp -c 1    # UDP mode specified
HPING 114.114.114.114 (eth0 114.114.114.114): udp mode set, 28 headers + 0 data bytes

--- 114.114.114.114 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

┌──(root💀kali)-[/home/kali]
└─# hping3 114.114.114.114 -c 2    # default behaviour
HPING 114.114.114.114 (eth0 114.114.114.114): NO FLAGS are set, 40 headers + 0 data bytes

--- 114.114.114.114 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
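Seen from the monitored network, every discovery probe on this page (the UDP/53 probes of `-PU53`, the ACK probes of `-PA80`, hping3's UDP and no-flags TCP packets) has the same signature: one source touching many distinct destinations with the same protocol, port and flags in a short time. The detector below is an added example, not part of the original post or of the course it cites; it runs over a constructed flow log in a hypothetical `timestamp proto src dst dport flags` format and raises one alert per probing pattern once a threshold of distinct destinations is reached inside a sliding window. The last group of lines is a slow no-flags sweep paced two minutes apart, which a 60 s window misses and a 600 s window catches.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample log (not from the page). One flow per line:
#   <ISO timestamp> <proto> <src> <dst> <dport> <tcp flags or ->
# It contains: a UDP/53 sweep (nmap -PU53 style), a TCP ACK/80 sweep (-PA80 style),
# an ordinary DNS client talking to one resolver, and a slow no-flags TCP sweep
# (hping3 default style) paced at one probe every two minutes.
SAMPLE_LOG = """\
2021-11-20T21:39:01 UDP 192.168.1.109 192.168.1.1 53 -
2021-11-20T21:39:01 UDP 192.168.1.109 192.168.1.2 53 -
2021-11-20T21:39:02 UDP 192.168.1.109 192.168.1.3 53 -
2021-11-20T21:39:02 UDP 192.168.1.109 192.168.1.4 53 -
2021-11-20T21:39:03 UDP 192.168.1.109 192.168.1.5 53 -
2021-11-20T21:47:10 TCP 192.168.1.109 192.168.1.1 80 A
2021-11-20T21:47:10 TCP 192.168.1.109 192.168.1.2 80 A
2021-11-20T21:47:11 TCP 192.168.1.109 192.168.1.3 80 A
2021-11-20T21:47:11 TCP 192.168.1.109 192.168.1.4 80 A
2021-11-20T21:40:00 UDP 192.168.1.20 192.168.1.1 53 -
2021-11-20T21:40:05 UDP 192.168.1.20 192.168.1.1 53 -
2021-11-20T21:40:09 UDP 192.168.1.20 192.168.1.1 53 -
2021-11-20T21:40:12 UDP 192.168.1.20 192.168.1.1 53 -
2021-11-20T21:40:15 UDP 192.168.1.20 192.168.1.1 53 -
2021-11-20T21:50:00 TCP 10.10.10.128 10.10.10.2 0 -
2021-11-20T21:52:00 TCP 10.10.10.128 10.10.10.3 0 -
2021-11-20T21:54:00 TCP 10.10.10.128 10.10.10.4 0 -
2021-11-20T21:56:00 TCP 10.10.10.128 10.10.10.5 0 -
"""

Key = Tuple[str, str, int, str]                      # (src, proto, dport, flags)
Event = Tuple[datetime, str, str, str, int, str]     # (ts, src, proto, dst, dport, flags)


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, flags = line.split()
        events.append((datetime.fromisoformat(ts), src, proto, dst, int(dport), flags))
    events.sort(key=lambda e: e[0])   # logs are not always in order; the window needs them sorted
    return events


def detect_sweeps(text: str, window_s: int = 60, threshold: int = 4) -> List[dict]:
    """Flag a (src, proto, dport, flags) tuple once it has touched `threshold` distinct
    destinations inside a sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    recent: Dict[Key, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[Key] = set()
    alerts: List[dict] = []
    for ts, src, proto, dst, dport, flags in parse_log(text):
        key: Key = (src, proto, dport, flags)
        q = recent[key]
        q.append((ts, dst))
        while ts - q[0][0] > window:           # drop probes that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)                    # one alert per probing pattern, not per packet
            alerts.append({
                "src": src, "proto": proto, "dport": dport, "flags": flags,
                "distinct_dsts": len(distinct),  # count at the moment the threshold was crossed
                "first": q[0][0].isoformat(), "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LOG):
        print("fast window:", a)
    for a in detect_sweeps(SAMPLE_LOG, window_s=600):
        print("slow window:", a)
```

The DNS client that repeatedly queries a single resolver never trips the rule because the count is over distinct destinations, not packets. The trade-off is the window: nmap's `--scan-delay` / `-T0` and hping3's `-i` let a sweep crawl below any short window, so a second, longer window (or a per-source distinct-destination count per hour) is worth keeping alongside the fast one, at the cost of holding more state per source.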
Reference: 苑房弘's Kali Linux Penetration Testing course
Stay true to your original aspiration, and you will reach your goal.
Category:
Kali penetration testing study notes