Kali Linux渗透测试之端口扫描（二）——僵尸扫描（scapy/python脚本、nmap）

僵尸扫描：

• 条件较为苛刻，首先要能够进行地址欺骗；
• 其次僵尸机没有什么网络流量产生；
• 最后僵尸机的ipid必须是递增的(win xp及以前windows机型)闲置系统；

1. 僵尸扫描的过程

Port   is  Open

Port   is  Closed

僵尸扫描的过程：

1. 扫描者向僵尸机发送SYN/ACK数据包，僵尸机会返回一个RST数据包，记录下ipid为x；

2. 扫描者向目标主机发送SYN数据包(将原地址伪造成僵尸机)；

3. 若目标主机端口开放，则目标主机向僵尸机发送SYN/ACK数据包；

       3.1 僵尸机收到SYN/ACK数据包，则向目标主机发送RST数据包，此时僵尸机ipid为x+1；

       3.2 扫描者向僵尸机再次发送SYN/ACK数据包，僵尸机返回一个RST数据包，此时ipid为x+2；

4. 若目标主机端口关闭，则目标主机向僵尸机发送RST数据包，此时僵尸机不会产生任何数据包；

       4.1 扫描者向僵尸机再次发送SYN/ACK数据包时，僵尸机返回一个RST数据包，此时ipid为x+1；

5. 通过扫描者从僵尸机接收到的两个RST数据包的ipid可以判断目标主机的目标端口是否开放；

 2. 僵尸扫描——scapy

（1）scapy

实验环境：

  kali(攻击者)： 192.168.37.131

  Windows 2008(目标主机) ：192.168.37.128

  win xp (僵尸机) ：192.168.37.130

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> t=TCP()
>>> rz=(i/t)
>>> rt=(i/t)
>>> rz[IP].dst="192.168.37.130"
>>> rz[TCP].dport=445
>>> rz[TCP].flags="SA"
>>> rt[IP].src="192.168.37.130"
>>> rt[IP].dst="192.168.37.128"
>>> rt[TCP].dport=25
>>> rt[TCP].flags="S"
>>> az1=sr1(rz)          #判断是否为好的僵尸机，先发送第一个SA包
Begin emission:
.*Finished to send 1 packets.

Received 2 packets, got 1 answers, remaining 0 packets
>>> zt=sr1(rt,timeout=1) #伪造源IP，向目标主机发包S
Begin emission:
..Finished to send 1 packets.
..*
Received 5 packets, got 1 answers, remaining 0 packets
>>> az2=sr1(rz)         #向僵尸机发送SA包，判断两次的IPID值是否相差2
Begin emission:
.Finished to send 1 packets.
...*
Received 5 packets, got 1 answers, remaining 0 packets
>>> az1
<IP  version=4L ihl=5L tos=0x0 len=40 id=2249 flags= frag=0L ttl=128 proto=tcp chksum=0x65b1 src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> az2
<IP  version=4L ihl=5L tos=0x0 len=40 id=2251 flags= frag=0L ttl=128 proto=tcp chksum=0x65af src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> rt[TCP].dport=33445      #验证端口不开放的情况
>>> az1=sr1(rz)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> zt=sr1(rt,timeout=1)
Begin emission:
..Finished to send 1 packets.
*
Received 3 packets, got 1 answers, remaining 0 packets
>>> az2=sr1(rz)
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
>>> az1               #IPID相差为1
<IP  version=4L ihl=5L tos=0x0 len=40 id=2252 flags= frag=0L ttl=128 proto=tcp chksum=0x65ae src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> az2
<IP  version=4L ihl=5L tos=0x0 len=40 id=2253 flags= frag=0L ttl=128 proto=tcp chksum=0x65ad src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>

 （2）使用python脚本实现

实验环境：

  kali(攻击者)： 192.168.37.131

  Windows 2008(目标主机) ：192.168.37.128

  win xp (僵尸机) ：192.168.37.130

脚本：zombie.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author：橘子女侠
# Time：2019/04/14
# 该脚本用于识别僵尸机，并使用僵尸机对目标主机进行端口扫描

from scapy.all import *
import time
import sys

def IsZombie(zombie_ip):  #判断僵尸机是否是一个合格的僵尸机
	a1 = sr1(IP(dst = zombie_ip)/TCP(flags = "SA", dport = 445),timeout = 1,verbose = 0)
	time.sleep(2)   #给僵尸机充足的时间，以判断僵尸机网络是否繁忙
	a2 = sr1(IP(dst = zombie_ip)/TCP(flags = "SA", dport = 445),timeout = 1,verbose = 0)
	if (a1[IP].id + 1) == a2[IP].id: #比较两次ipid值
		print ("this is a good zombie!")
		action = raw_input("do you want to use this zombie?(y/n)")
		if action == "y":
			target_ip = raw_input("please input the target's ip:") #目标主机ip
			scan(zombie_ip,target_ip)
        	else:
			sys.exit()
	else:
        	print ("this is not a good zombie!")

def scan(zombie_ip,target_ip):
	print("\nScanning target:"+target_ip+" with zombie:"+zombie_ip)
	print("\n------------------Open Ports on Target---------------\n")
	for port in range(1,1000):
		try:
			start_val=sr1(IP(dst=zombie_ip)/TCP(flags="SA",dport=port),timeout=2,verbose=0) #给僵尸机发送第一个SYN/ACK数据包
			send(IP(dst=target_ip,src=zombie_ip)/TCP(flags="S",dport=port),verbose=0) #给目标主机发送一个伪造原地址的SYN数据包
			end_val = sr1(IP(dst=zombie_ip)/TCP(flags="SA"),timeout=2,verbose=0) #给僵尸机发送第二个SYN/ACK数据包
			if (start_val[IP].id+2) == end_val[IP].id:   #比较ipid值，从而判断端口是否开放
				print(port)
		except:
			pass

print("------------------Zombie Scan Suite-------------------\n")
ip = raw_input("the zombie's ip:")
IsZombie(ip)

 结果如下：

root@root:~# python zombie.py 
------------------Zombie Scan Suite-------------------

the zombie's ip:192.168.37.130
this is a good zombie!
do you want to use this zombie?(y/n)y
please input the target's ip:192.168.37.128

Scanning target:192.168.37.128 with zombie:192.168.37.130

------------------Open Ports on Target---------------

25
53
80
88
110
135
139
143
389
445
464
465
593
636
995

 3. 僵尸扫描——Nmap

root@root:~# nmap -p445 192.168.37.130 --script=ipidseq.nse  #脚本判断是否是好的僵尸
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:35 CST
Nmap scan report for bogon (192.168.37.130)
Host is up (0.00060s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:0C:29:B6:06:CC (VMware)

Host script results:
|_ipidseq: Incremental!            #IPID递增

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds

root@root:~# nmap 192.168.37.128 -sI 192.168.37.130 -Pn -p 1-150 #扫描1——150端口
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:41 CST
Idle scan using zombie 192.168.37.130 (192.168.37.130:80); Class: Incremental
Nmap scan report for bogon (192.168.37.128)
Host is up (0.050s latency).
Not shown: 142 closed|filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds
root@root:~# nmap 192.168.37.128 -p 1-150
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:42 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00071s latency).
Not shown: 142 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
root@root:~# nmap 192.168.37.128 -sI 192.168.37.130  #扫描1000个常用端口
WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP.  On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:42 CST
Idle scan using zombie 192.168.37.130 (192.168.37.130:443); Class: Incremental
Nmap scan report for bogon (192.168.37.128)
Host is up (0.051s latency).
Not shown: 973 closed|filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
465/tcp   open  smtps
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
993/tcp   open  imaps
995/tcp   open  pop3s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3306/tcp  open  mysql
6000/tcp  open  X11
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
49167/tcp open  unknown
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 26.33 seconds