Kali Linux 渗透测试之主动信息收集（一）——二层发现（arping/shell脚本、nmap、netdiscover、scapy）

1. 主动信息收集

（1）主动信息收集的特点

•   直接与目标系统交互通信；
•   无法避免留下访问的痕迹；

（2）解决方法

•   用受控的第三方电脑进行探测，例如使用代理或已经被控制的主机；
•   做好被封杀的准备；
•   使用噪声迷惑目标，淹没真实的探测流量；

（3）发现（IP层面）

•  识别活着的主机，即潜在的被攻击目标（存活的主机，会有一些开放的端口，端口对应服务，可以针对服务寻找存在漏洞等——扩大目标系统的攻击面）；
•  将结果输出一个IP地址列表；
•  以下发现主要针对的是2、 3 、4层发现；

2. 发现——二层发现

原理：使用ARP协议，在网段内进行广播，查看是否有回包，如果有，证明该主机存活；

优点：扫描速度快、可靠；

缺点：不可路由，只能发现同一网段内的主机；

（1）arping

1.1> arping 单个的IP地址

root@root:~# arping 192.168.37.130        #会一直ping下去，Ctrl+C暂停
ARPING 192.168.37.130 from 192.168.37.131 eth0
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  2.265ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.578ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.645ms
^CSent 3 probes (1 broadcast(s))
Received 3 response(s)

root@root:~# arping 192.168.37.130 -c 2   #指定发包的数量
ARPING 192.168.37.130 from 192.168.37.131 eth0
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.534ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.376ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)

root@root:~# arping 192.168.37.130 -c 1 |grep "reply from" |awk '{print $4}'
192.168.37.130

#只过滤出IP地址

1.2> arping命令无法一次性实现多个ip的扫描，但可以配合shell脚本实现整个局域网的扫描

脚本1：arping.sh     #扫描整个网段

#!/bin/bash
#该脚本用于扫描整个局域网内存活的主机  

ETH=$(ifconfig | head -1 |awk -F":" '{print $1 }')
PREFIX=$(ifconfig $ETH | grep 'netmask' |awk '{print $2}'|cut -d '.' -f 1-3)
for addr in $(seq 1 254)
do
	arping -c 1 $PREFIX.$addr | grep "reply from"|cut -d" " -f 4
done

结果如下：并使用Wireshark抓包查看

扫描二维码关注公众号，回复： 6124001 查看本文章

root@root:~# sh arping.sh 
192.168.37.1
192.168.37.2
192.168.37.130
192.168.37.254

脚本2：arping2.sh      #针对文件中的IP列表，进行扫描

#!/bin/bash
#该脚本主要用户实现扫描文件中的IP地址列表
FILE=$1
for addr in $(cat  $FILE)
do
	arping -c 1 $addr | grep  "reply from" | cut -d" " -f 4
done

结果如下：并使用Wireshark抓包查看

root@root:~# cat IP.txt 
192.168.37.2
192.168.37.8
192.168.37.130
192.168.37.133
192.168.37.180
192.168.37.190
root@root:~# sh arping2.sh IP.txt 
192.168.37.2
192.168.37.130

（2）Nmap（很强大）

nmap相比arping，可以扫描整个网段，而且扫描速度快，内容多；

• nmap -sn 192.168.37.130         # -sn: Ping Scan  - disable port scan，只进行主机发现，不进行端口扫描
• nmap -sn 192.168.37.0/24        #可以扫描整个网段；

root@root:~# nmap -sn 192.168.37.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.130
Host is up (0.00045s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
root@root:~# nmap -sn 192.168.37.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.37.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00037s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap scan report for 192.168.37.254
Host is up (0.00030s latency).
MAC Address: 00:50:56:E2:44:F8 (VMware)
Nmap scan report for 192.168.37.131
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds

•  nmap -iL IP.txt -sn           #扫描指定的IP列表

root@root:~# cat IP.txt 
192.168.37.2
192.168.37.8
192.168.37.130
192.168.37.133
192.168.37.180
192.168.37.190
root@root:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 20:06 CST
Nmap scan report for 192.168.37.2
Host is up (0.000064s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap done: 6 IP addresses (2 hosts up) scanned in 0.31 seconds

 （3）Netdiscover

• 专用于二层发现；
• 可用于无线和交换网络环境；
• 主动和被动探测；

3.1> 主动发现

• netdiscover -i eth0 -r 192.168.37.0/24       #netdiscover  -i  指定网卡  -r   网段
• netdiscover -l IP.txt                                    #netdiscover -l 指定IP列表

root@root:~# netdiscover -i eth0 -r 192.168.37.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.37.1    00:50:56:c0:00:08      1      60  VMware, Inc.                
 192.168.37.2    00:50:56:e8:e0:56      1      60  VMware, Inc.                
 192.168.37.130  00:0c:29:b6:06:cc      1      60  VMware, Inc.                
 192.168.37.254  00:50:56:e2:44:f8      1      60  VMware, Inc.  

root@root:~# netdiscover -l IP.txt 

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 24 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1440             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.37.1    00:50:56:c0:00:08      6     360  VMware, Inc.                
 192.168.37.2    00:50:56:e8:e0:56      6     360  VMware, Inc.                
 192.168.37.130  00:0c:29:b6:06:cc      6     360  VMware, Inc.                
 192.168.37.254  00:50:56:e2:44:f8      6     360  VMware, Inc.  

3.2> 被动发现

主动ARP容易触发报警，所以也可以采用被动发现的方式发现网络中存活的主机；

• netdiscover -p

root@root:~# netdiscover -p 

 Currently scanning: (passive)   |   Screen View: Unique Hosts           
                                                                         
 3 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 180         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.37.1    00:50:56:c0:00:08      1      60  VMware, Inc.          
 192.168.37.130  00:0c:29:b6:06:cc      2     120  VMware, Inc.  

（4）scapy

• 作为python库进行调用；
• 也可作为单独的工具使用；
• 抓包，分析，创建，修改，注入网络流量；

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ARP().display()           #显示ARP包中的信息
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:3e:df:60
  psrc= 192.168.37.131
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0

>>> arp=ARP()
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:3e:df:60
  psrc= 192.168.37.131
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0

>>> arp.pdst="192.168.37.130"        
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:3e:df:60
  psrc= 192.168.37.131
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.37.130

>>> sr1(arp)           #发包
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:b6:06:cc psrc=192.168.37.130 hwdst=00:0c:29:3e:df:60 pdst=192.168.37.131 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()   #接收包，其中padding为部位，当包的大小小于最小包长时，就会采用16进制0补位
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:b6:06:cc
  psrc= 192.168.37.130
  hwdst= 00:0c:29:3e:df:60
  pdst= 192.168.37.131
###[ Padding ]### 
     load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'