kali渗透测试之主动信息收集1——二层发现(arping、nmap、Netdiscover、scapy)

一、主动信息搜集

被动信息收集可能不准确，可以用主动信息收集验证

特点：

• 直接与目标系统交互通信 
• 无法避免留下访问的痕迹

解决方法：

• 使用代理或已经被控制的第三方电脑进行探测（做好被封杀的准备）
• 使用噪声迷惑目标，淹没真实的探测流量

扫描：发送不同的探测，根据返回结果判断目标状态

1.主机发现

• 二层主机发现
• 三层主机发现（kali渗透测试之主动信息收集2——三层发现(ping、traceroute、scapy、fping、Hping)）
• 四层主机发现（Kali渗透测试之主动信息收集3——四层发现(TCP、UDP、nmap、hping3)）

2.端口扫描

• TCP端口扫描
• UDP端口扫描
• 僵尸扫描

3.服务识别

• python socket
• dmitry -pb
• nmap
• amap -B

4.识别操作系统

• nmap
• TTL

三、二层发现

数据链路层，使用ARP协议

使用场景：已经取得一台主机，进入内网，对内网进行渗透

优点：扫描速度快，可靠

缺点：不可路由，只能扫描同网段

1、arping

root@kali:~# arping 192.168.247.129 -w 2     // -w 等待答复的时间(s)
ARPING 192.168.247.129 from 192.168.247.157 eth0
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  0.836ms
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  1.538ms
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  1.325ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)

root@kali:~# arping -c 1 192.168.247.129                        // -c 指定发包数量
ARPING 192.168.247.129 from 192.168.247.157 eth0
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  0.877ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
root@kali:~# arping -c 1 192.168.247.129 | grep 'reply from'   //通过grep筛选
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  0.869ms
root@kali:~# arping -c 1 192.168.247.129 | grep 'reply from' | cut -d' ' -f4    //截取IP地址
192.168.247.129

2、nmap

速度快而准，内容相对丰富，可以做IP段扫描，不用写脚本。能扫描出自己（本机：192.168.247.157）

• nmap 192.168.247.0/24 -sn     //-sn 只主机发现，不进行端口扫描
• nmap -iL arp.txt -sn                 //-iL  指定文件扫描

root@kali:~# nmap 192.168.247.0/24 -sn        //-sn 只主机发现，不进行端口扫描。不仅仅发arp包，还会做ptr记录解析（反向域名解析）
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 19:48 CST
Nmap scan report for bogon (192.168.247.1)
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.247.2)
Host is up (0.00012s latency).
MAC Address: 00:50:56:E6:D3:4D (VMware)
Nmap scan report for 192.168.247.129
Host is up (0.00076s latency).
MAC Address: 00:0C:29:8F:74:74 (VMware)
Nmap scan report for bogon (192.168.247.254)
Host is up (0.00030s latency).
MAC Address: 00:50:56:F3:49:7E (VMware)
Nmap scan report for bogon (192.168.247.157)  //本机
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.74 seconds

root@kali:~# cat arp.txt
192.168.247.1
192.168.247.2
192.168.247.3
192.168.247.4
192.168.247.5
192.168.247.6
192.168.247.7
192.168.247.8
192.168.247.9
192.168.247.10

root@kali:~# nmap -iL arp.txt -sn     //-iL  指定文件扫描
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 19:57 CST
Nmap scan report for 192.168.247.1
Host is up (0.000093s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.247.2)
Host is up (0.00014s latency).
MAC Address: 00:50:56:E6:D3:4D (VMware)
Nmap done: 10 IP addresses (2 hosts up) scanned in 2.23 seconds

3、Netdiscover

专门用于二层发现的arp侦查工具，既可做主动扫描，也可以做被动式扫描。既可用于无线，也可做有线扫描。扫描不出自己（本机：192.168.247.157）

主动扫描

• netdiscover -i eth0 -r 1.1.1.0/24            #-i指定网卡
• netdiscover -l iplist.txt   #指定文件

root@kali:~# netdiscover -i eth0 -r 192.168.247.0/24  //-i  指定网卡

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 25 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1500             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.247.1   00:50:56:c0:00:08     22    1320  VMware, Inc.                
 192.168.247.2   00:50:56:e6:d3:4d      1      60  VMware, Inc.                
 192.168.247.129 00:0c:29:8f:74:74      1      60  VMware, Inc.                
 192.168.247.254 00:50:56:f3:49:7e      1      60  VMware, Inc. 

root@kali:~# netdiscover -l arp.txt      //-l  指定扫描文件

 Currently scanning: 192.168.247.0/24   |   Screen View: Unique Hosts          
                                                                               
 39 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 2340             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.247.1   00:50:56:c0:00:08     11     660  VMware, Inc.                
 192.168.247.2   00:50:56:e6:d3:4d     10     600  VMware, Inc.                
 192.168.247.129 00:0c:29:8f:74:74      9     540  VMware, Inc.                
 192.168.247.254 00:50:56:f3:49:7e      9     540  VMware, Inc.                

ERROR: Network range must be 0.0.0.0/8 , /16 or /24

已终止

被动扫描

        避免被发现，不主动发arp包，原理：使用混杂模式，收取非本网卡IP/MAC的数据包，基于广播，默默等待并记录。准确程度与主动无差，响应速度慢些（但网络中，主机发arp包的次数比较常见，时间不会太久）

• netdiscover -p      #使用被动模式

root@kali:~# netdiscover -p    //使用被动模式
 
Currently scanning: (passive)   |   Screen View: Unique Hosts                 
                                                                               
 20 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 1200             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.247.1   00:50:56:c0:00:08     20    1200  VMware, Inc.  

4、Scapy（极为强大）

        Scapy 是一个强大的操纵报文的交互程序。它可以伪造或者解析多种协议的报文，还具有发送、捕获、匹配请求和响应这些报文以及更多的功能。Scapy 可以轻松地做到像扫描(scanning)、路由跟踪(tracerouting)、探测(probing)、单元测试(unit tests)、攻击(attacks)和发现网络(network discorvery)这样的传统任务。它可以代替hping、arpspoof、arp-sk、arping、p0f 甚至是部分的Namp、tcpdump和tshark 的功能。 

  

root@kali:~# scapy       //scapy后如果有warning，输入该命令 —— apt-get install python-gnuplot
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ARP().display()     //函数名称必须大写，display（）显示函数内容
###[ ARP ]### 
  hwtype= 0x1           //硬件类型
  ptype= 0x800          //协议类型
  hwlen= 6              //硬件地址长度
  plen= 4               //协议长度
  op= who-has           //操作码
  hwsrc= 00:0c:29:78:33:fb      //源mac地址
  psrc= 192.168.247.157         //源IP地址
  hwdst= 00:00:00:00:00:00      //目标mac地址
  pdst= 0.0.0.0                 //目标IP

>>> arp=ARP()         
>>> arp.pdst='192.168.247.129'  //指定目标IP
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:78:33:fb
  psrc= 192.168.247.157         //自动检测本地网卡
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.247.129

>>> sr1(arp)                    //发包，并收到应答包
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:8f:74:74 psrc=192.168.247.129 hwdst=00:0c:29:78:33:fb pdst=192.168.247.157 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()           //显示应答包的内容
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:8f:74:74
  psrc= 192.168.247.129
  hwdst= 00:0c:29:78:33:fb
  pdst= 192.168.247.157
###[ Padding ]### 
     #数据包不足位，补码
     load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'