Common tools for penetration testing: target reconnaissance

whatweb

Simple and direct to use: point it at a target site and it reports the web technologies it fingerprints.

arping

1. arping sends ARP requests to hosts on the adjacent (directly connected) network. Like ping, it checks whether an IP address is in use, but because it uses ARP packets it also reveals the hardware (MAC) address of the device and can turn up more device information than ping does.
2. Because of firewalls, some hosts do not answer ICMP ping. arping instead sends an ARP request (on the directly connected network) to determine whether a specific IP is online.
3. arping sends ARP or ICMP packets to a host and prints the replies. The host can be given as a hostname, an IP address or a MAC address, and one request is sent every second. The reason both ARP and ICMP are possible: when the host is given as an IP address or hostname, an ARP request is sent; when it is given as a MAC address, an ICMP echo broadcast is sent.
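To make the ARP exchange described above concrete, here is an added example (not code from the original post) that builds the "who has" request arping sends when given an IP, answers it as the owning host would, and decodes both frames; the MAC and IP addresses are constructed for illustration.

```python
import struct

ETH_TYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN = 1, 0x0800, 6, 4
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def _arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa) -> bytes:
    # 14-byte Ethernet header followed by the 28-byte ARP body (42 bytes total)
    eth = dst_mac + src_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN, op)
    return eth + arp + sha + spa + tha + tpa

def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell src_ip': broadcast, target MAC still unknown (zeros)."""
    return _arp_frame(BROADCAST_MAC, mac_bytes(src_mac), ARP_REQUEST,
                      mac_bytes(src_mac), ip_bytes(src_ip), b"\x00" * 6, ip_bytes(target_ip))

def build_arp_reply(request: bytes, my_mac: str) -> bytes:
    """Answer a request as the host owning the asked-for IP (unicast back to the asker)."""
    req = parse_arp(request)
    return _arp_frame(mac_bytes(req["sender_mac"]), mac_bytes(my_mac), ARP_REPLY,
                      mac_bytes(my_mac), ip_bytes(req["target_ip"]),
                      mac_bytes(req["sender_mac"]), ip_bytes(req["sender_ip"]))

def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its operation and the four addresses."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN, PLEN):
        raise ValueError("unsupported ARP encapsulation")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
            "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}

# Constructed exchange: a probe from 192.168.1.10 asking who owns 192.168.1.1
REQUEST = build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
REPLY = build_arp_reply(REQUEST, "66:77:88:99:aa:bb")

if __name__ == "__main__":
    print(parse_arp(REQUEST))
    print(parse_arp(REPLY))   # sender_mac is the answer arping prints for 192.168.1.1
```

Comparing the reply's sender_mac with the entry in the local ARP cache is also the quickest way to notice an unexpected MAC answering for a known IP.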

Scan test

About protocol analysis: see the ARP protocol analysis post.

  • Normal scan

Single-target normal scan

-c: number of requests to send (ping count)

Local ARP cache table

fping

1. fping works like ping. The difference is that fping can take a range of hosts to ping on the command line, or a file listing the hosts to ping.
2. Unlike ping, which waits for a host to reply or time out, fping sends a packet to the next host immediately after sending one, so many hosts are pinged at the same time. A host that replies is marked and removed from the waiting list; a host that does not reply is considered unreachable and stays on the waiting list for further attempts.
PS: ping detects whether a host is present by sending an ICMP (Internet Control Message Protocol) echo request and waiting for the reply.
3. Both UNIX and Windows have many tools for ICMP ping sweeps; fping is one of the proven ping-sweep tools on UNIX. Most early ping-sweep tools had to wait for the previous host to return some response before probing the next one, whereas fping issues a large number of ping requests in parallel in round-robin fashion. As a result, scanning many IP addresses with fping is much faster than with ping.

Scan test

About ICMP protocol analysis: see the ICMP protocol analysis post.

Scanning the whole LAN: the -g parameter runs a live-host sweep over the entire network segment.

You can also redirect the scan results into a .txt file to speed up review.

The difference between -ag and -g: -ag prints only the IP addresses that are alive, while -g prints the alive/unreachable status of every IP in the segment.

The -s parameter prints statistics for the final result; -n displays targets as host names or domain names.

genlist

1. Host discovery is an indispensable step in a penetration test. With it we can quickly determine which hosts are active, which makes the later steps easier.
2. Compared with fping, genlist's output for multiple hosts is more concise and shows only the active hosts. Its speed is basically the same as fping, so using the two together is recommended.

Test scan

genlist scans relatively fast.

nbtscan

nbtscan is a program for scanning NetBIOS name information on a Windows network. It sends a NetBIOS status query to each address in the given range and lists the received information in an easy-to-read table. For each responding host, nbtscan lists its IP address, NetBIOS computer name, logged-in user name and MAC address. It only works within the LAN. Because nbtscan obtains the real IP address and MAC address of a PC, if an "ARP attack" is causing strange behaviour on the network, it can be used to find the IP/MAC address of the PC that is running the ARP attack.

Working principle

Host A first sends an NBNS broadcast asking which host on the LAN has IP 1.1.1.1. Host B, in order to answer this NBNS query, sends an ARP broadcast asking for host A's MAC address; host A replies with an ARP packet, and once host B has learned host A's MAC address from it, host B returns an NBNS response that tells host A, via the NBNS protocol, that the host name of 1.1.1.1 is TEST-0EAD2165FF. (The NetBIOS Name Server (NBNS) protocol is part of the NetBIOS over TCP/IP (NetBT) protocol family and provides host-name-to-address mapping for NetBIOS-name-based access on a network. NetBIOS is short for Network Basic Input/Output System and generally refers to a set of APIs used for LAN communication.)

Detailed nbtscan command usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (scan range)
-v verbose output. Print all the names received from each host.
-d dump packets. Print the entire packet contents.
-e output in /etc/hosts format.
-l output in lmhosts format. Cannot be used with the -v, -s or -h options.
-t timeout wait timeout milliseconds for responses. The default is 1000.
-b bandwidth output throttling. Slows the output so that it uses no more than bandwidth bps. Useful for slow links, so that packets are not dropped.
-r use local port 137 for scanning.
-q suppress banner and error messages.
-s separator script-friendly output. Do not print column and record headers; separate fields with separator.
-h print a human-readable name for the service. Can only be used with the -v option.
-m retransmits number of retransmits. The default is 0.
-f filename read the IP addresses to scan from filename.
The scan range can be a single IP like 192.168.1.1 or an address range in one of two forms: xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.

The scan shows that 172.15.20.136 is alive.

Scan test

Scanning the entire LAN with the -r parameter

onesixtyone

The Simple Network Management Protocol (SNMP) consists of a set of network management standards, including an application layer protocol, a database schema and a set of resource objects. It lets a network management system monitor the devices attached to the network for conditions that need management attention. The protocol is part of the Internet protocol suite defined by the Internet Engineering Task Force (IETF). The goal of SNMP is to manage the software and hardware platforms produced by many manufacturers on the Internet, so it is strongly shaped by the Internet-standard network management framework. SNMP has reached its third version, whose functionality is greatly enhanced and improved compared with the earlier versions.
Through the SNMP service, penetration testers can obtain a large amount of device and system information. The most critical part is the system information, such as the operating system version and kernel version. Kali Linux provides a simple SNMP scanner, onesixtyone. The tool can collect target system information in batches and also supports SNMP community name enumeration, so security personnel can easily gather system information from many hosts and complete basic information collection.

About SNMP protocol analysis: see the SNMP protocol analysis post.

Scan test

BT5 comes with an SNMP scan script and dictionary.

From the output you can work out the meaning of the onesixtyone options:
-c the file name of the community-string dictionary
-i the file containing the host addresses
-o save the scan results to a file
-d debug mode; give it twice for more information

-w n wait n milliseconds (1/1000 s) between sending packets (default 10)
-q do not print the log to standard output; use -l
Examples:
onesixtyone -c dict.txt 192.168.4.1 public
onesixtyone -c dict.txt -i hosts -o my.log -w 100

2. Because onesixtyone has essentially one command, we use it to scan the target machine for weak SNMP community strings.

The meaning of the command: -c gives the dictionary name; the tool's default dictionary is dict.txt, and we use that default dictionary. The result shows the target's Windows version information: the SNMP community string was found by the dictionary attack, and then commands were run over SNMP to view the host's version information.

Because the target uses the default community string, it was found very quickly.

p0f

1. p0f is a passive detection tool that identifies the operating system of a host by capturing and analysing the packets that host sends, even when the host sits behind a well-configured firewall. The latest version is currently 3.09b. p0f is also a capable network-analysis tool: it can be used to detect NAT, load balancing and application proxies. It is a general-purpose passive OS fingerprinting tool. p0f uses SYN packets for passive OS detection and can correctly identify the target system type. Unlike other scanners, it sends nothing to the target system; it only passively receives the target's traffic and analyses it. Its big advantage is therefore that it is almost impossible to detect. Its fingerprint database is very detailed and updated relatively quickly, which makes it especially suitable for installation on a gateway.
2. Working principle: by passively intercepting raw TCP packets, for example traffic crossing a network segment you can see, traffic sent to a system you control, or traffic originating from one, a lot of useful information can be collected. TCP SYN and SYN/ACK packets reflect the TCP connection parameters, and different TCP stacks behave differently when negotiating these parameters.
3. p0f adds no direct or indirect network load: no name lookups, no covert probes, no ARIN queries, nothing. Experienced users can also use p0f to detect whether a host is behind a firewall, NAT, load balancer and so on.
4. p0f is another passive remote operating system identification tool after Nmap and Xprobe2. It supports: reverse-connection SYN mode, forward-connection SYN+ACK mode, empty-connection RST+ mode and stray ACK mode.
5. What makes p0f distinctive is that it can also detect whether the remote system is running behind a firewall, in NAT mode or in load-balancing mode, how long it has been up, and its DSL and ISP information.
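The fields p0f keys on (TTL, window size, DF bit, MSS, window scale and the order of TCP options) can be pulled out of a SYN with plain parsing. This is an added example, not p0f's own code or fingerprint format: it decodes a raw IPv4/TCP SYN and emits a p0f-style signature string, and the two sample SYNs are constructed to resemble a Linux and a Windows stack rather than taken from real captures.

```python
import struct
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def parse_tcp_options(raw: bytes) -> list:
    """Walk the TCP options area in wire order; the order itself is part of the fingerprint."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of options list
            opts.append(("eol", None)); break
        if kind == 1:                       # nop has no length byte
            opts.append(("nop", None)); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2: val = struct.unpack("!H", data)[0]      # MSS
        elif kind == 3: val = data[0]                          # window scale shift
        elif kind == 8: val = struct.unpack("!II", data)       # timestamps
        else: val = data
        opts.append((OPT_NAMES.get(kind, f"?{kind}"), val))
        i += length
    return opts

def syn_signature(pkt: bytes) -> dict:
    """Pull the stack-specific fields out of a raw IPv4/TCP SYN, p0f style."""
    ver_ihl, _, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if tcp[13] & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not a SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = parse_tcp_options(tcp[20:(tcp[12] >> 4) * 4])
    vals, layout = dict(opts), ",".join(name for name, _ in opts)
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "window": window,
            "mss": vals.get("mss", 0), "ws": vals.get("ws", 0), "layout": layout,
            "sig": f"{ttl}:{window}:{vals.get('mss', 0)}:{vals.get('ws', 0)}:{layout}"}

def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed sample SYN 10.0.0.5:40000 -> 10.0.0.1:80 (checksums zeroed, DF set)."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + tcp + options

# Constructed option layouts resembling a Linux and a Windows stack (not real captures)
LINUX_LIKE_SYN = build_syn(57, 29200, bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307"))
WINDOWS_LIKE_SYN = build_syn(128, 64240, bytes.fromhex("020405b4" "01" "030308" "0101" "0402"))

if __name__ == "__main__":
    for pkt in (LINUX_LIKE_SYN, WINDOWS_LIKE_SYN):
        print(syn_signature(pkt)["sig"])   # ttl:window:mss:ws:option-layout
```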

Test scan

[Parameter description]
Network interface options:
-i iface - specify the network interface to monitor
-r file - read packets from a capture file saved by a packet-capture tool
-p - put the interface given by -i into promiscuous mode
-L - list all available interfaces
Operating modes and output settings:
-f file - path of the fingerprint database (p0f.fp). If not specified, the default database is used (default: /etc/p0f/p0f.fp)
-o file - write output to the specified log file. Only logs from the same interface can be appended and merged into this monitoring session.
-s name - answer API queries on the named unix socket
-u user - run the program as the specified user; the working directory is switched to that user's home directory
-d - run p0f as a background process (requires -o or -s)
Performance-related options:
-S limit - set the number of concurrent API connections (default 20, upper limit 100)
-t c,h - set the connection timeouts (30s, 120m)
-m c,h - set the maximum number of connections (c) and hosts (h) tracked simultaneously (default: c = 1,000, h = 10,000)

Test analysis

xprobe2

xprobe is a remote host operating system detection tool. Its developers built on the same techniques as Nmap and added innovations of their own. Xprobe uses the ICMP protocol to obtain fingerprints. The latest version is Xprobe2.0.3. Xprobe2 actively probes the target, statistically analyses the characteristics of the ICMP replies to its probes with a fuzzy matrix, and from that determines the type of the remote operating system.

Working principle

TTL is a field in the IP packet header. It tells routers whether a packet has been travelling in the network for too long and should be discarded. There are many reasons a packet may fail to reach its destination within a reasonable time.

For example, an incorrect routing table may send a packet around in an endless loop. So a value is set in the packet, and every node it passes through decrements that value by 1. Two outcomes are possible: the packet reaches its destination while the value is still positive, or after some number of nodes the value drops to 0. The former means a normal delivery was completed; the latter means the packet has taken a very long path or even entered a loop. That is obviously not what we want, so when the value reaches 0 the network device does not forward the packet but discards it and sends a notification to the packet's source address saying that the packet has expired.
What can we get from the TTL value? By itself the TTL value means nothing: the user cares whether the packet reached its destination, not how many nodes it passed through. But the TTL value still yields interesting information.
Each operating system defines the TTL value differently, and the value can even be changed through the network parameters of some systems. For example, Windows 2000 defaults to 128 and the value can be changed in the registry; Linux mostly defines it as 64. In general, though, few people change this value on their own machines, which gives us the chance to roughly determine a machine's operating system from the TTL in its ping reply. If you see 112, it may be an initial 128 that has passed 16 nodes, or an initial 160 that has passed 48.
Different operating systems have different default TTL values. By default, the TTL of Linux is 64 or 255, the TTL of Windows NT/2000/XP is 128, the TTL of Windows 98 is 32, and the TTL of UNIX hosts is 255.

You can determine the operating system type from the reply to the ping command: use ping to view the TTL value and judge the operating system type as follows:
TTL = 128: Windows NT/2K/XP.
TTL = 32: Windows 95/98/ME.
TTL = 256: UNIX.
TTL = 64: Linux.
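The TTL reasoning above (round the observed value up to the nearest default initial TTL, the difference being the hop count, and note when more than one initial value fits) is worked through here as an added example, not code from the original post. It uses the table of default TTLs given above (treating the "256" for UNIX as 255, since the field is 8 bits) and parses constructed ping output in both the Linux and Windows reply formats.

```python
import re

# Default initial TTLs as listed in the text above (TTL is an 8-bit field, so the
# "256" quoted for UNIX is taken as 255 here)
INITIAL_TTLS = {32: "Windows 95/98/ME", 64: "Linux", 128: "Windows NT/2000/XP", 255: "UNIX"}

def ttl_candidates(observed: int) -> list:
    """Every (initial_ttl, hops, os_family) that could explain an observed TTL,
    nearest initial value first. More than one entry means the guess is ambiguous."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be in 1..255")
    return [(init, init - observed, fam)
            for init, fam in sorted(INITIAL_TTLS.items()) if init >= observed]

def guess_os(observed: int) -> tuple:
    """Usual rule of thumb: the smallest default initial TTL not below the observed one."""
    return ttl_candidates(observed)[0]

# Matches both Linux ("64 bytes from 10.0.0.1: icmp_seq=1 ttl=57 time=0.42 ms")
# and Windows ("Reply from 10.0.0.2: bytes=32 time<1ms TTL=128") reply lines
PING_REPLY = re.compile(r"from ([^:\s]+):.*?\bttl=(\d+)", re.IGNORECASE)

def guess_from_ping_output(text: str) -> dict:
    """Map each replying host in ping output to its (initial_ttl, hops, os_family) guess."""
    guesses = {}
    for line in text.splitlines():
        m = PING_REPLY.search(line)
        if m:
            guesses[m.group(1)] = guess_os(int(m.group(2)))
    return guesses

# Constructed ping output, not a real capture
SAMPLE_PING = """\
64 bytes from 10.0.0.1: icmp_seq=1 ttl=57 time=0.42 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=57 time=0.40 ms
Reply from 10.0.0.2: bytes=32 time<1ms TTL=128
64 bytes from 10.0.0.3: icmp_seq=1 ttl=112 time=9.1 ms
Request timeout for icmp_seq 3
"""

if __name__ == "__main__":
    for host, (init, hops, fam) in guess_from_ping_output(SAMPLE_PING).items():
        print(f"{host}: initial TTL {init}, {hops} hops away, probably {fam}")
    print(ttl_candidates(112))   # 128 after 16 hops, or 255 after 143 hops
```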

Scan test

-v version information
-r display the route to the destination (traceroute)
-p specify port number, protocol and state, e.g. tcp:23:open, udp:53:closed
-c specify the configuration file to use
-h print this help
-o log everything to a file
-t set the initial receive timeout or round-trip time
-s set the packet sending delay (milliseconds)
-d specify the debug level
-D disable the module with the given number
-M enable the module with the given number
-L list the modules
-T enable TCP port scanning for the specified ports, e.g. -T 21-23,53,110
-U enable UDP port scanning for the specified ports
-X generate XML output and save it to the log file specified with -o
-B use the TCP handshake module to try to guess an open TCP port

Common usage:
xprobe2 modules

· icmp_ping: ICMP echo discovery module
· tcp_ping: TCP-based ping discovery module
· udp_ping: UDP-based ping discovery module
· ttl_calc: TCP- and UDP-based TTL distance calculation
· portscan: TCP and UDP port scanner
· icmp_echo: ICMP echo request fingerprinting module
· icmp_tstamp: ICMP timestamp request fingerprinting module
· icmp_amask: ICMP address mask request fingerprinting module
· icmp_port_unreach: ICMP port unreachable fingerprinting module
· tcp_hshake: TCP handshake fingerprinting module
· tcp_rst: TCP RST fingerprinting module
· smb: SMB fingerprinting module
· snmp: SNMPv2c fingerprinting module

The -T parameter specifies the TCP ports to scan.

UDP scanning is also possible.


Source: blog.csdn.net/qq_38626043/article/details/104374362