1. Active Information Gathering
- Interacts directly with the target system
- Inevitably leaves traces of the access
- Probe from a controlled third-party machine
- Use a proxy or an already-controlled host, and be prepared for it to be blocked
- Use noise to confuse the target and drown out the real probe traffic
- Scanning: send different probes and judge the target's state from what comes back
2. Discovery by Layer
Layer-2 discovery
Data link layer
- ARP protocol
- Packet capture
- Fast
- Reliable
- Not routable
arping
```bash
arping --help
arping 1.1.1.1 -c 1
arping 1.1.1.1 -d
arping -c 1 1.1.1.1 | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1
# scripts
arping1.sh eth0 > addrs
arping2.sh addrs
```
```
$ arping --help
ARPing 2.21, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
              [ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>
Options:
    -0     Use this option to ping with source IP address 0.0.0.0. Use this
           when you haven't configured your interface yet. Note that this
           may get the MAC-ping unanswered. This is an alias for -S
           0.0.0.0.
    -a     Audiable ping.
    -A     Only count addresses matching requested address (This *WILL*
           break most things you do. Only useful if you are arpinging many
           hosts at once. See arping-scan-net.sh for an example).
    -b     Like -0 but source broadcast source address (255.255.255.255).
           Note that this may get the arping unanswered since it's not nor-
           mal behavior for a host.
    -B     Use instead of host if you want to address 255.255.255.255.
    -c count
           Only send count requests.
    -C count
           Only wait for this many replies, regardless of -c and -w.
    -d     Find duplicate replies. Exit with 1 if there are answers from
           two different MAC addresses      // finds duplicate IP addresses
    -D     Display answers as exclamation points and missing packets as dots.
    -e     Like -a but beep when there is no reply.
    -F     Don't try to be smart about the interface name. (even if this
           switch is not given, -i overrides smartness)
    -g group
           setgid() to this group instead of the nobody group.
    -h     Displays a help message and exits.
    -i interface
           Use the specified interface.
    -m type
           Type of timestamp to use for incoming packets. Use -vv when
           pinging to list available ones.
    -q     Does not display messages, except error messages.
    -Q pri 802.1p priority to set. Should be used with 802.1Q (-V).
           Defaults to 0.
    -r     Raw output: only the MAC/IP address is displayed for each reply.
    -R     Raw output: Like -r but shows "the other one", can be combined
           with -r.
    -s MAC Set source MAC address. You may need to use -p with this.
    -S IP  Like -b and -0 but with set source address. Note that this may
           get the arping unanswered if the target does not have routing to
           the IP. If you don't own the IP you are using, you may need to
           turn on promiscious mode on the interface (with -p). With this
           switch you can find out what IP-address a host has without tak-
           ing an IP-address yourself.
    -t MAC Set target MAC address to use when pinging IP address.
    -T IP  Use -T as target address when pinging MACs that won't respond to
           a broadcast ping but perhaps to a directed broadcast.
           Example:
           To check the address of MAC-A, use knowledge of MAC-B and IP-B.
           $ arping -S <IP-B> -s <MAC-B> -p <MAC-A>
    -p     Turn on promiscious mode on interface, use this if you don't
           "own" the MAC address you are using.
    -P     Send ARP replies instead of requests. Useful with -U.
    -u     Show index=received/sent instead of just index=received when
           pinging MACs.
    -U     Send unsolicited ARP.
    -v     Verbose output. Use twice for more messages.
    -V num 802.1Q tag to add. Defaults to no VLAN tag.
    -w sec Specify a timeout before ping exits regardless of how many
           packets have been sent or received.
    -W sec Time to wait between pings.
Report bugs to: thomas@habets.se
Arping home page: <http://www.habets.pp.se/synscan/>
Development repo: http://github.com/ThomasHabets/arping
```
Using a shell script
```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then   # $# is the number of arguments; -ne means "not equal"
    echo "Usage - ./arping.sh [interface]"
    echo "Example - ./arping.sh eth0"
    echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
    exit
fi
interface=$1   # the first argument is assigned to interface
# Take the network prefix (first three octets) of the interface's address.
# Note: "inet addr:" is the old net-tools ifconfig output format; newer ifconfig
# prints "inet 192.168.98.161  netmask ..." instead, so this grep matches nothing there.
prefix=$(ifconfig "$interface" | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1 | cut -d "." -f 1-3)
for addr in $(seq 1 254); do
    arping -c 1 "$prefix.$addr" | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1
done
```
I have no idea where the code above went wrong; I'm too much of a beginner.
Changed to this:
```bash
#!/bin/bash
# This script scans the whole LAN for live hosts.
ETH=$(ifconfig | head -1 | awk -F":" '{print $1}')                                # name of the first interface
PREFIX=$(ifconfig "$ETH" | grep 'netmask' | awk '{print $2}' | cut -d '.' -f 1-3)  # first three octets of its address
for addr in $(seq 1 254)
do
    # "Unicast reply from 10.0.0.1 [...]" is iputils-arping output (field 4 is the IP);
    # Thomas Habets' arping prints "60 bytes from <mac> (10.0.0.1): ..." instead.
    arping -c 1 "$PREFIX.$addr" | grep "reply from" | cut -d " " -f 4
done
```
A Wireshark capture shows the hosts being probed one by one, although my subnet doesn't seem to have any live hosts.
arping2.sh # scan the IP list in a file
```bash
#!/bin/bash
# This script scans the list of IP addresses in a file.
FILE=$1
for addr in $(cat "$FILE")   # each line read is assigned to addr
do
    arping -c 1 "$addr" | grep "reply from" | cut -d " " -f 4
done
```
addr
```
192.168.98.1
192.168.98.29
192.168.98.161
192.168.98.194
```
Nmap
Compared with arping, nmap can scan a whole subnet, scans faster, and returns more information.
```bash
nmap -sn xxx.xxx.xxx.xxx   # host discovery only, no port scan
nmap -sn 192.168.37.0/24   # scanning a whole subnet is supported
nmap -iL IP.txt -sn        # scan a given list of IPs
```
```
$ nmap -sn 10.133.29.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-28 07:54 EDT
Nmap scan report for 10.133.29.109
Host is up (0.044s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 15.75 seconds
```
Netdiscover
- Dedicated to layer-2 discovery;
- Usable on wireless and switched networks;
- Active and passive probing;
1> Active discovery: easily noticed
```bash
netdiscover -i eth0 -r 10.133.29.1/24
# netdiscover -i <interface> -r <subnet>
netdiscover -l IP.txt   # netdiscover -l <file with IP list>
```
Two Kali machines on the same subnet
2> Passive discovery
Active ARP probing easily triggers alerts, so passive discovery can also be used to find the live hosts on the network;
```bash
netdiscover -p   # passive mode: the interface is put into promiscuous mode and only listens
```
Scapy
- Can be called as a Python library;
- Can also be used as a stand-alone tool;
- Capture, analyze, create, modify and inject network traffic
- Invoking it!!!
```bash
apt-get install python-gnuplot
```
```
# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
   Welcome to Scapy
   Version 2.4.4
   https://github.com/secdev/scapy
using IPython 7.20.0
>>> ARP().display()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:55:65:7e
  psrc= 192.168.98.161       # source IP
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0              # destination IP
>>>
```
Create an arp object (an instance of the ARP class) and assign to its fields:
```
>>> arp=ARP()
>>> arp.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:55:65:7e
  psrc= 192.168.98.161
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
>>> arp.pdst="192.168.98.164"
>>> arp.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:55:65:7e
  psrc= 192.168.98.161
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.98.164
>>>
```
Send the packet, receive the reply, and look at the response:
```
>>> sr1(arp)
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
<ARP hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:5f:e6:09 psrc=192.168.98.164 hwdst=00:0c:29:55:65:7e pdst=192.168.98.161 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>>
```
Using a Python script
```python
#!/usr/bin/python3
import logging
import sys

# Silence scapy's runtime warnings (e.g. "No route found for IPv6 destination").
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import ARP, get_if_addr, sr1

if len(sys.argv) != 2:
    print("Usage - ./arp_disc.py [interface]")
    print("Example - ./arp_disc.py eth0")
    print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = str(sys.argv[1])
# IPv4 address of the interface. The original used an ifconfig | grep 'inet addr' | cut
# pipeline, which only matches the old net-tools output format; scapy's own
# get_if_addr() gives the same value on current systems as well.
ip = get_if_addr(interface)
prefix = ip.split('.')[0] + '.' + ip.split('.')[1] + '.' + ip.split('.')[2] + '.'
for addr in range(1, 255):   # host addresses 1-254 of the /24
    # one ARP who-has per address; an is-at reply means the host is up
    answer = sr1(ARP(pdst=prefix + str(addr)), timeout=0.1, verbose=0)
    if answer is not None:
        print(prefix + str(addr))
```
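The other side of the ARP traffic shown above (the passive netdiscover point and the scapy session): an added example, not code from the original post, that flags an ARP sweep like the one the scripts produce and the duplicate-MAC condition `arping -d` exits 1 on. It assumes records of the form (time, op, hwsrc, psrc, pdst) with op as in scapy's ARP layer, constructed inline here; live, a sniff(filter="arp") callback would build them from pkt[ARP].

```python
# Added example, not from the original post. Detects two things over ARP records:
#  * one host sending who-has requests to many addresses in a short window
#    (what an arping / nmap -sn / netdiscover -r sweep looks like on the wire)
#  * one IP answered by two different MACs (the condition `arping -d` reports)
# Record format (assumed): (time, op, hwsrc, psrc, pdst), op as in scapy's ARP
# layer (1 = who-has, 2 = is-at). Constructed inline so the logic runs offline.
from collections import defaultdict

# Constructed sample: 00:0c:29:55:65:7e sweeps 10.0.0.1-12 within two seconds,
# 10.0.0.7 sends one normal request, and 10.0.0.9 is claimed by two MACs.
SAMPLE = (
    [(0.15 * i, 1, "00:0c:29:55:65:7e", "10.0.0.5", "10.0.0.%d" % i)
     for i in range(1, 13)]
    + [(5.0, 1, "00:0c:29:aa:bb:cc", "10.0.0.7", "10.0.0.1"),
       (6.0, 2, "00:0c:29:5f:e6:09", "10.0.0.9", "10.0.0.7"),
       (6.1, 2, "de:ad:be:ef:00:01", "10.0.0.9", "10.0.0.7")]
)

def find_arp_sweeps(records, window=2.0, threshold=10):
    """Return {hwsrc: max distinct targets} for senders whose who-has requests
    cover more than `threshold` distinct pdst values inside `window` seconds."""
    requests = defaultdict(list)
    for t, op, hwsrc, _psrc, pdst in sorted(records):
        if op == 1:
            requests[hwsrc].append((t, pdst))
    sweeps = {}
    for hwsrc, reqs in requests.items():
        start = 0
        for end in range(len(reqs)):          # sliding time window over reqs
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            targets = {pdst for _t, pdst in reqs[start:end + 1]}
            if len(targets) > threshold:
                sweeps[hwsrc] = max(sweeps.get(hwsrc, 0), len(targets))
    return sweeps

def find_duplicate_ips(records):
    """Return {psrc: sorted MACs} for IPs seen in is-at replies from more
    than one hardware address (two hosts claiming the same IP)."""
    owners = defaultdict(set)
    for _t, op, hwsrc, psrc, _pdst in records:
        if op == 2:
            owners[psrc].add(hwsrc)
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}

if __name__ == "__main__":
    print("ARP sweeps:", find_arp_sweeps(SAMPLE))
    print("duplicate IPs:", find_duplicate_ips(SAMPLE))
```

The window and threshold are tuning knobs: a real LAN sees a handful of who-has requests per host per minute, so a sender touching more than ten distinct addresses in two seconds is a strong sweep signal, while the duplicate check needs no tuning at all.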