1. What does active information collection mean?
2. Discovery Phase - Identify the live hosts in the network
1. Layer 2 discovery: works at the data link layer by capturing ARP replies (routers generally do not forward ARP, so this only reaches hosts in the same broadcast domain)
Tool: arping
a. Bridged network + set the IP
vi /etc/network/interfaces
dhclient eth0
b. Command usage
arping IP -c 1 # send a single ARP request
arping IP -d # detect duplicate replies: different MAC addresses answering for the same IP indicates ARP spoofing
arping 192.168.0.1 -c 1 | grep "reply from" | cut -d " " -f 4
ps: cut -d sets the field delimiter, -f selects which field to keep
c. Script
Tool: nmap
nmap -sn 192.168.0.0/24 # host-alive scan (arping1.sh)
nmap -iL addr.txt -sn # read the target list from a file
Tool: netdiscover
Active: sends probes, so it is noisy and easily triggers alarms
netdiscover -i eth0 -r 192.168.0.0/24
netdiscover -l addr.txt
Passive: promiscuous mode, listening silently
netdiscover -p
Tool: Scapy, used as a Python library for capturing, analysing and crafting packets
apt-get install python-gnuplot
ARP().display()
ARP().display() prints the ARP header structure field by field
Define the packet as a variable, then call it and assign field values
Send the packet and inspect the packet that comes back
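The ARP header that ARP().display() prints can also be decoded by hand, which makes the "arping -d" check above concrete: collect ARP replies and flag any IP that is answered by more than one MAC. The following is an added example written for these notes, not code from the original page or from Scapy; it uses only the standard library, and the capture it analyses is a constructed sample, not real traffic.

```python
import struct
from collections import defaultdict

# ARP header layout (RFC 826) for Ethernet/IPv4, 28 bytes:
#   hardware type (2) | protocol type (2) | hw len (1) | proto len (1) | opcode (2)
#   sender MAC (6) | sender IP (4) | target MAC (6) | target IP (4)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28
OP_REQUEST, OP_REPLY = 1, 2


def parse_arp(payload: bytes) -> dict:
    """Decode a raw ARP payload (Ethernet header already stripped) into named fields."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": ":".join(f"{b:02x}" for b in smac),
        "sender_ip": ".".join(str(b) for b in sip),
        "target_mac": ":".join(f"{b:02x}" for b in tmac),
        "target_ip": ".".join(str(b) for b in tip),
    }


def build_arp(op, smac, sip, tmac, tip) -> bytes:
    """Encode an ARP payload; used here only to construct the offline sample capture."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(smac), ip(sip), mac(tmac), ip(tip))


def find_conflicts(packets) -> dict:
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC in ARP replies.
    This is the condition behind `arping -d`: two MACs answering for one IP suggests spoofing."""
    claims = defaultdict(set)
    for raw in packets:
        try:
            p = parse_arp(raw)
        except ValueError:
            continue  # skip non-ARP or malformed frames
        if p["op"] == OP_REPLY:
            claims[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample capture (not real traffic): host .100 asks who has the gateway
# 192.168.0.1; the gateway's MAC answers, then a second MAC also claims 192.168.0.1.
SAMPLE_CAPTURE = [
    build_arp(OP_REQUEST, "00:0c:29:aa:bb:cc", "192.168.0.100", "00:00:00:00:00:00", "192.168.0.1"),
    build_arp(OP_REPLY, "00:50:56:11:22:33", "192.168.0.1", "00:0c:29:aa:bb:cc", "192.168.0.100"),
    build_arp(OP_REPLY, "00:0c:29:de:ad:01", "192.168.0.1", "00:0c:29:aa:bb:cc", "192.168.0.100"),
    build_arp(OP_REPLY, "00:0c:29:00:00:05", "192.168.0.5", "00:0c:29:aa:bb:cc", "192.168.0.100"),
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_CAPTURE).items():
        print(f"ARP conflict: {ip} claimed by {', '.join(macs)}")
```

On a real capture the packets would come from a sniffer; the check itself stays the same, and an IP with two MACs in the result is the case "arping -d" reports.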
2. Layer 3 discovery: detect live hosts with ICMP
a. ping
ping 192.168.0.1 -c 1 // send a single echo request
b. traceroute / ping -R
ps: a row of *** in traceroute output means no reply from that hop, typically boundary protection (filtering)
ps: each hop decrements the TTL by one; the router where TTL reaches zero answers with ICMP time exceeded, which is how the route is discovered
ps: ping -R returns the router's external (outbound) interface address, traceroute returns the internal (inbound) interface address
c. Script
3. Layer 4 discovery: determine whether an IP is online from its transport-layer response
Based on TCP:
a. Send an ACK packet directly
b. Change the target port
ps: as long as the target IP exists, it returns a RST, whatever the port state
c. The target IP does not exist
ps: no response packet
d. The case where ACK packets are filtered (a router/firewall function)
ps: the router replies with RST for ports that do not exist on it
ps: no response, so it cannot be determined whether the host is online; another method is needed
ps: general rule: send ACK, get RST, judged online; no response, judged offline
ps: flags field (TCP flag bits)
ps: this can be scripted: a=sr1(IP(dst="192.168.0.1")/TCP(dport=80,flags="A"),timeout=1)
e. Script
Based on UDP:
ps: send a UDP packet; if the target IP is alive and the port is closed, an ICMP port unreachable packet comes back; in all other cases nothing comes back. Liveness is judged by whether the target host returns ICMP unreachable
a. IP exists
b. IP does not exist
c. Script
ps: proto=1 in the IP header means ICMP; receiving such a response is taken as alive
Based on Nmap
nmap 1.1.1.1-254 -PU53 -sn # UDP-based host discovery to port 53
nmap 1.1.1.1-254 -PA80 -sn # ACK-based host discovery to port 80
ps: the port is customizable; -sn means no port scan, only layer 4 host discovery (ping)
nmap 1.1.1.1-254 # nmap host discovery + port scan
ps: common host discovery parameters
-PS TCP SYN ping
-PY SCTP INIT ping
-PE ICMP echo ping
-PP ICMP timestamp ping
-PM ICMP netmask (address mask) request ping
-PO IP protocol ping
Based on hping3
hping3 --udp 192.168.1.138 -c 1
ps: an ICMP error (port unreachable) in reply is taken as alive
Script --UDP_hping.sh
Script --TCP_hping.sh
ps: with no flags set (flags=0, a null packet), if the target IP answers with ACK+RST it is judged alive
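Seen from the defender's side, the TCP ACK, TCP null and UDP probes described in sections 3 (TCP, UDP, Nmap, hping3) share one signature: a single source touching many destinations with unsolicited packets, and the RST / ICMP port unreachable answers are the hosts giving their liveness away. The following detection logic is an added example written for these notes, not code from the page or from any of the tools it lists. It assumes a constructed one-packet-per-line flow format ("timestamp src dst proto dport flags response") and a hypothetical threshold of 5 distinct destinations per 60-second window; the sample records are constructed, not a real sensor export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from a real sensor), one packet per line:
#   timestamp src dst proto dport flags response
# flags: TCP flag letters on the probe, "-" for none (null packet) or for UDP.
# response: what the destination sent back: RST, ICMP_UNREACH, SA, or NONE.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 10.0.0.9 10.0.0.1 tcp 80 A RST
2024-01-01T10:00:00 10.0.0.9 10.0.0.2 tcp 80 A RST
2024-01-01T10:00:01 10.0.0.9 10.0.0.3 tcp 80 A NONE
2024-01-01T10:00:01 10.0.0.9 10.0.0.4 tcp 80 A RST
2024-01-01T10:00:02 10.0.0.9 10.0.0.5 tcp 80 A NONE
2024-01-01T10:00:02 10.0.0.9 10.0.0.6 udp 53 - ICMP_UNREACH
2024-01-01T10:00:03 10.0.0.9 10.0.0.7 udp 53 - NONE
2024-01-01T10:00:03 10.0.0.9 10.0.0.8 tcp 80 - RST
2024-01-01T10:05:00 10.0.0.20 10.0.0.1 tcp 443 S SA
2024-01-01T10:05:01 10.0.0.20 10.0.0.1 tcp 443 A NONE
"""


def parse_flows(text: str) -> list:
    """Parse the constructed flow format into dicts with a numeric timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, flags, resp = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts).timestamp(),
            "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "flags": flags, "resp": resp,
        })
    return records


def classify_probe(rec: dict, handshakes: set):
    """Map a packet to the layer 4 discovery technique it resembles, or None.
    Rules from the notes: unsolicited ACK -> RST reveals a host; a null packet
    (no flags) -> ACK+RST; UDP to a closed port -> ICMP port unreachable."""
    key = (rec["src"], rec["dst"], rec["dport"])
    if rec["proto"] == "tcp":
        if "S" in rec["flags"]:
            handshakes.add(key)  # a SYN started a genuine connection attempt
            return None
        if key in handshakes:
            return None          # this ACK belongs to a real handshake, not a probe
        if rec["flags"] == "A":
            return "tcp_ack"
        if rec["flags"] == "-":
            return "tcp_null"
        return None
    if rec["proto"] == "udp":
        return "udp"
    return None


def host_revealed(rec: dict) -> bool:
    """True when the destination's answer tells the prober that the host is alive."""
    return rec["resp"] in {"RST", "ICMP_UNREACH"}


def detect_sweeps(records: list, threshold: int = 5, window_s: int = 60) -> dict:
    """Alert on sources that probe >= threshold distinct destinations in one window.
    Fixed windows (ts // window_s) keep the example simple; a sliding window would
    catch sweeps that straddle a boundary."""
    handshakes = set()
    probed = defaultdict(lambda: defaultdict(set))  # src -> window -> {dst}
    revealed = defaultdict(set)                     # src -> hosts that answered
    for rec in sorted(records, key=lambda r: r["ts"]):
        kind = classify_probe(rec, handshakes)
        if kind is None:
            continue
        probed[rec["src"]][int(rec["ts"] // window_s)].add(rec["dst"])
        if host_revealed(rec):
            revealed[rec["src"]].add(rec["dst"])
    alerts = {}
    for src, windows in probed.items():
        peak = max(len(dsts) for dsts in windows.values())
        if peak >= threshold:
            alerts[src] = {"peak_targets": peak, "revealed": sorted(revealed[src])}
    return alerts


def run_sample() -> dict:
    return detect_sweeps(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"host sweep from {src}: {info['peak_targets']} targets in one window, "
              f"hosts that revealed themselves: {', '.join(info['revealed'])}")
```

The "revealed" list is the useful part for hardening: every host in it answered an unsolicited ACK with RST or a closed UDP port with ICMP unreachable, which is exactly the behaviour the filtering case in 3.d suppresses.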