Active information collection means the tester's machine communicates with the target directly. Because this leaves traces on the target machine and can get the tester blocked, active collection should be done through a proxy.
1. Host discovery:
1.1 Layer 2 host discovery
1.2 Layer 3 host discovery
1.3 Layer 4 host discovery
1.1 Layer 2 host discovery: uses the ARP protocol. Fast and reliable, but not routable, so it only finds IPs on the local network segment.
Routers do not forward ARP packets.
Principle: send ARP requests as broadcasts on the segment and see which addresses answer.
(1) arping
-c // number of packets to send
-d // detect duplicate IPs: two different MAC addresses answering for the same IP; if that IP is the gateway, it indicates ARP spoofing.
Scanning a range of addresses is not supported; write a script that loops over the addresses.
(2) nmap
-sn // layer 2 ARP discovery without port scanning; note it is not a pure ARP scan, because nmap also performs reverse DNS resolution.
nmap -sn <ip address>
(3) netdiscover: supports active and passive modes, wireless and wired, and is dedicated to layer 2 discovery.
-i // network interface to scan from
-r // IP range to scan, given in CIDR (mask) form
-l // file containing a list of IP ranges to scan
-p // passive mode: puts the interface in promiscuous mode and only listens
(4) scapy
Used as a Python library.
Captures, analyzes, creates, modifies, and injects network traffic.
from scapy.all import ARP, sr1     # raw sockets need root privileges
arp = ARP()
arp.pdst = "ip address to check"   # ARP who-has for this address
answer = sr1(arp)                  # send once, wait for one reply (None on timeout)
answer.display()                   # the is-at reply carries the target's MAC
Main use of layer 2 discovery: once a single server inside the network has been taken over during a penetration test, layer 2 discovery can be used from it to find the live hosts on the internal network.
1.2 Layer 3 host discovery
Network layer (layer 3).
Main protocols used: IP and ICMP.
Routable and fast, but often filtered by border firewalls.
Do not trust the results 100%; they can be wrong.
(1) ping
-c // number of packets to send
-R // record the route taken (similar to traceroute output)
(2) scapy
from scapy.all import IP, ICMP, sr1
i = IP()
p = ICMP()
ping = (i/p)                          # ICMP echo request on top of IP
ping[IP].dst = "ip address to check"
answer = sr1(ping)                    # None if nothing comes back before the timeout
answer.display()
(3) nmap -sn
(4) fping
-c // number of packets to send
-g // specify the IP range; CIDR mask form is accepted
(5) hping3
-c // number of packets to send
--icmp // send ICMP packets
It can also be used for stress testing.
1.3 Layer 4 host discovery
The layer 4 protocols are TCP / UDP.
Routable, reliable, and less likely to be filtered by firewalls.
But a stateful filtering firewall may still filter the scan.
A full port scan is slow.
TCP host discovery
(1) Send an unsolicited ACK; the target returns an RST, confirming it is alive.
(2) Send a SYN; the target returns SYN/ACK or RST, confirming it is alive.
UDP host discovery
Relies on ICMP port unreachable: as long as the target host does not have the probed port open, it returns an ICMP port unreachable message.
1. scapy
from scapy.all import IP, TCP, UDP, sr1
i = IP()
t = TCP()
r = (i/t)
r[IP].dst = "ip address to check"
r[TCP].flags = "A"                    # bare ACK with no prior handshake
a = sr1(r)
Whether or not the port is open, as long as the target is alive, the unsolicited ACK packet gets an RST packet back.
i = IP()
u = UDP()
r = (i/u)
r[IP].dst = "ip address to check"
r[UDP].dport = 33333                  # placeholder: any port known to be closed on the target
a = sr1(r)                            # if the host is alive, an ICMP port unreachable packet is returned
2. nmap
-PU<port> // layer 4 host discovery with a UDP packet to the given port
-PA<port> // layer 4 host discovery with a TCP ACK packet to the given port
-sn // do not port scan
3. hping3
--udp // host discovery with UDP packets
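Defender-side counterpart to the three layers above, added here as an example and not part of the original notes: a small Python detector that takes captured packet metadata and reports sources that probe many distinct hosts with the ARP, ICMP, bare TCP ACK/SYN or UDP techniques described. The Pkt record format and the SAMPLE traffic are constructed for this example.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    """One captured probe, reduced to the fields the detector needs (constructed format)."""
    src: str          # sender address (MAC for ARP, IP otherwise)
    dst: str          # probed address
    proto: str        # "arp" (layer 2), "icmp" (layer 3 echo request), "tcp" / "udp" (layer 4)
    flags: str = ""   # TCP flags as scapy prints them, e.g. "A" (ACK) or "S" (SYN)

def technique(p):
    """Map one packet to a host-discovery technique from the notes, or None for ordinary traffic."""
    if p.proto == "arp":
        return "L2 ARP sweep"
    if p.proto == "icmp":
        return "L3 ICMP ping sweep"
    if p.proto == "tcp" and p.flags in ("A", "S"):
        return "L4 TCP ACK sweep" if p.flags == "A" else "L4 TCP SYN sweep"
    if p.proto == "udp":
        return "L4 UDP sweep"
    return None   # e.g. "PA" segments belonging to an established connection

def find_sweeps(pkts, min_targets=5):
    """Return {(src, technique): distinct targets} for sources probing >= min_targets hosts."""
    seen = defaultdict(set)
    for p in pkts:
        t = technique(p)
        if t:
            seen[(p.src, t)].add(p.dst)   # count distinct hosts, not packets
    return {k: len(v) for k, v in seen.items() if len(v) >= min_targets}

# Constructed sample: one host ARP-sweeping twenty addresses, one sending bare ACKs
# to six hosts (with repeats), and a benign host doing a single ping and a data segment.
SAMPLE = (
    [Pkt("aa:bb:cc:00:00:01", f"192.168.1.{i}", "arp") for i in range(1, 21)]
    + [Pkt("10.0.0.9", f"10.0.0.{i}", "tcp", "A") for i in range(10, 16)]
    + [Pkt("10.0.0.9", "10.0.0.10", "tcp", "A")] * 3
    + [Pkt("10.0.0.5", "10.0.0.1", "icmp"), Pkt("10.0.0.5", "10.0.0.2", "tcp", "PA")]
)

if __name__ == "__main__":
    for (src, tech), n in sorted(find_sweeps(SAMPLE).items()):
        print(f"{src}: {tech} against {n} distinct hosts")
```

In practice the Pkt records would be filled from a capture (for example scapy's sniff or a NetFlow export); the threshold should be tuned so that routine gateway ARP traffic does not trigger it.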