"Network security and penetration tests" class notes --- 12

2019/4/29

This post covers nmap stealth scans on Kali Linux, using Wireshark captures to analyze what each option does on the wire.
Passive reconnaissance was covered earlier; see the linked post for that material.

Active reconnaissance: passive reconnaissance built on OSINT is almost undetectable and can already produce a lot of information about the target organization and its users.
Active reconnaissance produces more, and more useful, information. However, because it interacts with the target system, that interaction may be logged and may trigger alerts on the firewall, intrusion detection system (IDS) and intrusion prevention system (IPS) protecting the target.

The most common active reconnaissance method is scanning the target: sending defined packets to the target and using the packets that come back to gather information.

To make active reconnaissance effective while still collecting detailed information, the focus here is on stealthy, low-profile techniques.

The tool used for this is nmap.

To reduce the chance of being noticed, a number of stealth techniques are used to avoid detection and the alerts that follow it, including:

·Decide on the scan targets before testing, and send the minimum number of packets needed to identify them.
	For example, to confirm that a web host exists, first check whether port 80, the default port for web services, is open.
·Avoid scans that may establish a connection with the target system, and avoid scans that may leak data.
Do not ping the target; use SYN scans and scans with unconventional packets,
	such as ACK, FIN and RST packets.
·Randomize or spoof packet settings such as the source IP address and port, and the MAC address.
·Adjust the timing so that packets arrive at the target more slowly.
·Change the packet size by fragmenting packets or appending random data, to confuse the devices inspecting them.

To perform a stealth scan and minimize detection, nmap can be run with the following command:

nmap --spoof-mac 0 --data-length 24 -T 0 --max-hostgroup 1 --max-parallelism 10 -PN -f -D 192.168.247.66,RND:5,ME -vv -n -sS -sV -oA /tmp/nmap -p T:1-1024 --randomize-hosts 192.168.247.5-10

Next, each option in this command is introduced one by one, with Wireshark captures.

First:

--spoof-mac 0

Creates a completely random MAC address.
For example:

First, a normal scan of an IP address with no options; the MAC address does not change. The default scan type is -sS, a half-open connection, commonly used for stealth scans.
Capturing the packets, the source MAC address is 00:0c:29:54:0a:9b.
Checking the MAC address of the Kali Linux machine, it is also 00:0c:29:54:0a:9b.

Then scan a host on the directly connected network:
 nmap --spoof-mac 0 192.168.247.10
The result reports that the remote host appears to be down.
The reason is that we now have a random MAC address, so the remote host cannot find our MAC address.

Capturing the packets shows the random MAC address as well.
Now look at scanning an IP address on the external network; the random MAC address is 94:C4:10:6F:19:67.

nmap --spoof-mac 0 104.193.88.123

The MAC address in the capture is also 94:C4:10:6F:19:67.
ε=(´ο`*))) Hmm, why does the host show as up this time, when scanning the external network?
The reason is that we and the gateway each hold the other's MAC address, so the remote host can be reached.
When scanning the directly connected network, traffic does not pass through the gateway.

Second:

--data-length 24

Appends 24 bytes of random data to each packet sent, because normal packets carry 24 bytes of data.

Example:

First, look at a normal packet without appended data.

The capture shows no payload data.
Then scan again with this option:

nmap --data-length 24 192.168.247.10

The capture shows 24 bytes of random data in the packet.
Third:

-T 0
Very slow scan, used for IDS (intrusion detection system) evasion.

The related timing templates are:

-T 1	slow scan, also used for IDS evasion
-T 2	fairly slow scan, reduces bandwidth consumption (rarely used)
-T 3	normal scan, adjusts timing automatically based on the target host's responses
-T 4	fast scan, consumes network bandwidth; recommended when the network is good
-T 5	extremely fast scan, but with low accuracy

Example:

First a normal scan; note the scan time.

nmap 192.168.247.10

Here Insert Picture Description

Then use -T 0. The scan is very slow: scanning port 80 alone takes about 10 minutes o(>﹏<)o

nmap -T 0 192.168.247.10

Here Insert Picture Description

Fourth:

--max-hostgroup 1
Sets the maximum host group size; nmap will not scan more hosts at once than this.
What does that mean? If I scan a hundred hosts and set
--max-hostgroup 10, at most 10 hosts are scanned at a time, never more,
because nmap scans hosts in parallel.
The corresponding option is --min-hostgroup, the minimum group size: the number of hosts scanned at once will not be less than this.

Fifth:

--max-parallelism 10
Limits the number of probes in flight.
--scan-delay
Sets the pause between probes.
--scan-delay and --max-parallelism cannot be used together.

Sixth:

-Pn

Do not ping: assume the host is online, skip host discovery, and go straight to scanning the host.

For example:

First, a normal scan:

nmap 104.193.88.123

The capture shows ICMP ping packets.
Now scan port 80 of this IP:

nmap -Pn -p 80 104.193.88.123

Looking at the capture, no ICMP ping packet is found.
Seventh:

-f
Fragment the probe packets.

Eighth:

-D 192.168.247.66,RND:5,ME
Decoys to cover the scan: nmap generates 5 random IP addresses plus the IP address we specify, and the target sees them all scanning it. The decoy addresses do not really scan anything; the real purpose is to hide our true scan among them.

For example:

nmap -D 192.168.247.66,RND:5,ME  -p 80 104.193.88.123

Wireshark shows several different IPs scanning our designated target host.

Ninth:

-vv
Very verbose output.
For example:

nmap -vv 192.168.247.10

Tenth:

-sS
Half-open connection, commonly used for stealth scans.

Eleventh:

-sV
Detect the version of the service and application.

For example:

nmap  -sV 104.193.88.123

Twelfth:

-oA /tmp/nmap
Customize the output; here the scan results are written to /tmp/nmap (in all three formats: normal, grepable and XML).

For example:

nmap -oA /tmp/nmap 192.168.247.10

Thirteenth:
-p T:1-1024
Specify the ports; here TCP ports 1 through 1024.

Fourteenth:
--randomize-hosts 192.168.247.5-10
Randomize the target host order: hosts are scanned in random order rather than in the default sequence.
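Seen from the other side, several of the options above leave characteristic traces in a capture on the target's own segment: SYN probes that carry payload (--data-length), a source MAC that is not in the local inventory (--spoof-mac 0), fragmented probes (-f), and one source MAC claiming several source IPs (-D decoys, which all leave the scanning NIC). The following is an added example, not code from the original post: it runs those checks over a small constructed packet summary list (the two MAC addresses are the ones from the captures above; the IPs 10.77.3.9 and 172.16.40.2 are made up).

```python
from collections import defaultdict

TARGET = "192.168.247.10"  # the lab target used throughout the post

def pkt(src_mac, src_ip, dst_port, payload_len=0, more_frags=False, flags="S"):
    """One TCP/IP packet summary, as a tshark-style export would give it."""
    return {"src_mac": src_mac, "src_ip": src_ip, "dst_ip": TARGET,
            "dst_port": dst_port, "flags": flags,
            "payload_len": payload_len, "more_frags": more_frags}

# Constructed sample capture (not a real pcap). Packet 0 is an ordinary SYN
# from a known host; packets 1-4 come from one spoofed MAC (--spoof-mac 0),
# carry 24 bytes of padding (--data-length 24), claim three different source
# IPs (-D ... RND:5,ME), and packet 3 is an IP fragment (-f).
CAPTURE = [
    pkt("00:0c:29:54:0a:9b", "192.168.247.5", 80),
    pkt("94:c4:10:6f:19:67", "192.168.247.66", 22, payload_len=24),
    pkt("94:c4:10:6f:19:67", "10.77.3.9", 22, payload_len=24),
    pkt("94:c4:10:6f:19:67", "172.16.40.2", 22, payload_len=24, more_frags=True),
    pkt("94:c4:10:6f:19:67", "192.168.247.66", 23, payload_len=24),
]
KNOWN_MACS = {"00:0c:29:54:0a:9b"}  # constructed inventory of our own NICs

def analyze(packets, known_macs, decoy_threshold=3):
    """Return packet indices (or MAC groups) matching each stealth-scan indicator."""
    findings = defaultdict(list)
    ips_per_mac = defaultdict(set)
    for i, p in enumerate(packets):
        # A genuine SYN carries no data; --data-length pads every probe.
        if p["flags"] == "S" and p["payload_len"] > 0:
            findings["syn_with_payload"].append(i)
        # --spoof-mac 0 yields a MAC that is not in the local inventory.
        if p["src_mac"] not in known_macs:
            findings["unknown_mac"].append(i)
        # -f splits probes into IP fragments (MF bit set on all but the last).
        if p["more_frags"]:
            findings["fragmented"].append(i)
        if p["flags"] == "S":
            ips_per_mac[p["src_mac"]].add(p["src_ip"])
    # -D decoys are all emitted by the scanning NIC, so on the local segment
    # one source MAC claims several source IPs. Past a router every packet
    # carries the router's MAC, so this check only works on the same L2 segment.
    for mac, ips in ips_per_mac.items():
        if len(ips) >= decoy_threshold:
            findings["decoy_candidates"].append((mac, sorted(ips)))
    return dict(findings)
```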

OK, that is the introduction to stealth scanning. Questions and comments are welcome O(∩_∩)O~

Origin blog.csdn.net/zhaotiannuo_1998/article/details/89673553