Newbie Diary 7: Kali Penetration Testing, Active Information Gathering - Discovery (1) - Layer 2 Discovery: arping / shell scripts, Netdiscover, scapy


    Active information gathering

    Passive information gathering may be inaccurate; active information gathering can be used to verify it.
     
    Characteristics: communicates directly with the target system, so leaving access traces cannot be avoided.
    Mitigations: 1. Probe from a controlled third-party machine, through a proxy (be prepared for it to be blocked)
     
      2. Forge a large number of source IPs for the probes, so that the noise drowns out the real probe traffic
     
    Scan process: send different probes and judge the target's state from the responses [IP layer -> port layer -> service layer]
     

    Discovery

    Identify live hosts and find potential targets; the output is a list of IP addresses.
     
    Layer 2 discovery
    Data link layer, using the ARP protocol
    Use case: a host has already been obtained and we are inside the internal network, pentesting the intranet
    Advantages: fast and reliable scanning
    Disadvantages: not routable; can only scan the local subnet
    Master more tools so you can adapt to different environments
     
    1. arping
    root@kali:~# arping 192.168.1.1 -c 1           # -c specifies the number of packets to send
    ARPING 192.168.1.1
    60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=16.324 msec
    
    root@kali:~# arping 192.168.1.1 -d             # -d reports duplicate replies; a reply with a different MAC address can reveal ARP spoofing
    ARPING 192.168.1.1
    60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=3.071 msec
    60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=1 time=2.312 msec
    60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=2 time=3.019 msec
    
    --- 192.168.1.1 statistics ---
    3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
    rtt min/avg/max/std-dev = 2.312/2.801/3.071/0.346 ms
    Filtering with grep
    root@kali:~# arping -c 1 192.168.1.1 | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1
    192.168.1.1
    root@kali:~# arping -c 1 192.168.1.1 | grep "bytes from"
    60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=12.441 msec
     

    Shell script

    #!/bin/bash
    if [ "$#" -ne 1 ]; then       # -ne 1: the number of arguments is not equal to 1
      echo "Usage - ./arping.sh [interface]"
      echo "Example - ./arping.sh eth0"
      echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
      exit 1
    fi
    
    interface=$1             # the single argument is assigned to the interface variable
    prefix=$(ifconfig "$interface" | grep "inet " | cut -d 't' -f 2 | cut -d '.' -f 1-3 | tr -d ' ')     # take the IP prefix, e.g. 192.168.1
                   # grep "inet " selects that line; -d 't' splits on t and -f 2 takes the 2nd field; tr drops the leading space
    
    arping scan of an IP range
    
    for addr in $(seq 1 254); do
      arping -c 1 "$prefix.$addr" | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1 >> add.txt     # >> appends to a text file
    done
    
    Reading IP addresses from a text file and scanning them
    #!/bin/bash
    if [ "$#" -ne 1 ]; then
      echo "Usage - ./arping.sh [file]"
      echo "Example - ./arping.sh iplist.txt"
      echo "Example will perform an ARP scan of the addresses listed in the file, one per line"
      exit 1
    fi
    file=$1
    while read -r addr; do           # one address per line
       arping -c 1 "$addr" | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1
    done < "$file"
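The grep/cut extraction used above, plus the duplicate-reply check that arping -d makes possible, written in Python as an added example (not code from the original post). It parses arping's reply lines, lists the hosts that answered, and flags any IP that answered from more than one MAC address; the sample output is constructed, with the second MAC invented to show a conflict.

```python
import re
from collections import defaultdict

# Matches the reply lines arping prints, e.g.
#   60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=3.071 msec
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): index=(?P<idx>\d+) time=(?P<ms>[\d.]+) msec$",
    re.IGNORECASE,
)

def parse_replies(output):
    """Return a list of (ip, mac) tuples, one per reply line; all other lines are ignored."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((m.group("ip"), m.group("mac").lower()))
    return replies

def live_hosts(output):
    """Sorted, de-duplicated IPs that answered (what the grep/cut chain in the text produces)."""
    return sorted({ip for ip, _ in parse_replies(output)},
                  key=lambda s: tuple(int(o) for o in s.split(".")))

def mac_conflicts(output):
    """Map each IP that answered from more than one MAC to the set of MACs seen.
    This is the duplicate-response case that arping -d surfaces and the text flags as possible ARP spoofing."""
    seen = defaultdict(set)
    for ip, mac in parse_replies(output):
        seen[ip].add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

# Constructed sample: three replies for 192.168.1.1, the second from an invented MAC
SAMPLE = """\
ARPING 192.168.1.1
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=3.071 msec
60 bytes from de:ad:be:ef:00:01 (192.168.1.1): index=1 time=2.312 msec
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=2 time=3.019 msec

--- 192.168.1.1 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
"""

if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE))
    for ip, macs in mac_conflicts(SAMPLE).items():
        print("WARNING: %s answered from several MACs: %s" % (ip, ", ".join(sorted(macs))))
```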
    

    nmap

    Layer 2 discovery with nmap  # fast and accurate, richer output, can scan an IP range without writing a script

    root@kali:~# nmap -sn 192.168.1.0/24     # -sn: no port scan; besides ARP requests it also resolves PTR records (reverse DNS)
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-10 12:40 CST
    Nmap scan report for DD-WRT (192.168.1.1)
    Host is up (0.0024s latency).
    MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)          # MAC vendor
    Nmap scan report for HUAWEIG750-T01-HWG75 (192.168.1.105)
    Host is up (0.083s latency).
    MAC Address: 9C:C1:72:13:6A:61 (Huawei Technologies)
    Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
    Host is up (0.00069s latency).
    MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
    Nmap scan report for kali (192.168.1.143)
    Host is up (0.00053s latency).
    MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
    Nmap scan report for Meizu-MX4-Pro (192.168.1.146)
    Host is up (0.24s latency).
    MAC Address: 38:BC:1A:E8:85:ED (Meizu technology)
    Nmap scan report for 192.168.1.127
    Host is up.
    Nmap done: 256 IP addresses (6 hosts up) scanned in 4.06 seconds
    

    Scanning targets from a file  # -iL
    root@kali:~# nmap -iL arp.txt -sn
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-10 12:44 CST
    Nmap scan report for DD-WRT (192.168.1.1)
    Host is up (0.011s latency).
    MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
    Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
    Host is up (0.00028s latency).
    MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
    Nmap scan report for kali (192.168.1.143)
    Host is up (0.00042s latency).
    MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
    Nmap scan report for Meizu-MX4-Pro (192.168.1.146)
    Host is up (0.079s latency).
    MAC Address: 38:BC:1A:E8:85:ED (Meizu technology)
    Nmap scan report for DD-WRT (192.168.1.1)
    Host is up (0.0036s latency).
    MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
    Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
    Host is up (0.00022s latency).
    MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
    Nmap scan report for kali (192.168.1.143)
    Host is up (0.00024s latency).
    MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
    Nmap done: 8 IP addresses (7 hosts up) scanned in 0.44 seconds
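An added example (not from the original post) that parses the normal text output of nmap -sn into a host inventory: it merges a host that appears twice (as happens when the -iL file has repeated entries), keeps the MAC and vendor of the hosts that answered ARP, and lists hosts that were up but gave no MAC. The sample output is constructed from the runs shown above.

```python
import re

# "Nmap scan report for DD-WRT (192.168.1.1)" or "Nmap scan report for 192.168.1.127"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)"
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) \((?P<vendor>[^)]*)\)$")

def parse_nmap_sn(output):
    """Parse `nmap -sn` text output into {ip: record}; a host listed twice is merged into one record."""
    hosts = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            ip = m.group("ip")
            current = hosts.setdefault(ip, {"ip": ip, "name": None, "mac": None, "vendor": None, "up": False})
            if m.group("name"):
                current["name"] = m.group("name")
            continue
        if current is None:
            continue                      # header lines before the first report
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group("mac").upper()
            current["vendor"] = m.group("vendor")
    return hosts

def hosts_without_mac(hosts):
    """IPs reported up but with no MAC line: not reached over ARP (e.g. the scanning host itself)."""
    return sorted(ip for ip, h in hosts.items() if h["up"] and h["mac"] is None)

# Constructed sample, trimmed from the runs above, with 192.168.1.1 listed twice
SAMPLE = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-10 12:44 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.011s latency).
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Nmap scan report for 192.168.1.127
Host is up.
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0036s latency).
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Nmap done: 3 IP addresses (3 hosts up) scanned in 0.44 seconds
"""

if __name__ == "__main__":
    for h in parse_nmap_sn(SAMPLE).values():
        print(h)
    print("up without MAC:", hosts_without_mac(parse_nmap_sn(SAMPLE)))
```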
    

    Netdiscover

    An ARP reconnaissance tool built specifically for layer 2 discovery. It can scan actively or passively, on wireless as well as wired networks.
    Active mode
    netdiscover -i eth0 -r 1.1.1.0/24            # -i specifies the interface, -r the range to scan
     
    netdiscover -l iplist.txt   # -l reads the ranges to scan from a file
     
    Passive mode
    Avoids detection by not sending any ARP packets. Principle: the NIC is put into promiscuous mode and receives packets not addressed to its own IP/MAC; since ARP relies on broadcasts, the tool silently waits and records what it sees. Accuracy is no worse than active mode, only slower (but hosts on a network send ARP packets fairly often, so it does not take too long).
     
    netdiscover -p      # passive mode
     
     

    Scapy   # extremely powerful

     
    Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of many protocols, send them, capture them, match requests with replies, and much more. Scapy easily handles classic tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even parts of Nmap, tcpdump and tshark.
    Strengths: sending invalid frames, injecting custom 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel), and so on.
    If something is missing: apt-get install python-gnuplot
    root@kali:~# scapy
    WARNING: No route found for IPv6 destination :: (no default route?)
    Welcome to Scapy (2.3.2)
    >>> ARP().display()                 # class names must be capitalized; display() shows the fields; calling ARP() creates an ARP packet to customize
    ###[ ARP ]###
      hwtype= 0x1             # hardware type
      ptype= 0x800            # protocol type
      hwlen= 6                # hardware address length
      plen= 4                 # protocol address length
      op= who-has             # opcode
      hwsrc= 08:00:27:92:17:df          # source MAC
      psrc= 192.168.1.127             # source IP address
      hwdst= 00:00:00:00:00:00         # destination MAC
      pdst= 0.0.0.0                   # destination IP
    
    Crafting an ARP packet     # when scapy sends a packet and no reply comes back it waits forever by default, so add a timeout
    >>> arp=ARP()                    # create the ARP packet
    >>> arp.pdst="192.168.1.1"        # set the target IP
    >>> arp.display()
    ###[ ARP ]###
      hwtype= 0x1
      ptype= 0x800
      hwlen= 6
      plen= 4
      op= who-has
      hwsrc= 08:00:27:92:17:df
      psrc= 192.168.1.127
      hwdst= 00:00:00:00:00:00
      pdst= 192.168.1.1
    >>> sr1(arp)
    Begin emission:
    *Finished to send 1 packets.
    
    Received 1 packets, got 1 answers, remaining 0 packets
    <ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=1c:bd:b9:27:d5:32 psrc=192.168.1.1 hwdst=08:00:27:92:17:df pdst=192.168.1.127 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
    >>> answer=sr1(arp)           # store the reply in a variable named answer
    Begin emission:
    *Finished to send 1 packets.
    
    Received 1 packets, got 1 answers, remaining 0 packets
    >>> answer.display()
    ###[ ARP ]###
      hwtype= 0x1
      ptype= 0x800
      hwlen= 6
      plen= 4
      op= is-at
      hwsrc= 1c:bd:b9:27:d5:32
      psrc= 192.168.1.1
      hwdst= 08:00:27:92:17:df
      pdst= 192.168.1.127
    ###[ Padding ]###                # the frame was padded up to the minimum Ethernet size
         load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    
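The fields that ARP().display() lists are the 28-byte ARP header. This added example (not from the original post, and not scapy's own code) packs and unpacks that header with struct, using the addresses from the exchange above, and treats anything after the 28 bytes as the Padding the reply showed; the reply bytes are constructed here, assuming the zero padding shown.

```python
import struct

# ARP header for Ethernet/IPv4 (RFC 826), the same fields ARP().display() lists:
#   hwtype(2) ptype(2) hwlen(1) plen(1) op(2) hwsrc(6) psrc(4) hwdst(6) pdst(4) = 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)   # 28
OP_NAMES = {1: "who-has", 2: "is-at"}

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp(op, hwsrc, psrc, hwdst, pdst):
    """Encode an ARP packet with scapy's defaults: hwtype=1 (Ethernet), ptype=0x800 (IPv4)."""
    opcode = {v: k for k, v in OP_NAMES.items()}[op]
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(hwsrc), ip_bytes(psrc), mac_bytes(hwdst), ip_bytes(pdst))

def parse_arp(data):
    """Decode the first 28 bytes; anything after is padding (Ethernet's 46-byte minimum payload).
    Raises ValueError on a short or non-Ethernet/IPv4 packet instead of mis-decoding it."""
    if len(data) < ARP_LEN:
        raise ValueError("ARP packet too short: %d bytes" % len(data))
    hwtype, ptype, hwlen, plen, op, hs, ps, hd, pd = struct.unpack(ARP_FMT, data[:ARP_LEN])
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": OP_NAMES.get(op, op), "hwsrc": fmt_mac(hs), "psrc": fmt_ip(ps),
            "hwdst": fmt_mac(hd), "pdst": fmt_ip(pd), "padding": data[ARP_LEN:]}

# The request from the text (arp.pdst="192.168.1.1") and a reply padded like scapy showed
REQUEST = build_arp("who-has", "08:00:27:92:17:df", "192.168.1.127", "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp("is-at", "1c:bd:b9:27:d5:32", "192.168.1.1", "08:00:27:92:17:df", "192.168.1.127") + b"\x00" * 18

if __name__ == "__main__":
    print(len(REQUEST), parse_arp(REQUEST))
    print(len(REPLY), parse_arp(REPLY))
```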

    Python script [the shell script is slightly faster than the scapy script; nmap is the fastest]  # by default two ARP packets are sent, which improves accuracy
    #!/usr/bin/env python3
    
    import logging                    # import libraries
    import subprocess
    import sys                        # needed for sys.argv
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)   # hide scapy's IPv6 "no route" warning
    from scapy.all import *           # import all of scapy
    
    if len(sys.argv) != 2:                               # number of command-line arguments is not 2
       print("Usage - ./arp_disc.py [interface]")
       print("Example - ./arp_disc.py eth0")
       print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
       sys.exit()
    
    interface = str(sys.argv[1])
    
    # the interface name is passed to a shell, so only run this with a trusted argument
    ip = subprocess.check_output("ifconfig " + interface + " | grep 'inet ' | cut -d 't' -f 2 | cut -d ' ' -f 2",
                                 shell=True).decode().strip()
    prefix = ".".join(ip.split(".")[:3]) + "."          # e.g. 192.168.1.
    
    for addr in range(1, 255):                           # .1 to .254; .0 and .255 are not hosts
       answer = sr1(ARP(pdst=prefix + str(addr)), timeout=0.1, verbose=0)     # build and send the ARP request
       if answer is not None:                            # None means no reply within the timeout
         print(prefix + str(addr))
    
    Scanning targets from a file
    #!/usr/bin/env python3
    
    import logging
    import sys
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    from scapy.all import *
    
    if len(sys.argv) != 2:
       print("Usage - ./arp_disc.py [file]")
       print("Example - ./arp_disc.py iplist.txt")
       print("Example will perform an ARP scan of the addresses listed in the file, one per line")
       sys.exit()
    
    filename = str(sys.argv[1])
    
    with open(filename, "r") as file:
       for addr in file:
          addr = addr.strip()
          if not addr:                                   # skip blank lines
             continue
          answer = sr1(ARP(pdst=addr), timeout=0.1, verbose=0)
          if answer is not None:
             print(addr)
    



    Newbie diary, to be continued...
    Original article: https://www.cnblogs.com/zixuanfy/p/5988668.html