Host discovery
不死鸟 edited this page Mar 23, 2018 · 1 revision
Purpose: discover potential attack targets and produce a list of the IP addresses of live hosts.
Layer 2 discovery (ARP)
Scans are fast and the results are reliable, but ARP is not routable, so this only works inside the local network segment.
arping
- arping 1.1.1.1 -c 2
- arping 1.1.1.1 -c 1 -d (-d reports different MACs answering for the same IP, i.e. it uncovers ARP spoofing); pay particular attention to whether the gateway IP is being spoofed.
Drawback: only one IP can be checked per invocation; a script can work around this.
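The duplicate-MAC condition that `arping -d` reports can also be checked offline over saved arping output. The following is an added example, not part of the original wiki: it parses constructed arping-style reply lines (both the iputils "Unicast reply from IP [MAC]" and the Thomas Habets "bytes from MAC (IP)" formats are assumed) and flags every IP answered by more than one MAC, marking the gateway specially because that is the address an ARP spoofer usually claims.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample replies (not a real capture) in the two common arping output formats,
# iputils ("Unicast reply from IP [MAC]") and Thomas Habets' arping ("... from MAC (IP)").
# The gateway 192.168.1.1 is answered by two different MACs, the condition `arping -d` reports.
SAMPLE_REPLIES = """\
ARPING 192.168.1.1 from 192.168.1.50 eth0
Unicast reply from 192.168.1.1 [00:11:22:33:44:55]  1.024ms
Unicast reply from 192.168.1.1 [00:11:22:33:44:55]  0.987ms
Unicast reply from 192.168.1.1 [de:ad:be:ef:00:01]  0.412ms
60 bytes from 00:11:22:33:44:66 (192.168.1.20): index=0 time=2.100 msec
Unicast reply from 192.168.1.21 [00:11:22:33:44:77]  1.900ms
Sent 3 probes (1 broadcast(s))
"""


def parse_replies(text):
    """Return {ip: set_of_macs} from arping-style reply lines; lines that do not carry both
    an IP and a MAC (banners, statistics) are ignored."""
    seen = defaultdict(set)
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip:
            seen[ip.group(1)].add(mac.group(1).lower())
    return seen


def find_conflicts(text, gateway=None):
    """List (ip, sorted_macs, is_gateway) for every IP claimed by more than one MAC.
    A conflict on the gateway address is the classic symptom of ARP spoofing."""
    return [(ip, sorted(macs), ip == gateway)
            for ip, macs in sorted(parse_replies(text).items()) if len(macs) > 1]


if __name__ == "__main__":
    for ip, macs, is_gw in find_conflicts(SAMPLE_REPLIES, gateway="192.168.1.1"):
        print(("GATEWAY " if is_gw else "") + f"{ip} is claimed by {len(macs)} MACs: {', '.join(macs)}")
```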
Scripts (arping a whole /24, or a specific list of IPs)
arping1.sh
```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then
    echo "Usage ./arping1.sh [interface]"
    echo "Example ./arping1.sh eth0"
    echo "This Example will perform an ARP scan of the local subnet to which eth0 is assigned"
    exit
fi
interface=$1
# First three octets of the interface's IPv4 address (assumes a /24); pass the interface
# to ifconfig so the right address is used on multi-homed hosts
prefix=$(ifconfig "$interface" | grep "broadcast" | awk '{print $2}' | cut -d '.' -f 1-3)
for addr in $(seq 1 254); do
    # print the IP from lines like "Unicast reply from 1.1.1.5 [aa:bb:cc:dd:ee:ff]"
    arping -c 1 "$prefix.$addr" | grep 'reply from' | awk '{print $4}'
done
```
arping2.sh
```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then
    echo "Usage ./arping2.sh [ip_addrs.txt]"
    echo "Example ./arping2.sh ips"
    echo "This Example will perform an ARP scan of ips in the file"
    exit
fi
# one IP address per line in the input file; blank lines are skipped
while read -r addr; do
    [ -z "$addr" ] && continue
    arping -c 1 "$addr" | grep 'reply from' | awk '{print $4}'
done < "$1"
```
nmap
```bash
nmap -sn 1.1.1.1/24
nmap -iL ips.txt -sn
```
Note: -sn is nmap's "Ping Scan - disable port scan".
Strictly speaking it does not send only ARP packets: when probing addresses on the local segment nmap sends ARP requests and also reverse-DNS (PTR record) lookups for the IPs.
netdiscover
Features
- Dedicated to layer 2 discovery
- Works on wireless and switched networks
- Supports active and passive probing
Active mode
```bash
netdiscover -i eth0 -r 1.1.1.0/24
netdiscover -l ips.txt   # entries in ips.txt must be written in CIDR form, e.g. 1.1.1.1/24
```
Passive mode
```bash
netdiscover -p
```
How it works: the NIC is put into promiscuous mode and netdiscover listens for the ARP broadcasts sent by other hosts.
Scapy
Lets you set the fields of the underlying packets yourself.
arping1.py
```python
#!/usr/bin/env python3
# coding: utf-8
import logging
import subprocess
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import ARP, sr1

if len(sys.argv) != 2:
    print("Usage ./arping1.py [interface]")
    print("Example ./arping1.py eth0")
    print("This Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = sys.argv[1]
# first three octets of the interface's IPv4 address (assumes a /24)
ip = subprocess.check_output(
    "ifconfig " + interface + " | grep 'broadcast' | awk '{print $2}' | cut -d '.' -f 1-3",
    shell=True).decode().strip()
prefix = '.'.join(ip.split('.')[:3]) + '.'
# scan host addresses 1-254 (the original range(0,254) probed .0 and skipped .254)
for addr in range(1, 255):
    answer = sr1(ARP(pdst=prefix + str(addr)), timeout=0.1, verbose=0)
    if answer is not None:
        print(prefix + str(addr))
```
arping2.py
```python
#!/usr/bin/env python3
# coding: utf-8
import logging
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import ARP, sr1

if len(sys.argv) != 2:
    print("Usage ./arping2.py [ip_list.txt]")
    print("Example ./arping2.py ips.txt")
    print("This Example will perform an ARP scan of ips in the file")
    sys.exit()

filename = sys.argv[1]
# one IP address per line; blank lines are skipped
with open(filename, "r") as ips:
    for line in ips:
        addr = line.strip()
        if not addr:
            continue
        answer = sr1(ARP(pdst=addr), timeout=0.1, verbose=0)
        if answer is not None:
            print(addr)
```
Layer 3 discovery (ICMP)
- Routable
- Fairly fast
- Slower than layer 2
- Often filtered by border firewalls
ping
```bash
ping baidu.com -c 1
ping 1.1.1.1 -c 2
ping 1.1.1.1 -R   # record route: traces the path, but by a different mechanism from traceroute; the IP returned is that of the router interface farther away from us
```
Drawback: only one IP can be probed per invocation.
pinger.sh
```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then
    echo "Usage ./pinger.sh [/24 network address]"
    echo "Example ./pinger.sh 192.168.1.0"
    echo "This Example will perform an ping scan of the local subnet"
    exit
fi
ip=$1
prefix=$(echo "$ip" | cut -d '.' -f 1-3)
for addr in $(seq 1 254); do
    # "64 bytes from 192.168.1.5: icmp_seq=1 ..." -> field 4 is "192.168.1.5:", strip the colon
    ping -c 1 "$prefix.$addr" | grep 'bytes from' | awk '{print $4}' | cut -d ':' -f 1
done
```
traceroute
Route tracing not only finds live hosts but also reveals the routers the packets pass through.
```bash
traceroute sina.com
```
How it works: the TTL is set deliberately; when the TTL runs out at a router, that router sends a packet back. The IP returned is that of the router interface nearer to us.
pinger1.py
```python
#!/usr/bin/env python3
# coding: utf-8
import logging
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, sr1

if len(sys.argv) != 2:
    print("Usage ./pinger1.py [ip]")
    print("Example ./pinger1.py 1.1.1.1")
    print("This Example will perform an ping scan of the subnet")
    sys.exit()

ip = sys.argv[1]
prefix = '.'.join(ip.split('.')[:3]) + '.'   # the /24 of the given address
for addr in range(1, 255):
    target = prefix + str(addr)
    # bare IP header, no payload: any reply at all (e.g. an ICMP error) counts as the host being up
    answer = sr1(IP(dst=target), timeout=0.1, verbose=0)
    if answer is not None:
        print(target)
```
pinger2.py
```python
#!/usr/bin/env python3
# coding: utf-8
import logging
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, sr1

if len(sys.argv) != 2:
    print("Usage ./pinger2.py [ip_list.txt]")
    print("Example ./pinger2.py ips.txt")
    print("This Example will perform an ping scan of ips in the file")
    sys.exit()

filename = sys.argv[1]
# one IP address per line; blank lines are skipped
with open(filename, "r") as ips:
    for line in ips:
        target = line.strip()
        if not target:
            continue
        # bare IP header, no payload: any reply at all (e.g. an ICMP error) counts as the host being up
        answer = sr1(IP(dst=target), timeout=0.1, verbose=0)
        if answer is not None:
            print(target)
```
nmap
```bash
nmap -sn 1.1.1.1
```
Against a different network segment, nmap -sn sends two ICMP packets (Echo and Timestamp requests) and two TCP packets (a SYN and an ACK).
fping
```bash
fping 1.1.1.1
fping 1.1.1.1 -c 1
fping -g 1.1.1.1/24 -a         # roughly the same as: fping -g 1.1.1.1/24 | grep "alive"; fping supports batch scanning
fping -g 1.1.1.1 1.1.3.254 -a   # show the live hosts between 1.1.1.1 and 1.1.3.254
fping -f ips.txt
```
hping3
Features
- Can send almost arbitrary TCP/IP packets
- Powerful, but scans only one target per invocation
- Can be used for a degree of stress testing
```bash
hping3 1.1.1.1
# one background hping3 process per host in ICMP mode; the replies are collected in /tmp/hping
for addr in $(seq 1 254); do hping3 1.1.1.$addr --icmp -c 1 >> /tmp/hping & done
```
Layer 4 discovery (TCP/UDP)
- Routable, with reliable results
- Unlikely to be filtered by firewalls
- Can even find hosts whose ports are all filtered
- Stateful firewalls may filter the scan
- A full-port scan is slow
TCP
- Send an unsolicited ACK: the host replies with RST
- Send a normal SYN: an open port replies SYN/ACK, otherwise RST
UDP
- Relies on a closed port answering with ICMP Port Unreachable; an open port sends nothing back (and when the target is offline nothing comes back either)
How it works
Send an ACK and check whether a RST comes back to decide whether the host is up; a SYN works too.
Or send a UDP packet to a port that is known to be unused and check whether Port Unreachable comes back.
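From the defender's side, the probe mix described above and in the earlier nmap note (ICMP echo and timestamp, a lone TCP SYN, a bare ACK to port 80, a UDP packet to an unused port) shows up in firewall logs as one source touching many destinations within seconds. The following added example, not from the original wiki, classifies constructed and abbreviated iptables LOG lines into those probe types and reports sources that reached at least a given number of distinct hosts inside a time window; the thresholds and the log field layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed, abbreviated iptables LOG lines (not a real capture): 10.0.0.5 sends ICMP echo,
# SYN to 443 and bare ACK to 80 (the off-subnet `nmap -sn` mix), then ICMP timestamp and a UDP
# probe, to three hosts within seconds; 10.0.0.9 is one ordinary SYN to 443.
SAMPLE_LOG = """\
kernel: [100.001] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.1 PROTO=ICMP TYPE=8 CODE=0
kernel: [100.002] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.1 PROTO=TCP SPT=40001 DPT=443 RES=0x00 SYN URGP=0
kernel: [100.003] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.1 PROTO=TCP SPT=40001 DPT=80 RES=0x00 ACK URGP=0
kernel: [101.010] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.2 PROTO=ICMP TYPE=13 CODE=0
kernel: [102.020] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.3 PROTO=UDP SPT=40002 DPT=0 LEN=8
kernel: [150.000] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.1.1 PROTO=TCP SPT=51000 DPT=443 RES=0x00 SYN URGP=0
"""
FIELD_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)(?P<rest>.*)")

def probe_kind(proto, rest):
    """Name the discovery probe a logged packet looks like (None for anything else): ICMP echo or
    timestamp, a lone SYN (-PS style), a bare ACK outside any handshake (-PA / ack_ping.py), or UDP."""
    if proto == "ICMP":
        m = re.search(r"TYPE=(\d+)", rest)
        return {"8": "icmp-echo", "13": "icmp-timestamp"}.get(m.group(1)) if m else None
    if proto == "TCP":
        flags = frozenset(re.findall(r"\b(SYN|ACK|RST|FIN|PSH)\b", rest))
        return {frozenset({"SYN"}): "tcp-syn", frozenset({"ACK"}): "tcp-ack"}.get(flags)
    return "udp" if proto == "UDP" else None

def parse_log(text):
    """Return [(timestamp, src, dst, kind)] for the lines that look like discovery probes."""
    matches = filter(None, map(FIELD_RE.search, text.splitlines()))
    return [(float(m["ts"]), m["src"], m["dst"], k) for m in matches if (k := probe_kind(m["proto"], m["rest"]))]

def find_sweeps(text, min_hosts=3, window=10.0):
    """{src: (most distinct destinations probed inside `window` seconds, sorted probe kinds)} for
    sources reaching min_hosts. Both thresholds are assumed values; tune them per network."""
    by_src = defaultdict(list)
    for ts, src, dst, kind in parse_log(text):
        by_src[src].append((ts, dst, kind))
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):               # sliding time window over time-ordered events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d, _ in evs[lo:hi + 1]}))
        if best >= min_hosts:
            sweeps[src] = (best, sorted({k for _, _, k in evs}))
    return sweeps
```

Running `find_sweeps(SAMPLE_LOG)` flags only 10.0.0.5, with all five probe kinds; the single SYN from 10.0.0.9 stays below the threshold.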
Scapy
ack_ping.py
```python
#!/usr/bin/env python3
# coding: utf-8
import logging
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, sr1


def Usage():
    if len(sys.argv) != 2:
        print("Usage ./ack_ping.py [ip]")
        print("Example ./ack_ping.py 1.1.1.1")
        print("This Example will perform an ping scan of 1.1.1.1/24 use TCP ack type protocal")
        sys.exit()


def ack_ping():
    ip = sys.argv[1]
    prefix = '.'.join(ip.split('.')[:3]) + '.'   # the /24 of the given address
    for addr in range(1, 255):
        target = prefix + str(addr)
        # unsolicited ACK to port 80: a live host answers with RST (flag bit value 4)
        answer = sr1(IP(dst=target) / TCP(dport=80, flags='A'), timeout=1, verbose=0)
        if answer is not None and answer.haslayer(TCP) and int(answer[TCP].flags) & 0x04:
            print(target)


if __name__ == '__main__':
    Usage()
    ack_ping()
```
udp_ping.py
```python
#!/usr/bin/env python3
# coding: utf-8
import logging
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, UDP, sr1


def Usage():
    if len(sys.argv) != 2:
        print("Usage ./udp_ping.py [ip]")
        print("Example ./udp_ping.py 1.1.1.1")
        print("This Example will perform an ping scan of 1.1.1.1/24 use udp protocal")
        sys.exit()


def udp_ping():
    ip = sys.argv[1]
    prefix = '.'.join(ip.split('.')[:3]) + '.'   # the /24 of the given address
    for addr in range(1, 255):
        target = prefix + str(addr)
        # UDP to port 0, which is certainly unused: a live host answers with ICMP Port Unreachable
        answer = sr1(IP(dst=target) / UDP(dport=0), timeout=1, verbose=0)
        if answer is not None:   # could also check int(answer[IP].proto) == 1, i.e. an ICMP packet came back
            print(target)


if __name__ == '__main__':
    Usage()
    udp_ping()
```
nmap
Advantage: the scan is far faster than with scapy, and each host is not probed just once; nmap automatically retries a second time.
```bash
nmap 1.1.1.1-254 -PU0 -sn
nmap 1.1.1.1/24 -PA80 -sn
nmap -iL iplist.txt -PA80 -sn
```
From the nmap help text:
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
hping3
```bash
hping3 1.1.1.1 -c 1         # by default sends TCP packets with flags=0
hping3 --udp 1.1.1.1 -c 1   # any packet coming back means the host is up
```
Note: when scanning IPs on the local layer-2 segment, discovery automatically falls back to ARP to find the hosts.
udp_hping.sh
```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then
    echo "Usage ./udp_hping.sh [/24 network address]"
    echo "Example ./udp_hping.sh 1.1.1.1"
    echo "This Example will perform an hping scan of the local subnet use udp protocal"
    exit
fi
ip=$1
prefix=$(echo "$ip" | cut -d '.' -f 1-3)
: > /tmp/udp_hping.txt   # start from an empty result file instead of appending to stale results
for addr in $(seq 1 254); do
    # "ICMP Port Unreachable from ip=1.1.1.5 name=UNKNOWN" -> keep the address after "ip="
    hping3 "$prefix.$addr" -c 1 --udp | grep Unreachable | cut -d "=" -f 2 | cut -d " " -f 1 >> /tmp/udp_hping.txt
done
echo "Result:"
cat /tmp/udp_hping.txt
```
tcp_hping.sh (sends packets with flags=0; the target host replies with ACK+RST)
```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then
    echo "Usage ./tcp_hping.sh [/24 network address]"
    echo "Example ./tcp_hping.sh 1.1.1.1"
    echo "This Example will perform an hping scan of the local subnet use tcp protocal"
    exit
fi
ip=$1
prefix=$(echo "$ip" | cut -d '.' -f 1-3)
: > /tmp/tcp_hping.txt   # start from an empty result file instead of appending to stale results
for addr in $(seq 1 254); do
    # "len=46 ip=1.1.1.5 ttl=64 ... flags=RA ..." -> keep the address after "ip="
    hping3 "$prefix.$addr" -c 1 | grep ^len | cut -d "=" -f 3 | cut -d " " -f 1 >> /tmp/tcp_hping.txt
done
echo "Result:"
cat /tmp/tcp_hping.txt
```
This wiki is created by [amWiki]