Active Information Gathering
Passive information gathering may be inaccurate; active information gathering can be used to verify it.
Characteristics: it interacts directly with the target system, so leaving traces of access cannot be avoided.
Ways to deal with this:
1. Probe from a controlled third-party machine, through a proxy (be prepared for it to get blocked).
2. Forge a large number of source IPs for the probes, creating noise that drowns out the real probing traffic.
Scanning workflow: send different probes and judge the target's state from what comes back [IP layer -> port layer -> service layer].
Discovery
Identify live hosts and find potential targets; the output is a list of IP addresses.

Layer-2 discovery
Works at the data link layer and uses the ARP protocol.
Scenario: you have already obtained a host and entered the internal network, and are now pentesting that network.
Advantages: fast and reliable.
Disadvantages: not routable; can only scan the local network segment.
Master more tools so you can adapt to different environments.

1. arping

```
root@kali:~# arping 192.168.1.1 -c 1    # -c sets the number of packets to send
ARPING 192.168.1.1
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=16.324 msec

root@kali:~# arping 192.168.1.1 -d    # -d reports duplicate replies; replies with different MAC addresses reveal ARP spoofing
ARPING 192.168.1.1
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=3.071 msec
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=1 time=2.312 msec
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=2 time=3.019 msec

--- 192.168.1.1 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 2.312/2.801/3.071/0.346 ms
```

Filter the output with grep:

```
root@kali:~# arping -c 1 192.168.1.1 | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1
192.168.1.1
root@kali:~# arping -c 1 192.168.1.1 | grep "bytes from"
60 bytes from 1c:bd:b9:27:d5:32 (192.168.1.1): index=0 time=12.441 msec
```
Shell script: arping scan over an IP range

```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then    # -ne 1: the number of arguments is not 1
  echo "Usage - ./arping.sh [interface]"
  echo "Example - ./arping.sh eth0"
  echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
  exit
fi
interface=$1    # the single argument is assigned to the interface variable
# Take the first three octets of the interface's IP address, e.g. 192.168.1:
# grep "inet " selects the address line; -d 't' splits on 't' and -f 2 takes the second field
# (this relies on ifconfig printing the address as "inet A.B.C.D ...")
prefix=$(ifconfig "$interface" | grep "inet " | cut -d 't' -f 2 | cut -d '.' -f 1-3)
for addr in $(seq 1 254); do
  # >> appends each live address to a text file
  arping -c 1 $prefix.$addr | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1 >> add.txt
done
```
Read IP addresses from a text file and scan them

```bash
#!/bin/bash
if [ "$#" -ne 1 ]; then
  echo "Usage - ./arping.sh [file]"
  echo "Example - ./arping.sh file"
  echo "Example will perform an ARP scan of every address listed in the file"
  exit
fi
file=$1
for addr in $(cat "$file"); do
  arping -c 1 "$addr" | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1
done
```
nmap
Layer-2 discovery with nmap    # fast and accurate, relatively rich output, can scan a whole IP range without writing a script

```
root@kali:~# nmap -sn 192.168.1.0/24    # -sn: no port scan; besides ARP requests it also does PTR (reverse DNS) lookups
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-10 12:40 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0024s latency).
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)    # MAC vendor
Nmap scan report for HUAWEIG750-T01-HWG75 (192.168.1.105)
Host is up (0.083s latency).
MAC Address: 9C:C1:72:13:6A:61 (Huawei Technologies)
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00069s latency).
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
Nmap scan report for kali (192.168.1.143)
Host is up (0.00053s latency).
MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
Nmap scan report for Meizu-MX4-Pro (192.168.1.146)
Host is up (0.24s latency).
MAC Address: 38:BC:1A:E8:85:ED (Meizu technology)
Nmap scan report for 192.168.1.127
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.06 seconds
```

Scan the addresses listed in a file    # -iL

```
root@kali:~# nmap -iL arp.txt -sn
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-10 12:44 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.011s latency).
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00028s latency).
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
Nmap scan report for kali (192.168.1.143)
Host is up (0.00042s latency).
MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
Nmap scan report for Meizu-MX4-Pro (192.168.1.146)
Host is up (0.079s latency).
MAC Address: 38:BC:1A:E8:85:ED (Meizu technology)
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0036s latency).
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00022s latency).
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)
Nmap scan report for kali (192.168.1.143)
Host is up (0.00024s latency).
MAC Address: 08:00:27:CA:63:99 (Oracle VirtualBox virtual NIC)
Nmap done: 8 IP addresses (7 hosts up) scanned in 0.44 seconds
```
Netdiscover
An ARP reconnaissance tool dedicated to layer-2 discovery. It can scan actively or passively, on wireless as well as wired networks.

Active mode:
netdiscover -i eth0 -r 1.1.1.0/24    # -i specifies the interface
netdiscover -l iplist.txt            # read the targets from a file

Passive mode: avoids being noticed by not sending any ARP packets itself. Principle: the NIC is put into promiscuous mode and collects packets that are not addressed to its own IP/MAC; it relies on broadcasts, quietly waiting and recording. Accuracy is the same as active mode, but results arrive more slowly (hosts on a network send ARP packets fairly often, though, so it does not take too long).
netdiscover -p    # use passive mode
Scapy    # extremely powerful
Chinese translation of the official documentation by community members (link)
Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of many protocols, send them, capture them, match requests with replies, and much more. Scapy easily handles classic tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even parts of Nmap, tcpdump and tshark.
Advantages: sending invalid frames, injecting custom 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel), and so on.
If something is missing: apt-get install python-gnuplot
```
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>> ARP().display()    # layer names must be capitalised; ARP() builds a default ARP packet and display() prints its fields
###[ ARP ]###
  hwtype= 0x1                 # hardware type
  ptype= 0x800                # protocol type
  hwlen= 6                    # hardware address length
  plen= 4                     # protocol address length
  op= who-has                 # opcode
  hwsrc= 08:00:27:92:17:df    # source MAC
  psrc= 192.168.1.127         # source IP
  hwdst= 00:00:00:00:00:00    # destination MAC
  pdst= 0.0.0.0               # destination IP
```

Crafting an ARP packet    # when scapy sends a packet and no reply arrives it waits forever, so add a timeout

```
>>> arp=ARP()                 # create an ARP packet
>>> arp.pdst="192.168.1.1"    # set the target IP
>>> arp.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 08:00:27:92:17:df
  psrc= 192.168.1.127
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.1.1
>>> sr1(arp)
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=1c:bd:b9:27:d5:32 psrc=192.168.1.1 hwdst=08:00:27:92:17:df pdst=192.168.1.127 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)           # store the reply in a variable called answer
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 1c:bd:b9:27:d5:32
  psrc= 192.168.1.1
  hwdst= 08:00:27:92:17:df
  pdst= 192.168.1.127
###[ Padding ]###             # the frame is shorter than the minimum length, so it is padded
  load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
```
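As an added illustration (not code from the original post or from Scapy), the following builds the exact frame layout that ARP().display() prints above using only the standard library, shows why the reply carries 18 bytes of Padding, and runs a passive check in the spirit of arping -d and netdiscover -p that flags an IP answered by two different MACs. The MAC 00:11:22:33:44:55 is a constructed sample value.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # hwtype ptype hwlen plen op hwsrc psrc hwdst pdst
ETHERTYPE_ARP, ETH_MIN_FRAME = 0x0806, 60   # 60 = minimum Ethernet frame length without FCS
OP_WHO_HAS, OP_IS_AT = 1, 2                 # the op codes scapy prints as who-has / is-at

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(op, hwsrc, psrc, hwdst, pdst):
    """Ethernet + ARP frame (14 + 28 = 42 bytes) padded to 60, hence the 18-byte Padding."""
    eth_dst = b"\xff" * 6 if op == OP_WHO_HAS else mac_bytes(hwdst)  # who-has is broadcast
    frame = ETH_HDR.pack(eth_dst, mac_bytes(hwsrc), ETHERTYPE_ARP)
    frame += ARP_BODY.pack(1, 0x0800, 6, 4, op, mac_bytes(hwsrc),
                           ip_bytes(psrc), mac_bytes(hwdst), ip_bytes(pdst))
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))

def parse_arp(frame):
    """Decode an ARP frame into the fields ARP().display() shows; None if it is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    f = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    return {"op": f[4], "hwsrc": f[5].hex(":"), "psrc": ".".join(map(str, f[6])),
            "hwdst": f[7].hex(":"), "pdst": ".".join(map(str, f[8])),
            "padding": len(frame) - ETH_HDR.size - ARP_BODY.size}

def find_conflicts(frames):
    """Passive check (the idea behind netdiscover -p): record which MACs claim each IP;
    an IP claimed by more than one MAC is what arping -d warns about."""
    claims = defaultdict(set)
    for fr in frames:
        a = parse_arp(fr)
        if a and a["psrc"] != "0.0.0.0":  # ARP probes carry psrc 0.0.0.0, skip them
            claims[a["psrc"]].add(a["hwsrc"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

if __name__ == "__main__":
    # Constructed frames: the request/reply pair from the session above, plus a second
    # reply for 192.168.1.1 from a made-up MAC (sample value, not taken from the page)
    req = build_arp(OP_WHO_HAS, "08:00:27:92:17:df", "192.168.1.127", "00:00:00:00:00:00", "192.168.1.1")
    rep = build_arp(OP_IS_AT, "1c:bd:b9:27:d5:32", "192.168.1.1", "08:00:27:92:17:df", "192.168.1.127")
    fake = build_arp(OP_IS_AT, "00:11:22:33:44:55", "192.168.1.1", "08:00:27:92:17:df", "192.168.1.127")
    print(len(req), parse_arp(rep)["padding"], find_conflicts([req, rep, fake]))
```

On a live network the same check would be fed from a promiscuous-mode capture instead of the constructed frames; a gateway IP suddenly claimed by a second MAC is the classic sign of ARP spoofing.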
Python script [a shell script is slightly faster than a scapy script; nmap is the fastest]    # by default two ARP packets are sent, to improve accuracy
```python
#!/usr/bin/python
import logging    # import the libraries
import subprocess
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *    # import everything from scapy

if len(sys.argv) != 2:    # exactly one argument is expected
    print("Usage - ./arp_disc.py [interface]")
    print("Example - ./arp_disc.py eth0")
    print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = str(sys.argv[1])
# read the interface's IPv4 address from ifconfig (relies on the "inet A.B.C.D ..." output format)
ip = subprocess.check_output("ifconfig " + interface + " | grep 'inet ' | cut -d 't' -f 2 | cut -d ' ' -f 2",
                             shell=True).decode().strip()
prefix = ip.split(".")[0] + '.' + ip.split(".")[1] + '.' + ip.split(".")[2] + '.'
for addr in range(1, 255):    # hosts .1 to .254
    answer = sr1(ARP(pdst=prefix + str(addr)), timeout=0.1, verbose=0)    # build the ARP packet and wait for a reply
    if answer is None:
        pass
    else:
        print(prefix + str(addr))
```

Scan addresses from a specified file

```python
#!/usr/bin/python
import logging
import subprocess
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

if len(sys.argv) != 2:
    print("Usage - ./arp_disc.py [file]")
    print("Example - ./arp_disc.py iplist.txt")
    print("Example will perform an ARP scan of every address listed in the file")
    sys.exit()

filename = str(sys.argv[1])
with open(filename, "r") as file:
    for addr in file:
        answer = sr1(ARP(pdst=addr.strip()), timeout=0.1, verbose=0)
        if answer is None:
            pass
        else:
            print(addr.strip())
```

Beginner's notes, to be continued...