Layer-4 discovery
Advantages:
1. Routable, and the results are reliable;
2. Unlikely to be filtered by a firewall; it can even find hosts on which every port is filtered. [Some stricter firewalls will still filter it.]
Disadvantages: a stateful firewall may filter the scan, and a full-port scan (UDP + TCP, well over a hundred thousand ports) is slow.

I. TCP probing [based on protocol behaviour]
A TCP connection is set up through the three-way handshake.
1. Unsolicited ACK [send an ACK directly]: a live host replies with an RST; a host that is down sends nothing.
2. Send a SYN directly: a live host replies SYN/ACK [port open] or RST [port closed];
Scapy (an RST reply means the host is online, otherwise it is offline)
Note: any field of the packet can be set, so different packets can be built, e.g. with a spoofed source IP address. Special case: a live host that does not answer the probe can still be checked with ping.

root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>> i=IP()
>>> t=TCP()
>>> r=(i/t)
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= {}
>>> r[IP].dst="192.168.1.1"
>>> r[TCP].flags="A"   # build the unsolicited ACK probe
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 192.168.1.127
  dst= 192.168.1.1
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= A
     window= 8192
     chksum= None
     urgptr= 0
     options= {}
>>> a=sr1(r)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>>
Single combined statement
>>> a = sr1(IP(dst="1.1.1.1")/TCP(dport=80,flags='A') ,timeout=1)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a
<IP version=4L ihl=5L tos=0x0 len=40 id=56576 flags= frag=0L ttl=60 proto=tcp chksum=0xdda6 src=1.1.1.1 dst=192.168.1.127 options=[] |<TCP sport=http dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xeb53 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
>>>

Scapy script (still has a few small errors)
#!/usr/bin/env python3
import logging
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, sr1

if len(sys.argv) != 2:  # fewer than the 2 command-line arguments expected
    print("Usage - ./ACK_Ping.py [/24 network address]")
    print("Example - ./ACK_Ping.py 172.16.36.0")
    print("Example will perform an ACK ping scan of the 172.16.36.0/24 range")
    sys.exit()

address = str(sys.argv[1])
prefix = ".".join(address.split(".")[:3]) + "."   # first three octets, e.g. "172.16.36."
for addr in range(1, 255):                         # hosts .1 to .254
    # unsolicited ACK to port 80; a live host answers with an RST
    response = sr1(IP(dst=prefix + str(addr)) / TCP(dport=80, flags="A"), timeout=1, verbose=0)
    try:
        if int(response[TCP].flags) == 4:          # flags value 4 == RST
            print(prefix + str(addr))
    except (TypeError, IndexError):                # no reply, or a reply without a TCP layer
        pass
II. UDP probing [based on protocol behaviour]
A connectionless, unreliable transport protocol that makes a best effort to forward packets.
If the target host is offline, there is no reply. If the target port is open, there may also be no reply [a DNS service would answer if the payload carried a DNS query, but that would require building a complete, valid UDP datagram for each service, which is not practical]. When the host is online and the packet hits a port that is not open, it answers with ICMP port unreachable, which shows that the host is alive.
UDP probe with Scapy
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>> i=IP()
>>> u=UDP()
>>> r=(i/u)
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ UDP ]###
     sport= domain
     dport= domain
     len= None
     chksum= None
>>> r[IP].dst="192.168.1.1"
>>> r[UDP].dport=7345
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 192.168.1.127
  dst= 192.168.1.1
  \options\
###[ UDP ]###
     sport= domain
     dport= 7345
     len= None
     chksum= None
>>> a=sr1(r)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0xc0
  len= 56
  id= 61178
  flags=
  frag= 0L
  ttl= 64
  proto= icmp
  chksum= 0x73a
  src= 192.168.1.1
  dst= 192.168.1.127
  \options\
###[ ICMP ]###
     type= dest-unreach
     code= port-unreachable
     chksum= 0x80e7
     reserved= 0
     length= 0
     nexthopmtu= 0
###[ IP in ICMP ]###
        version= 4L
        ihl= 5L
        tos= 0x0
        len= 28
        id= 1
        flags=
        frag= 0L
        ttl= 64
        proto= udp
        chksum= 0xf6ff
        src= 192.168.1.127
        dst= 192.168.1.1
        \options\
###[ UDP in ICMP ]###
           sport= domain
           dport= 7345
           len= 8
           chksum= 0x5f27
>>>
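As an added example (not code from the original notes), the decision rules of the TCP and UDP sections above, implemented as a parser over raw IPv4 reply bytes: TCP RST or SYN/ACK means the host is alive, ICMP type 3 code 3 means alive with the UDP port closed, and it goes one step beyond the notes by flagging other ICMP unreachable codes as coming from a filtering device. The sample packets are constructed inline; the addresses mirror the sessions above.

```python
import struct

# TCP flag bits; Scapy's int(pkt[TCP].flags) == 4 is the same RST test the notes' script uses
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def classify_response(pkt: bytes):
    """Classify a raw IPv4 reply to a layer-4 discovery probe.

    Returns (reply_src_ip, verdict) using the rules from the notes:
      TCP RST             -> host alive (answer to an unsolicited ACK, or SYN to a closed port)
      TCP SYN/ACK         -> host alive and the probed port is open
      ICMP type 3, code 3 -> host alive, the probed UDP port is closed
    Other ICMP unreachable codes usually come from a filtering device, so
    reply_src_ip is then the filter, not the target (verdict "filtered").
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto, src = pkt[9], ".".join(str(b) for b in pkt[12:16])
    l4 = pkt[ihl:]
    if proto == 6 and len(l4) >= 20:          # TCP: the flag byte is at offset 13
        flags = l4[13]
        if flags & TCP_RST:
            return src, "alive (TCP RST)"
        if flags & TCP_SYN and flags & TCP_ACK:
            return src, "alive (TCP SYN/ACK, port open)"
        return src, "alive (other TCP reply)"
    if proto == 1 and len(l4) >= 8:           # ICMP: type, code
        if l4[0] == 3 and l4[1] == 3:
            return src, "alive (ICMP port unreachable)"
        if l4[0] == 3:
            return src, "filtered (ICMP unreachable code %d)" % l4[1]
    return src, "inconclusive"

# Constructed sample replies (minimal headers; checksums left at 0 and not verified)
def ipv4(proto, src, dst, payload):
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       proto, 0, octets(src), octets(dst)) + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

UDP_PROBE = ipv4(17, "192.168.1.127", "192.168.1.1", struct.pack("!HHHH", 53, 7345, 8, 0))
RST_REPLY = ipv4(6, "192.168.1.1", "192.168.1.127", tcp(80, 20, TCP_RST))
SYNACK_REPLY = ipv4(6, "192.168.1.1", "192.168.1.127", tcp(80, 20, TCP_SYN | TCP_ACK))
PORT_UNREACH = ipv4(1, "192.168.1.1", "192.168.1.127", struct.pack("!BBHI", 3, 3, 0, 0) + UDP_PROBE)
ADMIN_PROHIB = ipv4(1, "10.0.0.254", "192.168.1.127", struct.pack("!BBHI", 3, 13, 0, 0) + UDP_PROBE)
```

Feed the function the bytes of each reply captured by `sr1()` (`bytes(a)` in Scapy) to get the same verdicts on real traffic.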
nmap (fast; limited in a few cases, but overall suitable for most situations)
For layer-3/4 scanning it is hard to beat.
UDP scan:       nmap 1.1.1.1-254 -PU53 -sn    # -PU: UDP ping on the given port; -sn: host discovery only, no port scan
ACK scan:       nmap 1.1.1.1-254 -PA80 -sn    # -PA: TCP ACK ping
Address list:   nmap -iL iplist.txt -PA80 -sn
-PE/PP/PM/PO... (the other ping types: ICMP echo, timestamp, netmask, IP protocol)
Hping3 (TCP ping by default)
UDP probe
root@kali:~# hping3 --udp 192.168.1.1 -c 1
HPING 192.168.1.1 (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.1 name=DD-WRT   status=0 port=1788 seq=0

--- 192.168.1.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 68.2/68.2/68.2 ms
UDP hping script
for addr in $(seq 1 254); do hping3 --udp 1.1.1.$addr -c 1 >> r.txt; done
grep Unreachable r.txt | cut -d " " -f 5 | cut -d "=" -f 2
Newbie diary, to be continued...

TCP probe
root@kali:~# hping3 196.168.1.1 -c 1
HPING 196.168.1.1 (eth0 196.168.1.1): NO FLAGS are set, 40 headers + 0 data bytes

--- 196.168.1.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms