forked from dockercore/kali
-
Notifications
You must be signed in to change notification settings - Fork 0
/
课时29 端口扫描~1.txt
executable file
·321 lines (263 loc) · 11.5 KB
/
课时29 端口扫描~1.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
课时29 端口扫描
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃隐蔽端口扫描 ┃
┃Syn-----syn/ack-----rst ┃
┃Scapy ┃
┃ sr1(IP(dst="192.168.60.3")/TCP(dport=80),timeout=1,verbose=1) ┃
┃ ./syn_scan.py ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> a=sr1(IP(dst="192.168.1.134")/TCP(dport=80),timeout=1,verbose=1)
>>>a.display
>>> a=sr1(IP(dst="192.168.1.134")/TCP(flags="S"dport=22),timeout=1)
>>> a=sr1(IP(dst="192.168.1.134")/TCP(flags="S"dport=2222),timeout=1)
╭────────────────────────────────────────────╮
[syn_scan.py]
#!/usr/bin/python
import loggging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys
if len(sys.argv)!=4;
print "Usage - ./syn_scan.py [Target.IP] [First Port] [Las Port]"
print "Example - ./syn_scan.py 1.1.1.5 1 100"
print "Example will TCP SYN port 1 thorough 100 om 10.0.0.5"
sys.exit()
ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3]
for port in range(start,end);
a=str(IP(dst=ip)/UDP(dport=prot),timeout=1,verbose=0)
if a==None;
pass
else;
if(int(a(TCP),flags)==18;
print port
else
pass
╰────────────────────────────────────────────╯
root@kali:~# chmod u+x syn_scan.py
root@kali:~# ./syn_scan.py 192.168.1.134 1 100
root@kali:~# ./syn_scan.py 192.168.1.134 100 200
root@kali:~# ./syn_scan.py 192.168.1.134 440 450
╋━━━━━━━━━━━━━━━━━━━╋
┃隐蔽端口扫描 ┃
┃nmap -sS 1.1.1.1 -p 80,21,25,110,443 ┃
┃nmap -sS 1.1.1.1 -p 1-65535 --open ┃
┃nmap -sS 1.1.1.1 -p- --open ┃
┃nmap -sS -iL iplist.txt -p 80 ┃
╋━━━━━━━━━━━━━━━━━━━╋
root@kali:~# nmap 192.168.1.134 -p1-100
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-10-01 23:01 CST
Nmap scan report for 192.168.1.134
Host is up (0.00068s latency).
Not shown: 94 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtb
53/tcp open domain
80/tcp open http
MAC Address: 80:00:27:B0:3A:76(Cadmus Computer Systems)
Nmap done: 1 IP address(1 host up) scanned in 5.72 seconds
root@kali:~# nmap 192.168.1.134 -p1-100 --open
╋━━━━━━━━━━━━━━━━━━━━━━━━╋
┃隐蔽端口扫描 ┃
┃hping3 ┃
┃hping3 1.1.1.1 --scan 80 -S ┃
┃hping3 1.1.1.1 --scan 80,21,25,443 -S ┃
┃hping3 1.1.1.1 --scan 0-65535 ┃
┃hping3 -c 10 -S --spoof 1.1.1.2 -p ++1 1.1.1.3 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━╋
root@kali:~# hping3 192.168.1.134 --scan 1-100 -S
Scanning 192.168.1.134 (192.168.1.134), port 1-100
100 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
21 ftp : .S..A... 64 0 5840 46
22 ssh : .S..A... 64 0 5840 46
23 telnet : .S..A... 64 0 5840 46
25 smtp : .S..A... 64 0 5840 46
53 domain : .S..A... 64 0 5840 46
80 http : .S..A... 64 0 5840 46
All replies received Done.
Not responding ports:
root@kali:~# hping3 -c 10 -S --spoof 1.1.1.2 -p ++1 1.1.1.3
HPING 1.1.1.3 (eth0 1.1.1.3): S set, 40 headers + 0 data bytes
--- 1.1.1.3 hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@kali:~# hping3 -c 10 -S --spoof 192.168.1.140 -p ++1 192.168.1.134
HPING 192.168.1.134 (eth0 192.168.1.134): S set, 40 headers + 0 data bytes
--- 192.168.1.134 hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@kali:~# hping3 -c 100 -S --spoof 192.168.1.140 -p ++1 192.168.1.134
HPING 192.168.1.134 (eth0 192.168.1.134): S set, 40 headers + 0 data bytes
--- 192.168.1.134 hping statistic ---
100 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃全连接端口扫描 ┃
┃Scapy ┃
┃ Syn扫描不需要raw packets ┃
┃ 内核认为syn/ack是非法包,直接发rst终端连接 ┃
┃ 全连接扫描对scapy比较困难 ┃
┃sr1(IP(dst="192.168.20.2")/TCP(dport=22,flags='S')) ┃
┃./tcp_scan1.py ┃
┃./tcp_scan2.py ┃
┃iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.20.2 -j DROP ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
╭────────────────────────────────────────────╮
[tcp_scan1.py]
#!/usr/bin/python
import loggging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
response=sr1(IP(dst="192.168.60.4")/TCP(dport=80,flags='S'))
reply=sr1(IP(dst="192.168.60.4")/TCP(dport=80,flags='A',ack(response[TCP].seq+1)))
╰────────────────────────────────────────────╯
直接按F5运行代码!
╭────────────────────────────────────────────╮
[tcp_scan2.py]
#!/usr/bin/python
import loggging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
SYN=IP(dst="192.168.1.134")/TCP(dport=25,flags='S')
print"-- SENT --"
SYN.display()
print"\n\n-- RECEIVED --"
response=sr1(SYN,timeout=1,verbose=0)
response.display()
if int(response[TCP].flags)==18;
print"\n\n-- SENT --"
A=IP(dst="192.168.1.134")/TCP(dport=25flags='A',ack(response[TCP].seq+1))
A.display()
print"\n\n-- RECEIVED --"
response2=sr1(A,timeout=1,verbose=0)
response2.display()
else;
print"SYN-ACK not returned"
╰────────────────────────────────────────────╯
root@kali:~# iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.20.2 -j DROP
root@kali:~# iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.1.134 -j DROP
oot@kali:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
╋━━━━━━━━━━━━━━━━╋
┃全连接端口扫描 ┃
┃nmap -sT 1.1.1.1 -p 80 ┃
┃nmap -sT 1.1.1.1 -p 80,21,25 ┃
┃nmap -sT 1.1.1.1 -p 80-2000 ┃
┃nmap -sT -iL iplist.txt -p 80 ┃
┃默认1000个常用端口 ┃
╋━━━━━━━━━━━━━━━━╋
root@kali:~# nmap -sT 192.168.1.134 1-100
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-10-02 13:56 CSTn
Nmap scan report for localhost(192.168.1.134)
Host is up (0.0020s latency).
Not shown 94 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtb
53/tcp open domain
80/tcp open http
MAC Address: 80:00:27:B0:3A:76(Cadmus Computer Systems)
Nmap done: 1 IP address(1 host up) scanned in 5.72 seconds
╋━━━━━━━━━━━━━━━━━╋
┃全连接端口扫描 ┃
┃dmitry ┃
┃ 功能简单,但使用简便 ┃
┃ 默认150个最常用的端口 ┃
┃dmitry -p 172.16.36.135 ┃
┃dmitry -p 172.16.36.135 -o output ┃
╋━━━━━━━━━━━━━━━━━╋
root@kali:~# dmitry -p 192.168.1.134
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 192.168.1.134
Continuing with limited modules
HostIP:192.168.1.134
HostName:
Gathered TCP Port information for 192.168.1.134
---------------------------------
Port State
21/tcp open
22/tcp open
23/tcp open
25/tcp open
53/tcp open
80/tcp open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
All scans completed, exiting
root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"
dmitry: invalid option -- 'h'
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃全连接端口扫描 ┃
┃nc -nv -w 1 -z 192.168.60.4 1-100 ┃
┃for x in $(seq 20 30);do nc -nv -w 1 -z 1.1.1.1 $x;done | grep open ┃
┃for x in $(seq 20 30);do nc -nv -w 1 -z 1.1.1.$x;done ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
root@kali:~# nc -h
[v1.10-41]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
root@kali:~# nc -nv -w 1 -z 192.168.1.134 1-100
(UNKNOWN) [192.168.1.134] 80 (http) open
(UNKNOWN) [192.168.1.134] 53 (domain) open
(UNKNOWN) [192.168.1.134] 25 (smtp) open
(UNKNOWN) [192.168.1.134] 23 (telnet) open
(UNKNOWN) [192.168.1.134] 22 (ssh) open
(UNKNOWN) [192.168.1.134] 21 (ftp) open