-
Notifications
You must be signed in to change notification settings - Fork 23
/
课时28 主动信息收集-发现(五).txt
executable file
·354 lines (307 loc) · 14.7 KB
/
课时28 主动信息收集-发现(五).txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
课时28 主动信息收集-发现(五)
╋━━━━━━━━━━━━━━━╋
┃发现——四层发现 ┃
┃nmap 1.1.1.1-254 -PU53 -sn ┃
┃nmap 1.1.1.1-254 -PA80 –sn ┃
┃nmap -iL iplist.txt -PA80 -sn ┃
╋━━━━━━━━━━━━━━━╋
root@kali:~# nmap 221.144.145.1-50 -PU53 -sn
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-09-29 13:59 CST
Nmap done: 50 IP addresses (0 hosts up) scanned in 10.09 seconds
root@kali:~# nmap
Nmap 6.49BETA5 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
root@kali:~# nmap 221.144.145.1 -PO -sn
Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-09-29 14:10 CST
Nmap scan report for 221.144.145.1
Host is up (0.0073s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃发现——四层发现 ┃
┃ hping3 --udp 1.1.1.1 -c 1 ┃
┃ for addr in $(seq 1 254); do hping3-upd 1.1.1$addr -c 1 >>r.txt;done ┃
┃ grep Unreachable r.txt | cut -d " " -f 5 | cut -d "=" -f 2 ┃
┃ ./udp_hping.sh 1.1.1.0 ┃
┃ hping3 1.1.1.1 -c 1 (TCP) ┃
┃ Hping3 1.1.1.1 ┃
┃ ./TCP_hping.sh ┃
┃ Flag 0------ACK、RST ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
root@kali:~# hping3 --udp 1.1.1.1 -c 1
HPING 1.1.1.1 (eth0 1.1.1.1): udp mode set, 28 headers + 0 data bytes
--- 1.1.1.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@kali:~# hping3 --udp 221.144.154.1 -c 1
HPING 221.144.154.1 (eth0 221.144.154.1): udp mode set, 28 headers + 0 data bytes
--- 221.144.154.1 hping statistic ---
1 packets transmitted, 0 packets received,
root@kali:~# hping3 --udp 192.168.1.1 -c 1
HPING 192.168.1.1 (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
--- 192.168.1.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@kali:~# hping3 --udp 192.168.1.138 -c 1
HPING 192.168.1.138 (eth0 192.168.1.138): udp mode set, 28 headers + 0 data bytes
--- 192.168.1.138 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
╭────────────────────────────────────────────╮
[UDP_hping.sh]
#!/bin/bash
if("$#" -ne 1);then
echo "Usage - ./udp hping.sh [/24 netwkr address]
echo "Example - ./udp_hping.sh 172.16.36.0"
echo "Example will perform a UDP ping sweep of the 172.16.36.0/24 network and output to an output.txt file"
fi
prefix=$(echo $1 | cut -d '.' -f 1=3)
for adde in $(seq 1 245);do
hping3 sprefix.$addr --udp -c 1 >> r.txt;
done
grep Unreachable r.txt | cut -d " " -f 5 | cut -d "=" -f 2 >> output.txt
rm r.txt
╰────────────────────────────────────────────╯
root@kali:~# ./UDP_hping.sh 192.168.1.1
╭────────────────────────────────────────────╮
[TCP_hping.sh]
#!/bin/bash
if("$#" -ne 1);then
echo "Usage - ./udp hping.sh [/24 netwkr address]
echo "Example - ./udp_hping.sh 172.16.36.0"
echo "Example will perform a UDP ping sweep of the 172.16.36.0/24 network and output to an output.txt file"
fi
prefix=$(echo $1 | cut -d '.' -f 1=3)
for adde in $(seq 1 245);do
hping3 profix.$addr -c 1 >> r.txt;
done
grep len r.txt | cu -d " " -f 2 | cut -d "=" -f 2 >> output.txt
rm r.txt
╰────────────────────────────────────────────╯
root@kali:~# ./TCP_hping.sh 192.168.1.1
root@kali:~# ./TCP_hping.sh 211.144.145.1
╋━━━━━━━━━━━━━━━╋
┃端口扫描 ┃
┃端口对应网络服务及应用端程序 ┃
┃服务端程序的漏洞通过端口攻入 ┃
┃发现开放的端口 ┃
┃更具体的攻击面 ┃
╋━━━━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃端口扫描 ┃
┃UDP端口扫描 ┃
┃ 假设ICMP port-unreachable响应代表端口关闭 ┃
┃ 目标系统不响应ICMP port-unreachabl时,可能产生误判 ┃
┃ 完整的UPD应用层请求 ┃
┃ 准确性高 ┃
┃ 耗时巨大 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃端口扫描 ┃
┃Scapy UDP Scan ┃
┃ 端口关闭:ICMP port unreachable ┃
┃ 端口开放:没有回包 ┃
┃ 了解每一种基于UDP的应用层包括结构很有帮组 ┃
┃ 与三层相同的技术 ┃
┃ 误判 ┃
┃Scapy ┃
┃ sr1(IP(dst="1.1.1.1")/UDP(dport=53),timeout=1,verbose=1)┃
┃./udp_scan.py 1.1.1.1 100 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
╭────────────────────────────────────────────╮
[UDP_scan.py]
import logging
logging getLogger("scapy.runtime")setLeve(logging.ERROR)
from scapy all import *
import time
import sys
#!/bin/bash
if len(sys.argv)!=4
echo "Usage - ./udp_scan.py [Target-IP] [First Port] [Last Port]"
echo "Example - ./udp_scan 10.0.0.5 100"
echo "Example will UDP port scan ports 1 through 100 in 10.0.0.5" sys.exit()
ip=sys.argv[1]
start=int(sys.argv[2])
end=int(sys.argv[3])
for port in range(start,end);
a=str(IP(dst=ip)/UDP(dport=prot),timeout=5,verbose=0)
time.sleep(1)\
if a==None:
print port
else
pass
╰────────────────────────────────────────────╯
root@kali:~# chmod u+x udp_scan.py
root@kali:~# ./udp_scan.py 192.168.1.1 1 100
root@kali:~# ./udp_scan.py 192.168.1.138 1 100
root@kali:~# ./udp_scan.py 192.168.1.134 1 100
root@kali:~# ./udp_scan.py 192.168.1.134 101 200
╋━━━━━━━━━━━━━━━━╋
┃端口扫描 ┃
┃Nmap ┃
┃Nmap -sU 1.1.1.1 ┃
┃ 默认的1000个参数 ┃
┃ ICMP host-unreachable ┃
┃nmap 1.1.1.1 -sU -p53 ┃
┃nmap -iL iplist.txt -sU -p 1-200┃
╋━━━━━━━━━━━━━━━━╋
root@kali:~# nmap -sU 192.168.1.134
root@kali:~# nmap -sU 192.168.1.134 -p53
root@kali:~# nmap -sU 192.168.1.134 -p161
root@kali:~# nmap -sU 192.168.1.134 -p1030
root@kali:~# nmap -sU 192.168.1.134 -p65535
root@kali:~# nmap -sU 192.168.1.134 -p- //六万个端口被扫描了
╋━━━━━━━━━━━━━╋
┃端口扫描 ┃
┃TCP端口扫描 ┃
┃ 基于链接的协议 ┃
┃ 三次握手 ┃
┃ 隐蔽扫描 ┃
┃ 僵尸扫描 ┃
┃ 全链接扫描 ┃
┃ 所有的TCP扫描方式 ┃
┃ 都是基于三次握手的变化 ┃
┃ 来判断目标端口状态 ┃
╋━━━━━━━━━━━━━╋
1-SYN
-------------->
2-SYN,ACK
<--------------
3-SYN
-------------->
╋━━━━━━━━━━━━━━━━━╋
┃端口扫描 ┃
┃隐蔽扫描-----syn ┃
┃ 不建立完整链接 ┃
┃ 应用日志不记录扫描行为-----隐蔽 ┃
┃僵尸扫描 ┃
┃ 极度隐蔽 ┃
┃ 实施条件苛刻 ┃
┃ 可伪造源地址 ┃
┃ 选择僵尸机 ┃
┃ 闲置系统 ┃
┃ 系统使用递增的IPID ┃
┃ 0 ┃
┃ 随机 ┃
╋━━━━━━━━━━━━━━━━━╋
? ┃ ? ┃ ?
Scanner ┃ Scanner ╲ ┃ Scanner
┌─┐ │ ↑ ┌─┐ ┃ ↘ ┃ ┌─┐ │ ↑ ┌─┐
│1 │ │ │ │2 │RST┃ ┌─┐ ?? ┃ │1 │ │ │ │2 │RST
└─┘ ↓ │ └─┘ ┃ │2 │SYN/ACK ?? ┃ └─┘ ↓ │ └─┘
?? IPID=x+1 ┃ └─┘ ╱↗ ?? ┃ ?? IPID=x+2
?? ┃ ?? ↙╱ Tatget ┃ ??
?? ┃ ?? ┌─┐ ┃ ??
Zombie ┃ ?? │3 │RST ┃ Zombie
┃ └─┘IPID=x+1 ┃