Zombie (idle) scan:
- The preconditions are strict. First, the scanner must be able to spoof its source IP address (packets with a forged source must not be dropped by egress filtering on the way out);
- Second, the zombie must generate essentially no network traffic of its own while the scan runs;
- Third, the zombie must use a single, globally incrementing IP ID (IPID) counter, e.g. an idle Windows XP or older Windows host;
1. How a zombie scan works
[Figure: Port is Open]
[Figure: Port is Closed]
The zombie scan, step by step:
1. The scanner sends a SYN/ACK to the zombie; the zombie answers with a RST. Record the IPID of that RST as x;
2. The scanner sends a SYN to the target port, with the source address forged to be the zombie's;
3. If the target port is open, the target replies to the zombie with a SYN/ACK;
3.1 The zombie never sent that SYN, so it answers the unexpected SYN/ACK with a RST; the zombie's IPID is now x+1;
3.2 The scanner sends the zombie another SYN/ACK; the RST it gets back carries IPID x+2;
4. If the target port is closed, the target replies to the zombie with a RST; an unsolicited RST is silently dropped, so the zombie sends nothing and its IPID does not move;
4.1 When the scanner sends the zombie another SYN/ACK, the RST it gets back carries IPID x+1;
5. The difference between the IPIDs of the two RSTs the scanner received gives the port state: +2 means open, +1 means closed. A filtered port (probe dropped by a firewall) also leaves the zombie's IPID untouched, so closed and filtered are indistinguishable (Nmap reports them as closed|filtered), and any other difference means the zombie was not idle and the probe must be repeated;
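To make the bookkeeping concrete, here is an added example (my code, not from the original post): an offline model of the three hosts above in which the zombie, target and scanner are plain Python objects exchanging packet records, so it runs without scapy, root or a network. It goes a little beyond the steps above: it also shows what the scanner sees for a filtered port, for a zombie that is not idle, and when the 16-bit IPID counter wraps around. The class names, the Network "tick" and the noise parameter are this example's own constructions; the IP addresses are the lab's.

```python
from collections import namedtuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"
IPID_MOD = 65536                      # the IP ID field is 16 bits wide
# flags: "S" (SYN), "SA" (SYN/ACK) or "R" (RST); ipid is set by the host that emits the packet
Packet = namedtuple("Packet", "src dst dport flags ipid", defaults=(0,))

class Network:
    """Toy switch: hands a packet to the host owning its destination IP, drops it otherwise."""
    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host

    def deliver(self, pkt):
        if pkt.dst in self.hosts:
            self.hosts[pkt.dst].receive(pkt, self)

    def tick(self):                   # time passes: hosts with traffic of their own send it
        for host in self.hosts.values():
            getattr(host, "background_traffic", lambda net: None)(self)

class Target:
    """Real TCP stack behaviour: SYN/ACK for open, RST for closed, silence for filtered."""
    def __init__(self, ip, ports):    # ports: {port: OPEN | CLOSED | FILTERED}
        self.ip, self.ports = ip, ports

    def receive(self, pkt, net):
        if pkt.flags != "S":
            return                    # RSTs and stray SYN/ACKs are ignored
        state = self.ports.get(pkt.dport, CLOSED)
        if state == OPEN:
            net.deliver(Packet(self.ip, pkt.src, pkt.dport, "SA"))
        elif state == CLOSED:
            net.deliver(Packet(self.ip, pkt.src, pkt.dport, "R"))
        # FILTERED: the probe is dropped and nothing comes back

class Zombie:
    """Idle host with one global IPID counter: every packet it emits bumps it by 1."""
    def __init__(self, ip, ipid=1000, noise=0):
        self.ip, self.ipid, self.noise = ip, ipid, noise   # noise: own packets per tick

    def emit(self, dst, dport, flags, net):
        self.ipid = (self.ipid + 1) % IPID_MOD
        net.deliver(Packet(self.ip, dst, dport, flags, ipid=self.ipid))

    def receive(self, pkt, net):
        if pkt.flags == "SA":         # unsolicited SYN/ACK -> RST, which consumes an IPID
            self.emit(pkt.src, pkt.dport, "R", net)
        # an incoming RST is dropped silently: no reply, no IPID increment

    def background_traffic(self, net):
        for _ in range(self.noise):   # a busy zombie burns IPIDs on unrelated traffic
            self.emit("0.0.0.0", 0, "S", net)

class Scanner:
    def __init__(self, ip, net):
        self.ip, self.net, self.last_rst_ipid = ip, net, None
        net.attach(self)

    def receive(self, pkt, net):
        if pkt.flags == "R":
            self.last_rst_ipid = pkt.ipid

    def probe_zombie(self, zombie_ip):     # steps 1, 3.2 and 4.1: SYN/ACK in, RST's IPID out
        self.last_rst_ipid = None
        self.net.deliver(Packet(self.ip, zombie_ip, 445, "SA"))
        return self.last_rst_ipid

    def idle_scan_port(self, zombie_ip, target_ip, port):
        x = self.probe_zombie(zombie_ip)
        self.net.deliver(Packet(zombie_ip, target_ip, port, "S"))   # step 2: spoofed SYN
        self.net.tick()                                             # the zombie may talk meanwhile
        y = self.probe_zombie(zombie_ip)
        return classify((y - x) % IPID_MOD)

def classify(delta):
    """Port state from the IPID difference between the two RSTs the scanner received."""
    if delta == 2:
        return OPEN
    if delta == 1:
        return "closed|filtered"      # both cases look identical to the scanner
    return "unknown (zombie not idle, IPID moved by %d)" % delta

def run_demo():
    net = Network()
    target = Target("192.168.37.128", {25: OPEN, 33445: CLOSED, 8080: FILTERED})
    zombie = Zombie("192.168.37.130", ipid=2248)   # its first RST carries 2249, as in the lab
    net.attach(target)
    net.attach(zombie)
    scanner = Scanner("192.168.37.131", net)
    res = {p: scanner.idle_scan_port(zombie.ip, target.ip, p) for p in (25, 33445, 8080)}
    zombie.noise = 3                               # the zombie stops being idle
    res["25/busy zombie"] = scanner.idle_scan_port(zombie.ip, target.ip, 25)
    zombie.noise, zombie.ipid = 0, 65534           # counter about to wrap around
    res["25/wraparound"] = scanner.idle_scan_port(zombie.ip, target.ip, 25)
    return res
```

run_demo() returns one result per case: port 25 reads "open", the closed and the filtered port both read "closed|filtered", the scan with the chatty zombie comes back "unknown" because the IPID moved by 5 instead of 2, and the wraparound case still reads "open" because the difference is taken modulo 65536. The point of the model is the last two rows: a real scanner must treat any difference other than 1 or 2 as a failed probe, and must never compare raw IPID values without the modulo.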
2. Zombie scan with scapy
(1) Interactive scapy session
Lab environment:
kali (attacker): 192.168.37.131
Windows 2008 (target): 192.168.37.128
Windows XP (zombie): 192.168.37.130
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> t=TCP()
>>> rz=(i/t)
>>> rt=(i/t)
>>> rz[IP].dst="192.168.37.130"
>>> rz[TCP].dport=445
>>> rz[TCP].flags="SA"
>>> rt[IP].src="192.168.37.130"
>>> rt[IP].dst="192.168.37.128"
>>> rt[TCP].dport=25
>>> rt[TCP].flags="S"
>>> az1=sr1(rz) #first SYN/ACK to the zombie: check that it answers and record its IPID
Begin emission:
.*Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
>>> zt=sr1(rt,timeout=1) #SYN to the target with the zombie's source IP; the reply goes to the zombie, not to us, so on a real network this just waits out the timeout and send() would do. The one answer matched here is almost certainly the target's SYN/ACK to the zombie, visible only because the lab VMs share a virtual switch that scapy sniffs promiscuously
Begin emission:
..Finished to send 1 packets.
..*
Received 5 packets, got 1 answers, remaining 0 packets
>>> az2=sr1(rz) #second SYN/ACK to the zombie: an IPID difference of 2 between az1 and az2 means the port is open
Begin emission:
.Finished to send 1 packets.
...*
Received 5 packets, got 1 answers, remaining 0 packets
>>> az1
<IP version=4L ihl=5L tos=0x0 len=40 id=2249 flags= frag=0L ttl=128 proto=tcp chksum=0x65b1 src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
>>> az2
<IP version=4L ihl=5L tos=0x0 len=40 id=2251 flags= frag=0L ttl=128 proto=tcp chksum=0x65af src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
>>> rt[TCP].dport=33445 #now a port that is not open on the target
>>> az1=sr1(rz)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> zt=sr1(rt,timeout=1)
Begin emission:
..Finished to send 1 packets.
*
Received 3 packets, got 1 answers, remaining 0 packets
>>> az2=sr1(rz)
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> az1 #IPIDs differ by 1: the zombie sent nothing in between, so the port is closed (or filtered)
<IP version=4L ihl=5L tos=0x0 len=40 id=2252 flags= frag=0L ttl=128 proto=tcp chksum=0x65ae src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
>>> az2
<IP version=4L ihl=5L tos=0x0 len=40 id=2253 flags= frag=0L ttl=128 proto=tcp chksum=0x65ad src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
(2) The same scan as a Python script
Lab environment:
kali (attacker): 192.168.37.131
Windows 2008 (target): 192.168.37.128
Windows XP (zombie): 192.168.37.130
Script: zombie.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: 橘子女侠
# Time: 2019/04/14
# Check whether a host is a usable zombie, then idle-scan the target's ports through it.
# Run as root: scapy needs raw sockets. Works under Python 2 and 3.
from scapy.all import IP, TCP, sr1, send, conf
import sys
import time

try:
    input = raw_input          # Python 2 compatibility
except NameError:
    pass

conf.verb = 0                  # silence scapy's per-packet chatter
PROBE_PORT = 445               # any port will do: an unsolicited SYN/ACK draws a RST whether it is open or closed


def zombie_ipid(zombie_ip, timeout=2):
    """Send one SYN/ACK to the zombie and return the IPID of its RST, or None on timeout."""
    rst = sr1(IP(dst=zombie_ip) / TCP(flags="SA", dport=PROBE_PORT), timeout=timeout)
    return None if rst is None else rst[IP].id


def ipid_delta(before, after):
    """Difference of two 16-bit IPIDs, correct even when the counter wraps at 65535."""
    return (after - before) % 65536


def IsZombie(zombie_ip):
    """A good zombie answers both probes and its IPID moves by exactly 1 between them."""
    a1 = zombie_ipid(zombie_ip)
    time.sleep(2)              # give the zombie time to show whether it has traffic of its own
    a2 = zombie_ipid(zombie_ip)
    if a1 is None or a2 is None:
        print("no RST from the zombie (down, filtered, or not answering SYN/ACK)")
        return False
    if ipid_delta(a1, a2) == 1:
        print("this is a good zombie!")
        return True
    print("this is not a good zombie! (IPID went %d -> %d)" % (a1, a2))
    return False


def scan(zombie_ip, target_ip, ports=range(1, 1000)):
    print("\nScanning target:" + target_ip + " with zombie:" + zombie_ip)
    print("\n------------------Open Ports on Target---------------\n")
    open_ports = []
    for port in ports:
        start_val = zombie_ipid(zombie_ip)                                    # 1st SYN/ACK to the zombie: IPID x
        send(IP(dst=target_ip, src=zombie_ip) / TCP(flags="S", dport=port))   # SYN to the target with the zombie's source IP
        end_val = zombie_ipid(zombie_ip)                                      # 2nd SYN/ACK to the zombie
        if start_val is None or end_val is None:
            print("port %d: no RST from the zombie, skipped" % port)
            continue
        delta = ipid_delta(start_val, end_val)
        if delta == 2:                 # the zombie RST'd the target's SYN/ACK in between: open
            print(port)
            open_ports.append(port)
        elif delta != 1:               # neither 1 nor 2: the zombie was not idle, result unreliable
            print("port %d: IPID jumped by %d, zombie busy, retry" % (port, delta))
    return open_ports


print("------------------Zombie Scan Suite-------------------\n")
ip = input("the zombie's ip:")
if not IsZombie(ip):
    sys.exit(1)
if input("do you want to use this zombie?(y/n)") != "y":
    sys.exit()
scan(ip, input("please input the target's ip:"))
Result:
root@root:~# python zombie.py
------------------Zombie Scan Suite-------------------

the zombie's ip:192.168.37.130
this is a good zombie!
do you want to use this zombie?(y/n)y
please input the target's ip:192.168.37.128
Scanning target:192.168.37.128 with zombie:192.168.37.130

------------------Open Ports on Target---------------

25
53
80
88
110
135
139
143
389
445
464
465
593
636
995
3. Zombie scan with Nmap
root@root:~# nmap -p445 192.168.37.130 --script=ipidseq.nse #NSE script: is this host a usable zombie?
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:35 CST
Nmap scan report for bogon (192.168.37.130)
Host is up (0.00060s latency).

PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:0C:29:B6:06:CC (VMware)

Host script results:
|_ipidseq: Incremental! #the IPID counter is incremental: a usable zombie

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
root@root:~# nmap 192.168.37.128 -sI 192.168.37.130 -Pn -p 1-150 #idle scan of ports 1-150 through the zombie; -Pn skips the host-discovery ping, which would otherwise come from our real IP
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:41 CST
Idle scan using zombie 192.168.37.130 (192.168.37.130:80); Class: Incremental
Nmap scan report for bogon (192.168.37.128)
Host is up (0.050s latency).
Not shown: 142 closed|filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds
root@root:~# nmap 192.168.37.128 -p 1-150 #direct scan of the same range from our own IP, for comparison
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:42 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00071s latency).
Not shown: 142 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
root@root:~# nmap 192.168.37.128 -sI 192.168.37.130 #idle scan of the default 1000 most common ports
WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:42 CST
Idle scan using zombie 192.168.37.130 (192.168.37.130:443); Class: Incremental
Nmap scan report for bogon (192.168.37.128)
Host is up (0.051s latency).
Not shown: 973 closed|filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
465/tcp open smtps
593/tcp open http-rpc-epmap
636/tcp open ldapssl
993/tcp open imaps
995/tcp open pop3s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3306/tcp open mysql
6000/tcp open X11
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49167/tcp open unknown
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 26.33 seconds
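The ipidseq check at the top of this section is what decides whether a host is worth using as a zombie. As an added example (my code, not part of the original post and not Nmap's own implementation), here is a simplified version of that decision applied to a list of IPIDs sampled from consecutive RST replies. The class names are the ones Nmap prints; the thresholds MAX_STEP and RPI_MAX, and the 10.0.0.x hosts and their sample values, are this example's own assumptions. Only the 192.168.37.130 row reflects values seen in the scapy session above.

```python
IPID_MOD = 65536       # the IP ID field is 16 bits wide
MAX_STEP = 10          # assumed threshold: steps of 1..10 per probe still count as "incremental"
RPI_MAX = 5000         # assumed threshold: positive steps up to this are "random positive increments"


def ipid_diffs(ids):
    """Successive differences modulo 2^16, so a counter wrapping at 65535 still reads as +1."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids):
    """Label a sampled IPID sequence with the class names Nmap's ipidseq script prints."""
    if len(ids) < 3:
        raise ValueError("need at least three samples to judge a sequence")
    if all(i == 0 for i in ids):
        return "All zeros"                               # IPID always 0: useless as a zombie
    d = ipid_diffs(ids)
    if all(x == 0 for x in d):
        return "Constant"                                # same non-zero IPID every time: useless
    if all(1 <= x <= MAX_STEP for x in d):
        return "Incremental!"                            # the class an idle scan needs
    if all(x % 256 == 0 and 1 <= x // 256 <= MAX_STEP for x in d):
        return "Broken little-endian incremental!"       # counter sent byte-swapped: +1 shows as +256
    if any(x > RPI_MAX for x in d):
        return "Randomized"                              # jumps too large for any counter
    if all(x >= 1 for x in d):
        return "Random positive increments"
    return "Busy server or unknown class"                # mixture of zero and positive steps


def usable_zombies(samples):
    """From {host: [ipid, ...]} return the hosts whose counter is plainly incremental."""
    return sorted(h for h, ids in samples.items() if classify_ipid_sequence(ids) == "Incremental!")


# Constructed samples, five RST IPIDs per candidate. Only the first row comes from the
# scapy session in section 2; the 10.0.0.x hosts and their values are invented for the example.
SAMPLES = {
    "192.168.37.130": [2249, 2250, 2251, 2252, 2253],             # the lab's idle XP zombie
    "10.0.0.5":       [0, 0, 0, 0, 0],                            # stack that never sets the IPID
    "10.0.0.6":       [0x0108, 0x0208, 0x0308, 0x0408, 0x0508],   # byte-swapped counter
    "10.0.0.7":       [30217, 5123, 61002, 1800, 40999],          # per-packet randomised IPID
    "10.0.0.8":       [100, 350, 900, 1230, 1600],                # global counter on a busy host
    "10.0.0.9":       [2249, 2249, 2251, 2252, 2252],             # duplicate IDs: retransmissions
    "10.0.0.10":      [65534, 65535, 0, 1, 2],                    # incremental across the wrap
}

if __name__ == "__main__":
    for host, ids in SAMPLES.items():
        print("%-16s %s" % (host, classify_ipid_sequence(ids)))
    print("usable zombies:", usable_zombies(SAMPLES))
```

Two things this makes explicit that the Nmap output above does not: the comparison has to be done modulo 2^16 or a perfectly idle host whose counter happens to wrap during the test will be rejected, and "Random positive increments" is what a host with a global counter looks like when it is busy, which is why a candidate that was Incremental! at one moment should be re-checked right before the scan, as the zombie.py script does with its two probes two seconds apart.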