当前位置: 代码迷 >> 综合 >> Kali Linux 渗透测试之主动信息收集(一)——二层发现(arping/shell脚本、nmap、netdiscover、scapy)
  详细解决方案

Kali Linux 渗透测试之主动信息收集(一)——二层发现(arping/shell脚本、nmap、netdiscover、scapy)

热度:26   发布时间:2023-12-25 06:58:26.0

1. 主动信息收集

(1)主动信息收集的特点

  •   直接与目标系统交互通信;
  •   无法避免留下访问的痕迹;

(2)解决方法

  •   用受控的第三方电脑进行探测,例如使用代理或已经被控制的主机;
  •   做好被封杀的准备;
  •   使用噪声迷惑目标,淹没真实的探测流量;

(3)发现(IP层面)

  •  识别活着的主机,即潜在的被攻击目标(存活的主机,会有一些开放的端口,端口对应服务,可以针对服务寻找存在漏洞等——扩大目标系统的攻击面);
  •  将结果输出一个IP地址列表;
  •  以下发现主要针对的是2、 3 、4层发现;

2. 发现——二层发现

原理:使用ARP协议,在网段内进行广播,查看是否有回包,如果有,证明该主机存活;

优点:扫描速度快、可靠;

缺点:不可路由,只能发现同一网段内的主机;

(1)arping

1.1> arping 单个的IP地址

root@root:~# arping 192.168.37.130        #会一直ping下去,Ctrl+C暂停
ARPING 192.168.37.130 from 192.168.37.131 eth0
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  2.265ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.578ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.645ms
^CSent 3 probes (1 broadcast(s))
Received 3 response(s)
root@root:~# arping 192.168.37.130 -c 2   #指定发包的数量
ARPING 192.168.37.130 from 192.168.37.131 eth0
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.534ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC]  1.376ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)
root@root:~# arping 192.168.37.130 -c 1 |grep "reply from" |awk '{print $4}'
192.168.37.130#只过滤出IP地址

1.2> arping命令无法一次性实现多个ip的扫描,但可以配合shell脚本实现整个局域网的扫描

脚本1:arping.sh     #扫描整个网段

#!/bin/bash
#该脚本用于扫描整个局域网内存活的主机  ETH=$(ifconfig | head -1 |awk -F":" '{print $1 }')
PREFIX=$(ifconfig $ETH | grep 'netmask' |awk '{print $2}'|cut -d '.' -f 1-3)
for addr in $(seq 1 254)
doarping -c 1 $PREFIX.$addr | grep "reply from"|cut -d" " -f 4
done

结果如下:并使用Wireshark抓包查看

root@root:~# sh arping.sh 
192.168.37.1
192.168.37.2
192.168.37.130
192.168.37.254

脚本2:arping2.sh      #针对文件中的IP列表,进行扫描

#!/bin/bash
#该脚本主要用户实现扫描文件中的IP地址列表
FILE=$1
for addr in $(cat  $FILE)
doarping -c 1 $addr | grep  "reply from" | cut -d" " -f 4
done

结果如下:并使用Wireshark抓包查看

root@root:~# cat IP.txt 
192.168.37.2
192.168.37.8
192.168.37.130
192.168.37.133
192.168.37.180
192.168.37.190
root@root:~# sh arping2.sh IP.txt 
192.168.37.2
192.168.37.130

(2)Nmap(很强大)

nmap相比arping,可以扫描整个网段,而且扫描速度快,内容多;

  • nmap -sn 192.168.37.130         # -sn: Ping Scan  - disable port scan,只进行主机发现,不进行端口扫描
  • nmap -sn 192.168.37.0/24        #可以扫描整个网段;
root@root:~# nmap -sn 192.168.37.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.130
Host is up (0.00045s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
root@root:~# nmap -sn 192.168.37.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.37.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00037s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap scan report for 192.168.37.254
Host is up (0.00030s latency).
MAC Address: 00:50:56:E2:44:F8 (VMware)
Nmap scan report for 192.168.37.131
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds
  •  nmap -iL IP.txt -sn           #扫描指定的IP列表
root@root:~# cat IP.txt 
192.168.37.2
192.168.37.8
192.168.37.130
192.168.37.133
192.168.37.180
192.168.37.190
root@root:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 20:06 CST
Nmap scan report for 192.168.37.2
Host is up (0.000064s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap done: 6 IP addresses (2 hosts up) scanned in 0.31 seconds

 (3)Netdiscover

  • 专用于二层发现;
  • 可用于无线和交换网络环境;
  • 主动和被动探测;

3.1> 主动发现

  • netdiscover -i eth0 -r 192.168.37.0/24       #netdiscover  -i  指定网卡  -r   网段
  • netdiscover -l IP.txt                                    #netdiscover -l 指定IP列表
root@root:~# netdiscover -i eth0 -r 192.168.37.0/24Currently scanning: Finished!   |   Screen View: Unique Hosts                 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240               _____________________________________________________________________________IP            At MAC Address     Count     Len  MAC Vendor / Hostname      -----------------------------------------------------------------------------192.168.37.1    00:50:56:c0:00:08      1      60  VMware, Inc.                192.168.37.2    00:50:56:e8:e0:56      1      60  VMware, Inc.                192.168.37.130  00:0c:29:b6:06:cc      1      60  VMware, Inc.                192.168.37.254  00:50:56:e2:44:f8      1      60  VMware, Inc.  
root@root:~# netdiscover -l IP.txt Currently scanning: Finished!   |   Screen View: Unique Hosts                 24 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1440             _____________________________________________________________________________IP            At MAC Address     Count     Len  MAC Vendor / Hostname      -----------------------------------------------------------------------------192.168.37.1    00:50:56:c0:00:08      6     360  VMware, Inc.                192.168.37.2    00:50:56:e8:e0:56      6     360  VMware, Inc.                192.168.37.130  00:0c:29:b6:06:cc      6     360  VMware, Inc.                192.168.37.254  00:50:56:e2:44:f8      6     360  VMware, Inc.  

3.2> 被动发现

主动ARP容易触发报警,所以也可以采用被动发现的方式发现网络中存活的主机;

  • netdiscover -p
root@root:~# netdiscover -p Currently scanning: (passive)   |   Screen View: Unique Hosts           3 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 180         _____________________________________________________________________________IP            At MAC Address     Count     Len  MAC Vendor / Hostname      -----------------------------------------------------------------------------192.168.37.1    00:50:56:c0:00:08      1      60  VMware, Inc.          192.168.37.130  00:0c:29:b6:06:cc      2     120  VMware, Inc.  

(4)scapy

  • 作为python库进行调用;
  • 也可作为单独的工具使用;
  • 抓包,分析,创建,修改,注入网络流量;
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ARP().display()           #显示ARP包中的信息
###[ ARP ]### hwtype= 0x1ptype= 0x800hwlen= 6plen= 4op= who-hashwsrc= 00:0c:29:3e:df:60psrc= 192.168.37.131hwdst= 00:00:00:00:00:00pdst= 0.0.0.0>>> arp=ARP()
>>> arp.display()
###[ ARP ]### hwtype= 0x1ptype= 0x800hwlen= 6plen= 4op= who-hashwsrc= 00:0c:29:3e:df:60psrc= 192.168.37.131hwdst= 00:00:00:00:00:00pdst= 0.0.0.0>>> arp.pdst="192.168.37.130"        
>>> arp.display()
###[ ARP ]### hwtype= 0x1ptype= 0x800hwlen= 6plen= 4op= who-hashwsrc= 00:0c:29:3e:df:60psrc= 192.168.37.131hwdst= 00:00:00:00:00:00pdst= 192.168.37.130>>> sr1(arp)           #发包
Begin emission:
*Finished to send 1 packets.Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:b6:06:cc psrc=192.168.37.130 hwdst=00:0c:29:3e:df:60 pdst=192.168.37.131 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()   #接收包,其中padding为部位,当包的大小小于最小包长时,就会采用16进制0补位
###[ ARP ]### hwtype= 0x1ptype= 0x800hwlen= 6plen= 4op= is-athwsrc= 00:0c:29:b6:06:ccpsrc= 192.168.37.130hwdst= 00:0c:29:3e:df:60pdst= 192.168.37.131
###[ Padding ]### load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'