
Kali Linux Penetration Testing, Port Scanning (2): Idle (Zombie) Scans (scapy / Python script, nmap)

Published: 2023-12-25 06:57:30

Idle (zombie) scan:

  • The conditions are fairly strict: first, the scanner must be able to spoof its source address;
  • second, the zombie host must generate little or no network traffic of its own;
  • last, the zombie's IP ID must be incremental (Windows XP and earlier) and the system must be idle.

1. How an idle scan works

[Diagrams omitted: "Port is Open" and "Port is Closed"]

The idle scan proceeds as follows:

1. The scanner sends a SYN/ACK packet to the zombie; the zombie replies with an RST packet, and the scanner records its IP ID as x.

2. The scanner sends a SYN packet to the target host, with the source address forged as the zombie's.

3. If the target port is open, the target sends a SYN/ACK packet to the zombie;

       3.1 the zombie, receiving a SYN/ACK it never asked for, sends an RST packet to the target, so the zombie's IP ID is now x+1;

       3.2 the scanner sends the zombie another SYN/ACK packet, the zombie replies with an RST packet, and its IP ID is now x+2.

4. If the target port is closed, the target sends an RST packet to the zombie, and the zombie sends nothing in response;

       4.1 when the scanner sends the zombie another SYN/ACK packet, the zombie replies with an RST packet whose IP ID is x+1.

5. From the IP IDs of the two RST packets the scanner receives from the zombie, it can tell whether the target's port is open.
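The IP ID arithmetic above, worked through as an added example that is not part of the original post: a pure-Python model of the zombie, the target and the scanner in which no packets are sent at all. The class and function names (Zombie, Target, probe_port, looks_idle, simulate_scan) and the background_packets parameter are assumptions made for this example. It also goes one step beyond the five steps above by modelling a zombie that is not idle, which is why the preconditions at the top of the post matter.

```python
# Added example (not code from the original post): a model of the three hosts
# in an idle scan. It shows why the zombie's IP ID delta is 2 for an open
# port and 1 for a closed port, and what happens when the zombie is busy.


class Zombie:
    """Idle host with a single, globally incrementing IP ID counter
    (the Windows XP behaviour the post relies on). Every packet it
    sends consumes one ID."""

    def __init__(self, start_id, background_packets=0):
        self.ip_id = start_id
        # Packets the zombie sends on its own between two probes.
        # Assumed parameter for this model: 0 means a truly idle host.
        self.background_packets = background_packets

    def _send(self):
        self.ip_id += 1
        return self.ip_id

    def on_syn_ack(self):
        """Unsolicited SYN/ACK: the zombie answers RST and so reveals its IP ID."""
        return self._send()

    def on_rst(self):
        """RST from the target (closed port): no reply, no ID consumed."""
        return None

    def idle_time(self):
        """The gap between two probes: a busy zombie keeps sending packets."""
        for _ in range(self.background_packets):
            self._send()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port, zombie):
        # The SYN carries the zombie's address, so the reply goes to the zombie.
        if port in self.open_ports:
            zombie.on_syn_ack()   # SYN/ACK to the zombie: it replies RST (ID consumed)
        else:
            zombie.on_rst()       # RST to the zombie: it stays silent


def looks_idle(zombie):
    """The zombie check from the post: two probes with nothing in between
    must come back with consecutive IP IDs."""
    first = zombie.on_syn_ack()
    zombie.idle_time()
    second = zombie.on_syn_ack()
    return second - first == 1


def probe_port(zombie, target, port):
    """Return the IP ID delta the scanner observes for one target port."""
    first = zombie.on_syn_ack()      # step 1: RST with id x
    target.on_syn(port, zombie)      # steps 2-4: spoofed SYN, target answers the zombie
    zombie.idle_time()               # any traffic the zombie generates meanwhile
    second = zombie.on_syn_ack()     # step 3.2 / 4.1: RST with id x+2 or x+1
    return second - first


def classify(delta):
    """Map an observed delta to the post's decision rule."""
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unknown"   # the zombie was not idle: the inference is unreliable


def simulate_scan(zombie, target, ports):
    return {p: classify(probe_port(zombie, target, p)) for p in ports}


if __name__ == "__main__":
    idle = Zombie(2249)                          # start id taken from the scapy session
    print("idle zombie:", simulate_scan(idle, Target([25, 445]), [25, 33445]))
    busy = Zombie(2249, background_packets=3)    # assumed busy host for comparison
    print("busy zombie:", simulate_scan(busy, Target([25, 445]), [25, 33445]))
```

With an idle zombie, port 25 comes back "open" (delta 2) and port 33445 "closed" (delta 1), the same rule the scapy session and the zombie.py script later in the post apply. Give the zombie three packets of background traffic between the probes and both ports come back "unknown": that is the case the time.sleep() in zombie.py and Nmap's ipidseq check are there to catch before a zombie is trusted.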

2. Idle scan with scapy

(1) scapy

Lab environment:

  Kali (attacker): 192.168.37.131

  Windows 2008 (target host): 192.168.37.128

  Windows XP (zombie): 192.168.37.130

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> t=TCP()
>>> rz=(i/t)
>>> rt=(i/t)
>>> rz[IP].dst="192.168.37.130"
>>> rz[TCP].dport=445
>>> rz[TCP].flags="SA"
>>> rt[IP].src="192.168.37.130"
>>> rt[IP].dst="192.168.37.128"
>>> rt[TCP].dport=25
>>> rt[TCP].flags="S"
>>> az1=sr1(rz)          # check whether this is a good zombie: send the first SYN/ACK (SA) packet
Begin emission:
.*Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
>>> zt=sr1(rt,timeout=1) # forge the source IP and send a SYN (S) packet to the target host
Begin emission:
..Finished to send 1 packets.
..*
Received 5 packets, got 1 answers, remaining 0 packets
>>> az2=sr1(rz)         # send another SA packet to the zombie and check whether the two IP IDs differ by 2
Begin emission:
.Finished to send 1 packets.
...*
Received 5 packets, got 1 answers, remaining 0 packets
>>> az1
<IP  version=4L ihl=5L tos=0x0 len=40 id=2249 flags= frag=0L ttl=128 proto=tcp chksum=0x65b1 src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> az2
<IP  version=4L ihl=5L tos=0x0 len=40 id=2251 flags= frag=0L ttl=128 proto=tcp chksum=0x65af src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> rt[TCP].dport=33445      # verify the closed-port case
>>> az1=sr1(rz)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> zt=sr1(rt,timeout=1)
Begin emission:
..Finished to send 1 packets.
*
Received 3 packets, got 1 answers, remaining 0 packets
>>> az2=sr1(rz)
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> az1               # the IP IDs differ by 1
<IP  version=4L ihl=5L tos=0x0 len=40 id=2252 flags= frag=0L ttl=128 proto=tcp chksum=0x65ae src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> az2
<IP  version=4L ihl=5L tos=0x0 len=40 id=2253 flags= frag=0L ttl=128 proto=tcp chksum=0x65ad src=192.168.37.130 dst=192.168.37.131 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xe1b9 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>

(2) Implementing it as a Python script

Lab environment:

  Kali (attacker): 192.168.37.131

  Windows 2008 (target host): 192.168.37.128

  Windows XP (zombie): 192.168.37.130

Script: zombie.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: 橘子女侠
# Time: 2019/04/14
# This script checks whether a host is a usable zombie and then uses it to
# port-scan the target host.
from scapy.all import *
import time
import sys


def IsZombie(zombie_ip):  # check whether the host is a usable (idle, incremental IP ID) zombie
    a1 = sr1(IP(dst=zombie_ip)/TCP(flags="SA", dport=445), timeout=1, verbose=0)
    time.sleep(2)  # give the zombie time, so that a busy zombie shows up as a larger IP ID jump
    a2 = sr1(IP(dst=zombie_ip)/TCP(flags="SA", dport=445), timeout=1, verbose=0)
    if a1 is None or a2 is None:  # no RST came back: host down, filtered, or not answering
        print("no answer from the zombie!")
        sys.exit()
    if (a1[IP].id + 1) == a2[IP].id:  # compare the two IP ID values
        print("this is a good zombie!")
        action = raw_input("do you want to use this zombie?(y/n)")
        if action == "y":
            target_ip = raw_input("please input the target's ip:")  # target host IP
            scan(zombie_ip, target_ip)
        else:
            sys.exit()
    else:
        print("this is not a good zombie!")


def scan(zombie_ip, target_ip):
    print("\nScanning target:" + target_ip + " with zombie:" + zombie_ip)
    print("\n------------------Open Ports on Target---------------\n")
    for port in range(1, 1000):
        # first SYN/ACK to the zombie: records its current IP ID
        start_val = sr1(IP(dst=zombie_ip)/TCP(flags="SA", dport=port), timeout=2, verbose=0)
        # SYN to the target host with the source address forged as the zombie's
        send(IP(dst=target_ip, src=zombie_ip)/TCP(flags="S", dport=port), verbose=0)
        # second SYN/ACK to the zombie: reads the IP ID again
        end_val = sr1(IP(dst=zombie_ip)/TCP(flags="SA", dport=port), timeout=2, verbose=0)
        if start_val is None or end_val is None:  # a probe timed out; skip this port
            continue
        if (start_val[IP].id + 2) == end_val[IP].id:  # IP ID advanced by 2: the port is open
            print(port)


print("------------------Zombie Scan Suite-------------------\n")
ip = raw_input("the zombie's ip:")
IsZombie(ip)

The result:

root@root:~# python zombie.py 
------------------Zombie Scan Suite-------------------
the zombie's ip:192.168.37.130
this is a good zombie!
do you want to use this zombie?(y/n)y
please input the target's ip:192.168.37.128
Scanning target:192.168.37.128 with zombie:192.168.37.130
------------------Open Ports on Target---------------
25
53
80
88
110
135
139
143
389
445
464
465
593
636
995

3. Idle scan with Nmap

root@root:~# nmap -p445 192.168.37.130 --script=ipidseq.nse  # the script checks whether the host is a good zombie
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:35 CST
Nmap scan report for bogon (192.168.37.130)
Host is up (0.00060s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:0C:29:B6:06:CC (VMware)
Host script results:
|_ipidseq: Incremental!            # the IP ID is incremental
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
root@root:~# nmap 192.168.37.128 -sI 192.168.37.130 -Pn -p 1-150  # scan ports 1-150
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:41 CST
Idle scan using zombie 192.168.37.130 (192.168.37.130:80); Class: Incremental
Nmap scan report for bogon (192.168.37.128)
Host is up (0.050s latency).
Not shown: 142 closed|filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds
root@root:~# nmap 192.168.37.128 -p 1-150
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:42 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00071s latency).
Not shown: 142 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
135/tcp open  msrpc
139/tcp open  netbios-ssn
143/tcp open  imap
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
root@root:~# nmap 192.168.37.128 -sI 192.168.37.130  # scan the 1000 most common ports
WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP.  On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 11:42 CST
Idle scan using zombie 192.168.37.130 (192.168.37.130:443); Class: Incremental
Nmap scan report for bogon (192.168.37.128)
Host is up (0.051s latency).
Not shown: 973 closed|filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
465/tcp   open  smtps
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
993/tcp   open  imaps
995/tcp   open  pop3s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3306/tcp  open  mysql
6000/tcp  open  X11
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49158/tcp open  unknown
49167/tcp open  unknown
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 26.33 seconds
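Seen from the defender's side, the scapy and Nmap sessions above look identical at the zombie: the idle host receives SYN/ACK packets it never solicited, both from the scanner reading its IP ID and from the target answering the spoofed SYNs, and answers each of them with an RST. The target itself only sees what looks like a plain SYN scan coming from the zombie's address, so the zombie (or a sensor in front of it) is where the technique is visible. Below is an added detection example that is not part of the original post: it replays a constructed packet list in the form (src_ip, src_port, dst_ip, dst_port, flags) and counts SYN/ACKs delivered to the monitored host that were not preceded by an outbound SYN from it. The packet sample, the MONITORED constant, the function names and the threshold of 3 are assumptions made for this example; only the lab addresses are taken from the post.

```python
# Added example (not code from the original post): detect the zombie's side
# of an idle scan from a packet list. A normal host only receives SYN/ACK
# after it sent a SYN; a zombie receives them from the scanner (IP ID
# probes) and from the target (replies to spoofed SYNs).
from collections import defaultdict

MONITORED = "192.168.37.130"   # the idle host we watch (lab address from the post)

# Constructed sample as a sensor in front of the zombie would record it.
# Tuple layout: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
SAMPLE = [
    # ordinary outbound connection: SYN out, SYN/ACK back -> solicited, ignored
    ("192.168.37.130", 50000, "192.168.37.1", 443, "S"),
    ("192.168.37.1", 443, "192.168.37.130", 50000, "SA"),
    # scanner reads the IP ID: SYN/ACK to a port nobody asked for, zombie answers RST
    ("192.168.37.131", 20, "192.168.37.130", 445, "SA"),
    ("192.168.37.130", 445, "192.168.37.131", 20, "R"),
    # target answers the spoofed SYN for an open port (25) with a SYN/ACK to the zombie
    ("192.168.37.128", 25, "192.168.37.130", 20, "SA"),
    ("192.168.37.130", 20, "192.168.37.128", 25, "R"),
    ("192.168.37.131", 20, "192.168.37.130", 445, "SA"),
    ("192.168.37.130", 445, "192.168.37.131", 20, "R"),
    # next port (33445, closed): the target sends RST, the zombie stays silent
    ("192.168.37.131", 20, "192.168.37.130", 445, "SA"),
    ("192.168.37.130", 445, "192.168.37.131", 20, "R"),
    ("192.168.37.128", 33445, "192.168.37.130", 20, "R"),
    ("192.168.37.131", 20, "192.168.37.130", 445, "SA"),
    ("192.168.37.130", 445, "192.168.37.131", 20, "R"),
]


def unsolicited_syn_acks(packets, monitored=MONITORED):
    """Return {src_ip: count} of SYN/ACKs to the monitored host that do not
    answer a SYN the monitored host sent earlier in the same capture."""
    solicited = set()          # (remote_ip, remote_port, local_port) we opened
    counts = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        if src == monitored and flags == "S":
            solicited.add((dst, dport, sport))
        elif dst == monitored and flags == "SA":
            # a legitimate SYN/ACK comes from the remote socket we dialled,
            # addressed to the local port we dialled from
            if (src, sport, dport) not in solicited:
                counts[src] += 1
    return dict(counts)


def idle_scan_suspects(packets, monitored=MONITORED, threshold=3):
    """Sources that sent at least `threshold` unsolicited SYN/ACKs, sorted."""
    counts = unsolicited_syn_acks(packets, monitored)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("unsolicited SYN/ACK per source:", unsolicited_syn_acks(SAMPLE))
    print("suspects (threshold 3):", idle_scan_suspects(SAMPLE))
    print("all senders (threshold 1):", idle_scan_suspects(SAMPLE, threshold=1))
```

On the sample, 192.168.37.131 (the scanner) is reported with four unsolicited SYN/ACKs and 192.168.37.128 (the target) with one, so lowering the threshold to 1 lists both: the second address tells you which host is being scanned through the zombie. The structural fixes are the ones the post's preconditions imply: a host whose operating system randomises its IP IDs or keeps per-connection counters cannot serve as a zombie, and ingress filtering of spoofed source addresses (BCP 38) at the network edge stops the forged SYN from reaching the target at all.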