Kali penetration testing: active information gathering, layer-2 discovery

I. Active information gathering

Passive information gathering may be inaccurate; active information gathering can be used to verify it.

Characteristics:

  • Interacts directly with the target system
  • Inevitably leaves traces of the access

Workarounds:

  • Probe through a proxy or an already compromised third-party machine (be prepared for it to be blocked)
  • Use noise to confuse the target and drown the real probe traffic

Scanning: send different probes and judge the target's state from the responses.

II. Discovery

Identify live hosts (potential attack targets); the output is a list of IP addresses.

Layer-2 discovery

Data link layer, using the ARP protocol.

Use case: a host has already been obtained and you are inside the internal network, doing internal penetration.

Advantage: fast and reliable scanning.

Disadvantage: not routable; only the local subnet can be scanned.

1. arping

root@kali:~# arping 192.168.247.129 -w 2     // -w: time to wait for replies (seconds)
ARPING 192.168.247.129 from 192.168.247.157 eth0
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  0.836ms
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  1.538ms
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  1.325ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)
root@kali:~# arping -c 1 192.168.247.129                        // -c: number of packets to send
ARPING 192.168.247.129 from 192.168.247.157 eth0
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  0.877ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
root@kali:~# arping -c 1 192.168.247.129 | grep 'reply from'   // filter with grep
Unicast reply from 192.168.247.129 [00:0C:29:8F:74:74]  0.869ms
root@kali:~# arping -c 1 192.168.247.129 | grep 'reply from' | cut -d' ' -f4    // extract the IP address
192.168.247.129

2. nmap

Fast and accurate, relatively rich output, can scan IP ranges without writing a script. It also reports the local host itself (this machine: 192.168.247.157).

  • nmap 192.168.247.0/24 -sn     // -sn: host discovery only, no port scan
  • nmap -iL arp.txt -sn                 // -iL: scan the targets listed in a file
root@kali:~# nmap 192.168.247.0/24 -sn        // -sn: host discovery only, no port scan. Besides ARP packets it also does PTR lookups (reverse DNS) for each host
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 19:48 CST
Nmap scan report for bogon (192.168.247.1)
Host is up (0.00019s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.247.2)
Host is up (0.00012s latency).
MAC Address: 00:50:56:E6:D3:4D (VMware)
Nmap scan report for 192.168.247.129
Host is up (0.00076s latency).
MAC Address: 00:0C:29:8F:74:74 (VMware)
Nmap scan report for bogon (192.168.247.254)
Host is up (0.00030s latency).
MAC Address: 00:50:56:F3:49:7E (VMware)
Nmap scan report for bogon (192.168.247.157)  // local host
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.74 seconds
root@kali:~# cat arp.txt
192.168.247.1
192.168.247.2
192.168.247.3
192.168.247.4
192.168.247.5
192.168.247.6
192.168.247.7
192.168.247.8
192.168.247.9
192.168.247.10

root@kali:~# nmap -iL arp.txt -sn     // -iL: scan the targets listed in a file
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 19:57 CST
Nmap scan report for 192.168.247.1
Host is up (0.000093s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.247.2)
Host is up (0.00014s latency).
MAC Address: 00:50:56:E6:D3:4D (VMware)
Nmap done: 10 IP addresses (2 hosts up) scanned in 2.23 seconds

3. Netdiscover

An ARP reconnaissance tool dedicated to layer-2 discovery. It supports both active and passive scanning, on wireless as well as wired networks. It does not report the local host itself (this machine: 192.168.247.157).

Active scan

  • netdiscover -i eth0 -r 1.1.1.0/24            # -i: specify the interface, -r: range to scan
  • netdiscover -l iplist.txt   # -l: read the ranges from a file
root@kali:~# netdiscover -i eth0 -r 192.168.247.0/24  // -i: specify the interface

 Currently scanning: Finished!   |   Screen View: Unique Hosts                 
                                                                               
 25 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1500             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.247.1   00:50:56:c0:00:08     22    1320  VMware, Inc.                
 192.168.247.2   00:50:56:e6:d3:4d      1      60  VMware, Inc.                
 192.168.247.129 00:0c:29:8f:74:74      1      60  VMware, Inc.                
 192.168.247.254 00:50:56:f3:49:7e      1      60  VMware, Inc. 

root@kali:~# netdiscover -l arp.txt      // -l: read the ranges from a file

 Currently scanning: 192.168.247.0/24   |   Screen View: Unique Hosts          
                                                                               
 39 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 2340             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.247.1   00:50:56:c0:00:08     11     660  VMware, Inc.                
 192.168.247.2   00:50:56:e6:d3:4d     10     600  VMware, Inc.                
 192.168.247.129 00:0c:29:8f:74:74      9     540  VMware, Inc.                
 192.168.247.254 00:50:56:f3:49:7e      9     540  VMware, Inc.                

ERROR: Network range must be 0.0.0.0/8 , /16 or /24

已终止

Passive scan

Avoids detection by not sending any ARP packets itself. Principle: put the interface into promiscuous mode and collect packets not addressed to this NIC's own IP/MAC; since ARP is broadcast based, the tool simply waits silently and records what it sees. Accuracy is the same as the active scan, only the results come in more slowly (but hosts on a network send ARP packets frequently, so it does not take long).

  • netdiscover -p      # passive mode
root@kali:~# netdiscover -p    // passive mode
 
Currently scanning: (passive)   |   Screen View: Unique Hosts                 
                                                                               
 20 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 1200             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.247.1   00:50:56:c0:00:08     20    1200  VMware, Inc.  

4. Scapy (extremely powerful)

Scapy is a powerful interactive packet-manipulation program. It can forge or decode packets of many protocols, send them, capture them, match requests and replies, and much more. Scapy can easily handle classical tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery. It can replace hping, arpspoof, arp-sk, arping, p0f and even some parts of Nmap, tcpdump and tshark.

If Scapy prints a warning at startup, run this command: apt-get install python-gnuplot

root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ARP().display()     // the layer name must be capitalized; display() prints the layer's fields
###[ ARP ]### 
  hwtype= 0x1           // hardware type
  ptype= 0x800          // protocol type
  hwlen= 6              // hardware address length
  plen= 4               // protocol address length
  op= who-has           // opcode
  hwsrc= 00:0c:29:78:33:fb      // source MAC address
  psrc= 192.168.247.157         // source IP address
  hwdst= 00:00:00:00:00:00      // destination MAC address
  pdst= 0.0.0.0                 // destination IP address

>>> arp=ARP()         
>>> arp.pdst='192.168.247.129'  // set the destination IP
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= who-has
  hwsrc= 00:0c:29:78:33:fb
  psrc= 192.168.247.157
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.247.129

>>> sr1(arp)                    // send the packet and receive the reply
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=00:0c:29:8f:74:74 psrc=192.168.247.129 hwdst=00:0c:29:78:33:fb pdst=192.168.247.157 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()           // show the contents of the reply
###[ ARP ]### 
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:8f:74:74
  psrc= 192.168.247.129
  hwdst= 00:0c:29:78:33:fb
  pdst= 192.168.247.157
###[ Padding ]### 
     # the frame is shorter than the minimum size, so it is zero-padded
     load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
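The passive netdiscover table and the Scapy ARP packet above both come down to the same 28-byte ARP layout (hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst). This added example, not code from the original post or from any of the tools it describes, builds the who-has request as raw bytes, parses ARP frames back into those fields, and keeps a netdiscover-style unique-hosts table from frames read passively; it also records every MAC seen for an IP, which is how a spoofed reply would show up to a defender. The MAC and IP values in the test are the ones shown in the Scapy session above; the "spoofing" MAC is constructed.

```python
import struct
from ipaddress import ip_address
# Added example, not the page's own code; layouts are standard Ethernet/IPv4 ARP (RFC 826).
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # hwtype ptype hwlen plen op hwsrc psrc hwdst pdst
ETHERTYPE_ARP = 0x0806
OP_WHO_HAS, OP_IS_AT = 1, 2
BCAST = b"\xff" * 6

def mac(s):                              # "00:0c:29:78:33:fb" -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(op, hwsrc, psrc, hwdst, pdst):
    """Ethernet + ARP frame with the same fields Scapy's ARP().display() lists."""
    eth_dst = BCAST if op == OP_WHO_HAS else mac(hwdst)   # who-has goes to broadcast
    body = ARP.pack(1, 0x0800, 6, 4, op, mac(hwsrc), ip_address(psrc).packed,
                    mac(hwdst), ip_address(pdst).packed)
    return ETH.pack(eth_dst, mac(hwsrc), ETHERTYPE_ARP) + body

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame as a dict, or None if it is not ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst = ARP.unpack_from(frame, ETH.size)
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    return {"op": "who-has" if op == OP_WHO_HAS else "is-at",
            "hwsrc": mac_str(hwsrc), "psrc": str(ip_address(psrc)),
            "hwdst": mac_str(hwdst), "pdst": str(ip_address(pdst))}

def unique_hosts(frames):
    """Passive table like netdiscover -p: learn sender IP/MAC from every ARP frame seen."""
    table = {}
    for f in frames:
        a = parse_arp(f)
        if a is None or a["psrc"] == "0.0.0.0":        # skip non-ARP frames and ARP probes
            continue
        row = table.setdefault(a["psrc"], {"macs": set(), "count": 0, "len": 0})
        row["macs"].add(a["hwsrc"])                     # more than one MAC per IP is suspicious
        row["count"] += 1
        row["len"] += max(len(f), 60)   # a 42-byte ARP is padded to 60 on the wire, as the Padding layer shows
    return table
```

Feeding `unique_hosts` frames from a pcap or a raw socket gives the same IP / MAC / Count / Len columns netdiscover prints.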
