Principles of active information gathering
Characteristics of active information gathering
- Communicates directly with the target system
- Leaving traces of the access cannot be avoided
- Probe from a machine you control but that is not your own: go through a proxy or a host that has already been compromised
- The scanner sends different kinds of probes and judges the target's state from what comes back
Host discovery process
- Identify live hosts and so find potential attack targets
- Output a list of IP addresses, such as an IP block or an IP range
- Probe at layers 2, 3 and 4 (data link, network and transport)
Mapping between the OSI seven-layer model and the TCP/IP protocol suite
Layer 2 discovery: arping, netdiscover
arping
The arping command sends ARP requests to a target host to learn its MAC address and whether the IP is in use (its function is similar to ping's, but because ARP does not cross routers it only works against hosts on the local broadcast domain).
Usage
arping [options] target-IP
Common options:
- `-c count`: send the given number of ARP requests.
```
┌──(root㉿kali)-[~]
└─# arping -c 3 192.168.1.6
ARPING 192.168.1.6
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=0 time=372.832 msec
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=1 time=401.824 msec
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=2 time=423.266 msec

--- 192.168.1.6 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 372.832/399.308/423.266/20.666 ms
```
- `-d`: exit as soon as replies carrying different MAC addresses arrive for the same IP (a quick way to spot a duplicate IP or an ARP-spoofing host on the segment).
- `-r`: raw output, print only the MAC address.
```
┌──(root㉿kali)-[~]
└─# arping -r 192.168.1.6
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
^C
```
- `-R`: raw output, print only the IP address.
```
┌──(root㉿kali)-[~]
└─# arping -R 192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
^C
```
- `-W sec`: interval between two requests.
- `-w sec`: timeout; exit if no reply has been received within that many seconds.
netdiscover
netdiscover has an active scanning mode and a passive sniffing mode and can quickly list the live devices on a LAN.
Usage
netdiscover [options]
Common options
- `-i device`: network interface to use.
- `-r range`: range to scan (/8, /16 or /24).
- `-p`: passive mode; sends nothing and only sniffs ARP traffic, so it leaves no trace on the network at the cost of having to wait for hosts to talk.
- `-s time`: sleep time between ARP requests (ms).
- `-c count`: number of times each ARP request is sent (default once).
```
┌──(root㉿kali)-[~]
└─# netdiscover -i wlan0 -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 33 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1386
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     8c:8f:8b:a4:0e:38     29    1218  China Mobile Chongqing branch
 192.168.1.8     40:23:43:a8:7f:17      2      84  CHONGQING FUGUI ELECTRONICS CO.,LTD.
 192.168.1.2     2c:1f:23:d0:e3:86      1      42  Apple, Inc.
 192.168.1.6     34:79:16:e5:e8:e4      1      42  HUAWEI TECHNOLOGIES CO.,LTD
```
Layer 3 discovery: ping, traceroute
ping
ping checks whether the local machine can reach a target host and measures the speed and stability of the connection (ping uses ICMP echo request/reply). Because many hosts and firewalls drop ICMP, "no reply" means "no reply", not "host down".
Usage
ping [options] target (domain name or IP)
Common options
- `-c count`: number of echo requests to send.
```
┌──(root㉿kali)-[~]
└─# ping -c 4 www.baidu.com
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=31.9 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.4 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.9 ms

--- www.baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 31.867/32.107/32.375/0.209 ms
```
- `-f`: flood ping; requests go out as fast as replies come back, or at least 100 per second. Each request prints a dot and each reply erases one, so the dots left on screen are the lost packets. This is a load test of the path, not a discovery technique, and it is very noisy.
```
┌──(root㉿kali)-[~]
└─# ping -f www.baidu.com
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
.............................................
--- www.baidu.com ping statistics ---
1410 packets transmitted, 1365 received, 3.19149% packet loss, time 21815ms
rtt min/avg/max/mdev = 30.895/33.664/203.372/10.158 ms, pipe 12, ipg/ewma 15.482/32.027 ms
```
- `-i interval`: seconds between requests (default one per second).
```
┌──(root㉿kali)-[~]
└─# ping -i 5 www.baidu.com
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=43.8 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=792 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=107 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.8 ms

--- www.baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 15012ms
rtt min/avg/max/mdev = 31.830/243.720/791.816/317.747 ms
```
- `-s size`: number of data bytes in each request. The default is 56; with the 8-byte ICMP header and the 20-byte IP header that is the 84 shown as `56(84)`.
```
┌──(root㉿kali)-[~]
└─# ping -s 100 www.baidu.com
PING www.baidu.com (39.156.66.18) 100(128) bytes of data.
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=33.4 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.7 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=32.8 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=5 ttl=51 time=32.1 ms
^C
--- www.baidu.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 32.095/32.647/33.431/0.475 ms
```
- `-t ttl`: Time To Live of the packets sent.
```
┌──(root㉿kali)-[~]
└─# ping -t 10 baidu.com
PING baidu.com (39.156.66.10) 56(84) bytes of data.
From 39.156.67.33 (39.156.67.33) icmp_seq=1 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=2 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=3 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=4 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=5 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=6 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=7 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=8 Time to live exceeded
^C
--- baidu.com ping statistics ---
8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 7012ms
```
Note: the TTL set here was too small for the packet to reach the target, so the router at which it expired (39.156.67.33, the tenth hop) sent back Time to live exceeded. This is exactly the mechanism traceroute is built on.
- `-W timeout`: how many seconds to wait for each reply.
fping
fping works like ping and is not covered in detail here. Its advantage is that it pings many hosts at once, and it is fast. `-g` generates the target list from a network block; `-a` prints only the hosts that answered, which is usually what you want for a target list.
```
┌──(root㉿kali)-[~]
└─# fping -g 192.168.1.0/24 > 1.txt
192.168.1.113: error while sending ping: No buffer space available
192.168.1.16: error while sending ping: No buffer space available
...
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.254
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.253
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.253
┌──(root㉿kali)-[~]
└─# cat 1.txt
192.168.1.1 is alive
192.168.1.5 is alive
192.168.1.6 is alive
192.168.1.2 is unreachable
192.168.1.3 is unreachable
...
192.168.1.252 is unreachable
192.168.1.253 is unreachable
192.168.1.254 is unreachable
```
The "is alive" / "is unreachable" lines land in the file because fping writes results to stdout, while the error lines still reach the terminal because they go to stderr. "No buffer space available" means fping was emitting probes faster than the local stack could send them; spacing the probes out with `-i` (interval between probes, in ms) makes those errors go away.
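The layer-2 and layer-3 sweeps above disagree: netdiscover saw 192.168.1.2 and 192.168.1.8, fping did not, and fping saw 192.168.1.5 (the scanning machine itself). Reconciling the two outputs is what turns them into the IP list the discovery step is supposed to produce, and it also flags hosts that answer ARP but drop ICMP, which a layer-3-only sweep would silently miss. The script below is an added example (not from the original post) that parses netdiscover's screen output and fping's result lines and merges them. The sample functions embed copies of the outputs shown above as constructed input; the real tools are not run.

```shell
#!/bin/sh
# Added example (not from the original post): merge netdiscover (layer 2)
# and fping (layer 3) results into one target list, marking which layer
# saw each host.  Assumes the two tools' outputs were saved to files.

# Extract "ip mac" rows from netdiscover's screen output: a row is any line
# whose first field is a dotted quad and whose second is a 17-char MAC.
alive_from_netdiscover() {
    awk '$1 ~ /^[0-9.]+$/ && split($1, o, /\./) == 4 &&
         $2 ~ /^[0-9a-fA-F:]+$/ && length($2) == 17 { print $1, $2 }'
}

# Extract IPs from fping's "x.x.x.x is alive" lines.
alive_from_fping() {
    awk '/ is alive$/ { print $1 }'
}

# Merge a layer-2 list ("ip mac") and a layer-3 list ("ip").
# Prints "ip arp|- icmp|-" per host, sorted numerically by octet.
merge_live_hosts() {
    { sed 's/^/arp /' "$1"; sed 's/^/icmp /' "$2"; } |
    awk '{ seen[$2] = 1; if ($1 == "arp") l2[$2] = 1; else l3[$2] = 1 }
         END { for (ip in seen)
                   printf "%s %s %s\n", ip,
                          (ip in l2 ? "arp" : "-"), (ip in l3 ? "icmp" : "-") }' |
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Whole pipeline on two saved outputs: $1 netdiscover output, $2 fping output.
merge_outputs() {
    tmp=$(mktemp -d)
    alive_from_netdiscover < "$1" > "$tmp/l2"
    alive_from_fping       < "$2" > "$tmp/l3"
    merge_live_hosts "$tmp/l2" "$tmp/l3"
    rm -r "$tmp"
}

# Constructed samples, copied from the netdiscover and fping runs above.
sample_netdiscover() {
    cat <<'EOF'
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 33 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1386
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     8c:8f:8b:a4:0e:38     29    1218  China Mobile Chongqing branch
 192.168.1.8     40:23:43:a8:7f:17      2      84  CHONGQING FUGUI ELECTRONICS CO.,LTD.
 192.168.1.2     2c:1f:23:d0:e3:86      1      42  Apple, Inc.
 192.168.1.6     34:79:16:e5:e8:e4      1      42  HUAWEI TECHNOLOGIES CO.,LTD
EOF
}
sample_fping() {
    cat <<'EOF'
192.168.1.1 is alive
192.168.1.5 is alive
192.168.1.6 is alive
192.168.1.2 is unreachable
192.168.1.3 is unreachable
EOF
}

# Usage: sh merge_hosts.sh netdiscover.txt fping.txt   (no args: run on the samples)
if [ $# -eq 2 ]; then
    merge_outputs "$1" "$2"
else
    d=$(mktemp -d)
    sample_netdiscover > "$d/netdiscover.txt"
    sample_fping       > "$d/fping.txt"
    merge_outputs "$d/netdiscover.txt" "$d/fping.txt"
    rm -r "$d"
fi
```

On the samples the merged list shows 192.168.1.2 and 192.168.1.8 as `arp -`: both are up on the segment but do not answer ICMP, so they belong on the target list even though fping reported them unreachable.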
traceroute
traceroute shows the route, hop by hop, that packets take to reach the destination. It works by sending probes with TTL 1, 2, 3, ... and recording which router answers each one with ICMP Time Exceeded. A hop shown as `* * *` means none of the three probes got a reply within the timeout (the router dropped them or rate-limits ICMP); it does not mean the path ends there, which is why the trace below keeps going to the 30-hop limit.
```
┌──(root㉿kali)-[~]
└─# traceroute baidu.com
traceroute to baidu.com (110.242.68.66), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.116 ms  1.277 ms  1.634 ms
 2  10.173.0.1 (10.173.0.1)  7.903 ms  9.271 ms  9.383 ms
 3  117.157.95.177 (117.157.95.177)  24.544 ms 117.157.95.181 (117.157.95.181)  10.895 ms 117.157.95.177 (117.157.95.177)  10.865 ms
 4  * * *
 5  117.157.95.93 (117.157.95.93)  14.162 ms 117.157.95.89 (117.157.95.89)  14.102 ms  14.088 ms
 6  * * *
 7  * * *
 8  221.183.40.41 (221.183.40.41)  27.134 ms 221.183.37.213 (221.183.37.213)  33.591 ms  33.556 ms
 9  221.183.94.38 (221.183.94.38)  33.515 ms 221.183.94.42 (221.183.94.42)  31.676 ms 221.183.94.38 (221.183.94.38)  33.413 ms
10  221.183.95.62 (221.183.95.62)  41.847 ms 221.183.123.14 (221.183.123.14)  41.135 ms 221.183.68.194 (221.183.68.194)  46.689 ms
11  219.158.3.65 (219.158.3.65)  42.812 ms  43.617 ms  44.816 ms
12  219.158.11.94 (219.158.11.94)  52.969 ms 219.158.9.174 (219.158.9.174)  42.867 ms 219.158.11.74 (219.158.11.74)  42.658 ms
13  110.242.66.174 (110.242.66.174)  49.035 ms 110.242.66.162 (110.242.66.162)  44.764 ms  44.715 ms
14  * 221.194.45.134 (221.194.45.134)  46.658 ms  47.579 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
```
The `-m` option sets the maximum number of hops, i.e. the largest TTL traceroute will try (default 30):
```
┌──(root㉿kali)-[~]
└─# traceroute -m 5 baidu.com
traceroute to baidu.com (110.242.68.66), 5 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.514 ms  1.471 ms  1.876 ms
 2  10.173.0.1 (10.173.0.1)  6.051 ms  6.019 ms  6.144 ms
 3  117.157.95.177 (117.157.95.177)  5.703 ms 117.157.95.181 (117.157.95.181)  6.558 ms  6.520 ms
 4  * * *
 5  117.157.95.93 (117.157.95.93)  7.324 ms  8.665 ms 117.157.95.89 (117.157.95.89)  6.848 ms
```
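The `ping -t 10` run above and the traceroute output are the same mechanism seen from two sides: a probe whose TTL expires makes the router at that hop identify itself. The script below is an added example (not from the original post) that rebuilds a minimal traceroute out of `ping -t`, stepping the TTL from 1 upwards until the target itself answers. It assumes the iputils ping shipped on Kali (the `-n`, `-c`, `-t` and `-W` flags) and a reachable target; unlike real traceroute it sends one ICMP probe per hop rather than three UDP probes, so it is slower to distinguish a silent hop from a lost packet. The classifier is tested against constructed copies of the ping output formats shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal traceroute built
# from "ping -t", to make the TTL mechanism concrete.  Assumes iputils ping
# as shipped on Kali.

# Classify one ping run (its output on stdin) as
#   exceeded <router>     TTL expired at this router (an intermediate hop)
#   reached <host>        the target itself replied: this is the last hop
#   unreachable <router>  a router answered Destination Host Unreachable
#   timeout               nothing came back (filtered or rate-limited hop)
classify_ping_reply() {
    awk '!done && /Time to live exceeded/        { print "exceeded " $2; done = 1 }
         !done && /Destination Host Unreachable/ { print "unreachable " $2; done = 1 }
         !done && / bytes from /                 { ip = $4; sub(/:$/, "", ip)
                                                   print "reached " ip; done = 1 }
         END { if (!done) print "timeout" }'
}

# One probe at the given TTL.  ping exits non-zero when the TTL expires,
# so only its output is used.  -n skips reverse DNS; -W 1 waits one second.
probe_hop() {
    ping -n -c 1 -t "$2" -W 1 "$1" 2>&1 | classify_ping_reply
}

# Walk TTL 1..max (default 30, like traceroute) until the target answers.
trace_with_ping() {
    host="$1"; max="${2:-30}"; ttl=1
    while [ "$ttl" -le "$max" ]; do
        result=$(probe_hop "$host" "$ttl")
        printf '%2d  %s\n' "$ttl" "$result"
        case "$result" in reached*) return 0 ;; esac
        ttl=$((ttl + 1))
    done
    return 1
}

# Usage: sh trace_with_ping.sh baidu.com [max_hops]
if [ $# -gt 0 ]; then
    trace_with_ping "$@"
fi
```

Against the `ping -t 10 baidu.com` run above this would print `10  exceeded 39.156.67.33` for the tenth hop, and would keep increasing the TTL until a line of the `64 bytes from ...` form comes back from 39.156.66.10.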
Layer 4 discovery: Nmap
Nmap is a network port scanner: it finds the ports a host has open and can also detect the target's operating system and other details. Only the most basic usage is covered here; a detailed write-up may follow later.
Usage
nmap [options] IP
Common options
- Scan a single IP directly:
```
┌──(root㉿kali)-[~]
└─# nmap 111.13.149.108
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:29 CST
Nmap scan report for 111.13.149.108
Host is up (0.079s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE       # ports the target host has open
80/tcp   open   http
443/tcp  open   https
2000/tcp closed cisco-sccp
2001/tcp closed dc
2002/tcp closed globe
2003/tcp closed finger
2004/tcp closed mailbox

Nmap done: 1 IP address (1 host up) scanned in 25.21 seconds
```
- Scan several IPs:
nmap IP1 IP2
```
┌──(root㉿kali)-[~]
└─# nmap 111.13.149.108 140.205.220.96
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:32 CST
Nmap scan report for 111.13.149.108
Host is up (0.033s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2000/tcp closed cisco-sccp
2001/tcp closed dc
2002/tcp closed globe
2003/tcp closed finger
2004/tcp closed mailbox

Nmap scan report for 140.205.220.96
Host is up (0.043s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 2 IP addresses (2 hosts up) scanned in 7.22 seconds
```
- Scan the whole network block the target is in:
nmap xxx.xxx.xxx.xxx/xx
```
┌──(root㉿kali)-[~]
└─# nmap 192.168.1.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:36 CST
Nmap scan report for 192.168.1.1
Host is up (0.0042s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
5080/tcp open  onscreen
5555/tcp open  freeciv
8080/tcp open  http-proxy
MAC Address: 8C:8F:8B:A4:0E:38 (China Mobile Chongqing branch)

Nmap scan report for 192.168.1.4
Host is up (0.037s latency).
All 1000 scanned ports on 192.168.1.4 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 20:FF:36:1F:32:DF (Iflytek)

Nmap scan report for 192.168.1.8
Host is up (0.033s latency).
All 1000 scanned ports on 192.168.1.8 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 40:23:43:A8:7F:17 (Chongqing Fugui Electronics)

Nmap scan report for 192.168.1.5
Host is up (0.0000060s latency).
All 1000 scanned ports on 192.168.1.5 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap done: 256 IP addresses (4 hosts up) scanned in 47.08 seconds
```
- Scan specific ports:
nmap IP -p port
```
┌──(root㉿kali)-[~]
└─# nmap 111.13.149.108 -p 80
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:39 CST
Nmap scan report for 111.13.149.108
Host is up (0.070s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
```
- Detect the target's operating system (a fingerprint of its TCP/IP stack; the percentages are confidence, and the result is a guess unless Nmap finds an exact match):
nmap -O IP
```
┌──(root㉿kali)-[~]
└─# nmap -O 111.13.149.108
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:47 CST
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 86.63% done; ETC: 14:47 (0:00:02 remaining)
Nmap scan report for 111.13.149.108
Host is up (0.037s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2000/tcp closed cisco-sccp
2001/tcp closed dc
2002/tcp closed globe
2003/tcp closed finger
2004/tcp closed mailbox
Device type: general purpose|specialized
Running (JUST GUESSING): Linux 3.X|4.X (89%), AVtech embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.9
Aggressive OS guesses: Linux 3.18 (89%), AVtech Room Alert 26W environmental monitor (88%), Linux 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.79 seconds
```
- Trace the route to the target. Nmap picks one of the ports it found open (here 443/tcp) and traces with TCP probes, which often get through firewalls that drop traceroute's default UDP and ICMP probes; `... 7` means hops 6 and 7 gave no reply:
nmap --traceroute IP
```
┌──(root㉿kali)-[~]
└─# nmap --traceroute 140.205.220.96
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:53 CST
Nmap scan report for 140.205.220.96
Host is up (0.088s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   2.23 ms   192.168.1.1
2   6.71 ms   10.173.0.1
3   115.40 ms 117.157.95.177
4   ...
5   7.16 ms   117.157.95.93
6   ... 7
8   40.94 ms  221.183.39.130
9   47.57 ms  120.204.35.238
10  ... 11
12  47.12 ms  116.251.106.194
13  ... 14
15  108.64 ms 140.205.220.96

Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds
```
- Detect the version of the service behind each open port (Nmap talks to the service and matches its banner and responses; this is more intrusive than a plain port scan and shows up in application logs):
nmap -sV IP
```
┌──(root㉿kali)-[~]
└─# nmap -sV 140.205.220.96
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:55 CST
Nmap scan report for 140.205.220.96
Host is up (0.080s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Tengine httpd
443/tcp open  ssl/http Tengine httpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.28 seconds
```
- Check for a firewall with a FIN scan at aggressive timing:
nmap -sF -T4 IP
A bare FIN to a closed port gets an RST back, while an open port, or a port whose probe is dropped by a stateful firewall, returns nothing, so Nmap reports such ports as `open|filtered` and cannot tell the two cases apart. The trick only works against stacks that follow RFC 793; Windows and many network devices answer every FIN with an RST, so all their ports look closed.
- Skip host discovery and run an aggressive scan:
nmap -Pn -A IP
`-Pn` treats the host as up without pinging it, so a host whose firewall drops ICMP and Nmap's other discovery probes still gets port-scanned. That is all the "firewall bypass" amounts to: it does not evade the firewall, it only stops Nmap from giving up before the port scan. `-A` turns on OS detection, version detection, the default NSE scripts and traceroute, which is slow and easily logged, so use it on targets you have already confirmed rather than on a whole range.
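The scans above are run one at a time and read by eye. In practice the output of host discovery feeds the port scan, and the port scan's output feeds whatever comes next, so it is worth driving Nmap through its grepable format (`-oG -`) and parsing that. The script below is an added example (not from the original post): it runs a ping sweep (`-sn`) over a range, port-scans only the hosts reported Up, and parses the grepable output into `ip port/proto service` lines. It assumes Nmap on the PATH and root for the ARP and SYN probes; the port list `22,80,443,8080` is an arbitrary default, and the sample grepable lines are constructed from the 192.168.1.0/24 results shown earlier so the parser can be exercised without scanning anything.

```shell
#!/bin/sh
# Added example (not from the original post): discovery-then-port-scan
# pipeline around Nmap's grepable output.  Assumes nmap on the PATH and
# root for its ARP/SYN probes; the sample lines below are constructed.

# Parse -oG output on stdin; print "ip port/proto service" per open port.
# In grepable output each port is "port/state/proto/owner/service/rpc/version/".
parse_open_ports() {
    awk '/^Host:/ && /Ports: / {
            ip = $2
            s = $0; sub(/.*Ports: /, "", s)
            n = split(s, p, /, /)
            for (j = 1; j <= n; j++) {
                if (p[j] !~ /^[0-9]+\//) continue
                split(p[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
            }
         }'
}

# Step 1: ping sweep (-sn) and keep the addresses reported Up.
# Step 2: port-scan only those, skipping re-discovery (-Pn) and DNS (-n);
#         -iL - reads the target list from stdin.
discover_and_scan() {
    range="$1"; ports="${2:-22,80,443,8080}"
    nmap -sn -n "$range" -oG - | awk '/Status: Up/ { print $2 }' |
        nmap -n -Pn -p "$ports" -iL - -oG - | parse_open_ports
}

# Constructed -oG lines (tab-separated, as Nmap writes them), modelled on
# the 192.168.1.0/24 scan above; comment lines are included on purpose.
sample_grepable() {
    printf '# Nmap 7.93 scan initiated as: nmap -n -Pn -p 22,53,80,443,5080 -iL - -oG -\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 443/closed/tcp//https///, 5080/open/tcp//onscreen///\tIgnored State: closed (1)\n'
    printf 'Host: 192.168.1.4 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///\n'
    printf 'Host: 192.168.1.5 ()\tStatus: Up\n'
    printf '# Nmap done -- 3 IP addresses (3 hosts up) scanned\n'
}

# Usage: sh scan.sh 192.168.1.0/24 [ports]   (no args: parse the sample)
if [ $# -gt 0 ]; then
    discover_and_scan "$@"
else
    sample_grepable | parse_open_ports
fi
```

On the sample only 192.168.1.1 contributes lines (53/tcp, 80/tcp and 5080/tcp); the filtered ports on 192.168.1.4 and the host with no `Ports:` field are dropped, which is the behaviour you want when the list is going to be fed to a version scan or a vulnerability check next.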