主机发现原理及工具使用 - 安全工具篇

2019-04-10  本文已影响0人  DreamsonMa

OSI及TCP/IP模型

互联网的本质就是一系列的网络协议,这个协议就叫OSI协议(即开放式系统互联)


OSI协议

按照功能不同,分工不同,人为的分层七层。实际上还有人把它划成五层、四层。

网络分成模型

每一层的功能和用到的协议:


OSI分层和用到的协议 OSI分层和用到的协议

二层主机发现

二层主机发现指:利用OSI中链路层中的协议进行主机发现。一般使用ARP协议(局域网中通信使用ARP协议,利用MAC地址作为对应的识别地址)。

优点:1、速度快;2、可靠性高
缺点:无法扫描经过路由的主机

二层主机发现工具使用

arping工具

Arping 是一个 ARP 级别的 ping 工具,可用来直接 ping MAC 地址,以及找出那些 ip 地址被哪些电脑所使用了。缺点:无法多个主机同时扫描

通过eth0网卡对同网段ip进行ARP嗅探,只请求一次。

root@kali:~# arping -c 1 -i eth0  192.168.56.102
ARPING 192.168.56.102
60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=25.626 msec

--- 192.168.56.102 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 25.626/25.626/25.626/0.000 ms

有时候,本地查不到某主机,可以通过让网关或别的机器进行ARP嗅探。

root@kali:~# arping -c 1 -S 192.168.56.0 192.168.56.102
ARPING 192.168.56.102
60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=19.355 msec

--- 192.168.56.102 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 19.355/19.355/19.355/0.000 ms

netdiscover工具

Netdiscover是一个主动/被动的APR侦查工具。该工具在不使用DHCP的无线网络上非常有用。使用Netdiscover工具可以在网络上扫描IP地址,检查在主机或搜索为它们发送的APR请求。

使用Netdiscover工具,扫描局域网中所有的主机

root@kali:~# netdiscover 

 Currently scanning: 192.168.50.0/16   |   Screen View: Unique Hosts                                                                                     
                                                                                                                                                         
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.102  0a:00:27:00:00:05      1      60  Unknown vendor  

使用Netdiscover工具,使用被动模式,监听指定网卡,指定子网中的所有主机

root@kali:~# netdiscover -p  -i eth1 -r 10.0.2.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                                           
                                                                                                                                                         
 4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 240                                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.2.9        08:00:27:89:4b:13      2     120  PCS Systemtechnik GmbH                                                                                
 10.0.2.8        08:00:27:c4:40:af      2     120  PCS Systemtechnik GmbH 

三层主机发现

三层主机发现指:利用OSI中网络中的协议进行主机发现。一般使用ICMP协议。
优点:1、可以发现远程主机,经过路由的主机;2、速度相对比较快
缺点:1、经常被防火墙过滤;2、速度相比二层发现慢

三层主机发现工具使用

ping工具

ping工具通过ICMP协议回复请求以检测主机是否存在,它在Linux和windows都有自带,Linux下ping如果不指定-c参数,一直扫描。Windows下默认进行四次探测。

root@kali:~# ping 192.168.56.102 -c 1
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_seq=1 ttl=64 time=1.17 ms

--- 192.168.56.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.167/1.167/1.167/0.000 ms

fping工具

fping程序类似于ping,与ping不同的地方在于,可以针对多个主机同时进行主机发现。

fping对多个IP进行嗅探

root@kali:~# fping -4 -a  10.0.2.8 10.0.2.9 10.0.2.10
10.0.2.8
10.0.2.9
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10

fping利用文本对多个IP进行嗅探

root@kali:~# cat ips.txt
10.0.2.8
10.0.2.9
10.0.2.10
root@kali:~# fping -4 -f ips.txt
10.0.2.8 is alive
10.0.2.9 is alive
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
10.0.2.10 is unreachable

fping对一个子网或IP范围进行修改

root@kali:~# fping  -c 1  -4 -g 10.0.2.0/24 > result.txt 
...
root@kali:~# cat result.txt 
10.0.2.1   : [0], 84 bytes, 0.19 ms (0.19 avg, 0% loss)
10.0.2.2   : [0], 84 bytes, 1.46 ms (1.46 avg, 0% loss)
10.0.2.7   : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
10.0.2.8   : [0], 84 bytes, 0.22 ms (0.22 avg, 0% loss)
10.0.2.9   : [0], 84 bytes, 0.24 ms (0.24 avg, 0% loss)

root@kali:~# fping  -a  -4 -g 10.0.2.7 10.0.2.10
10.0.2.7
10.0.2.8
10.0.2.9
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10

hping3工具

hping3,它支持TCP,UDP,ICMP和RAW-IP协议,具有跟踪路由模式,能够在覆盖的信道之间发送文件以及许多其他功能,支持使用tcl脚本自动化地调用其API。特点:支持发送自定义ICMP数据包

使用hping3工具,利用icmp协议嗅探主机

root@kali:~# hping3 -c 1 --icmp 10.0.2.9 
HPING 10.0.2.9 (eth1 10.0.2.9): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.0.2.9 ttl=64 id=14501 icmp_seq=0 rtt=9.5 ms

--- 10.0.2.9 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.5/9.5/9.5 ms

端口扫描。Hping3支持指定TCP各个标志位、长度等信息。

参数 说明
-I eth0 指定使用eth0端口
-S 指定TCP包的标志位SYN
-p 68 指定探测的目的端口68
root@kali:~# hping3 -c 1 -I eth1 -S  10.0.2.9  -p 68
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
len=46 ip=10.0.2.9 ttl=64 DF id=62866 sport=68 flags=RA seq=0 win=0 rtt=7.5 ms

--- 10.0.2.9 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.5/7.5/7.5 ms

拒绝服务攻击,比如对目标机发起大量SYN连接,伪造源地址为10.0.2.8,并使用1000微秒的间隔发送各个SYN包。其他攻击如smurf、teardrop、land attack等也很容易构建出来。

root@kali:~# hping3 -I eth1 -a 10.0.2.8 -S 10.0.2.9 -p 68 -i u1000
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
^C
--- 10.0.2.9 hping statistic ---
3020 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

LandAttack攻击(Land Attack是将发送源地址设置为与目标地址相同,诱使目标机与自己不停地建立连接)

root@kali:~# hping3 -S -c 1000000 -a 10.0.2.9 -p 53 10.0.2.9
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
^C
--- 10.0.2.9 hping statistic ---
36 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

使用Hping3测试防火墙规则,测试防火墙对ICMP包的反应、是否支持traceroute、是否开放某个端口、对防火墙进行拒绝服务攻击(DoS attack)等。

四层主机发现

四层发现指利用OSI中的传输层协议进行主机发现,一般使用TCP、UDP探测。

优点:1、可以探测远程主机;2、比三层发现更为可靠
缺点:花费时间更长

四层主机发现工具使用

Nmap工具

Nmap可以进行二、三、四层的探测,功能十分强大。
-sn:使用ping探测
--traceroute:二层发现

root@kali:~# nmap  10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:34 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00041s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

hping3工具

hping3同样可以用来做四层主机发现

root@kali:~# hping3 -c 1 --udp 10.0.2.5
HPING 10.0.2.5 (eth1 10.0.2.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.0.2.5 name=UNKNOWN   
status=0 port=1356 seq=0

--- 10.0.2.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 14.5/14.5/14.5 ms

使用python脚本

使用Github上分享的主机发现脚本: https://github.com/Cyber-Forensic/nWatch

root@kali:~/Desktop# git clone https://github.com/Cyber-Forensic/nWatch.git
Cloning into 'nWatch'...
remote: Enumerating objects: 80, done.
remote: Total 80 (delta 0), reused 0 (delta 0), pack-reused 80
Unpacking objects: 100% (80/80), done.
root@kali:~/Desktop# cd nWatch/
root@kali:~/Desktop/nWatch# pip install python-nmap
Collecting python-nmap
  Downloading https://files.pythonhosted.org/packages/dc/f2/9e1a2953d4d824e183ac033e3d223055e40e695fa6db2cb3e94a864eaa84/python-nmap-0.6.1.tar.gz (41kB)
    100% |████████████████████████████████| 51kB 59kB/s 
Building wheels for collected packages: python-nmap
  Running setup.py bdist_wheel for python-nmap ... done
  Stored in directory: /root/.cache/pip/wheels/bb/a6/48/4d9e2285291b458c3f17064b1dac2f2fb0045736cb88562854
Successfully built python-nmap
Installing collected packages: python-nmap
Successfully installed python-nmap-0.6.1
root@kali:~/Desktop/nWatch# python nwatch.py 

         888       888          888            888      
         888   o   888          888            888      
         888  d8b  888          888            888      
    88888b.  888 d888b 888  8888b.  888888 .d8888b 88888b.  
    888 "88b 888d88888b888     "88b 888   d88P"    888 "88b 
    888  888 88888P Y88888 .d888888 888   888      888  888 
    888  888 8888P   Y8888 888  888 Y88b. Y88b.    888  888 
    888  888 888P     Y888 "Y888888  "Y888 "Y8888P 888  888 

                    [&] Created by suraj (#r00t)
[+] Started at 22:47:35
[*] Choose a network interface

------------------------------------------------------------------------------------------
| Sl-no | Interface name |     IPv4-address     |              IPv6-address              |
------------------------------------------------------------------------------------------
|   1   |       lo       |      127.0.0.1       |                  ::1                   |<= DO NOT USE LOCALHOST
|   2   |      eth1      |       10.0.2.7       |        fe80::a00:27ff:fec2:3234        | 
|   3   |      eth0      |    192.168.56.103    |        fe80::a00:27ff:fee9:b184        | 
------------------------------------------------------------------------------------------
choose an interface> 2
[*] Interface => eth1
[*] Scanning subnet(10.0.2.7/24) on eth1 interface
------------
| 10.0.2.5 |
------------
      |_ MAC : 08:00:27:87:7b:b0
      |_ Hostname : -unknown-
      |_ State : up
      |_ Ports
      | [+] Protocol : tcp
      |     Port        State
      |     ====        =====
      |     21      open
      |     22      open
      |     23      open
      |     25      open
      |     53      open
      |     80      open
      |     111     open
      |     139     open
      |     445     open
      |     512     open
      |     513     open
      |     514     open
      |     1099        open
      |     1524        open
      |     2049        open
      |     2121        open
      |     3306        open
      |     5432        open
      |     5900        open
      |     6000        open
      |     6667        open
      |     8009        open
      |     8180        open
      |_ OS fingerprinting
        [+] Name : Linux 2.6.9 - 2.6.33 (accuracy 100%)
------------
| 10.0.2.3 |
------------
      |_ MAC : 08:00:27:cf:7a:bb
      |_ Hostname : -unknown-
      |_ DHCP server : True
      |_ State : up
      |_ Ports : -none-
      |_ OS fingerprinting
------------
| 10.0.2.2 |
------------
      |_ MAC : 52:54:00:12:35:00
      |_ Hostname : -unknown-
      |_ State : up
      |_ Ports
      | [+] Protocol : tcp
      |     Port        State
      |     ====        =====
      |     135     open
      |     445     open
      |     8081        open
      |_ OS fingerprinting
        [+] Name : Grandstream GXP1105 VoIP phone (accuracy 90%)
        [+] Name : FireBrick FB2700 firewall (accuracy 87%)
        [+] Name : Garmin Virb Elite action camera (accuracy 87%)
        [+] Name : 2N Helios IP VoIP doorbell (accuracy 87%)
------------
| 10.0.2.1 |
------------
      |_ MAC : 52:54:00:12:35:00
      |_ Hostname : -unknown-
      |_ State : up
      |_ Ports
      | [+] Protocol : tcp
      |     Port        State
      |     ====        =====
      |     53      open
      |_ OS fingerprinting
        [+] Name : Grandstream GXP1105 VoIP phone (accuracy 98%)
        [+] Name : Garmin Virb Elite action camera (accuracy 94%)
        [+] Name : 2N Helios IP VoIP doorbell (accuracy 93%)
        [+] Name : NodeMCU firmware (lwIP stack) (accuracy 93%)
        [+] Name : Philips Hue Bridge (lwIP stack v1.4.0) (accuracy 92%)
        [+] Name : Rigol DSG3060 signal generator (accuracy 92%)
        [+] Name : Ocean Signal E101V emergency beacon (FreeRTOS/lwIP) (accuracy 91%)
        [+] Name : Espressif esp8266 firmware (lwIP stack) (accuracy 91%)
        [+] Name : lwIP 1.4.0 lightweight TCP/IP stack (accuracy 91%)
        [+] Name : Sony PlayStation 2 game console (accuracy 91%)

[*] Scanning took 171 seconds, task completed at 22:50:33.
上一篇下一篇

猜你喜欢

热点阅读