美文网首页
主机发现原理及工具使用 - 安全工具篇

主机发现原理及工具使用 - 安全工具篇

作者: DreamsonMa | 来源:发表于2019-04-10 17:06 被阅读0次

    OSI及TCP/IP模型

    互联网的本质就是一系列的网络协议,这个协议就叫OSI协议(即开放式系统互联)


    OSI协议

    按照功能不同,分工不同,人为的分层七层。实际上还有人把它划成五层、四层。

    网络分成模型

    每一层的功能和用到的协议:


    OSI分层和用到的协议 OSI分层和用到的协议

    二层主机发现

    二层主机发现指:利用OSI中链路层中的协议进行主机发现。一般使用ARP协议(局域网中通信使用ARP协议,利用MAC地址作为对应的识别地址)。

    优点:1、速度快;2、可靠性高
    缺点:无法扫描经过路由的主机

    二层主机发现工具使用

    arping工具

    Arping 是一个 ARP 级别的 ping 工具,可用来直接 ping MAC 地址,以及找出那些 ip 地址被哪些电脑所使用了。缺点:无法多个主机同时扫描

    通过eth0网卡对同网段ip进行ARP嗅探,只请求一次。

    root@kali:~# arping -c 1 -i eth0  192.168.56.102
    ARPING 192.168.56.102
    60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=25.626 msec
    
    --- 192.168.56.102 statistics ---
    1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
    rtt min/avg/max/std-dev = 25.626/25.626/25.626/0.000 ms
    

    有时候,本地查不到某主机,可以通过让网关或别的机器进行ARP嗅探。

    root@kali:~# arping -c 1 -S 192.168.56.0 192.168.56.102
    ARPING 192.168.56.102
    60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=19.355 msec
    
    --- 192.168.56.102 statistics ---
    1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
    rtt min/avg/max/std-dev = 19.355/19.355/19.355/0.000 ms
    

    netdiscover工具

    Netdiscover是一个主动/被动的APR侦查工具。该工具在不使用DHCP的无线网络上非常有用。使用Netdiscover工具可以在网络上扫描IP地址,检查在主机或搜索为它们发送的APR请求。

    使用Netdiscover工具,扫描局域网中所有的主机

    root@kali:~# netdiscover 
    
     Currently scanning: 192.168.50.0/16   |   Screen View: Unique Hosts                                                                                     
                                                                                                                                                             
     1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60                                                                                          
     _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------
     192.168.56.102  0a:00:27:00:00:05      1      60  Unknown vendor  
    

    使用Netdiscover工具,使用被动模式,监听指定网卡,指定子网中的所有主机

    root@kali:~# netdiscover -p  -i eth1 -r 10.0.2.0/24
    
     Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                                           
                                                                                                                                                             
     4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 240                                                                                         
     _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------
     10.0.2.9        08:00:27:89:4b:13      2     120  PCS Systemtechnik GmbH                                                                                
     10.0.2.8        08:00:27:c4:40:af      2     120  PCS Systemtechnik GmbH 
    

    三层主机发现

    三层主机发现指:利用OSI中网络中的协议进行主机发现。一般使用ICMP协议。
    优点:1、可以发现远程主机,经过路由的主机;2、速度相对比较快
    缺点:1、经常被防火墙过滤;2、速度相比二层发现慢

    三层主机发现工具使用

    ping工具

    ping工具通过ICMP协议回复请求以检测主机是否存在,它在Linux和windows都有自带,Linux下ping如果不指定-c参数,一直扫描。Windows下默认进行四次探测。

    root@kali:~# ping 192.168.56.102 -c 1
    PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
    64 bytes from 192.168.56.102: icmp_seq=1 ttl=64 time=1.17 ms
    
    --- 192.168.56.102 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.167/1.167/1.167/0.000 ms
    

    fping工具

    fping程序类似于ping,与ping不同的地方在于,可以针对多个主机同时进行主机发现。

    fping对多个IP进行嗅探

    root@kali:~# fping -4 -a  10.0.2.8 10.0.2.9 10.0.2.10
    10.0.2.8
    10.0.2.9
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    

    fping利用文本对多个IP进行嗅探

    root@kali:~# cat ips.txt
    10.0.2.8
    10.0.2.9
    10.0.2.10
    root@kali:~# fping -4 -f ips.txt
    10.0.2.8 is alive
    10.0.2.9 is alive
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    10.0.2.10 is unreachable
    

    fping对一个子网或IP范围进行修改

    root@kali:~# fping  -c 1  -4 -g 10.0.2.0/24 > result.txt 
    ...
    root@kali:~# cat result.txt 
    10.0.2.1   : [0], 84 bytes, 0.19 ms (0.19 avg, 0% loss)
    10.0.2.2   : [0], 84 bytes, 1.46 ms (1.46 avg, 0% loss)
    10.0.2.7   : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
    10.0.2.8   : [0], 84 bytes, 0.22 ms (0.22 avg, 0% loss)
    10.0.2.9   : [0], 84 bytes, 0.24 ms (0.24 avg, 0% loss)
    
    root@kali:~# fping  -a  -4 -g 10.0.2.7 10.0.2.10
    10.0.2.7
    10.0.2.8
    10.0.2.9
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
    

    hping3工具

    hping3,它支持TCP,UDP,ICMP和RAW-IP协议,具有跟踪路由模式,能够在覆盖的信道之间发送文件以及许多其他功能,支持使用tcl脚本自动化地调用其API。特点:支持发送自定义ICMP数据包

    使用hping3工具,利用icmp协议嗅探主机

    root@kali:~# hping3 -c 1 --icmp 10.0.2.9 
    HPING 10.0.2.9 (eth1 10.0.2.9): icmp mode set, 28 headers + 0 data bytes
    len=46 ip=10.0.2.9 ttl=64 id=14501 icmp_seq=0 rtt=9.5 ms
    
    --- 10.0.2.9 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 9.5/9.5/9.5 ms
    

    端口扫描。Hping3支持指定TCP各个标志位、长度等信息。

    参数 说明
    -I eth0 指定使用eth0端口
    -S 指定TCP包的标志位SYN
    -p 68 指定探测的目的端口68
    root@kali:~# hping3 -c 1 -I eth1 -S  10.0.2.9  -p 68
    HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
    len=46 ip=10.0.2.9 ttl=64 DF id=62866 sport=68 flags=RA seq=0 win=0 rtt=7.5 ms
    
    --- 10.0.2.9 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 7.5/7.5/7.5 ms
    

    拒绝服务攻击,比如对目标机发起大量SYN连接,伪造源地址为10.0.2.8,并使用1000微秒的间隔发送各个SYN包。其他攻击如smurf、teardrop、land attack等也很容易构建出来。

    root@kali:~# hping3 -I eth1 -a 10.0.2.8 -S 10.0.2.9 -p 68 -i u1000
    HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
    ^C
    --- 10.0.2.9 hping statistic ---
    3020 packets transmitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    

    LandAttack攻击(Land Attack是将发送源地址设置为与目标地址相同,诱使目标机与自己不停地建立连接)

    root@kali:~# hping3 -S -c 1000000 -a 10.0.2.9 -p 53 10.0.2.9
    HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
    ^C
    --- 10.0.2.9 hping statistic ---
    36 packets transmitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    

    使用Hping3测试防火墙规则,测试防火墙对ICMP包的反应、是否支持traceroute、是否开放某个端口、对防火墙进行拒绝服务攻击(DoS attack)等。

    四层主机发现

    四层发现指利用OSI中的传输层协议进行主机发现,一般使用TCP、UDP探测。

    优点:1、可以探测远程主机;2、比三层发现更为可靠
    缺点:花费时间更长

    四层主机发现工具使用

    Nmap工具

    Nmap可以进行二、三、四层的探测,功能十分强大。
    -sn:使用ping探测
    --traceroute:二层发现

    root@kali:~# nmap  10.0.2.5
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:34 EDT
    Nmap scan report for 10.0.2.5
    Host is up (0.00041s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    5432/tcp open  postgresql
    5900/tcp open  vnc
    6000/tcp open  X11
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
    

    hping3工具

    hping3同样可以用来做四层主机发现

    root@kali:~# hping3 -c 1 --udp 10.0.2.5
    HPING 10.0.2.5 (eth1 10.0.2.5): udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip=10.0.2.5 name=UNKNOWN   
    status=0 port=1356 seq=0
    
    --- 10.0.2.5 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 14.5/14.5/14.5 ms
    

    使用python脚本

    使用Github上分享的主机发现脚本: https://github.com/Cyber-Forensic/nWatch

    root@kali:~/Desktop# git clone https://github.com/Cyber-Forensic/nWatch.git
    Cloning into 'nWatch'...
    remote: Enumerating objects: 80, done.
    remote: Total 80 (delta 0), reused 0 (delta 0), pack-reused 80
    Unpacking objects: 100% (80/80), done.
    root@kali:~/Desktop# cd nWatch/
    root@kali:~/Desktop/nWatch# pip install python-nmap
    Collecting python-nmap
      Downloading https://files.pythonhosted.org/packages/dc/f2/9e1a2953d4d824e183ac033e3d223055e40e695fa6db2cb3e94a864eaa84/python-nmap-0.6.1.tar.gz (41kB)
        100% |████████████████████████████████| 51kB 59kB/s 
    Building wheels for collected packages: python-nmap
      Running setup.py bdist_wheel for python-nmap ... done
      Stored in directory: /root/.cache/pip/wheels/bb/a6/48/4d9e2285291b458c3f17064b1dac2f2fb0045736cb88562854
    Successfully built python-nmap
    Installing collected packages: python-nmap
    Successfully installed python-nmap-0.6.1
    root@kali:~/Desktop/nWatch# python nwatch.py 
    
             888       888          888            888      
             888   o   888          888            888      
             888  d8b  888          888            888      
        88888b.  888 d888b 888  8888b.  888888 .d8888b 88888b.  
        888 "88b 888d88888b888     "88b 888   d88P"    888 "88b 
        888  888 88888P Y88888 .d888888 888   888      888  888 
        888  888 8888P   Y8888 888  888 Y88b. Y88b.    888  888 
        888  888 888P     Y888 "Y888888  "Y888 "Y8888P 888  888 
    
                        [&] Created by suraj (#r00t)
    [+] Started at 22:47:35
    [*] Choose a network interface
    
    ------------------------------------------------------------------------------------------
    | Sl-no | Interface name |     IPv4-address     |              IPv6-address              |
    ------------------------------------------------------------------------------------------
    |   1   |       lo       |      127.0.0.1       |                  ::1                   |<= DO NOT USE LOCALHOST
    |   2   |      eth1      |       10.0.2.7       |        fe80::a00:27ff:fec2:3234        | 
    |   3   |      eth0      |    192.168.56.103    |        fe80::a00:27ff:fee9:b184        | 
    ------------------------------------------------------------------------------------------
    choose an interface> 2
    [*] Interface => eth1
    [*] Scanning subnet(10.0.2.7/24) on eth1 interface
    ------------
    | 10.0.2.5 |
    ------------
          |_ MAC : 08:00:27:87:7b:b0
          |_ Hostname : -unknown-
          |_ State : up
          |_ Ports
          | [+] Protocol : tcp
          |     Port        State
          |     ====        =====
          |     21      open
          |     22      open
          |     23      open
          |     25      open
          |     53      open
          |     80      open
          |     111     open
          |     139     open
          |     445     open
          |     512     open
          |     513     open
          |     514     open
          |     1099        open
          |     1524        open
          |     2049        open
          |     2121        open
          |     3306        open
          |     5432        open
          |     5900        open
          |     6000        open
          |     6667        open
          |     8009        open
          |     8180        open
          |_ OS fingerprinting
            [+] Name : Linux 2.6.9 - 2.6.33 (accuracy 100%)
    ------------
    | 10.0.2.3 |
    ------------
          |_ MAC : 08:00:27:cf:7a:bb
          |_ Hostname : -unknown-
          |_ DHCP server : True
          |_ State : up
          |_ Ports : -none-
          |_ OS fingerprinting
    ------------
    | 10.0.2.2 |
    ------------
          |_ MAC : 52:54:00:12:35:00
          |_ Hostname : -unknown-
          |_ State : up
          |_ Ports
          | [+] Protocol : tcp
          |     Port        State
          |     ====        =====
          |     135     open
          |     445     open
          |     8081        open
          |_ OS fingerprinting
            [+] Name : Grandstream GXP1105 VoIP phone (accuracy 90%)
            [+] Name : FireBrick FB2700 firewall (accuracy 87%)
            [+] Name : Garmin Virb Elite action camera (accuracy 87%)
            [+] Name : 2N Helios IP VoIP doorbell (accuracy 87%)
    ------------
    | 10.0.2.1 |
    ------------
          |_ MAC : 52:54:00:12:35:00
          |_ Hostname : -unknown-
          |_ State : up
          |_ Ports
          | [+] Protocol : tcp
          |     Port        State
          |     ====        =====
          |     53      open
          |_ OS fingerprinting
            [+] Name : Grandstream GXP1105 VoIP phone (accuracy 98%)
            [+] Name : Garmin Virb Elite action camera (accuracy 94%)
            [+] Name : 2N Helios IP VoIP doorbell (accuracy 93%)
            [+] Name : NodeMCU firmware (lwIP stack) (accuracy 93%)
            [+] Name : Philips Hue Bridge (lwIP stack v1.4.0) (accuracy 92%)
            [+] Name : Rigol DSG3060 signal generator (accuracy 92%)
            [+] Name : Ocean Signal E101V emergency beacon (FreeRTOS/lwIP) (accuracy 91%)
            [+] Name : Espressif esp8266 firmware (lwIP stack) (accuracy 91%)
            [+] Name : lwIP 1.4.0 lightweight TCP/IP stack (accuracy 91%)
            [+] Name : Sony PlayStation 2 game console (accuracy 91%)
    
    [*] Scanning took 171 seconds, task completed at 22:50:33.
    

    相关文章

      网友评论

          本文标题:主机发现原理及工具使用 - 安全工具篇

          本文链接:https://www.haomeiwen.com/subject/jhvgiqtx.html