OSI及TCP/IP模型
互联网的本质就是一系列的网络协议,这个协议就叫OSI协议(即开放式系统互联)
按照功能不同,分工不同,人为的分层七层。实际上还有人把它划成五层、四层。
每一层的功能和用到的协议:
二层主机发现
二层主机发现指:利用OSI中链路层中的协议进行主机发现。一般使用ARP协议(局域网中通信使用ARP协议,利用MAC地址作为对应的识别地址)。
优点:1、速度快;2、可靠性高
缺点:无法扫描经过路由的主机
二层主机发现工具使用
arping工具
Arping 是一个 ARP 级别的 ping 工具,可用来直接 ping MAC 地址,以及找出那些 ip 地址被哪些电脑所使用了。缺点:无法多个主机同时扫描
通过eth0网卡对同网段ip进行ARP嗅探,只请求一次。
root@kali:~# arping -c 1 -i eth0 192.168.56.102
ARPING 192.168.56.102
60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=25.626 msec
--- 192.168.56.102 statistics ---
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 25.626/25.626/25.626/0.000 ms
有时候,本地查不到某主机,可以通过让网关或别的机器进行ARP嗅探。
root@kali:~# arping -c 1 -S 192.168.56.0 192.168.56.102
ARPING 192.168.56.102
60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=19.355 msec
--- 192.168.56.102 statistics ---
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 19.355/19.355/19.355/0.000 ms
netdiscover工具
Netdiscover是一个主动/被动的APR侦查工具。该工具在不使用DHCP的无线网络上非常有用。使用Netdiscover工具可以在网络上扫描IP地址,检查在主机或搜索为它们发送的APR请求。
使用Netdiscover工具,扫描局域网中所有的主机
root@kali:~# netdiscover
Currently scanning: 192.168.50.0/16 | Screen View: Unique Hosts
1 Captured ARP Req/Rep packets, from 1 hosts. Total size: 60
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.102 0a:00:27:00:00:05 1 60 Unknown vendor
使用Netdiscover工具,使用被动模式,监听指定网卡,指定子网中的所有主机
root@kali:~# netdiscover -p -i eth1 -r 10.0.2.0/24
Currently scanning: (passive) | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 2 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.2.9 08:00:27:89:4b:13 2 120 PCS Systemtechnik GmbH
10.0.2.8 08:00:27:c4:40:af 2 120 PCS Systemtechnik GmbH
三层主机发现
三层主机发现指:利用OSI中网络中的协议进行主机发现。一般使用ICMP协议。
优点:1、可以发现远程主机,经过路由的主机;2、速度相对比较快
缺点:1、经常被防火墙过滤;2、速度相比二层发现慢
三层主机发现工具使用
ping工具
ping工具通过ICMP协议回复请求以检测主机是否存在,它在Linux和windows都有自带,Linux下ping如果不指定-c参数,一直扫描。Windows下默认进行四次探测。
root@kali:~# ping 192.168.56.102 -c 1
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_seq=1 ttl=64 time=1.17 ms
--- 192.168.56.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.167/1.167/1.167/0.000 ms
fping工具
fping程序类似于ping,与ping不同的地方在于,可以针对多个主机同时进行主机发现。
fping对多个IP进行嗅探
root@kali:~# fping -4 -a 10.0.2.8 10.0.2.9 10.0.2.10
10.0.2.8
10.0.2.9
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
fping利用文本对多个IP进行嗅探
root@kali:~# cat ips.txt
10.0.2.8
10.0.2.9
10.0.2.10
root@kali:~# fping -4 -f ips.txt
10.0.2.8 is alive
10.0.2.9 is alive
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
10.0.2.10 is unreachable
fping对一个子网或IP范围进行修改
root@kali:~# fping -c 1 -4 -g 10.0.2.0/24 > result.txt
...
root@kali:~# cat result.txt
10.0.2.1 : [0], 84 bytes, 0.19 ms (0.19 avg, 0% loss)
10.0.2.2 : [0], 84 bytes, 1.46 ms (1.46 avg, 0% loss)
10.0.2.7 : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
10.0.2.8 : [0], 84 bytes, 0.22 ms (0.22 avg, 0% loss)
10.0.2.9 : [0], 84 bytes, 0.24 ms (0.24 avg, 0% loss)
root@kali:~# fping -a -4 -g 10.0.2.7 10.0.2.10
10.0.2.7
10.0.2.8
10.0.2.9
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
hping3工具
hping3,它支持TCP,UDP,ICMP和RAW-IP协议,具有跟踪路由模式,能够在覆盖的信道之间发送文件以及许多其他功能,支持使用tcl脚本自动化地调用其API。特点:支持发送自定义ICMP数据包
使用hping3工具,利用icmp协议嗅探主机
root@kali:~# hping3 -c 1 --icmp 10.0.2.9
HPING 10.0.2.9 (eth1 10.0.2.9): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.0.2.9 ttl=64 id=14501 icmp_seq=0 rtt=9.5 ms
--- 10.0.2.9 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.5/9.5/9.5 ms
端口扫描。Hping3支持指定TCP各个标志位、长度等信息。
参数 | 说明 |
---|---|
-I eth0 | 指定使用eth0端口 |
-S | 指定TCP包的标志位SYN |
-p 68 | 指定探测的目的端口68 |
root@kali:~# hping3 -c 1 -I eth1 -S 10.0.2.9 -p 68
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
len=46 ip=10.0.2.9 ttl=64 DF id=62866 sport=68 flags=RA seq=0 win=0 rtt=7.5 ms
--- 10.0.2.9 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.5/7.5/7.5 ms
拒绝服务攻击,比如对目标机发起大量SYN连接,伪造源地址为10.0.2.8,并使用1000微秒的间隔发送各个SYN包。其他攻击如smurf、teardrop、land attack等也很容易构建出来。
root@kali:~# hping3 -I eth1 -a 10.0.2.8 -S 10.0.2.9 -p 68 -i u1000
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
^C
--- 10.0.2.9 hping statistic ---
3020 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
LandAttack攻击(Land Attack是将发送源地址设置为与目标地址相同,诱使目标机与自己不停地建立连接)
root@kali:~# hping3 -S -c 1000000 -a 10.0.2.9 -p 53 10.0.2.9
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
^C
--- 10.0.2.9 hping statistic ---
36 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
使用Hping3测试防火墙规则,测试防火墙对ICMP包的反应、是否支持traceroute、是否开放某个端口、对防火墙进行拒绝服务攻击(DoS attack)等。
四层主机发现
四层发现指利用OSI中的传输层协议进行主机发现,一般使用TCP、UDP探测。
优点:1、可以探测远程主机;2、比三层发现更为可靠
缺点:花费时间更长
四层主机发现工具使用
Nmap工具
Nmap可以进行二、三、四层的探测,功能十分强大。
-sn
:使用ping探测
--traceroute
:二层发现
root@kali:~# nmap 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:34 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00041s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
hping3工具
hping3同样可以用来做四层主机发现
root@kali:~# hping3 -c 1 --udp 10.0.2.5
HPING 10.0.2.5 (eth1 10.0.2.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.0.2.5 name=UNKNOWN
status=0 port=1356 seq=0
--- 10.0.2.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 14.5/14.5/14.5 ms
使用python脚本
使用Github上分享的主机发现脚本: https://github.com/Cyber-Forensic/nWatch
root@kali:~/Desktop# git clone https://github.com/Cyber-Forensic/nWatch.git
Cloning into 'nWatch'...
remote: Enumerating objects: 80, done.
remote: Total 80 (delta 0), reused 0 (delta 0), pack-reused 80
Unpacking objects: 100% (80/80), done.
root@kali:~/Desktop# cd nWatch/
root@kali:~/Desktop/nWatch# pip install python-nmap
Collecting python-nmap
Downloading https://files.pythonhosted.org/packages/dc/f2/9e1a2953d4d824e183ac033e3d223055e40e695fa6db2cb3e94a864eaa84/python-nmap-0.6.1.tar.gz (41kB)
100% |████████████████████████████████| 51kB 59kB/s
Building wheels for collected packages: python-nmap
Running setup.py bdist_wheel for python-nmap ... done
Stored in directory: /root/.cache/pip/wheels/bb/a6/48/4d9e2285291b458c3f17064b1dac2f2fb0045736cb88562854
Successfully built python-nmap
Installing collected packages: python-nmap
Successfully installed python-nmap-0.6.1
root@kali:~/Desktop/nWatch# python nwatch.py
888 888 888 888
888 o 888 888 888
888 d8b 888 888 888
88888b. 888 d888b 888 8888b. 888888 .d8888b 88888b.
888 "88b 888d88888b888 "88b 888 d88P" 888 "88b
888 888 88888P Y88888 .d888888 888 888 888 888
888 888 8888P Y8888 888 888 Y88b. Y88b. 888 888
888 888 888P Y888 "Y888888 "Y888 "Y8888P 888 888
[&] Created by suraj (#r00t)
[+] Started at 22:47:35
[*] Choose a network interface
------------------------------------------------------------------------------------------
| Sl-no | Interface name | IPv4-address | IPv6-address |
------------------------------------------------------------------------------------------
| 1 | lo | 127.0.0.1 | ::1 |<= DO NOT USE LOCALHOST
| 2 | eth1 | 10.0.2.7 | fe80::a00:27ff:fec2:3234 |
| 3 | eth0 | 192.168.56.103 | fe80::a00:27ff:fee9:b184 |
------------------------------------------------------------------------------------------
choose an interface> 2
[*] Interface => eth1
[*] Scanning subnet(10.0.2.7/24) on eth1 interface
------------
| 10.0.2.5 |
------------
|_ MAC : 08:00:27:87:7b:b0
|_ Hostname : -unknown-
|_ State : up
|_ Ports
| [+] Protocol : tcp
| Port State
| ==== =====
| 21 open
| 22 open
| 23 open
| 25 open
| 53 open
| 80 open
| 111 open
| 139 open
| 445 open
| 512 open
| 513 open
| 514 open
| 1099 open
| 1524 open
| 2049 open
| 2121 open
| 3306 open
| 5432 open
| 5900 open
| 6000 open
| 6667 open
| 8009 open
| 8180 open
|_ OS fingerprinting
[+] Name : Linux 2.6.9 - 2.6.33 (accuracy 100%)
------------
| 10.0.2.3 |
------------
|_ MAC : 08:00:27:cf:7a:bb
|_ Hostname : -unknown-
|_ DHCP server : True
|_ State : up
|_ Ports : -none-
|_ OS fingerprinting
------------
| 10.0.2.2 |
------------
|_ MAC : 52:54:00:12:35:00
|_ Hostname : -unknown-
|_ State : up
|_ Ports
| [+] Protocol : tcp
| Port State
| ==== =====
| 135 open
| 445 open
| 8081 open
|_ OS fingerprinting
[+] Name : Grandstream GXP1105 VoIP phone (accuracy 90%)
[+] Name : FireBrick FB2700 firewall (accuracy 87%)
[+] Name : Garmin Virb Elite action camera (accuracy 87%)
[+] Name : 2N Helios IP VoIP doorbell (accuracy 87%)
------------
| 10.0.2.1 |
------------
|_ MAC : 52:54:00:12:35:00
|_ Hostname : -unknown-
|_ State : up
|_ Ports
| [+] Protocol : tcp
| Port State
| ==== =====
| 53 open
|_ OS fingerprinting
[+] Name : Grandstream GXP1105 VoIP phone (accuracy 98%)
[+] Name : Garmin Virb Elite action camera (accuracy 94%)
[+] Name : 2N Helios IP VoIP doorbell (accuracy 93%)
[+] Name : NodeMCU firmware (lwIP stack) (accuracy 93%)
[+] Name : Philips Hue Bridge (lwIP stack v1.4.0) (accuracy 92%)
[+] Name : Rigol DSG3060 signal generator (accuracy 92%)
[+] Name : Ocean Signal E101V emergency beacon (FreeRTOS/lwIP) (accuracy 91%)
[+] Name : Espressif esp8266 firmware (lwIP stack) (accuracy 91%)
[+] Name : lwIP 1.4.0 lightweight TCP/IP stack (accuracy 91%)
[+] Name : Sony PlayStation 2 game console (accuracy 91%)
[*] Scanning took 171 seconds, task completed at 22:50:33.