Kali Linux Penetration Testing, Active Information Gathering (3): Layer 4 Discovery (TCP, UDP, scapy, Nmap, Hping3)

Discovery: Layer 4 Discovery

Layer 4 discovery overview:

     Layer 4 discovery does use port probes, but it does not interpret the port state; it only uses layer-4 communication and judges from the port's response whether the target host is alive;

     The ultimate goal is to determine whether the target IP is alive;

Advantages:

     Routable and reliable results (a TCP/UDP probe is sent to a port, and the reply from that port tells whether the target IP is alive)

     Unlikely to be filtered by a firewall;

     Can even discover hosts on which every port is filtered;

Disadvantages:

     Stateful filtering firewalls may filter the scan;

     A full-port scan is slow;

TCP discovery:

     TCP discovery sends an ACK packet directly; a live target host normally returns an RST packet to tear down this abnormal TCP connection. A normal SYN packet can also be sent: if the target host returns either SYN/ACK or RST, that proves the target host is alive.

UDP discovery:

     If the target host is alive and the target UDP port is closed, the host returns a destination port unreachable packet, which proves the host is alive;

     If the target host is down, or it is alive but the target port is open, no packet comes back at all, so nothing proves the host is alive; this is why UDP discovery uses a port that is as uncommon as possible;

(1) scapy

1.1> ACK -> TCP Port -> RST (discovering a single host)

TCP discovery sends an ACK packet directly; a live target host normally returns an RST packet to tear down this abnormal TCP connection. A normal SYN packet can also be sent: if the target host returns either SYN/ACK or RST, that proves the target host is alive.

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> t=TCP()
>>> r=(i/t)
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ TCP ]### 
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= {}

>>> r[IP].dst="192.168.37.128"
>>> r[TCP].flags="A"
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 192.168.37.131
  dst= 192.168.37.128
  \options\
###[ TCP ]### 
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= A
     window= 8192
     chksum= None
     urgptr= 0
     options= {}

>>> a=sr1(r)
Begin emission:
..*Finished to send 1 packets.

Received 3 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 40
  id= 21833
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0xd932
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ TCP ]### 
     sport= http
     dport= ftp_data
     seq= 0
     ack= 0
     dataofs= 5L
     reserved= 0L
     flags= R              # RST packet returned
     window= 0
     chksum= 0xe328
     urgptr= 0
     options= {}
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00'

>>> r[TCP].dport=8888
>>> a.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 40
  id= 21833
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0xd932
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ TCP ]### 
     sport= http
     dport= ftp_data
     seq= 0
     ack= 0
     dataofs= 5L
     reserved= 0L
     flags= R
     window= 0
     chksum= 0xe328
     urgptr= 0
     options= {}
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00'

>>> a1=sr1(r)
Begin emission:
..Finished to send 1 packets.
*
Received 3 packets, got 1 answers, remaining 0 packets
>>> a1.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 40
  id= 21874
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0xd909
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ TCP ]### 
     sport= 8888
     dport= ftp_data
     seq= 0
     ack= 0
     dataofs= 5L
     reserved= 0L
     flags= R
     window= 0
     chksum= 0xc0c0
     urgptr= 0
     options= {}
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00'
>>> a=sr1(IP(dst='192.168.37.128')/TCP(dport=80,flags='A'),timeout=1)
Begin emission:
.Finished to send 1 packets.
.*
Received 3 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 40
  id= 22015
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0xd87c
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ TCP ]### 
     sport= http
     dport= ftp_data
     seq= 0
     ack= 0
     dataofs= 5L
     reserved= 0L
     flags= R
     window= 0
     chksum= 0xe328
     urgptr= 0
     options= {}
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00'

1.2> Using a Python script to ACK-scan multiple hosts (discovering multiple hosts)

Script: ACK_ping.py

#!/usr/bin/python
# Author: 橘子女侠
# This script scans a whole /24 network segment with TCP ACK probes

from scapy.all import *
prefix = "192.168.37."

for addr in range(1, 255):
    # Send one ACK probe to port 80 and wait at most 0.1 s for a reply
    response = sr1(IP(dst=prefix + str(addr)) / TCP(dport=80, flags='A'), timeout=0.1, verbose=0)
    # sr1() returns None on timeout, so guard before indexing the TCP layer
    if response is not None and response.haslayer(TCP):
        # A live host answers an unsolicited ACK with RST, whose flags value is 4
        if int(response[TCP].flags) == 4:
            print(prefix + str(addr))

Results below; the packets were also captured and examined in Wireshark:

root@root:~# python ACK_ping.py 
192.168.37.2
192.168.37.128

 Why does the script check int(response[TCP].flags)==4? Because when the reply is an RST packet the flags value is 4 (only the Reset bit is set), which proves the target host is alive;

Flags: 0x010 (ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set                    #...
    .... ...1 .... = Acknowledgment: Set                #16
    .... .... 0... = Push: Not set                      #8
    .... .... .0.. = Reset: Not set                     #4
    .... .... ..0. = Syn: Not set                       #2
    .... .... ...0 = Fin: Not set                       #1
    [TCP Flags: ·······A····]

 1.3> UDP discovery (scanning a single host):

     If the target host is alive and the target UDP port is closed, the host returns a destination port unreachable packet, which proves the host is alive;

     If the target host is down, or it is alive but the target port is open, no packet comes back at all, so nothing proves the host is alive; this is why UDP discovery uses a port that is as uncommon as possible;

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> u=UDP()
>>> r=(i/u)
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ UDP ]### 
     sport= domain
     dport= domain
     len= None
     chksum= None

>>> r[IP].dst="192.168.37.128"
>>> r[UDP].dport=7345
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 192.168.37.131
  dst= 192.168.37.128
  \options\
###[ UDP ]### 
     sport= domain
     dport= 7345
     len= None
     chksum= None

>>> a=sr1(r)
Begin emission:
.Finished to send 1 packets.
.*
Received 3 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 56
  id= 22161
  flags= 
  frag= 0L
  ttl= 128
  proto= icmp
  chksum= 0x17e0
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ ICMP ]### 
     type= dest-unreach
     code= port-unreachable
     chksum= 0xc96a
     reserved= 0
     length= 0
     nexthopmtu= 0
###[ IP in ICMP ]### 
        version= 4L
        ihl= 5L
        tos= 0x0
        len= 28
        id= 1
        flags= 
        frag= 0L
        ttl= 64
        proto= udp
        chksum= 0xae7c
        src= 192.168.37.131
        dst= 192.168.37.128
        \options\
###[ UDP in ICMP ]### 
           sport= domain
           dport= 7345
           len= 8
           chksum= 0x16a4

>>> r[IP].dst="192.168.37.100"
>>> a=sr1(r,timeout=1)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished to send 1 packets.
..
Received 2 packets, got 0 answers, remaining 1 packets
>>> a=sr1(IP(dst="192.168.37.128")/UDP(dport=7456),timeout=1)
Begin emission:
.Finished to send 1 packets.
.*
Received 3 packets, got 1 answers, remaining 0 packets
>>> a=sr1(IP(dst="192.168.37.100")/UDP(dport=7456),timeout=1)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
.Finished to send 1 packets.
.
Received 2 packets, got 0 answers, remaining 1 packets

1.4> Using a Python script to UDP-scan multiple hosts (discovering multiple hosts)

Script: UDP_ping.py

#!/usr/bin/python
# Author: 橘子女侠
# This script scans a whole /24 network segment with UDP probes

from scapy.all import *
prefix = "192.168.37."

for addr in range(1, 255):
    # Probe an uncommon UDP port so that a live host answers with ICMP port unreachable
    response = sr1(IP(dst=prefix + str(addr)) / UDP(dport=8981), timeout=0.1, verbose=0)
    # sr1() returns None on timeout, so guard before reading the IP layer
    if response is not None and response.haslayer(IP):
        # IP protocol number 1 is ICMP; the reply to a closed UDP port is ICMP port unreachable
        if int(response[IP].proto) == 1:
            print(prefix + str(addr))

 Results below; the packets were also captured and examined in Wireshark:

root@root:~# python UDP_ping.py 
192.168.37.128

Why does the script check int(response[IP].proto)==1? Because the UDP scan probes a very uncommon port on the target host; if the host is alive it replies with destination port unreachable, which is an ICMP packet. In the IP header this shows up as Protocol: ICMP (1), i.e. the value 1;

Internet Protocol Version 4, Src: 192.168.37.128, Dst: 192.168.37.131
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 56
    Identification: 0x58e3 (22755)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (1)                     # the protocol number of ICMP is 1
    ......
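Added here as an illustration (not the blog's own code): a dependency-free Python version of the two checks that ACK_ping.py and UDP_ping.py rely on, the RST flags value 4 in the ACK scan and IP protocol number 1 (ICMP) in the UDP scan, applied to raw IPv4 replies built inline. The ipv4() and classify_reply() helpers, the sample packets and the router address used for the host-unreachable case are constructed for this example, not captured from the lab.

```python
import struct

# Bit values of the TCP flags byte, matching the Wireshark dissection above.
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def decode_tcp_flags(value):
    """Names of the flags set in a TCP flags byte, e.g. 4 -> ['RST'], 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]

def ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def classify_reply(packet):
    """Classify a raw IPv4 reply to a layer-4 probe.
    Returns ("tcp-rst", src) for an RST (what an ACK probe to a live host gets back),
    ("tcp-synack", src) for SYN/ACK (a SYN probe that hit an open port),
    ("icmp-port-unreach", src) for ICMP type 3 code 3 (a UDP probe to a closed port),
    and (None, src) for anything that does not prove the probed host is alive."""
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    proto = packet[9]                         # IP protocol number: 6 = TCP, 1 = ICMP
    src = ".".join(str(b) for b in packet[12:16])
    l4 = packet[ihl:]
    if proto == 6:                            # TCP: flags byte sits at offset 13 of the header
        flags = decode_tcp_flags(l4[13])
        if "RST" in flags:
            return "tcp-rst", src
        if "SYN" in flags and "ACK" in flags:
            return "tcp-synack", src
    elif proto == 1:                          # ICMP: type and code are the first two bytes
        if l4[0] == 3 and l4[1] == 3:
            return "icmp-port-unreach", src
    return None, src

# Constructed sample replies (not captured traffic), using the lab addresses from the post.
TARGET, SCANNER = "192.168.37.128", "192.168.37.131"
RST_REPLY = ipv4(TARGET, SCANNER, 6, struct.pack("!HHIIBBHHH", 80, 20, 0, 0, 5 << 4, 0x04, 0, 0, 0))
SYNACK_REPLY = ipv4(TARGET, SCANNER, 6, struct.pack("!HHIIBBHHH", 80, 20, 0, 1, 5 << 4, 0x12, 8192, 0, 0))
PROBE = ipv4(SCANNER, TARGET, 17, struct.pack("!HHHH", 53, 7345, 8, 0))   # the UDP probe being quoted back
PORT_UNREACH = ipv4(TARGET, SCANNER, 1, struct.pack("!BBHI", 3, 3, 0, 0) + PROBE)
# ICMP host unreachable (type 3 code 1) is sent by a router (constructed address), so it proves nothing.
HOST_UNREACH = ipv4("192.168.37.2", SCANNER, 1, struct.pack("!BBHI", 3, 1, 0, 0) + PROBE)

if __name__ == "__main__":
    for name, pkt in [("RST", RST_REPLY), ("SYN/ACK", SYNACK_REPLY),
                      ("port unreachable", PORT_UNREACH), ("host unreachable", HOST_UNREACH)]:
        print(name, "->", classify_reply(pkt))
```

The constructed port-unreachable reply is 56 bytes long (20 IP + 8 ICMP + 20 quoted IP + 8 quoted UDP), the same Total Length the Wireshark dump above shows for the real one.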

(2) Nmap

  • nmap 221.204.241.150-200 -PU53543 -sn    # UDP ping sweep of multiple hosts; a port unreachable reply means the host is alive;
  • nmap 221.204.241.150-200 -PA53543 -sn    # TCP ACK ping sweep of multiple hosts; an RST reply means the target host is alive;
  • nmap -iL IP.txt -PA80 -sn                # nmap can read the target IPs from a list file; an RST reply means the target host is alive;
root@root:~# nmap 221.204.241.150-200 -PU53543 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 10:24 CST
Nmap done: 51 IP addresses (0 hosts up) scanned in 12.04 seconds

root@root:~# nmap 221.204.241.150-200 -PA53543 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 10:25 CST
Nmap scan report for 150.241.204.221.adsl-pool.sx.cn (221.204.241.150)
Host is up (0.000078s latency).
Nmap scan report for 151.241.204.221.adsl-pool.sx.cn (221.204.241.151)
Host is up (0.00028s latency).
Nmap scan report for 152.241.204.221.adsl-pool.sx.cn (221.204.241.152)
Host is up (0.00018s latency).
Nmap scan report for 153.241.204.221.adsl-pool.sx.cn (221.204.241.153)
Host is up (0.00017s latency).
......
Nmap scan report for 194.241.204.221.adsl-pool.sx.cn (221.204.241.194)
Host is up (0.000076s latency).
Nmap scan report for 195.241.204.221.adsl-pool.sx.cn (221.204.241.195)
Host is up (0.000084s latency).
Nmap scan report for 196.241.204.221.adsl-pool.sx.cn (221.204.241.196)
Host is up (0.000095s latency).
Nmap scan report for 197.241.204.221.adsl-pool.sx.cn (221.204.241.197)
Host is up (0.000075s latency).
Nmap scan report for 198.241.204.221.adsl-pool.sx.cn (221.204.241.198)
Host is up (0.000084s latency).
Nmap scan report for 199.241.204.221.adsl-pool.sx.cn (221.204.241.199)
Host is up (0.00015s latency).
Nmap scan report for 200.241.204.221.adsl-pool.sx.cn (221.204.241.200)
Host is up (0.00014s latency).
Nmap done: 51 IP addresses (51 hosts up) scanned in 0.25 seconds

root@root:~# cat IP.txt 
221.204.241.2
221.204.241.20
221.204.241.200
221.204.241.90
221.204.241.199
root@root:~# nmap -iL IP.txt -PA80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 10:36 CST
Nmap scan report for 2.241.204.221.adsl-pool.sx.cn (221.204.241.2)
Host is up (0.000030s latency).
Nmap scan report for 20.241.204.221.adsl-pool.sx.cn (221.204.241.20)
Host is up (0.00020s latency).
Nmap scan report for 200.241.204.221.adsl-pool.sx.cn (221.204.241.200)
Host is up (0.000030s latency).
Nmap scan report for 90.241.204.221.adsl-pool.sx.cn (221.204.241.90)
Host is up (0.000036s latency).
Nmap scan report for 199.241.204.221.adsl-pool.sx.cn (221.204.241.199)
Host is up (0.000030s latency).
Nmap done: 5 IP addresses (5 hosts up) scanned in 0.09 seconds

(3) Hping3

3.1> Use hping3 --udp to scan a single host; a port unreachable reply proves the host is alive;

root@root:~# hping3 --udp 221.204.241.2 -c 1
HPING 221.204.241.2 (eth0 221.204.241.2): udp mode set, 28 headers + 0 data bytes

--- 221.204.241.2 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@root:~# hping3 --udp 192.168.37.128 -c 1
HPING 192.168.37.128 (eth0 192.168.37.128): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.37.128 name=bogon     
status=0 port=2378 seq=0

--- 192.168.37.128 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 125.5/125.5/125.5 ms

3.2> Using a shell script to determine whether multiple hosts are alive;

Script 1: UDP_hping.sh

#!/bin/bash
# Author: 橘子女侠
# This script scans multiple IP addresses and prints the IPs of the live hosts
if [ "$#" -ne 1 ]
then
	echo "Example ./UDP_hping.sh 172.16.36.0"
	exit 1
fi

prefix=$(echo "$1" | cut -d '.' -f 1-3)
for addr in $(seq 1 254)
do
	# one UDP probe per host; a live host answers "ICMP Port Unreachable from ip=..."
	hping3 "$prefix.$addr" --udp -c 1 >> r.txt
done
# keep only the address from the ip= field of the "ICMP Port Unreachable" lines
grep Unreachable r.txt | cut -d " " -f 5 | cut -d "=" -f 2 >> output.txt
rm r.txt

Results below; the packets were also captured and examined in Wireshark:

root@root:~# chmod u+x UDP_hping.sh 
root@root:~# ./UDP_hping.sh 221.204.241.0

--- 221.204.241.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.2 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.3 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.4 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.5 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.6 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.7 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.8 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.9 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.10 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
......
--- 221.204.241.252 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.253 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.254 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Script 2: TCP_hping.sh

#!/bin/bash
# Author: 橘子女侠
# This script scans multiple IP addresses and prints the IP addresses of the live hosts
if [ "$#" -ne 1 ]
then
	echo "Example ./TCP_hping.sh 172.16.36.0"
	exit 1
fi

prefix=$(echo "$1" | cut -d '.' -f 1-3)
for addr in $(seq 1 254)
do
	# one TCP probe per host (hping3 defaults to TCP mode); a live host answers with RST,
	# which hping3 prints as a "len=... ip=... flags=R..." line
	hping3 "$prefix.$addr" -c 1 >> r.txt
done
# keep only the address from the ip= field of the RST reply lines
grep 'flags=R' r.txt | grep -o 'ip=[^ ]*' | cut -d "=" -f 2 >> output.txt
rm r.txt

Results below; the packets were also captured and examined in Wireshark:

root@root:~# chmod u+x TCP_hping.sh 
root@root:~# ./TCP_hping.sh 221.204.241.0
./TCP_hping.sh:行2: [1: 未找到命令

--- 221.204.241.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.2 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.3 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.4 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.5 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.6 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.7 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.8 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.9 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.10 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
......
--- 221.204.241.252 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.253 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 221.204.241.254 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


Reposted from blog.csdn.net/qq_38684504/article/details/89214410