Kali Linux 渗透测试之主动信息收集（二）——三层发现（ping/shell脚本、scapy/python脚本、nmap、fping、hping3）

发现——三层发现

原理：使用IP/ICMP协议；

优点：相对于二层可以路由，速度比较快；

缺点：速度比二层慢，经常被防火墙过滤掉；

（1）ping

1.1> ping单个主机

• ping 192.168.37.128            #ping目标主机，会一直ping下去，按CTRL+C可暂停；
• ping 192.168.37.128 -c 2     #使用-c参数，指定ping的次数；
• ping 192.168.37.128 -c 1 | grep 'bytes from'|awk '{print $4}'|awk -F':' '{print $1}'   #获取成功ping通主机的IP地址

root@root:~# ping 192.168.37.128    
PING 192.168.37.128 (192.168.37.128) 56(84) bytes of data.
64 bytes from 192.168.37.128: icmp_seq=1 ttl=128 time=0.495 ms
64 bytes from 192.168.37.128: icmp_seq=2 ttl=128 time=0.403 ms
^C
--- 192.168.37.128 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1026ms
rtt min/avg/max/mdev = 0.403/0.449/0.495/0.046 ms
root@root:~# ping 192.168.37.128 -c 2
PING 192.168.37.128 (192.168.37.128) 56(84) bytes of data.
64 bytes from 192.168.37.128: icmp_seq=1 ttl=128 time=0.351 ms
64 bytes from 192.168.37.128: icmp_seq=2 ttl=128 time=0.460 ms

--- 192.168.37.128 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1024ms
rtt min/avg/max/mdev = 0.351/0.405/0.460/0.058 ms
root@root:~# ping 192.168.37.128 -c 1 | grep 'bytes from'|awk '{print $4}'|awk -F':' '{print $1}'
192.168.37.128

1.2> ping命令无法一次性实现多个IP的扫描，但可以配合shell脚本实现整个局域网内的扫描；

脚本：ping.sh        #扫描整个网段

#!/bin/bash
#该脚本用户实现整个局域网内的扫描
PREFIX=192.168.37
for addr in $(seq 1 254);
do
	ping -c 1 $PREFIX.$addr | grep "bytes from" |awk '{print $4}'|awk -F':' '{print $1}'
done

 结果如下：并使用Wireshark抓包查看扫描过程；

root@root:~# sh ping.sh 
192.168.37.2
192.168.37.128
192.168.37.131

（2）scapy

2.1> scapy扫描一个IP地址

root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> p=ICMP()
>>> ping=(i/p)
>>> ping.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ ICMP ]### 
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0

>>> ping[IP].dst="192.168.37.128"
>>> ping.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 192.168.37.131
  dst= 192.168.37.128
  \options\
###[ ICMP ]### 
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0

>>> answer=sr1(ping)
Begin emission:
..*Finished to send 1 packets.

Received 3 packets, got 1 answers, remaining 0 packets
>>> answer.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 28
  id= 15491
  flags= 
  frag= 0L
  ttl= 128
  proto= icmp
  chksum= 0x320a
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ ICMP ]### 
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

>>> answer1=sr1(IP(dst="192.168.37.128")/ICMP())
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> answer1.display()
###[ IP ]### 
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 28
  id= 15495
  flags= 
  frag= 0L
  ttl= 128
  proto= icmp
  chksum= 0x3206
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ ICMP ]### 
     type= echo-reply
     code= 0
     chksum= 0xffff
     id= 0x0
     seq= 0x0
###[ Padding ]### 
        load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

>>> sr1(IP(dst="192.168.37.100")/ICMP())    #不存在的IP地址
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
.Finished to send 1 packets.
.......^C
Received 8 packets, got 0 answers, remaining 1 packets
>>> sr1(IP(dst="192.168.37.100")/ICMP(),timeout=1)   #直接写在一起
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
.Finished to send 1 packets.
.
Received 2 packets, got 0 answers, remaining 1 packets

2.2> 使用python脚本实现对整个局域网内的扫描

脚本1：ping2.py          #扫描整个网段

#!/usr/bin/python
#该脚本用户实现扫描整个局域网的主机
from scapy.all import *
PREFIX="192.168.37."

for addr in range(1,255):
	answer=sr1(IP(dst=PREFIX+str(addr))/ICMP(),timeout=0.1,verbose=0)
	if answer==None:
		pass
	else:
		print(PREFIX+str(addr))

结果如下：  #相比ping脚本，scapy模块不扫描自己

root@root:~# python ping2.py 
192.168.37.2
192.168.37.128

脚本2：ping3.py          #扫描指定的某个文件

#!/usr/bin/python
#该脚本用户扫描指定的IP地址列表
from scapy.all import *
import sys
filename=sys.argv[1]
file=open(filename,'r')

for addr in file:
	answer=sr1(IP(dst=addr.strip())/ICMP(),timeout=0.1,verbose=0)
	if answer==None:
		pass
	else:
		print(addr.strip())

结果如下：

root@root:~# ./ping3.py IP.txt 
192.168.37.2
192.168.37.128

（3） Nmap

• nmap -sn 192.168.37.128       ## -sn: Ping Scan  - disable port scan，只进行主机发现，不进行端口扫描
• nmap -sn 192.168.37.0/24        #可以扫描整个网段；

root@root:~# nmap -sn 192.168.37.128
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-11 15:37 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00040s latency).
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
root@root:~# nmap -sn 192.168.37.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.37.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00037s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap scan report for 192.168.37.254
Host is up (0.00030s latency).
MAC Address: 00:50:56:E2:44:F8 (VMware)
Nmap scan report for 192.168.37.131
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds

•   nmap -iL IP.txt -sn           #扫描指定的IP列表

root@root:~# cat IP.txt 
192.168.37.2
192.168.37.8
192.168.37.128
192.168.37.131
192.168.37.180
192.168.37.190
root@root:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-11 15:40 CST
Nmap scan report for bogon (192.168.37.2)
Host is up (0.000054s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00014s latency).
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap scan report for bogon (192.168.37.131)
Host is up.
Nmap done: 6 IP addresses (3 hosts up) scanned in 0.42 seconds

（4） fping

4.1> fping单个主机

• fping 192.168.37.128 -c 2        # -c 选项指定fping的次数

root@root:~# fping 192.168.37.128 -c 2
192.168.37.128 : [0], 84 bytes, 0.43 ms (0.43 avg, 0% loss)
192.168.37.128 : [1], 84 bytes, 0.35 ms (0.39 avg, 0% loss)

4.2> fping扫描多个IP地址

• fping  -g  192.168.37.1  192.168.37.150 -c 2    #fping  -g   IP地址起始   IP地址结束  -c  指定次数
• fping  -g  整个网段
• fping  -f  指定的IP地址列表

root@root:~# fping -g 192.168.37.1 192.168.37.150 -c 2
192.168.37.2   : [0], 84 bytes, 0.16 ms (0.16 avg, 0% loss)
192.168.37.128 : [0], 84 bytes, 0.67 ms (0.67 avg, 0% loss)
192.168.37.131 : [0], 84 bytes, 0.05 ms (0.05 avg, 0% loss)
192.168.37.2   : [1], 84 bytes, 1.70 ms (0.93 avg, 0% loss)
192.168.37.128 : [1], 84 bytes, 0.40 ms (0.53 avg, 0% loss)
........
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.3
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.3
192.168.37.131 : [1], 84 bytes, 0.04 ms (0.04 avg, 0% loss)
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.6
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.6
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.5
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.5
192.168.37.127 : xmt/rcv/%loss = 2/0/100%
192.168.37.128 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 0.40/0.53/0.67
192.168.37.129 : xmt/rcv/%loss = 2/0/100%
192.168.37.130 : xmt/rcv/%loss = 2/0/100%
192.168.37.131 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 0.04/0.04/0.05

root@root:~# fping -g 192.168.37.0/24
192.168.37.2 is alive
192.168.37.128 is alive
192.168.37.131 is alive
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.4
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.4
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.3
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.3
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.7
......

root@root:~# cat IP.txt 
192.168.37.2
192.168.37.8
192.168.37.128
192.168.37.131
192.168.37.180
192.168.37.190
root@root:~# fping -f IP.txt
192.168.37.2 is alive
192.168.37.128 is alive
192.168.37.131 is alive
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.8
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.8
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.8
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.8
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.190
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.190
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.190
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.190
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.180
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.180
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.180
ICMP Host Unreachable from 192.168.37.131 for ICMP Echo sent to 192.168.37.180
192.168.37.8 is unreachable
192.168.37.180 is unreachable
192.168.37.190 is unreachable

（5） hping3

• 能够发送几乎任意的TCP/IP包；
• 功能强大但每次只能扫描一个主机；

5.1> 扫描单个主机

• hping3 192.168.37.128 --icmp -c 2     #扫描局域网内存活的某主机
• hping3 192.168.37.100 --icmp -c 2     #扫描局域网内不存活的某主机
• hping3 192.168.37.128 -c 2                #扫描局域网内存活的某主机

root@root:~# hping3 192.168.37.128 --icmp -c 2     #扫描局域网内存活的主机
HPING 192.168.37.128 (eth0 192.168.37.128): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.37.128 ttl=128 id=15787 icmp_seq=0 rtt=8.0 ms
len=46 ip=192.168.37.128 ttl=128 id=15788 icmp_seq=1 rtt=7.1 ms

--- 192.168.37.128 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.1/7.5/8.0 ms 
root@root:~# hping3 192.168.37.100 --icmp -c 2    #扫描局域网内不存活的主机
HPING 192.168.37.100 (eth0 192.168.37.100): icmp mode set, 28 headers + 0 data bytes

--- 192.168.37.100 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@root:~# hping3 192.168.37.128 -c 2
HPING 192.168.37.128 (eth0 192.168.37.128): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.37.128 ttl=128 DF id=20924 sport=0 flags=RA seq=0 win=0 rtt=33.2 ms
len=46 ip=192.168.37.128 ttl=128 DF id=20925 sport=0 flags=RA seq=1 win=0 rtt=4.8 ms

--- 192.168.37.128 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.8/19.0/33.2 ms

5.2> 使用命令实现扫描多个IP地址

root@root:~# for addr in $(seq 127 132); do hping3 192.168.37.$addr --icmp -c 1 >> handle.txt & done
[1] 14185
[2] 14186
[3] 14187
[4] 14188
[5] 14189
[6] 14190
root@root:~# 
--- 192.168.37.128 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.3/7.3/7.3 ms

--- 192.168.37.129 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.37.130 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.37.132 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.37.127 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

--- 192.168.37.131 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
^C
[1]   退出 1                hping3 192.168.37.$addr --icmp -c 1 >> handle.txt
[2]   已完成               hping3 192.168.37.$addr --icmp -c 1 >> handle.txt
[3]   退出 1                hping3 192.168.37.$addr --icmp -c 1 >> handle.txt
[4]   退出 1                hping3 192.168.37.$addr --icmp -c 1 >> handle.txt
[5]-  退出 1                hping3 192.168.37.$addr --icmp -c 1 >> handle.txt
[6]+  退出 1                hping3 192.168.37.$addr --icmp -c 1 >> handle.txt
root@root:~# cat handle.txt 
HPING 192.168.37.128 (eth0 192.168.37.128): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.37.128 ttl=128 id=20986 icmp_seq=0 rtt=7.3 ms
HPING 192.168.37.129 (eth0 192.168.37.129): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.37.130 (eth0 192.168.37.130): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.37.132 (eth0 192.168.37.132): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.37.127 (eth0 192.168.37.127): icmp mode set, 28 headers + 0 data bytes
HPING 192.168.37.131 (eth0 192.168.37.131): icmp mode set, 28 headers + 0 data bytes
root@root:~# cat handle.txt | grep ^len | awk '{print $2}'
ip=192.168.37.128