Kali Penetration Testing, Port Scanning Part 2: Idle (Zombie) Scanning (Scapy, Python script, nmap)

I. Zombie (idle) scan

1. Extremely stealthy.

2. Demanding preconditions.

3. The network path between the scanner and the target must allow source-address spoofing (most border routers now apply anti-spoofing ingress filtering, which drops packets whose source address does not belong to the network they arrive from).

4. A zombie host is required.

Conditions for choosing a zombie:

  • An idle system (any other traffic the zombie sends consumes IPID values and corrupts the result).
  • A system that uses a single incrementing IPID counter (if the IPID is always 0 or is generated randomly, the zombie scan cannot work). Current mainstream Linux distributions and recent Windows versions randomize the IPID (Linux also keeps per-destination counters rather than one global one); older Windows XP, 2003 and 2000 systems generate it sequentially.

II. Scan purpose

Use the zombie as a stand-in: from the IPID values the zombie returns, infer which ports on the target server are open, without ever sending the target a packet that carries the scanner's own address.

III. Scan principle

Scan procedure:

1. The scanner sends the zombie a SYN/ACK packet (no three-way handshake exists between the scanner and the zombie at this point).

2. Under normal circumstances the zombie answers with a RST. The RST carries an IPID; call it X.

3. The scanner sends the target a SYN packet whose source IP is forged as the zombie's address, so from the target's point of view the SYN came from the zombie.

4. If the target port is open, the target sends a SYN/ACK to the zombie.

5. The zombie has no TCP connection with the target, so it answers the SYN/ACK with a RST. Counting the RST it sent the scanner earlier, this is the zombie's second outgoing packet, so its IPID is X+1.

6. The scanner now sends the zombie another SYN/ACK. The zombie again sees an unsolicited SYN/ACK and immediately answers with its third RST, whose IPID is X+2.

7. The scanner reads the port state off the IPID in that last RST: X+2 means the target port is open, X+1 means it is not (the IPID is a 16-bit field, so these values wrap modulo 65536). Note that "not open" covers two cases that look identical to the zombie: a closed port makes the target send the zombie a RST, which the zombie silently drops without replying, and a filtered port makes the target send nothing at all. Closed and filtered ports are therefore indistinguishable, which is why nmap reports them as closed|filtered.

If, during this exchange, the zombie exchanges packets with any other host, its IPID advances further and the result becomes unreliable; that is why the zombie must be sufficiently idle and must use an incrementing IPID. Even if the scan is eventually noticed, only the zombie is exposed, and nothing identifies the scanner: at no point in the whole process is a full three-way handshake completed. This makes the method extremely stealthy, but the conditions for carrying it out are equally demanding.

IV. Lab environment

In practice idle scanning is done with nmap or Scapy; both are shown below.

  • Kali (attacker): 192.168.247.157
  • Red Hat 6.5 (target): 192.168.247.130
  • Windows XP (zombie): 192.168.247.132

1. Zombie scan with Scapy

root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)

#Send the zombie a SYN|ACK; the IPID in its RST is 16019
>>> sr1(IP(dst='192.168.247.132')/TCP(dport=445,flags='SA'))
Begin emission:
*Finished to send 1 packets.

Received 1 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=40 id=16019 flags= frag=0L ttl=128 proto=tcp chksum=0x8bc9 src=192.168.247.132 dst=192.168.247.157 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0x3d9c urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>

#Send the target a SYN whose source IP is forged as the zombie's. The target's SYN/ACK is addressed to the zombie, not to us; Scapy only displays it here because it sniffs the shared VM segment. On a real network expect no answer at this step, so send() rather than sr1() is sufficient.
>>> sr1(IP(src='192.168.247.132',dst='192.168.247.130')/TCP(dport=22,flags='S'))
.Begin emission:
*Finished to send 1 packets.

Received 2 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=44 id=0 flags=DF frag=0L ttl=64 proto=tcp chksum=0xca73 src=192.168.247.130 dst=192.168.247.132 options=[] |<TCP  sport=ssh dport=ftp_data seq=3271218019 ack=1 dataofs=6L reserved=0L flags=SA window=14600 chksum=0x582c urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00' |>>>

#Send the zombie another SYN|ACK: the IPID in its RST is now 16021, an increase of 2, so port 22 on the target (the port the spoofed SYN was sent to) is open. Port 445 is only the zombie port used to elicit a RST; it says nothing about the target.
>>> sr1(IP(dst='192.168.247.132')/TCP(dport=445,flags='SA'))
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
<IP  version=4L ihl=5L tos=0x0 len=40 id=16021 flags= frag=0L ttl=128 proto=tcp chksum=0x8bc7 src=192.168.247.132 dst=192.168.247.157 options=[] |<TCP  sport=microsoft_ds dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0x3d9c urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>

Wireshark capture of the exchange (screenshot not included in this text):

Scapy scan as a Python script

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This script checks whether a host is a usable zombie, then uses it to
# idle-scan a target. Requires Scapy and root privileges (raw sockets).

from scapy.all import IP, TCP, sr1, send, conf
import sys
import time

conf.verb = 0
ZOMBIE_PORT = 445  # port on the zombie that answers our SYN/ACK with a RST


def zombie_ipid(zombie_ip, timeout=2):
    """Send an unsolicited SYN/ACK to the zombie; return the IPID of its RST, or None."""
    reply = sr1(IP(dst=zombie_ip) / TCP(flags="SA", dport=ZOMBIE_PORT), timeout=timeout)
    return None if reply is None else reply[IP].id


def IsZombie(zombie_ip):  # Check whether the host is idle and uses an incrementing IPID
    a1 = zombie_ipid(zombie_ip, timeout=1)
    time.sleep(2)  # Give the zombie time to reveal whether its network is busy
    a2 = zombie_ipid(zombie_ip, timeout=1)
    if a1 is None or a2 is None:
        print("no RST from the zombie; is it up and reachable?")
        return
    if (a1 + 1) % 65536 == a2:  # Compare the two IPID values (16-bit counter)
        print("this is a good zombie!")
        action = input("do you want to use this zombie?(y/n)")
        if action == "y":
            target_ip = input("please input the target's ip:")  # target host IP
            scan(zombie_ip, target_ip)
        else:
            sys.exit()
    else:
        print("this is not a good zombie!")


def scan(zombie_ip, target_ip):
    print("\nScanning target:" + target_ip + " with zombie:" + zombie_ip)
    print("\n------------------Open Ports on Target---------------\n")
    for port in range(1, 1000):
        start_val = zombie_ipid(zombie_ip)  # First SYN/ACK to the zombie
        # SYN to the target with the source address forged as the zombie's;
        # send() is used because any reply goes to the zombie, not to us
        send(IP(dst=target_ip, src=zombie_ip) / TCP(flags="S", dport=port))
        end_val = zombie_ipid(zombie_ip)  # Second SYN/ACK to the zombie
        if start_val is None or end_val is None:
            continue  # a probe went unanswered; no verdict for this port
        if (start_val + 2) % 65536 == end_val:  # IPID advanced by 2: the target sent SYN/ACK
            print(port)


print("------------------Zombie Scan Suite-------------------\n")
ip = input("the zombie's ip:")
IsZombie(ip)

Output:

root@kali:~# python zombie.py
------------------Zombie Scan Suite-------------------

the zombie's ip:192.168.247.132
this is a good zombie!
do you want to use this zombie?(y/n)y
please input the target's ip:192.168.247.130

Scanning target:192.168.247.130 with zombie:192.168.247.132

------------------Open Ports on Target---------------

22
80
89
106
111
112
118
124
142
148
154
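The script above takes a single sample per port, so any stray packet the zombie sends during the three-packet exchange shifts its IPID by one and a closed port is reported as open; the unusual port numbers in the output above (89, 106, 112 and so on) look like exactly that kind of noise, and nmap's -sI guards against it with repeated probes. The following is an added example, not the original post's code, that implements the exchange described in the scan principle section and in the script above as a small engine with a pluggable transport: an in-memory zombie/target model (a constructed stand-in with configurable open ports, a 16-bit IPID counter and optional background traffic) so the logic runs offline, and a Scapy transport (sr1/send/IP/TCP) for real hosts. It goes beyond the script in handling the IPID wrap at 65535, rejecting samples where the zombie was not idle, and taking a majority verdict over several rounds. The addresses and zombie port 445 used in the usage note are assumptions carried over from the lab above.

```python
#!/usr/bin/env python3
"""Idle-scan engine with a pluggable transport (added example, not the post's code)."""
import random
from collections import Counter

IPID_MOD = 1 << 16  # IPID is a 16-bit field, so deltas are taken mod 2**16


def ipid_delta(before, after):
    """How many packets the zombie emitted between two of our probes (mod 2**16)."""
    return (after - before) % IPID_MOD


def classify(delta):
    """Port state implied by the IPID delta across one spoofed SYN.

    1: only our second probe was answered; the target sent a RST (closed, which the
       zombie drops) or nothing at all (filtered). The two are indistinguishable.
    2: the zombie also RST'd the target's SYN/ACK: the port is open.
    Anything else: the zombie talked to someone else, so the sample is unusable.
    """
    return {1: "closed|filtered", 2: "open"}.get(delta, "noise")


class SimulatedNetwork:
    """Constructed model of a zombie plus a target; not real hosts."""

    def __init__(self, open_ports, start_ipid=16019, noise=0.0, seed=1):
        self.open_ports = set(open_ports)
        self.ipid = start_ipid
        self.noise = noise  # probability that the zombie sends a stray packet per step
        self.rng = random.Random(seed)

    def _zombie_emits(self):
        self.ipid = (self.ipid + 1) % IPID_MOD
        return self.ipid

    def _maybe_background_traffic(self):
        if self.rng.random() < self.noise:
            self._zombie_emits()

    def probe_zombie(self):
        """Unsolicited SYN/ACK to the zombie; it answers RST and burns one IPID."""
        self._maybe_background_traffic()
        return self._zombie_emits()

    def spoofed_syn(self, port):
        """SYN to the target with the zombie's address as source."""
        self._maybe_background_traffic()
        if port in self.open_ports:
            self._zombie_emits()  # target's SYN/ACK reaches the zombie, which RSTs it
        # closed: the target's RST is silently dropped by the zombie; filtered: nothing arrives


class ScapyNetwork:
    """Real transport. Needs root and Scapy. The reply to the spoofed SYN goes to the
    zombie, so only the two zombie probes are ever answered to us."""

    def __init__(self, zombie, target, zombie_port=445, timeout=2):
        from scapy.all import IP, TCP, send, sr1  # imported lazily; optional dependency
        self.IP, self.TCP, self.send, self.sr1 = IP, TCP, send, sr1
        self.zombie, self.target = zombie, target
        self.zombie_port, self.timeout = zombie_port, timeout

    def probe_zombie(self):
        pkt = self.IP(dst=self.zombie) / self.TCP(dport=self.zombie_port, flags="SA")
        reply = self.sr1(pkt, timeout=self.timeout, verbose=0)
        return None if reply is None else reply[self.IP].id

    def spoofed_syn(self, port):
        pkt = self.IP(src=self.zombie, dst=self.target) / self.TCP(dport=port, flags="S")
        self.send(pkt, verbose=0)


def sample_port(net, port):
    """One three-packet exchange; returns open, closed|filtered or noise."""
    before = net.probe_zombie()
    net.spoofed_syn(port)
    after = net.probe_zombie()
    if before is None or after is None:
        return "noise"  # the zombie did not answer a probe
    return classify(ipid_delta(before, after))


def is_idle_zombie(net, samples=4):
    """Qualify the zombie: consecutive probes must advance the IPID by exactly 1."""
    ids = [net.probe_zombie() for _ in range(samples)]
    if any(i is None for i in ids):
        return False
    return all(ipid_delta(a, b) == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(net, ports, rounds=3):
    """Sample each port several times and keep the majority non-noise verdict
    (a crude stand-in for the more careful retries nmap's -sI performs)."""
    results = {}
    for port in ports:
        votes = Counter(sample_port(net, port) for _ in range(rounds))
        votes.pop("noise", None)
        results[port] = votes.most_common(1)[0][0] if votes else "unknown"
    return results


if __name__ == "__main__":
    net = SimulatedNetwork(open_ports={22, 80}, start_ipid=65534)  # forces an IPID wrap
    print("zombie usable:", is_idle_zombie(net))
    print(idle_scan(net, [21, 22, 80]))
```

Run as-is to see the simulated scan (the start value 65534 makes the counter wrap across the probes). For a real scan, as root, construct ScapyNetwork("192.168.247.132", "192.168.247.130") and pass it to is_idle_zombie and idle_scan; a zombie that fails is_idle_zombie is busy or non-incremental and the verdicts from it should not be trusted.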

2. Zombie scan with nmap

  • Find a zombie

nmap -p445 zombie-IP --script=ipidseq.nse       //ipidseq.nse ships with nmap; it classifies the host's IPID sequence (Incremental, Randomized, All zeros, and so on). Only an "Incremental" host is a usable zombie.

root@kali:~# nmap -p445 192.168.247.132 --script=ipidseq.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 21:22 CST
Nmap scan report for bogon (192.168.247.132)
Host is up (0.0014s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:84:C8:F7 (VMware)

Host script results:
|_ipidseq: Incremental!    //the IPID increments

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
  • Scan the target

nmap  target-IP  -sI  zombie-IP[:probe-port]  -Pn  -p  port-range

-sI takes the zombie address, optionally followed by the zombie port to probe (nmap defaults to port 80, as the "192.168.247.132:80" in the output below shows; on the XP zombie 445 works just as well). -Pn stops nmap from pinging the target from the scanner's real address before the scan. For the same reason, do not combine -sI with version detection (-sV), OS detection (-O) or script scanning (-sC): those send packets to the target from your own IP and defeat the point of the idle scan.

root@kali:~# nmap 192.168.247.129 -sI 192.168.247.132 -Pn -p 0-100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 21:37 CST
Idle scan using zombie 192.168.247.132 (192.168.247.132:80); Class: Incremental
Nmap scan report for bogon (192.168.247.129)
Host is up (0.030s latency).
Not shown: 100 closed|filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:8F:74:74 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds

 

Reposted from blog.csdn.net/weixin_43625577/article/details/89419145