四层发现
原理:使用TCP/UDP协议(TCP、UDP各65535个端口)
优点:可路由且结果可靠;不太可能被防火墙过滤掉;甚至可以发现所有端口都被过滤的主机
缺点:基于状态过滤的防火墙可能过滤扫描;全端口扫描速度慢
二、三、四层发现的目的都是发现网络中存活的IP地址。四层发现针对端口的探测来识别主机是否在线,并不对端口状态进行识别,其本质是利用四层协议来识别目标IP是否在线。
1、TCP
正常的TCP连接是通过三次握手建立通信过程。客户端(C)先给服务器(S)发送SYN包,然后S给C发送SYN、ACK包,最后C给S发送ACK包,从而建立TCP连接。
- 未经请求的ACK(直接发送一个ACK),活着的主机会回一个RST,中断这种不正常的通信;目标主机不在线,则不会有响应。
- 基于正常的TCP连接,先发一个SYN包给目标主机,主机在线且端口开放会回一个SYN/ACK包,端口关闭则会发RST包;目标主机不在线,则不会有响应。
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> t=TCP()
>>> r=(i/t)
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= {}
>>> r[IP].dst='192.168.247.129'
>>> r[TCP].flags='A' //使用TCP ACK进行扫描
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.247.157
dst= 192.168.247.129
\options\
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= A
window= 8192
chksum= None
urgptr= 0
options= {}
>>> a=sr1(r)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 40
id= 16124
flags=
frag= 0L
ttl= 128
proto= tcp
chksum= 0x8b63
src= 192.168.247.129
dst= 192.168.247.157
\options\
###[ TCP ]###
sport= http
dport= ftp_data
seq= 0
ack= 0
dataofs= 5L
reserved= 0L
flags= R //回包的标志位为RST
window= 0
chksum= 0x3f0c
urgptr= 0
options= {}
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00'
长组合语句
>>> a=sr1(IP(dst='1.1.1.1')/TCP(dport=80,flags='A'),timeout=1)
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> a
<IP version=4L ihl=5L tos=0x0 len=40 id=1628 flags= frag=0L ttl=128 proto=tcp chksum=0x7a2c src=1.1.1.1 dst=192.168.247.157 options=[] |<TCP sport=http dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=32767 chksum=0x7535 urgptr=0 |<Padding load='\x00\x00\x00\x00\x00\x00' |>>>
TCP脚本
#!/usr/bin/python
from scapy.all import *
import sys
address=sys.argv[1]
prefix=address.split(".")[0] + '.' + address.split(".")[1] + '.' +address.split(".")[2] + '.'
for addr in range(1,254):
answer=sr1(IP(dst=prefix+str(addr))/TCP(dport=80,flags='A'),timeout=1,verbose=0)
try:
if int(answer[TCP].flags) == 4:
print prefix+str(addr)
except:
pass
2、UDP
UDP不需要进行三次握手,UDP使用的是尽力转发的传输机制,因此进行主机发现的难度较高。
如果目标IP不在线,发送UDP包,则不会有任何响应;如果目标IP在线,且目标端口开放,发送数据包且目标主机接收到后也不会有响应;只有当主机存活,且目标端口不开放时,目标主机会返回一个ICMP端口不可达数据包。
UDP——UDP Port——ICMP
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> i=IP()
>>> u=UDP()
>>> r=(i/u)
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= udp //udp协议
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
###[ UDP ]###
sport= domain //53端口
dport= domain
len= None
chksum= None
>>> r[IP].dst='192.168.247.129'
>>> r[UDP].dport=7345
>>> r.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= udp
chksum= None
src= 192.168.247.157 //自动检测本地网卡
dst= 192.168.247.129
\options\
###[ UDP ]###
sport= domain
dport= 7345
len= None
chksum= None
>>> a=sr1(r)
Begin emission:
.*Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 56
id= 16217
flags=
frag= 0L
ttl= 128
proto= icmp //目标主机存活,且端口不开放,回包的协议为icmp
chksum= 0x8afb
src= 192.168.247.129
dst= 192.168.247.157
\options\
###[ ICMP ]###
type= dest-unreach
code= port-unreachable //icmp端口不可达
chksum= 0x6d87
reserved= 0
length= 0
nexthopmtu= 0
###[ IP in ICMP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 1
flags=
frag= 0L
ttl= 64
proto= udp
chksum= 0xa60
src= 192.168.247.157
dst= 192.168.247.129
\options\
###[ UDP in ICMP ]###
sport= domain
dport= 7345
len= 8
chksum= 0x7287
长组合语句
>>> a=sr1(IP(dst='192.168.247.129')/UDP(dport=7345),timeout=1)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a
<IP version=4L ihl=5L tos=0x0 len=56 id=16228 flags= frag=0L ttl=128 proto=icmp chksum=0x8af0 src=192.168.247.129 dst=192.168.247.157 options=[] |<ICMP type=dest-unreach code=port-unreachable chksum=0x6d87 reserved=0 length=0 nexthopmtu=0 |<IPerror version=4L ihl=5L tos=0x0 len=28 id=1 flags= frag=0L ttl=64 proto=udp chksum=0xa60 src=192.168.247.157 dst=192.168.247.129 options=[] |<UDPerror sport=domain dport=7345 len=8 chksum=0x7287 |>>>>
UDP脚本
#!/usr/bin/python
from scapy.all import *
import sys
address=sys.argv[1]
prefix=address.split(".")[0] + '.' + address.split(".")[1] + '.' +address.split(".")[2] + '.'
for addr in range(1,254):
answer=sr1(IP(dst=prefix+str(addr))/UDP(dport=7345),timeout=1,verbose=0)
try:
if int(answer[IP].proto) == 1: //该语句可判断目标主机是否返回ICMP端口不可达数据包
print prefix+str(addr)
except:
pass
3、nmap
nmap在三四层扫描是一个无敌的状态,速度快。
#-PU:UDP ping -sn:不做端口扫描,只做四层的主机发现(扫两遍,确保结果的准确性)
root@kali:~# nmap 192.168.247.1-254 -PU53 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 14:24 CST
Nmap scan report for 192.168.247.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.247.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:E6:D3:4D (VMware)
Nmap scan report for 192.168.247.129
Host is up (0.00052s latency).
MAC Address: 00:0C:29:8F:74:74 (VMware)
Nmap scan report for bogon (192.168.247.254)
Host is up (0.00013s latency).
MAC Address: 00:50:56:EF:3B:10 (VMware)
Nmap scan report for bogon (192.168.247.157)
Host is up.
Nmap done: 254 IP addresses (5 hosts up) scanned in 3.86 seconds
#-PA:TCP ACK ping
root@kali:~# nmap 192.168.247.1-254 -PA53 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 14:28 CST
Nmap scan report for bogon (192.168.247.1)
Host is up (0.00010s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (192.168.247.2)
Host is up (0.00022s latency).
MAC Address: 00:50:56:E6:D3:4D (VMware)
Nmap scan report for bogon (192.168.247.129)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:8F:74:74 (VMware)
Nmap scan report for bogon (192.168.247.254)
Host is up (0.000091s latency).
MAC Address: 00:50:56:EF:3B:10 (VMware)
Nmap scan report for bogon (192.168.247.157)
Host is up.
Nmap done: 254 IP addresses (5 hosts up) scanned in 2.10 seconds
nmap -iL iplist.txt -PA80 -sn //-iL 指定IP扫描文件
4、hping3
TCP探测
root@kali:~# hping3 119.75.217.109 -c 1
HPING 119.75.217.109 (eth0 119.75.217.109): NO FLAGS are set, 40 headers + 0 data bytes
--- 119.75.217.109 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
UDP探测
root@kali:~# hping3 --udp 192.168.247.129 -c 1
HPING 192.168.247.129 (eth0 192.168.247.129): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.247.129 name=bogon //不管是nmap、scapy、hping3,基于UDP协议的扫描都是根据ICMP端口不可达来实现的
status=0 port=1850 seq=0
--- 192.168.247.129 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 183.2/183.2/183.2 ms
#!/bin/bash
#hping3 UDP 扫描脚本
prefix=$(echo $1 | cut -d'.' -f 1-3)
for addr in $(seq 1 254)
do
hping3 $prefix.$addr --udp -c 1 >> r.txt
done
cat r.txt | grep 'Unreachable' | cut -d' ' -f5 | cut -d'=' -f2 >> output.txt
rm r.txt