  • 小白日记10:kali渗透测试之端口扫描-UDP、TCP、僵尸扫描、隐蔽扫描

    端口扫描

    二三四层发现的目的只是为了准确发现所有活着主机IP,确定攻击面,端口扫描即发现攻击点,发现开放端口。端口对应网络服务及应用端程序,服务端程序的漏洞通过端口攻入。【所有的扫描结果,都不要完全相信】
     
    一个端口就是一个潜在的通信通道,也就是一个入侵通道。对目标计算机进行端口扫描,能得到许多有用的信息。进行扫描的方法很多,可以是手工进行扫描,也可以用端口扫描软件进行扫描。在手工进行扫描时,需要熟悉各种命令。对命令执行后的输出进行分析。用扫描软件进行扫描时,许多扫描器软件都有分析数据的功能。通过端口扫描,可以得到许多有用的信息,从而发现系统的安全漏洞。
    对端口扫描中出现的服务结果,不要相信,那只是一个惯例,并不准确
     
     
    UDP端口扫描【只有端口关闭时才有回应(ICMP端口不可达);无回应只能判为 open|filtered,不能直接当作开放】
    完整的UDP应用层请求,准确度高,但耗时大,相比TCP还是会比较快。了解每一种基于UDP的应用包头结构,构造专门基于应用层的协议包,结果会更准确。
    scapy 
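    #!/usr/bin/python
    """UDP port probe with scapy.

    Usage: ./udp_scan.py [Target.IP] [First Port] [Last Port]

    Sends one empty UDP datagram per port and prints the ports that produced
    no reply within the timeout.  Read the output with care: a closed port
    normally answers with ICMP port-unreachable, so silence means
    "open OR filtered" (nmap's open|filtered), never "open" on its own.
    Raw sockets are required, so run it as root.
    """

    import logging
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    from scapy.all import *
    import time
    import sys

    if len(sys.argv) != 4:
        print("Usage - ./udp_scan.py [Target.IP] [First Port] [Last Port]")
        print("Example - ./udp_scan.py 1.1.1.1 1 100")
        print("Example will UDP port scan ports 1 through 100 on 1.1.1.1")
        sys.exit()

    ip = sys.argv[1]
    start = int(sys.argv[2])
    end = int(sys.argv[3])

    # range() stops one short, so end + 1 keeps [Last Port] inclusive as the
    # usage text promises (the original silently skipped the last port).
    for port in range(start, end + 1):
        reply = sr1(IP(dst=ip) / UDP(dport=port), timeout=5, verbose=0)
        # Pause between probes: the original author notes that scanning too
        # fast causes misjudged results; hosts commonly rate-limit their ICMP
        # unreachable replies, which makes closed ports look silent.
        time.sleep(1)
        if reply is None:
            print(port)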
    
    Nmap
    root@kali:~# nmap 192.168.1.1 -sU -p 53,67   #默认不加-p,扫描1000常用端口
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 11:39 CST
    Nmap scan report for DD-WRT (192.168.1.1)
    Host is up (0.0048s latency).
    PORT   STATE         SERVICE
    53/udp open          domain
    67/udp open|filtered dhcps
    MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
    
    指定地址列表
    nmap -iL iplist.txt -sU -p 1-200

     
     
    TCP端口扫描

    1、全连接扫描——SYN、SYN+ACK、ACK

    建立完整的TCP三次握手,结果最准确,不需要任何权限(系统中的任何用户都有权使用这个调用),而且速度快,但容易被发觉。
    scapy对全连接扫描比较困难
    若直接给目标系统发SYN+ACK/ACK,dst会认为是异常包,回应RST
    TCP扫描:
    【本机内核没有参与这次握手,收到SYN+ACK后会自行回一个RST,表示请求断开连接】需要阻止这个RST发出,以免中断后续操作。让RST包不产生
    iptables,linux防火墙,工作位置在内核之前
    使用策略:iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.20.2 -j DROP
    再运行脚本
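    #!/usr/bin/python
    """Full TCP three-way handshake against one port, built packet by packet.

    Before running it, stop the local kernel from answering the SYN+ACK with
    its own RST (it never saw our hand-built SYN), e.g. with the iptables
    OUTPUT rule shown above; otherwise the connection is torn down before our
    ACK leaves the box.  Raw sockets are required (root).
    """

    import logging
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    from scapy.all import *
    import sys

    # One target and one port for both legs of the handshake; the original
    # draft sent the SYN to one host/port and the ACK to another.
    TARGET = "1.1.1.1"
    PORT = 80

    SYN = IP(dst=TARGET) / TCP(dport=PORT, flags="S")

    print("-- SENT --")
    SYN.display()

    print("\n\n-- RECEIVED --")
    response = sr1(SYN, timeout=1, verbose=0)
    if response is None or TCP not in response:
        # No TCP answer (dropped / filtered) - the original crashed here on
        # None instead of reporting it.
        print("No TCP reply received")
        sys.exit(1)
    response.display()

    # flags 18 == 0x12 == SYN+ACK: the port accepted the connection request.
    if int(response[TCP].flags) == 18:
        print("\n\n-- SENT --")
        # Third packet of the handshake: acknowledge the peer's ISN+1 and
        # carry our own next sequence number, which the peer handed back in
        # its ACK field.  Without a matching seq the peer ignores the ACK.
        A = IP(dst=TARGET) / TCP(dport=PORT, flags="A",
                                 seq=response[TCP].ack,
                                 ack=(response[TCP].seq + 1))
        A.display()
        print("\n\n-- RECEIVED --")
        response2 = sr1(A, timeout=1, verbose=0)
        if response2 is None:
            # A bare ACK typically draws no reply once the connection is up,
            # so silence here is the normal outcome, not an error.
            print("No reply to ACK (nothing more expected from the peer)")
        else:
            response2.display()
    else:
        print("SYN-ACK not returned")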
    

    nmap   #-sT tcp连接
    root@kali:~# nmap -sT 192.168.1.115 -p 100-200         
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 10:56 CST
    Nmap scan report for PC (192.168.1.115)
    Host is up (0.41s latency).
    Not shown: 99 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds
    
    【不加-p,会扫描1000个常用端口】

    Dmitry
    用来查询IP或域名WHOIS信息,但是不能判断出这个网络范围
    root@kali:~# dmitry 
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    
    Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
      -o	 Save output to %host.txt or to file specified by -o file
      -i	 Perform a whois lookup on the IP address of a host
      -w	 Perform a whois lookup on the domain name of a host
      -n	 Retrieve Netcraft.com information on a host
      -s	 Perform a search for possible subdomains
      -e	 Perform a search for possible email addresses
      -p	 Perform a TCP port scan on a host           #执行TCP的端口扫描
    * -f	 Perform a TCP port scan on a host showing output reporting filtered ports
    * -b	 Read in the banner received from the scanned port
    * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
    *Requires the -p flagged to be passed
    

    NC
    root@kali:~# nc -nv -w 1 -z 192.168.1.115 100-200    #-n:不做域名解析,只接受数字IP  -v:输出详细信息  -w:超时时间(秒)  -z:扫描模式,只探测端口不发送数据
    (UNKNOWN) [192.168.1.115] 139 (netbios-ssn) open
    (UNKNOWN) [192.168.1.115] 135 (loc-srv) open
    
     
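    # Port sweep on one host.  nc prints its -v report ("... open") on stderr,
    # so stderr must be merged into the pipe or grep never sees a line; the
    # original piped stdout only.  {20..30} replaces $(seq) and "$x" is quoted.
    for x in {20..30}; do nc -nv -w 1 -z 1.1.1.1 "$x"; done 2>&1 | grep open
    # Host sweep on port 80: the address is built as one quoted word so it can
    # never be split or globbed.
    for x in {1..254}; do nc -nv -w 1 -z "1.1.1.$x" 80; done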

    2、隐蔽扫描(SYN足够准确,除非极其特殊情况)

    不建立完整的TCP连接,不在应用层留痕,只能在网络层有些迹象可循
     
    1.只发SYN包,若收到SYN+ACK,则端口开放;若收到R+A,端口关闭
    >>> a=sr1(IP(dst="192.168.1.1")/TCP(flags="S"),timeout=1,verbose=0)  #默认80
    >>> a.display()
    ###[ IP ]###
      version= 4L
      ihl= 5L
      tos= 0x0
      len= 44
      id= 0
      flags= DF
      frag= 0L
      ttl= 64
      proto= tcp
      chksum= 0xb6fb
      src= 192.168.1.1
      dst= 192.168.1.127
      options
    ###[ TCP ]###
         sport= http
         dport= ftp_data
         seq= 3205019844
         ack= 1
         dataofs= 6L
         reserved= 0L
         flags= SA           #SYN+ACK
         window= 5840
         chksum= 0x8543
         urgptr= 0
         options= [('MSS', 1460)]
    ###[ Padding ]###
            load= '\x00\x00'
    >>> a=sr1(IP(dst="192.168.1.1")/TCP(flags="S",dport=22222),timeout=1,verbose=0)
    >>> a.display()
    ###[ IP ]###
      version= 4L
      ihl= 5L
      tos= 0x0
      len= 40
      id= 0
      flags= DF
      frag= 0L
      ttl= 64
      proto= tcp
      chksum= 0xb6ff
      src= 192.168.1.1
      dst= 192.168.1.127
      options
    ###[ TCP ]###
         sport= 22222
         dport= ftp_data
         seq= 0
         ack= 1
         dataofs= 5L
         reserved= 0L
         flags= RA       #RST+ACK
    windows系统默认100以下端口不开放,若开着防火墙,也只会应答RA
    
    
    
         window= 0
         chksum= 0xd51c
         urgptr= 0
         options= {}
    ###[ Padding ]###
            load= '\x00\x00\x00\x00\x00\x00'
    >>>
    
    
    
    可用python脚本实现
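    #!/usr/bin/python
    """TCP SYN (half-open) port probe with scapy.

    Usage: ./syn_scan.py [Target.IP] [StartPort] [End Port]

    Sends a bare SYN to each port and prints the ports that answer with
    SYN+ACK.  The local kernel, which never saw the handshake, answers the
    SYN+ACK with a RST on its own, so no connection completes and nothing
    reaches the remote application layer.  Raw sockets: run as root.
    """

    import logging
    import subprocess  # not used below; kept from the original listing
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    from scapy.all import *
    import sys

    if len(sys.argv) != 4:
        print("Usage - ./syn_scan.py [Target.IP] [StartPort] [End Port]")
        print("Example - ./syn_scan.py 1.1.1.1 1 100")
        print("Example will TCP SYN scan ports 1 through 100 on 1.1.1.1")
        sys.exit()

    ip = str(sys.argv[1])
    start = int(sys.argv[2])
    end = int(sys.argv[3])

    # scapy's TCP() defaults to flags="S", so this is a plain SYN.  end + 1
    # keeps [End Port] inclusive as the usage text promises (range() stops
    # one short, so the original never probed the last port).
    for port in range(start, end + 1):
        reply = sr1(IP(dst=ip) / TCP(dport=port), timeout=0.1, verbose=0)
        # No reply: filtered or simply lost (0.1 s is tight on slow links).
        # A reply without a TCP layer (e.g. ICMP) used to raise here; any TCP
        # answer other than SYN+ACK (18), typically RST+ACK (20), means closed.
        if reply is not None and TCP in reply and int(reply[TCP].flags) == 18:
            print(port)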
     
    若不会或没功夫写脚本,可以用nmap

    2、Nmap

    syn(乱序扫描)

    root@kali:~# nmap 192.168.1.115 -p100-200                   #默认-sS(SYN)
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:46 CST
    Nmap scan report for PC (192.168.1.115)
    Host is up (0.0010s latency).
    Not shown: 99 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds
    root@kali:~# nmap 192.168.1.115 -p100-200 --open       #若目标主机在防火墙保护下,--open可过滤杂项
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:49 CST
    Nmap scan report for PC (192.168.1.115)
    Host is up (0.00047s latency).
    Not shown: 99 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
    root@kali:~# nmap -sS 192.168.1.115 -p100-200 --open     #SYN
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:50 CST
    Nmap scan report for PC (192.168.1.115)
    Host is up (0.00033s latency).
    Not shown: 99 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
    root@kali:~# nmap -sS 192.168.1.115 -p100-200,445,3389 --open  #用","分隔指定端口
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:50 CST
    Nmap scan report for PC (192.168.1.115)
    Host is up (0.00021s latency).
    Not shown: 100 closed ports
    PORT    STATE SERVICE
    135/tcp open  msrpc
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds
    MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
    

    3、Hping(结果比较清晰)

    root@kali:~# hping3  192.168.1.115 --scan 100-200 -S     #-S:SYN包
    Scanning 192.168.1.115 (192.168.1.115), port 100-200
    101 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
      135 loc-srv    : .S..A... 128 27139  8192    46
      139 netbios-ssn: .S..A... 128 28163  8192    46
    All replies received. Done.
    Not responding ports: 
    
    源地址欺骗 必须有权登录伪造的IP地址主机,查看回包,或者能在交换机做镜像端口
    root@kali:~# hping3 -c 100 -S --spoof 192.168.1.140 -p ++1 192.168.1.1                                                        #-c指定包数量,--spoof伪造IP,src,-p指定端口   dst
    HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes
    
    --- 192.168.1.1 hping statistic ---
    100 packets transmitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    

    僵尸扫描

    极度隐蔽,实施条件苛刻,原理:能实现地址伪造(目前边界防火墙基本会过滤),通过僵尸机(闲置系统,且其IP ID递增[一般只有早期的XP、2000、2003]),根据僵尸机IP ID的变化推断目标端口状态
     
     
    scapy
    # Idle (zombie) scan sketch.  IPz and IPt are placeholders for the zombie
    # and target addresses - neither is assigned anywhere in this listing.
    i=IP()
    t=TCP()
    rz=(i/t)                  # probe sent to the zombie
    rt=(i/t)                  # probe sent to the target
    rz[IP].dst=IPz            # zombie IP
    rz[TCP].dport=445         # 445 is open by default on Windows; the zombie must answer on this port
    rz[TCP].flags="SA"        # SYN+ACK: the zombie's reply carries its current IP ID
    rt[IP].src=IPz            # forged source = zombie IP, so the target answers the zombie, not us
    rt[IP].dst=IPt            # target IP
    rt[TCP].dport=22          # target port under test
    rt[TCP].flags="S"         # SYN
    az1=sr1(rz)  /  at=sr1(rt)  /  az2=sr1(rz)
    #向僵尸发的第一包  #向目标机器发包,回包是发给僵尸机    #向僵尸机发包
    az1.display() /  az2.display()
    脚本

    nmap
    发现僵尸
    nmap -p445 192.168.1.133 --script=ipidseq.nse  ##--script
    root@kali:~# nmap -p445 192.168.1.1 --script=ipidseq.nse
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 12:57 CST
    Nmap scan report for DD-WRT (192.168.1.1)
    Host is up (0.0037s latency).
    PORT    STATE  SERVICE
    445/tcp closed microsoft-ds
    MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
    
    Host script results:
    |_ipidseq: All zeros             #全为零,则不能做僵尸机 #incremental为递增,则可
    
    Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
    
    扫描目标
    nmap 172.16.36.135 -sI 172.16.36.134 -Pn -p 0-100 ## [dst] -sI [zombie]
     
     
     

    小白日记,未完待续……
