· 优点
  - 可路由且结果可靠
  - 不太可能被防火墙过滤
  - 甚至可以发现所有端口被过滤的主机
· 缺点
  - 基于状态过滤的防火墙可能过滤扫描
  - 全端口扫描速度慢
#命令行执行,向本地网关的80端口发送TCP ACK探测(收到RST应答即说明主机存活)
>>> a=sr1(IP(dst="10.0.0.2")/TCP(dport=80,flags="A"),timeout=1)
Begin emission:
Finished sending 1 packets.
.....*
Received 6 packets, got 1 answers, remaining 0 packets

#输入a结果展示
>>> a
<IP  version=4 ihl=5 tos=0x0 len=40 id=65245 flags= frag=0 ttl=128 proto=tcp chksum=0x275f src=10.0.0.2 dst=10.0.0.146 |<TCP  sport=http dport=ftp_data seq=0 ack=0 dataofs=5 reserved=0 flags=R window=32767 chksum=0x1aea urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>

#也可以用a.display()查看(注意要加括号,不加括号只会显示绑定方法本身,如下)
>>> a.display
<bound method Packet.display of <IP  version=4 ihl=5 tos=0x0 len=40 id=65245 flags= frag=0 ttl=128 proto=tcp chksum=0x275f src=10.0.0.2 dst=10.0.0.146 |<TCP  sport=http dport=ftp_data seq=0 ack=0 dataofs=5 reserved=0 flags=R window=32767 chksum=0x1aea urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>>
#将IP协议和UDP协议组合
>>> i = IP()
>>> u = UDP()
>>> r = (i/u)
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ UDP ]### 
     sport= domain
     dport= domain
     len= None
     chksum= None
#修改目标主机和目标端口
r[IP].dst="10.0.0.2"
r[UDP].dport=56
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 10.0.0.146
  dst= 10.0.0.2
  \options\
###[ UDP ]### 
     sport= domain
     dport= 56
     len= None
     chksum= None

>>> 
#准备一台存活的主机和开放的22端口
[root@db2 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6948/sshd           
tcp6       0      0 :::22   

>>> i = IP()
>>> u = UDP()
>>> r=(i/u)
>>> r[IP].dst="10.0.0.52"
>>> r[UDP].dport=22

#构造IP为10.0.0.52和port为22的数据包
>>> r.display()
###[ IP ]### 
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 10.0.0.146
  dst= 10.0.0.52
  \options\
###[ UDP ]### 
     sport= domain
     dport= 22
     len= None
     chksum= None

#发送请求,收到ICMP端口不可达应答(UDP 22并未开放),由此可判断目标主机存活
>>> a=sr1(r)
Begin emission:
Finished sending 1 packets.
...*
Received 4 packets, got 1 answers, remaining 0 packets

#返回结果展示
>>> a.display()
###[ IP ]### 
  version= 4
  ihl= 5
  tos= 0xc0
  len= 56
  id= 21145
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= 0x12a7
  src= 10.0.0.52
  dst= 10.0.0.146
  \options\
###[ ICMP ]### 
     type= dest-unreach
     code= port-unreachable
     chksum= 0x11dc
     reserved= 0
     length= 0
     nexthopmtu= 0
###[ IP in ICMP ]### 
        version= 4
        ihl= 5
        tos= 0x0
        len= 28
        id= 1
        flags= 
        frag= 0
        ttl= 64
        proto= udp
        chksum= 0x660b
        src= 10.0.0.146
        dst= 10.0.0.52
        \options\
###[ UDP in ICMP ]### 
           sport= domain
           dport= 22
           len= 8
           chksum= 0xeacd
           
#设置不存活的主机,查看返回信息:0 answers(同时出现MAC地址未找到的WARNING,说明ARP也无应答)
>>> r[IP].dst="10.0.0.67"
>>> 
>>> a=sr1(r,timeout=1)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.
.........................................................................................................................................................................................................................................................................................................................................................................................
Received 377 packets, got 0 answers, remaining 1 packets
>>> 
#一条命令行执行,并设置超时时间
>>> a=sr1(IP(dst="10.0.0.52")/UDP(dport=22),timeout=1)
Begin emission:
Finished sending 1 packets.
....*
Received 5 packets, got 1 answers, remaining 0 packets
#向不存活的主机发送数据包
>>> a=sr1(IP(dst="10.0.0.22")/UDP(dport=2289),timeout=1)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.
...........................................................................................................................................................................................................................................................................................................................................................................
Received 363 packets, got 0 answers, remaining 1 packets
#向存活主机上未开放的端口发送数据包
>>> a=sr1(IP(dst="10.0.0.52")/UDP(dport=5555),timeout=1)
Begin emission:
Finished sending 1 packets.
..*
Received 3 packets, got 1 answers, remaining 0 packets


#查看报文:返回ICMP dest-unreach(port-unreachable),说明端口未开放,但IP层有响应,主机存活
>>> a.display()
###[ IP ]### 
  version= 4
  ihl= 5
  tos= 0xc0
  len= 56
  id= 16950
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= 0x230a
  src= 10.0.0.52
  dst= 10.0.0.146
  \options\
###[ ICMP ]### 
     type= dest-unreach
     code= port-unreachable
     chksum= 0x11dc
     reserved= 0
     length= 0
     nexthopmtu= 0
###[ IP in ICMP ]### 
        version= 4
        ihl= 5
        tos= 0x0
        len= 28
        id= 1
        flags= 
        frag= 0
        ttl= 64
        proto= udp
        chksum= 0x660b
        src= 10.0.0.146
        dst= 10.0.0.52
        \options\
###[ UDP in ICMP ]### 
           sport= domain
           dport= rplay
           len= 8
           chksum= 0xd530

>>> 