Advantages: fast and reliable scanning

Disadvantage: not routable (ARP works only on the local layer-2 segment, so these techniques cannot discover hosts behind a router)

① arping scanning tool

root@kali:~# arping 10.0.0.52 -c 3  
ARPING 10.0.0.52
60 bytes from 00:0c:29:81:16:8a (10.0.0.52): index=0 time=343.092 usec
60 bytes from 00:0c:29:81:16:8a (10.0.0.52): index=1 time=605.351 usec
60 bytes from 00:0c:29:81:16:8a (10.0.0.52): index=2 time=633.986 usec

--- 10.0.0.52 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 0.343/0.527/0.634/0.131 ms

The target host is up.

Script that sends an ARP request to every host on the subnet and collects the addresses that answer in addr.txt:

#!/bin/bash
# Usage: ./arping.sh <interface>
# Sends one ARP request to every address in the /24 of the given interface and
# appends the IP of each host that replies to addr.txt.
if [ "$#" -ne 1 ]; then
  echo "Usage ./arping.sh [interface]"
  echo "Example ./arping.sh eth0"
  echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
  exit 1
fi

interface=$1
# First three octets of the interface's IPv4 address (assumes a /24)
prefix=$(ifconfig "$interface" | grep -w inet | awk '{print $2}' | cut -d '.' -f 1-3)
for addr in $(seq 1 254); do
  # A reply line looks like "60 bytes from 00:0c:29:81:16:8a (10.0.0.52): index=0 ...";
  # field 5 is "(10.0.0.52):", from which the parentheses and colon are stripped.
  arping -c 1 "$prefix.$addr" | grep "bytes from" | cut -d" " -f 5 | cut -d"(" -f 2 | cut -d")" -f 1 >> addr.txt
done


root@kali:~# ./arping.sh eth0
10.0.0.1
10.0.0.2
10.0.0.52
10.0.0.254

② nmap scanning tool

nmap 10.0.0.0/24 -sn  # host discovery only: probe for live hosts, no port scan
root@kali:~# nmap 10.0.0.0/24 -sn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-26 23:09 CST
Nmap scan report for 10.0.0.1
Host is up (0.00015s latency).
MAC Address: 00:50:56:C0:00:03 (VMware)
Nmap scan report for 10.0.0.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:FB:BB:9D (VMware)
Nmap scan report for 10.0.0.52
Host is up (0.00040s latency).
MAC Address: 00:0C:29:81:16:8A (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.00053s latency).
MAC Address: 00:50:56:FE:0A:FD (VMware)
Nmap scan report for 10.0.0.146
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.07 seconds
Faster than the script: a little over 2 seconds for 256 addresses. Run as root against a directly connected subnet, nmap's -sn sends ARP requests instead of ICMP echo, which is why every host is reported together with its MAC address; 10.0.0.146 (listed without a MAC) is the scanning host itself.

nmap -iL ip.txt -sn  # scan the targets listed in a text file, one per line

③ netdiscover scanning tool

netdiscover -i eth0 -r 10.0.0.0/24   # active scan: send ARP requests to the whole range
netdiscover -p                        # passive scan: only listen for ARP traffic on the wire
arping 10.0.0.2 -c 1                  # sent from a second terminal so the passive listener has ARP traffic to capture

Currently scanning: Finished!   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.0.1        00:50:56:c0:00:03      1      60  VMware, Inc.
 10.0.0.2        00:50:56:fb:bb:9d      1      60  VMware, Inc.
 10.0.0.254      00:50:56:e5:90:a0      1      60  VMware, Inc.

④ scapy scanning tool

Usable as a Python library, or as a standalone interactive tool for crafting, scanning, and injecting network traffic.

apt-get install -y scapy  # not present by default on this system; install it with apt
scapy                     # type at the shell to enter the interactive scapy session
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
                                      
                     aSPY//YASa       
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.4
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | Wanna support scapy? Rate it on
       scccccp///pSP///p          p//Y   | sectools!
      sY/////////y  caa           S//P   | http://sectools.org/tool/scapy/
       cayCyayP//Ya              pY/Ya   |             -- Satoshi Nakamoto
        sY/PsY////YCc          aC//Yp    |
         sc  sccaCY//PCypaapyCP//YSs  
                  spCPY//////YPSps    
                       ccaacs         
                                       using IPython 7.20.0
>>> 
>>> ARP().display()  # default fields of an ARP layer
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:85:8a:54
  psrc= 10.0.0.146
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
>>> arp=ARP()   # assign it to a variable
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:85:8a:54
  psrc= 10.0.0.146
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
>>> arp.pdst="10.0.0.2"  # change a single field
>>> 
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:85:8a:54
  psrc= 10.0.0.146
  hwdst= 00:00:00:00:00:00
  pdst= 10.0.0.2
>>> sr1(arp)   # send the request for 10.0.0.2 (the gateway on the local LAN) and return the first reply
Begin emission:
Finished sending 1 packets.
..*
Received 3 packets, got 1 answers, remaining 0 packets
<ARP  hwtype=0x1 ptype=IPv4 hwlen=6 plen=4 op=is-at hwsrc=00:50:56:fb:bb:9d psrc=10.0.0.2 hwdst=00:0c:29:85:8a:54 pdst=10.0.0.146 |<Padding  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)
Begin emission:
Finished sending 1 packets.
..*
Received 3 packets, got 1 answers, remaining 0 packets
>>> answer.display()  # display the reply's fields
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:50:56:fb:bb:9d
  psrc= 10.0.0.2
  hwdst= 00:0c:29:85:8a:54
  pdst= 10.0.0.146
###[ Padding ]### 
     load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

>>> 
>>> sr1(ARP(pdst="10.0.0.222"),timeout=1,verbose=1)  # for a host that is down, set a timeout so sr1 returns instead of waiting forever; verbose controls how much is printed
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished sending 1 packets.

Received 6 packets, got 0 answers, remaining 1 packets
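The Scapy session above sends one who-has per host and shows the fields of the is-at reply. The following Python is an added example, not code from the original post or from Scapy: it builds the same ARP who-has frame by hand with struct, decodes an is-at reply back into the fields that ARP().display() prints, and (on Linux, as root) scans a list of addresses on a raw AF_PACKET socket with a bounded wait, so hosts that never answer do not block the scan the way sr1() without a timeout does. The MAC and IP addresses are constructed sample values that reuse the ones from the session above; the interface name, the function names and the 18-byte padding are assumptions.

```python
import socket
import struct
import time

# Wire constants. Scapy's display() shows op=1 as "who-has" and op=2 as "is-at".
ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"   # hwtype ptype hwlen plen op hwsrc psrc hwdst pdst (28 bytes)
ETH_FMT = "!6s6sH"           # dst src ethertype (14 bytes)


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, src_mac, src_ip, dst_ip, dst_mac=ZERO_MAC):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.

    A request is broadcast with hwdst zeroed (as in the session above); a reply is
    unicast to the requester's MAC with hwdst filled in.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else dst_mac
    ethernet = struct.pack(ETH_FMT, mac_to_bytes(eth_dst), mac_to_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack(
        ARP_FMT,
        1, 0x0800, 6, 4, op,                     # hwtype=Ethernet, ptype=IPv4, hwlen=6, plen=4
        mac_to_bytes(src_mac), socket.inet_aton(src_ip),
        mac_to_bytes(dst_mac), socket.inet_aton(dst_ip),
    )
    return ethernet + arp


def parse_arp(frame):
    """Decode a frame into the fields ARP().display() prints, or None if it is not
    IPv4-over-Ethernet ARP. Bytes after offset 42 (the Padding Scapy showed on the
    60-byte minimum-size reply) are ignored."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst = struct.unpack(ARP_FMT, frame[14:42])
    if (hwtype, ptype, hwlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}.get(op, op),
        "hwsrc": bytes_to_mac(hwsrc),
        "psrc": socket.inet_ntoa(psrc),
        "hwdst": bytes_to_mac(hwdst),
        "pdst": socket.inet_ntoa(pdst),
    }


def collect_replies(frames, my_ip):
    """Map psrc -> hwsrc for every is-at reply addressed to my_ip; requests, replies
    meant for other hosts and non-ARP frames are dropped."""
    alive = {}
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == "is-at" and pkt["pdst"] == my_ip:
            alive[pkt["psrc"]] = pkt["hwsrc"]
    return alive


def arp_scan(interface, my_mac, my_ip, targets, timeout=1.0):
    """Send one who-has per target and gather replies until the timeout elapses.
    Linux only (AF_PACKET) and needs root / CAP_NET_RAW; not run by the offline test."""
    frames = []
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as sock:
        sock.bind((interface, 0))
        sock.settimeout(0.2)
        for ip in targets:
            sock.send(build_arp(ARP_REQUEST, my_mac, my_ip, ip))
        deadline = time.monotonic() + timeout     # bounded wait, unlike sr1() with no timeout
        while time.monotonic() < deadline:
            try:
                frames.append(sock.recv(65535))
            except socket.timeout:
                continue
    return collect_replies(frames, my_ip)


if __name__ == "__main__":
    # Constructed sample values reusing the addresses from the session above (assumed interface eth0).
    hosts = arp_scan("eth0", "00:0c:29:85:8a:54", "10.0.0.146",
                     [f"10.0.0.{n}" for n in range(1, 255)])
    for ip, mac in sorted(hosts.items(), key=lambda kv: [int(o) for o in kv[0].split(".")]):
        print(ip, mac)
```

Separating collect_replies from the socket code means the filtering (only is-at, only replies addressed to our own IP) can be checked on captured frames without root; the same filter is what keeps unrelated ARP traffic on a busy segment, such as the 6 packets Scapy received for the 10.0.0.222 probe, from being reported as live hosts.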
Categories: kali