I. Active information gathering
- Communicates directly with the target system
- Leaving traces of the access is unavoidable
- Probe from a controlled third-party machine
- Use a proxy or an already-controlled host, and be prepared to get blocked
- Use noise to confuse the target and drown the real probe traffic
- Scanning: send different probes and judge the target's state from what comes back
II. Discovery, by layer
Layer 2 discovery
Data link layer
- ARP protocol
- Packet capture
- Fast
- Reliable
- Not routable (ARP never leaves the local broadcast domain)
```bash
arping
arping --help
arping 1.1.1.1 -c 1
arping 1.1.1.1 -d
# extract only the answering IP from the reply line
arping -c 1 1.1.1.1 | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1
# scripts
arping1.sh eth0 > addrs
arping2.sh addrs
```
```text
$ arping --help
ARPing 2.21, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w <sec> ] [ -W <sec> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -C <count> ] [ -i <interface> ] [ -m <type> ] [ -g <group> ]
              [ -V <vlan> ] [ -Q <priority> ] <host/ip/MAC | -B>
Options:
    -0     Use this option to ping with source IP address 0.0.0.0. Use this
           when you haven't configured your interface yet. Note that this
           may get the MAC-ping unanswered. This is an alias for -S 0.0.0.0.
    -a     Audiable ping.
    -A     Only count addresses matching requested address (This *WILL*
           break most things you do. Only useful if you are arpinging many
           hosts at once. See arping-scan-net.sh for an example).
    -b     Like -0 but source broadcast source address (255.255.255.255).
           Note that this may get the arping unanswered since it's not
           normal behavior for a host.
    -B     Use instead of host if you want to address 255.255.255.255.
    -c count
           Only send count requests.
    -C count
           Only wait for this many replies, regardless of -c and -w.
    -d     Find duplicate replies. Exit with 1 if there are answers from
           two different MAC addresses        # note: detects duplicate IP addresses
    -D     Display answers as exclamation points and missing packets as dots
```
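The grep/cut chain above and the `-d` duplicate check can be combined into one small parser, shown here as an added example (it is not one of the arping1.sh/arping2.sh scripts the notes mention, and the sample output is constructed in the format arping 2.x prints). Run against saved output from `arping -c N <gateway>` on a LAN you operate, "conflict" means two MACs are answering for one IP, the usual sign of an IP conflict or ARP spoofing.

```bash
#!/bin/sh
# Added example, not from the original notes. Parses arping reply lines the way
# the cut pipeline in the notes does, and reproduces the check behind `arping -d`:
# more than one MAC answering for a single IP.
# SAMPLE_OK / SAMPLE_DUP are constructed, in arping 2.x output format.

SAMPLE_OK='ARPING 1.1.1.1
60 bytes from 00:11:22:33:44:55 (1.1.1.1): index=0 time=1.234 msec
60 bytes from 00:11:22:33:44:55 (1.1.1.1): index=1 time=0.987 msec

--- 1.1.1.1 statistics ---
2 packets transmitted, 2 packets received,   0% unanswered (0 extra)'

SAMPLE_DUP='ARPING 1.1.1.1
60 bytes from 00:11:22:33:44:55 (1.1.1.1): index=0 time=1.234 msec
60 bytes from de:ad:be:ef:00:01 (1.1.1.1): index=1 time=0.500 msec'

# reply_ips OUTPUT: the IP from every reply line. Field 5 is "(1.1.1.1):",
# so strip the "(" and ")" exactly as the notes' grep/cut chain does.
reply_ips() {
    printf '%s\n' "$1" | grep 'bytes from' | cut -d' ' -f5 | cut -d'(' -f2 | cut -d')' -f1
}

# reply_macs OUTPUT: distinct MAC addresses that answered (field 4).
reply_macs() {
    printf '%s\n' "$1" | grep 'bytes from' | cut -d' ' -f4 | sort -u
}

# check_arp_conflict OUTPUT: prints "ok" when exactly one MAC answered,
# "conflict" (with the MAC list on stderr) when two or more did.
check_arp_conflict() {
    macs=$(reply_macs "$1")
    n=$(printf '%s\n' "$macs" | grep -c . || :)
    if [ "$n" -gt 1 ]; then
        echo "conflict"
        printf 'MACs answering for %s:\n%s\n' "$(reply_ips "$1" | sort -u)" "$macs" >&2
    else
        echo "ok"
    fi
}

# Live use on a host you administer (needs root; 192.0.2.1 is a placeholder gateway):
#   check_arp_conflict "$(arping -c 3 192.0.2.1)"
```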