课时25 主动信息收集-发现(二)
╋━━━━━━━━━━━━━━━━━━╋
┃发现-----二层发现 ┃
┃Netdiscover ┃
┃ 专门于二层发现 ┃
┃ 可用于无线和交换网络环境 ┃
┃ 主动和被动探测 ┃
┃主动 ┃
┃ netdiscover -i eth0 -r 1.1.1.0/24 ┃
┃ netdiscover -l iplist.txt ┃
┃被动 ┃
┃ netdiscover -p ┃
┃ 主动arp容易触发报警 ┃
╋━━━━━━━━━━━━━━━━━━╋
root@kali:~# netdiscover -i eth0 -r 1.1.1.0/24
[3;J
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 1 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.1 f0:eb:d0:22:46:b4 03 180 Unknown vendor
root@kali:~# netdiscover -p
[3;J
Currently scanning: (passive) | Screen View: Unique Hosts
36 Captured ARP Req/Rep packets, from 1 hosts. Total size: 2160
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.1 f0:eb:d0:22:46:b4 36 2160 Unknown vendor
root@kali:~# arping 192.168.1.1
╋━━━━━━━━━━━━━━━━━━━╋
┃发现-----二层发现 ┃
┃Scapy ┃
┃ 作为Python库进行调用 ┃
┃ 也可作为单独的工具使用 ┃
┃ 抓包、分析、创建、修改、注入网络流量┃
┃apt-get install python-gnuplot ┃
┃Scapy ┃
┃ ARP().display() ┃
┃ sr1() ┃
┃Python脚本 ┃
┃ Arp1.py ┃
┃ Arp2.py ┃
╋━━━━━━━━━━━━━━━━━━━╋
root@kali:~# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> exit()
"INFO: Can't import python gnuplot wrapper"这个信息表示缺少gnuplot；关于IPv6路由的那行WARNING与gnuplot无关，安装后仍会出现
root@kali:~# apt-get install python-gnuplot
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
将会安装下列额外的软件包:
python-central
下列【新】软件包将被安装:
python-central python-gnuplot
升级了 0 个软件包,新安装了 2 个软件包,要卸载 0 个软件包,有 1 个软件包未被升级。
需要下载 153 kB 的软件包。
解压缩后会消耗掉 1,229 kB 的额外空间。
您希望继续执行吗? [Y/n] y
获取:1 http://mirrors.163.com/debian/ squeeze/main python-central all 0.6.16+nmu1 [47.4 kB]
获取:2 http://mirrors.163.com/debian/ squeeze/main python-gnuplot all 1.8-1.1 [106 kB]
下载 153 kB,耗时 0秒 (400 kB/s)
正在选中未选择的软件包 python-central。
(正在读取数据库 ... 系统当前共安装有 337367 个文件和目录。)
正准备解包 .../python-central_0.6.16+nmu1_all.deb ...
正在解包 python-central (0.6.16+nmu1) ...
正在选中未选择的软件包 python-gnuplot。
正准备解包 .../python-gnuplot_1.8-1.1_all.deb ...
正在解包 python-gnuplot (1.8-1.1) ...
正在处理用于 man-db (2.7.0.2-5) 的触发器 ...
正在设置 python-central (0.6.16+nmu1) ...
正在设置 python-gnuplot (1.8-1.1) ...
正在处理用于 python-central (0.6.16+nmu1) 的触发器 ...
root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> ARP()
<ARP |>
>>> ARP().display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:c6:89:56
psrc= 192.168.1.110
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
════════════════════════════
Hardware type: Ethernet (1)
Protocol type: IP(0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: CadmusCo_a7:ce:cd(08:00:27:a7:ce:cd)
Sender IP address: 192.168.1.132(192.168.1.132)
Target Mac address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 192.168.1.118(192.168.1.118)
════════════════════════════
>>> arp=ARP()
>>> arp.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:c6:89:56
psrc= 192.168.1.110
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
>>> arp.pdst="192.168.1.1"
>>> arp.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:c6:89:56
psrc= 192.168.1.110
hwdst= 00:00:00:00:00:00
pdst= 192.168.1.1
>>> sr1(arp)
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
<ARP hwtype=0x1 ptype=0x800 hwlen=6 plen=4 op=is-at hwsrc=f0:eb:d0:22:46:b4 psrc=192.168.1.1 hwdst=00:0c:29:c6:89:56 pdst=192.168.1.110 |<Padding load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>
>>> answer=sr1(arp)
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= f0:eb:d0:22:46:b4
psrc= 192.168.1.1
hwdst= 00:0c:29:c6:89:56
pdst= 192.168.1.110
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>> arp=ARP()
>>> (ARP(pdst="192.168.1.1"))
<ARP pdst=192.168.1.1 |>
>>> sr1(ARP(pdst="192.168.1.11"))
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished to send 1 packets.
.^C
Received 1 packets, got 0 answers, remaining 1 packets
>>> sr1(ARP(pdst="192.168.1.11"),timeout=1,verbose=1)
Begin emission:
WARNING: Mac address to reach destination not found. Using broadcast.
Finished to send 1 packets.
Received 0 packets, got 0 answers, remaining 1 packets
╭────────────────────────────────────────────╮
[arp1.py]
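#!/usr/bin/python
# arp1.py - ARP sweep of the IPv4 /24 that a given interface sits on.
#
# Usage: ./arp1.py <interface>
#
# Sends one ARP who-has for every host address in the /24 derived from the
# interface's own IPv4 address and prints each address that answers (the
# same result the notes obtain with `netdiscover -r`).  As the notes point
# out, a burst of ARP requests like this is easy to notice on the wire;
# passive listening (`netdiscover -p`) is the quiet alternative.
#
# Transcription fixes versus the notes: missing `import sys`, `!=` written
# as `1=`, `setLevel`/`scapy.runtime` misspelt, `range(0.254)`, the dropped
# dot in the prefix, and `anser`/`answer` mismatch.
import logging
import subprocess
import sys

# Silence scapy's runtime chatter (e.g. the IPv6 "no route" warning) before
# scapy is imported; the import therefore sits below this line on purpose.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *  # provides ARP and sr1

if len(sys.argv) != 2:
    print("Usage - ./arp_disc.py {interface}")
    print("Example - ./arping.sh eth0")
    print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = str(sys.argv[1])

# Ask ifconfig for the interface's IPv4 address.  The interface name is
# passed as its own argv element (no shell=True as in the notes), so an
# argument such as `eth0; rm -rf /` is just an unknown interface name to
# ifconfig instead of a second shell command.
try:
    ifconfig_out = subprocess.check_output(["ifconfig", interface])
except (OSError, subprocess.CalledProcessError) as exc:
    sys.exit("ifconfig %s failed: %s" % (interface, exc))
if not isinstance(ifconfig_out, str):
    ifconfig_out = ifconfig_out.decode("utf-8", "replace")  # bytes on Python 3

# Same extraction as `grep 'inet addr' | cut -d ':' -f 2 | cut -d ' ' -f 1`
# from the notes: the text between the first ':' and the next space on the
# "inet addr" line of net-tools ifconfig output.
ip = None
for line in ifconfig_out.splitlines():
    if "inet addr" in line:
        ip = line.split(":")[1].split(" ")[0].strip()
        break
if not ip:
    sys.exit("no IPv4 address found on %s" % interface)

# First three octets plus a trailing dot, e.g. "192.168.1."
prefix = ".".join(ip.split(".")[:3]) + "."

# Probe host addresses .1 through .254; .0 and .255 are the network and
# broadcast addresses of a /24 and are not hosts.
for addr in range(1, 255):
    target = prefix + str(addr)
    # sr1 returns the first reply or None after `timeout` seconds.
    answer = sr1(ARP(pdst=target), timeout=0.1, verbose=0)
    if answer is not None:
        print(target)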
╰────────────────────────────────────────────╯
root@kali:~# chmod u+x arp1.py //赋予执行权限
root@kali:~# python arp1.py //这样也可以执行
root@kali:~# ./arp1.py
Usage - ./arp_disc.py {interface}
Example - ./arping.sh eth0
Example will perform an ARP scan of the local subnet to which eth0 is assigned
root@kali:~# ./arp1.py eth0
192.168.1.1
╭────────────────────────────────────────────╮
[arp2.py]
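#!/usr/bin/python
# arp2.py - ARP-probe a list of IPv4 addresses read from a file.
#
# Usage: ./arp2.py <address-file>   (one IPv4 address per line)
#
# Like arp1.py, but the targets come from a file instead of being derived
# from an interface.  Prints each listed address that answers an ARP
# who-has.  Same caveat as in the notes: active ARP probing is easy to
# detect.
#
# Transcription fixes versus the notes: missing `import sys`, `!=` written
# as `1=`, `sys.argv[]` without an index, the undefined `prefix` left over
# from arp1.py (the address read from the file is the target itself), the
# `anser`/`answer` mismatch, and the usage text copied from arp1.py.
import logging
import sys

# Silence scapy's runtime chatter before scapy is imported.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *  # provides ARP and sr1

if len(sys.argv) != 2:
    print("Usage - ./arp2.py {address-file}")
    print("Example - ./arp2.py adds")
    print("Example will send one ARP request to every address listed in the file")
    sys.exit()

filename = str(sys.argv[1])
try:
    addr_file = open(filename, "r")
except IOError as exc:
    sys.exit("cannot open %s: %s" % (filename, exc))

# `with` closes the file even if scapy raises part way through the loop.
with addr_file:
    for line in addr_file:
        addr = line.strip()
        if not addr:
            continue  # a blank line would otherwise be probed as ""
        # sr1 returns the first reply or None after `timeout` seconds.
        answer = sr1(ARP(pdst=addr), timeout=0.1, verbose=0)
        if answer is not None:
            print(addr)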
╰────────────────────────────────────────────╯
root@kali:~# chmod u+x arp2.py //赋予执行权限
root@kali:~# ./arp2.py adds