Newbie Diary 10: Kali penetration testing, port scanning (UDP, TCP, zombie scan, stealth scan)

Source: Internet
Author: User

Port scanning

Layer 2/3/4 discovery only tells you accurately which host IPs are alive, which identifies the attack surface; port scanning discovers the attack points, the open ports. A port corresponds to a network service and an application program, and vulnerabilities in the server-side program are exploited through its port. A port is a potential communication channel, which is to say a potential intrusion channel. Scanning the target's ports yields a lot of useful information. There are many ways to scan: by hand, or with port-scanning software. Manual scanning requires familiarity with a range of commands and analysis of the output after each command runs; most scanner software can analyse the data for you. Through port scanning you collect enough information to discover the system's security flaws.

Do not fully trust any scan result. In particular, the service names that appear next to the ports in scan output are only a convention (port number mapped to its well-known service), not an accurate identification of what is actually listening. Port-scanning techniques in detail: http://www.cnblogs.com/wiessharling/p/4070826.html

UDP port scanning

A closed UDP port answers with an ICMP port-unreachable; an open port usually answers nothing unless it receives a request it understands, so a silent port can only be reported as open|filtered. Sending a complete application-layer request for each UDP service gives accurate results, but it takes a lot of time; UDP scanning is much slower than TCP scanning. Learn the header structure of each UDP-based application and build the probe at the application layer to get more accurate results.
Scapy
#!/usr/bin/python3
import logging
import sys
import time
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, UDP, sr1

if len(sys.argv) != 4:
    print("Usage - ./udp_scan.py [target.ip] [first port] [last port]")
    print("Scans UDP ports [first port] through [last port] on [target.ip]")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):
    a = sr1(IP(dst=ip)/UDP(dport=port), timeout=5, verbose=0)
    time.sleep(1)            # do not scan too fast: ICMP rate limiting on the target causes false positives
    if a is None:
        print(port)          # no answer at all: open|filtered
    # an ICMP port-unreachable reply means the port is closed, so it is not printed
Nmap
root@kali:~# nmap 192.168.1.1 -sU -p 53,67          # without -p, nmap scans its 1000 most common ports
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 11:39 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0048s latency).
PORT   STATE         SERVICE
53/udp open          domain
67/udp open|filtered dhcps
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

Scan a list of addresses from a file: nmap -iL iplist.txt -sU -p 1-200
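The three UDP verdicts above (closed, open, open|filtered) in plain Python, as an added example that is not part of the original post. It uses only the standard library: a connected UDP socket makes the kernel report the target's ICMP port-unreachable as ECONNREFUSED, silence becomes open|filtered, and a reply means open. The DNS query builder is the "application-layer request" idea for port 53. The loopback listener and the unused-port helper are constructed test fixtures, not real services; the whole thing assumes a Linux or BSD-style socket stack that delivers ICMP errors to connected UDP sockets.

```python
import socket
import struct
import threading


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query in RFC 1035 wire format: a payload a UDP/53 service will answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def udp_probe(host: str, port: int, payload: bytes = b"", timeout: float = 1.0) -> str:
    """Send one datagram and classify the port the way a UDP scanner does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket makes the kernel hand us the ICMP port-unreachable
        # (as ECONNREFUSED) instead of silently dropping it.
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(4096)
            return "open"                 # the service answered our request
        except ConnectionRefusedError:
            return "closed"               # ICMP type 3 code 3 came back
        except socket.timeout:
            return "open|filtered"        # silence: no listener, a firewall, or an ignored payload


def start_loopback_udp_service(respond: bool):
    """Constructed test fixture (not a real service): a UDP listener on 127.0.0.1 that
    either echoes every datagram back or stays silent. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            if respond:
                srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def pick_unused_udp_port() -> int:
    """Bind and release an ephemeral port so that nothing listens on it (constructed fixture)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_loopback_udp_service(respond=True)
    print(port, udp_probe("127.0.0.1", port, build_dns_query("example.com")))   # open
    stop.set()
    port, stop = start_loopback_udp_service(respond=False)
    print(port, udp_probe("127.0.0.1", port, timeout=0.5))                       # open|filtered
    stop.set()
    print(udp_probe("127.0.0.1", pick_unused_udp_port()))                        # closed
```

The silent listener is the case that makes UDP scanning slow and ambiguous: the scanner has to wait out the whole timeout and still cannot tell a firewall drop from a service that ignored an empty datagram, which is why a protocol-correct payload such as the DNS query is worth the effort on known ports.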

TCP port scan

1. Full-connect scan (SYN, SYN+ACK, ACK)
Establishes a complete TCP three-way handshake, so the result is the most accurate. It needs no special privileges (any user on the system may use the connect() call) and it is fast, but it is easy to detect: the target's service sees a completed connection.

Scapy has trouble doing a full-connect scan. When the SYN+ACK comes back from the target, the scanning host's own kernel knows nothing about the handshake Scapy started, treats the packet as belonging to a connection that does not exist, and answers with an RST that tears the connection down. That RST must be kept from leaving the host, or it confuses the following steps. iptables, the Linux firewall, sits in front of the kernel's network stack on the way out, so a policy there can drop it (192.168.20.2 is the scan target; remove the rule when you are done):

iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.20.2 -j DROP

Then run the script again:

#!/usr/bin/python3
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, sr1

target = "192.168.1.134"
port = 25                       # SMTP greets the client after the handshake, so the third step gets a visible reply

syn = IP(dst=target)/TCP(dport=port, flags="S")
print("--SENT--")
syn.display()
print("\n\n--RECEIVED--")
response = sr1(syn, timeout=1, verbose=0)
if response is not None and int(response[TCP].flags) == 18:            # 18 = SYN+ACK
    response.display()
    print("\n\n--SENT--")
    # third packet of the handshake: ACK the server's sequence number; our own seq is 1 (the SYN used 0)
    a = IP(dst=target)/TCP(dport=port, flags="A", seq=1, ack=(response[TCP].seq + 1))
    a.display()
    print("\n\n--RECEIVED--")
    response2 = sr1(a, timeout=1, verbose=0)
    if response2 is not None:
        response2.display()
else:
    print("SYN-ACK not returned")

Nmap: -sT, TCP connect scan

root@kali:~# nmap -sT 192.168.1.115 -p 100-200
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 10:56 CST
Nmap scan report for PC (192.168.1.115)
Host is up (0.41s latency).
Not shown: 99 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds

Without -p, nmap scans its 1000 most common ports.

dmitry is mainly used to query whois information for an IP or a domain, but it cannot determine the network range. It also has a TCP port scan:

root@kali:~# dmitry
Deepmagic Information Gathering Tool
"There be some deep magic going on"

Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o     Save output to %host.txt or to file specified by -o file
  -i     Perform a whois lookup on the IP address of a host
  -w     Perform a whois lookup on the domain name of a host
  -n     Retrieve Netcraft.com information on a host
  -s     Perform a search for possible subdomains
  -e     Perform a search for possible email addresses
  -p     Perform a TCP port scan on a host                 # the TCP port scan
* -f     Perform a TCP port scan on a host showing output reporting filtered ports
* -b     Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed

nc (also a full connect: -z asks nc to connect and close without sending data)

root@kali:~# nc -nv -w 1 -z 192.168.1.115 100-200
    # -n: numeric only, no DNS resolution; -v: verbose; -w 1: one-second timeout; -z: zero-I/O scan mode
(UNKNOWN) [192.168.1.115] 139 (netbios-ssn) open
(UNKNOWN) [192.168.1.115] 135 (loc-srv) open

Loop over ports on one host (nc prints its results on stderr, hence 2>&1 before grep):
for x in $(seq 20 30); do nc -nv -w 1 -z 1.1.1.1 $x; done 2>&1 | grep open

Loop over hosts for one port:
for x in $(seq 1 254); do nc -nv -w 1 -z 1.1.1.$x 80; done
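All four tools above (the Scapy script, nmap -sT, dmitry -p, nc -z) do the same thing at the socket level, so here is the full-connect scan in plain Python as an added example, not code from the original post. connect() asks the kernel to complete SYN / SYN+ACK / ACK, which is why no privileges are needed and why the scanned service sees a completed connection in its logs. The loopback listener and the unused-port helper are constructed fixtures so the scanner can be exercised offline; the target address 127.0.0.1 is an assumption for that purpose.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def connect_scan_port(host: str, port: int, timeout: float = 1.0) -> str:
    """One port: the kernel performs SYN / SYN+ACK / ACK inside connect()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"                  # handshake completed; the service now has a connection to log
        except ConnectionRefusedError:
            return "closed"                # RST+ACK answered our SYN
        except OSError:                    # timeout, host unreachable, ...: no usable answer
            return "filtered"


def connect_scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Scan many ports in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_scan_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results: dict) -> list:
    """The --open view: just the ports that completed a handshake, sorted."""
    return sorted(p for p, state in results.items() if state == "open")


def start_loopback_tcp_listener() -> socket.socket:
    """Constructed fixture: a listening socket on an ephemeral 127.0.0.1 port.
    Nothing needs to accept(): the kernel completes the handshake into the backlog."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def pick_unused_tcp_port() -> int:
    """Bind and release an ephemeral port so that nothing listens on it (constructed fixture)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_loopback_tcp_listener()
    listening = srv.getsockname()[1]
    closed = pick_unused_tcp_port()
    results = connect_scan("127.0.0.1", [listening, closed])
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    print("open:", open_ports(results))
    srv.close()
```

The thread pool is what makes a connect scan "fast" in the sense the text means: each connect() blocks for up to the full timeout on a filtered port, so scanning sequentially would cost timeout × ports.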
2. Stealth scan (a SYN scan is accurate enough, except in extremely unusual cases)
No complete TCP connection is established, so nothing reaches the application layer; only a few traces at the network layer can be found afterwards.
1. Send only a SYN. If SYN+ACK comes back, the port is open; if RST+ACK (R+A) comes back, the port is closed.

>>> a = sr1(IP(dst="192.168.1.1")/TCP(flags="S"), timeout=1, verbose=0)      # dport defaults to 80
>>> a.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  id= 0
  flags= DF
  frag= 0L
  proto= tcp
  chksum= 0xb6fb
  src= 192.168.1.1
  dst= 192.168.1.127
  \options\
###[ TCP ]###
     sport= http
     dport= ftp_data
     seq= 3205019844
     ack= 1
     dataofs= 6L
     reserved= 0L
     flags= SA                  # SYN+ACK: port open
     window= 5840
     chksum= 0x8543
     urgptr= 0
     options= [('MSS', 1460)]
###[ Padding ]###
        load= '\x00\x00'
>>> a = sr1(IP(dst="192.168.1.1")/TCP(flags="S", dport=22222), timeout=1, verbose=0)
>>> a.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  id= 0
  flags= DF
  frag= 0L
  proto= tcp
  chksum= 0xb6ff
  src= 192.168.1.1
  dst= 192.168.1.127
  \options\
###[ TCP ]###
     sport= 22222
     dport= ftp_data
     seq= 0
     ack= 1
     dataofs= 5L
     reserved= 0L
     flags= RA                  # RST+ACK: port closed
     window= 0
     chksum= 0xd51c
     urgptr= 0
     options= {}
###[ Padding ]###
        load= '\x00\x00\x00\x00\x00\x00'
>>>

Note: Windows systems by default have no ports below 100 open; if the firewall is enabled, they only answer RA.
The same thing can be done with a Python script:

#!/usr/bin/python3
import logging
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, sr1

if len(sys.argv) != 4:
    print("Usage - ./syn_scan.py [target.ip] [start port] [end port]")
    print("Scans TCP ports [start port] through [end port] on [target.ip] with a SYN scan")
    sys.exit()

ip = str(sys.argv[1])
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):
    # a very short timeout keeps the scan fast; raise it on a slow link or open ports are missed
    a = sr1(IP(dst=ip)/TCP(dport=port, flags="S"), timeout=0.1, verbose=0)
    if a is None:
        continue                               # no answer: filtered, or the timeout was too short
    if int(a[TCP].flags) == 18:                # 18 = SYN+ACK: open (RST+ACK is 20: closed)
        print(port)
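The packet-level logic behind the SYN scan without Scapy, as an added example that is not from the original post. It builds a 20-byte TCP header with the checksum over the IPv4 pseudo-header (the part Scapy fills in for you), decodes the flag byte so that the `flags == 18` test in the script above stops being a magic number, and turns a reply, or the lack of one, into the open / closed / filtered verdict. The sample headers are constructed from the values shown in the Scapy session above (192.168.1.1 answering 192.168.1.127); no packets are sent.

```python
import socket
import struct

# TCP flag bits, low to high (RFC 793); the letters match Scapy's flag string.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
SYN_ACK = FLAGS["S"] | FLAGS["A"]           # 0x12 == 18, the value the scripts compare against


def flags_to_int(letters: str) -> int:
    return sum(FLAGS[c] for c in letters)


def int_to_flags(value: int) -> str:
    return "".join(c for c, bit in FLAGS.items() if value & bit)


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + segment; recomputing it over a good segment yields 0."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=5840) -> bytes:
    """Fixed 20-byte TCP header (no options) with the checksum filled in."""
    data_offset = 5 << 4                     # 5 x 32-bit words, upper nibble of byte 12
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset,
                         flags_to_int(flags), window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed part of a TCP header (the fields Scapy's display() prints)."""
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "dataofs": off >> 4,
            "flags": int_to_flags(flags), "flags_int": flags, "window": window,
            "chksum": csum, "urgptr": urg}


def classify_syn_response(raw) -> str:
    """Port state from the TCP header that answered our SYN; None means nothing came back."""
    if raw is None:
        return "filtered"                    # dropped by a firewall, or the scanner's timeout was too short
    f = parse_tcp_header(raw)["flags_int"]
    if f & FLAGS["R"]:
        return "closed"                      # RST(+ACK): 20 in the script above
    if (f & SYN_ACK) == SYN_ACK:
        return "open"                        # SYN+ACK: 18 in the script above
    return "unexpected:" + int_to_flags(f)


if __name__ == "__main__":
    # Constructed samples: the two replies from the Scapy session, rebuilt by hand.
    synack = build_tcp_segment("192.168.1.1", "192.168.1.127", 80, 20, 3205019844, 1, "SA")
    print(parse_tcp_header(synack), classify_syn_response(synack))
    rstack = build_tcp_segment("192.168.1.1", "192.168.1.127", 22222, 20, 0, 1, "RA", window=0)
    print(parse_tcp_header(rstack), classify_syn_response(rstack))
    print(classify_syn_response(None))
```

Two things worth noticing: the checksum is computed over addresses that live in the IP header, which is why a spoofed-source probe (hping3 --spoof, the zombie scan below) has to be rebuilt rather than just having its source field edited; and `flags == 18` silently misses a SYN+ACK that also carries ECN bits or PSH, which is why the classifier masks for SYN and ACK instead of comparing the whole byte.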
If you do not want to, or do not have time to, write scripts, use nmap.

2. Nmap

SYN scan (nmap probes the ports in random order)

root@kali:~# nmap 192.168.1.115 -p100-200               # run as root, the default scan type is -sS (SYN)
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 CST
Nmap scan report for PC (192.168.1.115)
Host is up (0.0010s latency).
Not shown: 99 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds

root@kali:~# nmap 192.168.1.115 -p100-200 --open        # --open lists only open ports; when the target sits behind a firewall it filters out the noise
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:49 CST
Nmap scan report for PC (192.168.1.115)
Host is up (0.00047s latency).
Not shown: 99 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds

root@kali:~# nmap -sS 192.168.1.115 -p100-200 --open     # -sS: SYN scan, stated explicitly
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:50 CST
Nmap scan report for PC (192.168.1.115)
Host is up (0.00033s latency).
Not shown: 99 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

root@kali:~# nmap -sS 192.168.1.115 -p100-200,445,3389 --open    # separate port specifications with ","
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 09:50 CST
Nmap scan report for PC (192.168.1.115)
Host is up (0.00021s latency).
Not shown: 100 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:2B:32:0F (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.xx seconds

3. hping3 (results are easy to read)

root@kali:~# hping3 192.168.1.115 --scan 100-200 -S        # -S: send SYN packets
Scanning 192.168.1.115 (192.168.1.115), port 100-200
101 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  135 loc-srv    : .S..A...     27139  8192
  139 netbios-ssn: .S..A...     28163  8192
Source address spoofing

The replies go to the spoofed address, not to you. To see them you must be able to log on to the host that owns the spoofed IP and capture the returning packets there, or have a mirror (SPAN) port on the switch.

root@kali:~# hping3 -c 100 -S --spoof 192.168.1.140 -p ++1 192.168.1.1
    # -c: number of packets to send; --spoof: forged source IP; -p ++1: destination port, starting at 1 and incremented by one per packet
HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes
--- 192.168.1.1 hping statistic ---
100 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

100% loss is expected here: every answer went to 192.168.1.140.

Zombie scan (idle scan)
Extremely stealthy, but the conditions for carrying it out are harsh. Principle: the scanner must be able to forge its source address (border firewalls today filter spoofed packets), and it needs a zombie: an idle host whose operating system uses a globally incremental IP ID (only early systems: Windows XP, 2000 and 2003). The scanner never talks to the target from its own address. It reads the zombie's IP ID, sends the target a SYN with the zombie's address as source, reads the zombie's IP ID again, and the change in the ID shows whether the target answered the zombie with a SYN+ACK (open) or not. In Scapy:

ipz = "172.16.36.134"         # zombie
ipt = "172.16.36.135"         # target

i = IP()
t = TCP()
rz = (i/t)                    # packet for the zombie
rt = (i/t)                    # packet for the target

rz[IP].dst = ipz              # zombie IP
rz[TCP].dport = 445           # 445 is open by default on Windows; the zombie must answer on the chosen port
rz[TCP].flags = "SA"          # SYN+ACK: an unsolicited SYN+ACK makes the zombie reply with RST, carrying its current IP ID

rt[IP].src = ipz              # forged source address: the zombie's IP
rt[IP].dst = ipt              # target IP
rt[TCP].dport = 22
rt[TCP].flags = "S"           # SYN

az1 = sr1(rz)                 # first packet to the zombie: read its IP ID
send(rt)                      # packet to the target; its reply goes to the zombie, not to us, so there is nothing to wait for
az2 = sr1(rz)                 # second packet to the zombie
az1.display()
az2.display()                 # compare the two IP IDs: +2 means the target port is open (the zombie answered the target's SYN+ACK with a RST), +1 means closed or filtered
Finding a zombie with nmap: nmap -p445 192.168.1.133 --script=ipidseq.nse      # --script runs the ipidseq NSE script, which samples the host's IP ID sequence

root@kali:~# nmap -p445 192.168.1.1 --script=ipidseq.nse
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 12:57 CST
Nmap scan report for DD-WRT (192.168.1.1)
Host is up (0.0037s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Host script results:
|_ipidseq: All zeros           # "All zeros": this host cannot serve as a zombie; "Incremental" means it can
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

Scanning the target through the zombie: nmap 172.16.36.135 -sI 172.16.36.134 -Pn -p 0-100     # nmap [target] -sI [zombie]; -Pn skips the host-discovery ping, which would otherwise go to the target from our own address
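The inference the zombie scan rests on, in plain Python so it can be checked without a network, as an added example that is not part of the original post. classify_ipid_sequence() gives the verdict on a candidate zombie from a list of IP IDs harvested from its replies, using the category names nmap's ipidseq script prints (the thresholds are my own simplification, not nmap's exact rules); IdleZombie is a constructed model of an idle host with a global incremental counter, and idle_scan_verdict() turns the two zombie probes that bracket the spoofed SYN into a port state, including the wrap of the 16-bit field.

```python
def ipid_delta(before: int, after: int) -> int:
    """IP ID is a 16-bit counter; handle the wrap from 65535 to 0."""
    return (after - before) & 0xFFFF


def classify_ipid_sequence(ids) -> str:
    """Is this host usable as a zombie? Names follow nmap's ipidseq output;
    thresholds are a simplification (assumption), not nmap's exact rules."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "All zeros"                       # no counter at all: unusable
    deltas = [ipid_delta(a, b) for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in deltas):
        return "Constant"                        # unusable
    if all(1 <= d <= 5 for d in deltas):
        return "Incremental"                     # the zombie we want
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]   # counter stored little-endian (old Windows)
    if all(1 <= ipid_delta(a, b) <= 5 for a, b in zip(swapped, swapped[1:])):
        return "Broken little-endian incremental"  # usable once the bytes are swapped
    if all(1 <= d <= 1000 for d in deltas):
        return "Random positive increments"      # too noisy to read a +1 / +2 difference
    return "Randomized"                          # unusable


class IdleZombie:
    """Constructed model of an idle host with a global incremental IP ID counter."""

    def __init__(self, start_id: int):
        self.ipid = start_id

    def _emit(self) -> int:
        self.ipid = (self.ipid + 1) & 0xFFFF     # every packet the host sends burns one ID
        return self.ipid

    def probe(self) -> int:
        """Scanner sends an unsolicited SYN+ACK; the zombie answers RST and we read its IP ID."""
        return self._emit()

    def receive_from_target(self, synack: bool) -> None:
        """What the target sends the zombie after our spoofed SYN: a SYN+ACK (open port)
        makes the zombie answer RST and burn an ID; a RST (closed) or silence (filtered) does not."""
        if synack:
            self._emit()


def idle_scan_verdict(ipid_before: int, ipid_after: int) -> str:
    d = ipid_delta(ipid_before, ipid_after)
    if d == 1:
        return "closed|filtered"                 # only our own second probe advanced the counter
    if d == 2:
        return "open"                            # the target's SYN+ACK cost the zombie one extra RST
    return "zombie not idle (delta %d)" % d      # other traffic moved the counter: result unreliable


def simulate_idle_scan(zombie: IdleZombie, target_port_open: bool) -> str:
    """The three-step exchange from the Scapy snippet above, against the model zombie."""
    az1 = zombie.probe()                         # first probe to the zombie
    zombie.receive_from_target(target_port_open) # spoofed SYN; the target's reply lands at the zombie
    az2 = zombie.probe()                         # second probe to the zombie
    return idle_scan_verdict(az1, az2)


if __name__ == "__main__":
    print(classify_ipid_sequence([0, 0, 0, 0]))            # All zeros (the DD-WRT box above)
    print(classify_ipid_sequence([100, 101, 102, 103]))    # Incremental
    print(simulate_idle_scan(IdleZombie(1000), True))      # open
    print(simulate_idle_scan(IdleZombie(1000), False))     # closed|filtered
    print(simulate_idle_scan(IdleZombie(65534), True))     # open, across the 16-bit wrap
```

The "zombie not idle" branch is the practical failure mode: any other host talking to the zombie between the two probes adds to the counter, so real scanners repeat the measurement and treat anything other than a clean +1 or +2 as noise rather than as a port state.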

Newbie Diary, to be continued ...
