Small white Diary Active information collection of 8:kali penetration Test (ii) three-layer discovery: Ping, traceroute, Scapy, Nmap, fping, hping

Source: Internet
Author: User


Layer three discovery three layer protocols are: IP and ICMP Protocol (Internet Management Protocol). ICMP is used to implement intenet management, path discovery, network communication, or target host status, and the ICMP protocol is used primarily in three-layer discovery. The ARP protocol belongs to the two layer protocol, which is broadcast-based and therefore not routable. While the ICMP protocol can be routed, in theory, the ICMP protocol can be used to discover the global IP, if there is no boundary firewall (ICMP detection packet) filtering, the target host will receive the corresponding response, so as to capture "there is a border firewall phenomenon is more common", However, the scanning speed of the three layer is also slower than the two layers. Note: Do not fully believe the results of the scan, because there will be false negatives, false positives, when there is a perimeter firewall, may live host does not respond, may also be down response
ICMP protocol detailed: Http://www.cnblogs.com/jingmoxukong/p/3811262.html
1. Ping command
Ping <ip> #linux与windows的ping包, there is a big difference: Windows default four, Linux by default, you can specify the number of packages with-C ping-r <ip> # You can also do a route trace ping command that does not support IP segment scanning, using shell scripting #会乱序ping
#!/bin/bashif ["$#"-ne 1];then  echo "Usage-/ping.sh [interface]"  echo "excample-./ping.sh 192.168.1.0"echo "Example would perform an ARP scan of the The local subnet to which eth0 are assigned"  exitfiprefix=$ (echo $ | cut-d '. '-f 1-3) for addr in $ (SEQ 1 254);d o   ping-c 1 $prefix. $addr | grep "bytes from" | cut-d ""-F 4 | Cut-d ":"-F 1done



2. Traceroute route Tracking


Not only can we find out if the target machine is online, but also how many hops it is routed




[email protected]:~# traceroute Www.sina.comtraceroute to Www.sina.com (121.14.1.189), hops max, byte packets 1 Dd-wrt (192.168.1.1) 1.976 ms 3.157 ms 5.440 ms #第一跳 2 10.12.66.254 (10.12.66.254) 10.196 Ms 9.98 2 ms 9.967 MS 3 * 10.12.1.54 (10.12.1.54) 11.568 ms 12.779 MS 4 172.16.254.14 (172.16.254.14) 9.570 ms 16.018 MS 1  6.016 Ms 5 10.0.3.13 (10.0.3.13) 9.559 ms 15.970 ms 15.954 ms 6 10.0.4.6 (10.0.4.6) 15.949 ms 5.061 ms 4.393 MS 7  120.236.177.1 (120.236.177.1) 5.012 ms 5.007 ms 4.999 ms 8 120.196.2.9 (120.196.2.9) 9.313 ms 9.304 MS 120.196.2.97 (120.196.2.97) 9.290 Ms 9 120.196.240.41 (120.196.240.41) 4.962 Ms 120.196.240.93 (120.196.240.93) 9.233 Ms 120.196.2 40.41 (120.196.240.41) 6.145 ms10 221.183.26.53 (221.183.26.53) 9.873 Ms 221.183.26.125 (221.183.26.125) 9.212 MS 9.2 MS11 221.176.22.182 (221.176.22.182) 9.857 Ms 221.176.18.254 (221.176.18.254) 57.810 Ms 221.176.22.130 (221.176.22.1 ) 17.121 ms12 202.97.15.13 (202.97.15.13) 16.437 Ms 221.176.22.130 (221.176.22.130) 16.386 Ms 221.176.23.62 (221.176.23.62) 16.385 MS13 20 2.97.60.138 (202.97.60.138) 16.373 ms 15.208 ms 12.096 MS14 202.97.60.138 (202.97.60.138) 13.646 Ms 113.108.208.38 (1 13.108.208.38) 13.625 Ms 13.605 MS15 113.108.209.162 (113.108.209.162) 11.998 ms 12.773 ms 12.261 MS16 58.63.232.12 2 (58.63.232.122) 13.024 Ms 9.457 Ms 113.108.209.162 (113.108.209.162) 15.283 ms17 * 121.14.1.189 (121.14.1.189) 8.79 0 Ms 8.770 ms
3, Scapy
define an IP header, define an ICMP header, and finally combine it into a ping packet
[Email protected]:~# scapywarning:no Route found for IPv6 destination:: (No default route?) Welcome to Scapy (2.3.2) >>> i=ip ()                #定义变量i继承IP包 >>> p=icmp ()              #定义变量p继承ICMP包 >>> ping= (i/p)            #把IP包与ICMP组合成ping >>> >>> ping.display ()        #查看包头结构 ###[IP]###  version= 4  ihl= None  tos= 0x0  len= None  id= 1  flags=   frag= 0  ttl= proto=  ICMP chksum=  none  src= 127.0.0.1  dst= 127.0.0.1  \options###[ICMP]###     type= echo-request code=     0     chksum= None     id= 0x0     
Ping Package Settings
>>> ping[ip].dst= "192.168.1.1" #设置目标IP为192.168.1.1>>&G T Ping.display () ###[IP]### version= 4 ihl= None tos= 0x0 len= None id= 1 flags= frag= 0 ttl= proto= ICMP chk     sum= None src= 192.168.1.127 #自动检测本地网卡 dst= 192.168.1.1 \options###[ICMP]### type= echo-request code= 0 chksum= None id= 0x0 seq= 0x0>>> a=sr1 (ping) #发包, accept response Pack begin EMISSION:.F inished to send 1 packets.*received 2 packets, got 1 answers, remaining 0 packets>>> a.display () ###[IP]### ver   sion= 4L ihl= 5L tos= 0x0 len= id= 23488 flags= frag= 0L ttl= proto= ICMP chksum= 0x9b50 src= 192.168.1.1 dst= 192.168.1.127 \options###[ICMP]### type= echo-reply code= 0 chksum= 0xffff id= 0x0 seq= 0x0# ##[Padding]### load= ' \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 ' >>> 
combine the above commands
>>> SR1 (IP (dst= "192.168.1.1")/icmp ())   <span style= "color: #ff0000;" >#<span style= "font-family:arial, Helvetica, Sans-serif; "></span></span><pre name=" code "class=" plain "style=" display:inline!important; " >SR1 (IP (dst= "192.168.1.1")/icmp (), timeout=1)

Begin emission:. Finished to send 1 packets.*received 2 packets, got 1 answers, remaining 0 packets<ip version=4l ihl=5l tos=0x0 len=28 id=23489 flags= frag=0l ttl=64 proto=icmp chksum=0x9b4f src=192.168.1.1 dst=192.168.1.127 options=[] |<ICMP type= Echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |<padding load= ' \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ X00\x00\x00\x00\x00\x00 ' |>>>>>>
 When the destination IP does not exist in the network, Scapy waits for a response, plus timeout=1 
 
python script
#!/usr/bin/pythonimport loggingimport Subprocesslogging.getlogger ("Scapy.runtime"). SetLevel (Logging. ERROR) from Scapy.all import*if len (sys.argv)!=2:                               #minglingcanshubugou2   print "Usage-./pingger.py [/24 networ K Address] "   print" Example-./pinger.py 172.16.36.0 "   print" Example would perform an ICMP scan of the 192.168.1.0/ Range "   sys.exit () address = str (sys.argv[1]) prefix = Address.split (". ") [0] + '. ' + Address.split (".") [1] + '. ' + Address.split (".") [2] + '. ' For addr in range (0,254):   answer=sr1 (IP (dst=prefix+str (addr))/icmp (), timeout=0.1,verbose=0)   if answer = = None:     Pass;   else:     print prefix+str (addr) <span style= "Font-weight:bold;" ></span>
read from File
#!/usr/bin/pythonimport loggingimport Subprocesslogging.getlogger ("Scapy.runtime"). SetLevel (Logging. ERROR) from Scapy.all import*if len (sys.argv)!=2:                                print "Usage-./pingger.py [/24 Network Address]"   print "Exam Ple-./pinger.py 172.16.36.0 "   print" Example would perform an ICMP scan of the 192.168.1.0/24 range "   sys.exit () fil ename = str (sys.argv[1]) file=open (filename, "R") for addr in file:   answer=sr1 (IP (Dst=addr.strip ())/icmp (), timeout =0.1,verbose=0)   If answer ==none:     Pass;   else:     the print addr.strip () <strong>       #strip () method is used to remove the character specified by the tail of the string (the default is a space) </strong>


4, Nmap


#抓包分析ICMP包 #-sn can specify IP segment-il <txt>-sn
[Email protected]:~# nmap-sn 211.144.145.1Starting nmap 7.01 (https://nmap.org) at 2016-09-10 23:38 cstnmap Scan Report For 211.144.145.1Host are up (0.11s latency). Nmap done:1 IP Address (1 host up) scanned in 0.32 seconds


5, Fping


fping is similar to ping, but more powerful than Ping. The difference between fping and Ping is that fping can specify the number of hosts to ping on the command line, or you can specify a list file containing the hosts to ping.
Unlike ping to wait for a host connection to time out or send back feedback, Fping sends a packet to the next host immediately after sending the packet to a host, enabling multiple hosts to ping at the same time. If a host pings, the host is flagged and removed from the wait list, and if there is no ping, the host is not reachable, and the host remains in the waiting list for subsequent operations.
<strong>[email protected]:~# fping-g 192.168.1.100 192.168.1.200-c 1    #-g specified range, only one packet from 100-200-c </strong >
can also-G 192.168.1.0/24, available with grep extract-f <file> #指定文件扫描


6, Hping


Able to send almost any TCP/IP packet, hping is often used to detect the network and host, it is very powerful, but only one package at a time, can send a large number of custom ping packets, can do a certain degree of denial of service attacks.
[Email protected]:~# hping3 192.168.1.1--icmp-c 2HPING 192.168.1.1 (eth0 192.168.1.1): ICMP mode set, headers + 0 dat A byteslen=46 ip=192.168.1.1 ttl=64 id=27384 icmp_seq=0 rtt=36.8 mslen=46 ip=192.168.1.1 ttl=64 id=27385 icmp_seq=1 rtt=2. 4 ms---192.168.1.1 hping statistic---2 packets transmitted, 2 packets received, 0% packet Lossround-trip Min/avg/max = 2 .4/19.6/36.8 ms
Loops can be implemented with scripts or combined rows
For addr in $ (SEQ 1 254); Do hping3 1.1.1. $addr--icmp-c 1 >> handle.txt & done<strong> #结果输出到文本文件使结果清晰 </strong>
Cat Handletxt | grep ^len #筛选活着的IP


Little white Diary, not to be continued ...




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.