Newbie Diary 9: Kali Penetration Testing, Active Information Gathering (II). Layer 4 discovery: TCP, UDP, Nmap, hping, scapy

Source: Internet
Author: User
Tags: ack

Layer 4 discovery. The purpose of layer 4 discovery is to find the IP addresses that are live. Although it involves port scanning, it does not judge the state of the ports accurately; its essence is to use layer 4 protocol communication (TCP, UDP) to tell whether a host IP exists. Advantages of layer 4 discovery:
1. It is routable, and the results are reliable;
2. It is unlikely to be filtered by a firewall, and it can even find hosts whose ports are all filtered. [Some stricter firewalls will still filter it]
Disadvantages: a firewall that does stateful filtering may filter the scan, and scanning the full port range (UDP + TCP, over a hundred thousand ports) is slow.

I. TCP detection [based on protocol characteristics]

A TCP connection is established through the three-way handshake.

1. Unsolicited ACK [send an ACK packet directly]: a live host will reply with an RST packet; a host that is down returns nothing.

2. Send a SYN packet directly: a live host replies with SYN/ACK [port open] or with RST [port closed].

Scapy (if an RST comes back the host is online, otherwise it is not)

root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>> i=IP()
>>> t=TCP()
>>> r=(i/t)
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= {}
>>> r[IP].dst="192.168.1.1"
>>> r[TCP].flags="A"        # build the ACK packet
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 192.168.1.127
  dst= 192.168.1.1
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= A
     window= 8192
     chksum= None
     urgptr= 0
     options= {}
>>> a=sr1(r)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> 
Note: any field of the packet can be set to construct a different packet, for example a spoofed source IP address. Special case: a host that is online but returns no response packet; fall back to ping detection.
The same thing as a single combined statement:

>>> a=sr1(IP(dst="1.1.1.1")/TCP(dport=80,flags='A'),timeout=1)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a
<IP  version=4L ihl=5L tos=0x0 len=40 id=56576 flags= frag=0L ttl=60 proto=tcp chksum=0xdda6 src=1.1.1.1 dst=192.168.1.127 options=[] |<TCP  sport=http dport=ftp_data seq=0 ack=0 dataofs=5L reserved=0L flags=R window=0 chksum=0xeb53 urgptr=0 |<Padding  load='\x00\x00\x00\x00\x00\x00' |>>>
>>> 
Scapy script (ACK ping of a /24)

#!/usr/bin/python
import logging
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

if len(sys.argv) != 2:                      # not enough command-line arguments (need 2)
    print("Usage - ./ack_ping.py [/24 Network Address]")
    print("Example - ./ack_ping.py 172.16.36.0")
    print("Example would perform an ACK Ping scan of the 192.168.1.0/24 range")
    sys.exit()

address = str(sys.argv[1])
# keep the first three octets, e.g. "172.16.36."
prefix = address.split(".")[0] + '.' + address.split(".")[1] + '.' + address.split(".")[2] + '.'

for addr in range(1, 254):
    # one unsolicited ACK to port 80 of each host, wait at most 1 second for the reply
    response = sr1(IP(dst=prefix + str(addr)) / TCP(dport=80, flags='A'), timeout=1, verbose=0)
    try:
        if int(response[TCP].flags) == 4:   # 4 = RST flag: the host answered, so it is online
            print(prefix + str(addr))
    except:                                 # no reply (response is None) or no TCP layer
        pass
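The decision the script above makes (an RST coming back from the probed host means it is online) can be shown without scapy. The following is an added example, not code from the original post: it builds the same IP/TCP ACK probe by hand with struct, including the IPv4 and TCP checksums, parses a reply, and applies the same test as the script (scapy's int(flags) == 4 is the RST bit). The addresses and the sample RST reply are constructed for the example; the raw-socket sender at the end needs root on Linux, and SRC_IP must then be the scanner's real interface address.

```python
import socket
import struct
import sys
import time

# Constructed addresses for this example (not from the original post).
SRC_IP = "192.168.1.127"   # the scanning host
DST_IP = "192.168.1.1"     # the host being probed

TCP_ACK = 0x10
TCP_RST = 0x04             # scapy's int(pkt[TCP].flags) == 4 is exactly this bit

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (used by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ip_header(src, dst, payload_len, proto):
    """20-byte IPv4 header without options (version 4, IHL 5, TTL 64, id 1)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_tcp_header(src, dst, sport, dport, flags):
    """20-byte TCP header (seq/ack 0, window 8192); the checksum also covers the pseudo header."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]

def build_ack_probe(src, dst, dport=80, sport=20):
    """The unsolicited ACK from the post: sport ftp_data (20) to dport http (80), flags=A."""
    seg = build_tcp_header(src, dst, sport, dport, TCP_ACK)
    return build_ip_header(src, dst, len(seg), socket.IPPROTO_TCP) + seg

def verify_checksums(packet):
    """True when the IPv4 and TCP checksums of an IPv4/TCP packet both verify (sum to 0)."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, socket.IPPROTO_TCP, len(seg))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + seg) == 0

def parse_tcp(packet):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            sport, dport, packet[ihl + 13])

def host_is_up(response, probed_ip, probed_port):
    """ACK-ping decision: an RST from the probed host and port means the host is online.
    Anything else (no reply, a packet from another host, a non-RST) proves nothing."""
    parsed = parse_tcp(response)
    if parsed is None:
        return False
    src, _dst, sport, _dport, flags = parsed
    return src == probed_ip and sport == probed_port and bool(flags & TCP_RST)

# Constructed reply: what a live 192.168.1.1 sends back to the probe (RST from port 80).
SAMPLE_RST_REPLY = (build_ip_header(DST_IP, SRC_IP, 20, socket.IPPROTO_TCP)
                    + build_tcp_header(DST_IP, SRC_IP, 80, 20, TCP_RST))

def ack_ping(src, dst, dport=80, timeout=1.0):
    """Send the probe on a raw socket (root required on Linux) and wait for an RST from dst."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    sock.settimeout(timeout)
    deadline = time.monotonic() + timeout
    try:
        sock.sendto(build_ack_probe(src, dst, dport), (dst, 0))
        while time.monotonic() < deadline:
            data, _ = sock.recvfrom(65535)
            if host_is_up(data, dst, dport):
                return True
    except socket.timeout:
        pass
    finally:
        sock.close()
    return False

if __name__ == "__main__":
    # Usage: sudo python3 ack_ping_raw.py 192.168.1.0   (scans .1 to .253 like the post's script)
    prefix = ".".join(sys.argv[1].split(".")[:3]) + "."
    for addr in range(1, 254):
        if ack_ping(SRC_IP, prefix + str(addr)):
            print(prefix + str(addr))
```

The reply check deliberately requires the RST to come from the probed address and the probed port: a stray RST from some other host, or an ICMP message from a router, must not be counted as "online", which is the mistake a bare "got an answer" test would make.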


II. UDP detection [based on protocol characteristics]

UDP is a connectionless, unreliable transport protocol: it simply makes a best effort to deliver the packet.

If the target host is offline, nothing comes back. If the target port is open, nothing may come back either [a service such as DNS only answers a properly formed request, so unless a complete UDP payload for that service is constructed there is no response, and that is not the point here]. When the host is online and the packet is sent to a closed port, the host returns ICMP port unreachable, which shows that it is online.

root@kali:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>> i=IP()
>>> u=UDP()
>>> r=(i/u)
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
###[ UDP ]###
     sport= domain
     dport= domain
     len= None
     chksum= None
>>> r[IP].dst="192.168.1.1"
>>> r[UDP].dport=7345
>>> r.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 192.168.1.127
  dst= 192.168.1.1
  \options\
###[ UDP ]###
     sport= domain
     dport= 7345
     len= None
     chksum= None
>>> a=sr1(r)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0xc0
  len= 56
  id= 61178
  flags= 
  frag= 0L
  ttl= 64
  proto= icmp
  chksum= 0x73a
  src= 192.168.1.1
  dst= 192.168.1.127
  \options\
###[ ICMP ]###
     type= dest-unreach
     code= port-unreachable
     chksum= 0x80e7
     reserved= 0
     length= 0
     nexthopmtu= 0
###[ IP in ICMP ]###
        version= 4L
        ihl= 5L
        tos= 0x0
        len= 28
        id= 1
        flags= 
        frag= 0L
        ttl= 64
        proto= udp
        chksum= 0xf6ff
        src= 192.168.1.127
        dst= 192.168.1.1
        \options\
###[ UDP in ICMP ]###
           sport= domain
           dport= 7345
           len= 8
           chksum= 0x5f27
>>> 
UDP script
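The heading above has no script on this page. As an added example (not code from the original post), the following dissects the ICMP reply shown in the scapy capture the way a UDP ping must: the outer IP header, the ICMP destination-unreachable header, and the quoted copy of our own probe inside it. It then applies the post's rule, ICMP port unreachable means the host is online, but only when the error comes from the probed address and quotes our UDP probe, so a gateway's "host unreachable" about that address is not mistaken for a live host. The sample datagram is constructed to mirror the capture (checksums are left at 0 and not checked); the last function is a non-root variant that relies on Linux reporting the ICMP error on a connected UDP socket.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3          # ICMP type
ICMP_PORT_UNREACH = 3          # code under type 3; code 1 is "host unreachable"

def parse_icmp_unreachable(packet):
    """Dissect IPv4 + ICMP destination-unreachable + the quoted inner IP header and 4 L4 bytes.
    Returns (reporter_ip, code, inner_dst, inner_proto, inner_dport), or None if it is not one."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    reporter = socket.inet_ntoa(packet[12:16])
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type != ICMP_DEST_UNREACH:
        return None
    inner = packet[ihl + 8:]                 # original datagram: IP header + first 8 payload bytes
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return None
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return reporter, code, socket.inet_ntoa(inner[16:20]), inner[9], dport

def udp_probe_says_up(packet, probed_ip, probed_port):
    """The post's rule, with the sanity checks it needs: port unreachable (code 3) sent by the
    probed host itself, quoting a UDP datagram addressed to the port we actually probed."""
    parsed = parse_icmp_unreachable(packet)
    if parsed is None:
        return False
    reporter, code, inner_dst, inner_proto, dport = parsed
    return (code == ICMP_PORT_UNREACH and reporter == probed_ip and inner_dst == probed_ip
            and inner_proto == socket.IPPROTO_UDP and dport == probed_port)

def make_sample_unreachable(reporter, inner_src, inner_dst, sport, dport,
                            code=ICMP_PORT_UNREACH, inner_proto=socket.IPPROTO_UDP):
    """Constructed test datagram mirroring the scapy capture above (checksums left at 0)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, inner_proto, 0,
                           socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    inner_l4 = struct.pack("!HHHH", sport, dport, 8, 0)          # UDP: sport, dport, len, chksum
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_l4
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(icmp), 61178, 0, 64,
                           socket.IPPROTO_ICMP, 0,
                           socket.inet_aton(reporter), socket.inet_aton(inner_src))
    return outer_ip + icmp

def udp_ping_no_root(ip, port, timeout=1.0):
    """Same idea without raw sockets (Linux): on a connected UDP socket the kernel hands an
    incoming ICMP port unreachable back to us as ECONNREFUSED, which here means "host online".
    Returns "up" (refused, or the port answered) or "no-answer" (down, filtered, or open and silent)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        sock.send(b"")
        sock.recv(1)
        return "up"
    except ConnectionRefusedError:
        return "up"
    except socket.timeout:
        return "no-answer"
    finally:
        sock.close()
```

The "no-answer" outcome is deliberately not reported as "down": as the text above says, an open UDP port that ignores an empty datagram looks exactly like a filtered or offline host, so UDP ping can only ever confirm presence, never absence.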

Nmap (fast, but subject to a few conditions; in short, suitable for most situations)

Layer 3 and layer 4 scanning: nmap is in a class of its own here.

UDP scan: nmap 1.1.1.1-254 -PU53 -sn    # -PU: UDP ping (probe UDP port 53)

ACK scan: nmap 1.1.1.1-254 -PA80 -sn    # -PA: TCP ACK ping (probe port 80)

Specify an address list: nmap -iL iplist.txt -PA80 -sn

Other ping types: -PE/-PP/-PM (ICMP echo / timestamp / netmask) and -PO (IP protocol ping) ...

hping3 (TCP ping by default)

UDP detection

root@kali:~# hping3 --udp 192.168.1.1 -c 1
HPING 192.168.1.1 (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.1 name=dd-wrt   status=0 port=1788 seq=0
--- 192.168.1.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 68.2/68.2/68.2 ms

UDP hping3 script

for addr in $(seq 1 254); do hping3 --udp 1.1.1.$addr -c 1 >> r.txt; done

grep Unreachable r.txt | cut -d " " -f 5 | cut -d "=" -f 2
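What the grep | cut pipeline above extracts can be done more robustly in a few lines of Python. The following is an added example, not from the original post: it parses hping3 output as appended to r.txt by the loop (the sample lines are constructed, modelled on the runs shown on this page), groups it per target, keeps the ICMP unreachable and TCP reply lines with their key=value fields, and counts a host as online only when the reply came from the probed address itself, so an ICMP host-unreachable emitted by a gateway is not taken for a live host.

```python
import re

# Constructed sample of r.txt after a loop like the post's (hping3 -c 1 per host, output appended):
# a UDP run answered with ICMP port unreachable, a UDP run with no reply, a TCP ACK run answered
# with RST, and a UDP run where only the gateway answered with ICMP host unreachable.
SAMPLE_R_TXT = """\
HPING 192.168.1.1 (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.1 name=dd-wrt   status=0 port=1788 seq=0
--- 192.168.1.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 68.2/68.2/68.2 ms
HPING 192.168.1.5 (eth0 192.168.1.5): udp mode set, 28 headers + 0 data bytes
--- 192.168.1.5 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
HPING 192.168.1.20 (eth0 192.168.1.20): A set, 40 headers + 0 data bytes
len=46 ip=192.168.1.20 ttl=64 DF id=0 sport=80 flags=R seq=0 win=0 rtt=0.4 ms
--- 192.168.1.20 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms
HPING 192.168.1.30 (eth0 192.168.1.30): udp mode set, 28 headers + 0 data bytes
ICMP Host Unreachable from ip=192.168.1.254 name=gateway   status=0 port=2211 seq=0
--- 192.168.1.30 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.2/1.2 ms
"""

HEADER_RE = re.compile(r"^HPING (\S+) \(")
UNREACH_RE = re.compile(r"^ICMP (\w+) Unreachable from ip=(\S+)")
L4_REPLY_RE = re.compile(r"^len=\d+ ip=(\S+) ")
STATS_RE = re.compile(r"^(\d+) packets transmitted, (\d+) packets received")

def parse_kv(line):
    """Turn the key=value tokens of an hping3 line into a dict (other tokens are ignored)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def parse_hping3_output(text):
    """Group hping3 output into one record per target: who replied, with what, and the counts."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"target": m.group(1), "replies": [], "sent": 0, "received": 0}
            records.append(current)
            continue
        if current is None:
            continue                      # stray text before the first HPING header
        m = UNREACH_RE.match(line)
        if m:
            current["replies"].append({"kind": "icmp-" + m.group(1).lower() + "-unreachable",
                                       "from": m.group(2), **parse_kv(line)})
            continue
        m = L4_REPLY_RE.match(line)
        if m:
            current["replies"].append({"kind": "tcp", "from": m.group(1), **parse_kv(line)})
            continue
        m = STATS_RE.match(line)
        if m:
            current["sent"], current["received"] = int(m.group(1)), int(m.group(2))
    return records

def live_hosts(text):
    """The grep|cut pipeline from the post, with one extra rule: a reply only counts when it
    comes from the probed address itself, so a gateway's host unreachable is not "online"."""
    up = set()
    for rec in parse_hping3_output(text):
        if any(r["from"] == rec["target"] for r in rec["replies"]):
            up.add(rec["target"])
    return sorted(up, key=lambda ip: tuple(int(o) for o in ip.split(".")))
```

Run it as live_hosts(open("r.txt").read()) on the file the loop produced; the per-target records from parse_hping3_output also keep the name= and port= fields that the cut pipeline throws away.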

TCP detection

root@kali:~# hping3 196.168.1.1 -c 1
HPING 196.168.1.1 (eth0 196.168.1.1): NO FLAGS are set, 40 headers + 0 data bytes
--- 196.168.1.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


Newbie Diary, to be continued ...

