2025-04-15 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
Environment:
Attacking machine (Kali): 10.10.10.11
Target hosts: 10.10.10.14 or 10.10.10.12
Port scanning with Scapy

1. Half-open (SYN) scan
Principle: the attacking machine sends a SYN to the target host and decides whether the port is open from the reply. A closed port answers with RST; an open port answers with SYN/ACK, and the scanner never completes the handshake, hence "half-open".
1.1 scapy scan
Port open:
>>> sr1(IP(dst='10.10.10.14')/TCP(flags='S', dport=80))   # send SYN
Begin emission:
....*
Finished to send 1 packets.
Received 5 packets, got 1 answers, remaining 0 packets
# the answer carries flags SA (SYN/ACK): the destination port is open
Port closed:
>>> sr1(IP(dst='10.10.10.14')/TCP(flags='S', dport=8080))   # send SYN
Begin emission:
....
Finished to send 1 packets.
*
Received 5 packets, got 1 answers, remaining 0 packets
# the answer carries flags RA (RST/ACK): the destination port is closed
Based on the above, you can write a simple Python half-open scan script:
#!/usr/bin/python3
# encoding=utf-8
from scapy.all import IP, TCP, sr1

def syn(ip, start, end):
    """Send one SYN per port; a reply whose TCP flags are SA (0x12 = 18) means the port is open."""
    for port in range(start, end):
        reply = sr1(IP(dst=ip)/TCP(dport=port, flags='S'), timeout=2, verbose=0)
        # sr1() returns None on timeout (filtered port), so check before indexing
        if reply is not None and reply.haslayer(TCP) and reply[TCP].flags == 18:
            print(port)

def main():
    ip = input('Input IP:')
    start = int(input('Input start port:'))
    end = int(input('Input end port:'))
    syn(ip, start, end)

if __name__ == '__main__':
    main()

1.2 nmap half-open scan
kali@kal:~/review$ nmap -sS 10.10.10.14 -p20-30          # specified port range
kali@kal:~/review$ nmap -sS 10.10.10.14 -p 80,22          # specified ports
kali@kal:~/review$ nmap -sS 10.10.10.14 -p 80,22 --open   # show only open ports
The packet capture of this scan is as follows:
1.3 hping3 half-open scan
Scan a specified port range
kali@kal:/$ sudo hping3 10.10.10.14 --scan 20-30 -S
Scan specified ports
kali@kal:/$ sudo hping3 10.10.10.14 --scan 20,22,25,30 -S
SYN scan with the source IP forged as 192.168.10.10
kali@kal:/$ sudo hping3 10.10.10.14 --spoof 192.168.10.10 --scan 20-30 -S

2. Full connect scan
Principle: the scanner first sends a SYN to the target host, the target replies SYN/ACK, and the scanner then sends an ACK, completing the three-way handshake. A completed handshake means the port is open.
2.1 scapy full connect scan
To do a full connect scan with scapy you must stop the kernel from sending RST: the kernel has no record of the connection scapy started, so it would answer the target's SYN/ACK with RST and tear the connection down before scapy's ACK goes out.
kali@kal:/$ sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
kali@kal:/$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:RST/RST
The core code for establishing a full connection is as follows (the port can be changed freely):
>>> r1 = sr1(IP(dst='10.10.10.14')/TCP(flags='S', dport=22))
>>> # the ACK must acknowledge the target's SYN (seq + 1) and carry our own sequence number (the target's ack) or the target will not accept it
>>> r2 = sr1(IP(dst='10.10.10.14')/TCP(flags='A', dport=22, seq=r1[TCP].ack, ack=r1[TCP].seq + 1), timeout=2)

2.2 nmap full connect scan
Specified port range scan
kali@kal:/$ sudo nmap -sT 10.10.10.14 -p1-100
Specified port scan
kali@kal:/$ sudo nmap -sT 10.10.10.14 -p 22,25888,23
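As a defender's counterpart to the half-open scans of section 1 and the full connect scans of section 2, here is an added example (not from the original article) that classifies flows in a constructed packet list: the SYN, SYN/ACK, RST half-open pattern, the RST/ACK answer of a closed port, a completed handshake torn down without data, and an ordinary client. The addresses reuse the lab environment; the records themselves are made up.

```python
from collections import Counter, defaultdict

# Constructed sample traffic, not a real capture: (src, dst, sport, dport, flags); flags are scapy letters (S=SYN, A=ACK, R=RST, P=PSH).
PACKETS = [
    ("10.10.10.11", "10.10.10.14", 40001, 80, "S"),    # half-open probe of an open port
    ("10.10.10.14", "10.10.10.11", 80, 40001, "SA"),
    ("10.10.10.11", "10.10.10.14", 40001, 80, "R"),    # scanner aborts instead of ACKing
    ("10.10.10.11", "10.10.10.14", 40002, 8080, "S"),  # probe of a closed port
    ("10.10.10.14", "10.10.10.11", 8080, 40002, "RA"),
    ("10.10.10.11", "10.10.10.14", 40003, 22, "S"),    # full connect, then RST with no data
    ("10.10.10.14", "10.10.10.11", 22, 40003, "SA"),
    ("10.10.10.11", "10.10.10.14", 40003, 22, "A"),
    ("10.10.10.11", "10.10.10.14", 40003, 22, "R"),
    ("10.10.10.20", "10.10.10.14", 50000, 80, "S"),    # real client: handshake + data
    ("10.10.10.14", "10.10.10.20", 80, 50000, "SA"),
    ("10.10.10.20", "10.10.10.14", 50000, 80, "A"),
    ("10.10.10.20", "10.10.10.14", 50000, 80, "PA"),
]

def track_flows(packets):
    """Key flows by the client's SYN; record the server's first reply, then the client's later flags."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if flags == "S":
            flows[fwd] = {"server": None, "client_after": []}
        elif rev in flows and flows[rev]["server"] is None:
            flows[rev]["server"] = flags
        elif fwd in flows and flows[fwd]["server"] is not None:
            flows[fwd]["client_after"].append(flags)
    return flows

def classify_flow(f):
    if f["server"] is None:
        return "no-reply"             # SYN unanswered: filtered port or dropped probe
    if f["server"] == "RA":
        return "closed"               # RST/ACK to the SYN, as in the 8080 example above
    after = f["client_after"]
    if not after or after[0] == "R":
        return "half-open"            # SYN/ACK met with RST: the -sS / hping3 -S signature
    if any("P" in x for x in after):
        return "established"          # data flowed: ordinary client
    return "connect-scan"             # handshake completed, torn down without data (-sT)

def summarize(packets, threshold=2):
    """Per source: pattern counts and a flag set when scan-like flows (all but established) reach threshold."""
    per_src = defaultdict(Counter)
    for (client, _, _, _), f in track_flows(packets).items():
        per_src[client][classify_flow(f)] += 1
    return {src: (dict(c), sum(v for k, v in c.items() if k != "established") >= threshold) for src, c in per_src.items()}
```

Running `summarize(PACKETS)` flags 10.10.10.11 (one half-open, one closed, one connect-scan flow) and leaves the ordinary client 10.10.10.20 unflagged.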
2.3 dmitry full connect scan
Scans 1000 commonly used ports by default
kali@kal:/$ dmitry -p 10.10.10.14

3. Zombie (idle) scan
Principle:
Port open:
1. The scanner sends SYN/ACK to the zombie. Because this is not part of a handshake (the scanner never sent a SYN first), the zombie replies RST. The zombie's IPID at this point is x.
2. The scanner forges the source address, setting it to the zombie's IP, and sends SYN to the scanned host. The scanned host replies SYN/ACK to the source address, which is the zombie. The zombie never sent a SYN, so it answers the unexpected SYN/ACK with RST; its IPID is now x+1.
3. The scanner sends SYN/ACK to the zombie again and receives RST; the zombie's IPID is now x+2.
From these three steps, an IPID increase of 2 tells us the target port is open.
Port closed:
1. As above, the scanner sends SYN/ACK to the zombie and gets RST; the zombie's IPID is x.
2. The scanner sends SYN with the zombie's IP as source to the scanned host. Because the port is closed, the scanned host replies RST to the source address, which is the zombie. The zombie does not respond to an unsolicited RST, so its IPID stays at x.
3. The scanner sends SYN/ACK to the zombie again and receives RST; the zombie's IPID is now x+1.
From these three steps, an IPID increase of 1 tells us the target port is closed.
3.1 scapy module zombie scan
1. First construct the packet that sends ACK to the zombie host; the port is a port on the zombie host.
>>> s1 = IP(dst='10.10.10.12')/TCP(flags='A', dport=445)
2. Then construct the packet with a forged source address: the source is the zombie host's IP and the destination is the target host; the port is a port on the target host.
>>> s2 = IP(dst='10.10.10.14', src='10.10.10.12')/TCP(flags='S', dport=22)
3. Finally, construct the packet that sends ACK to the zombie host again.
>>> s3 = IP(dst='10.10.10.12')/TCP(flags='A', dport=445)
Send the packets constructed above, in order:
>>> r1 = sr1(s1, verbose=0)
>>> send(s2, verbose=0)   # the reply to the forged SYN goes to the zombie, not to us, so sr1() would have nothing to wait for
>>> r3 = sr1(s3, verbose=0)
Check the IPIDs:
>>> r1[IP].id
9644
>>> r3[IP].id
9646
An increase of 2 indicates the target port is open. An increase of 1 means the target port is closed; any other increase means nothing can be decided about the port, so the zombie host's IPID must be incremental and the zombie must be sufficiently idle. I won't continue to write scripts here.

3.2 implement zombie scanning with nmap
Determine whether 10.10.10.12 can be used as a zombie host.
kali@kal:/$ sudo nmap 10.10.10.12 -p445 --script=ipidseq.nse
Find zombie hosts at random on the network
kali@kal:/$ sudo nmap -iR 100 -p 80 --script=ipidseq.nse
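To show what the ipidseq step above is classifying, here is an added example (not from the article and not nmap's own ipidseq code) that labels an IP ID sequence by how predictable it is, with the 16-bit wraparound handled; a defender can run the same check on probes of their own hosts to see whether they expose the incremental counter the idle scan depends on. The sample sequences and the label names are constructed for this example.

```python
# Added example: classify a host's IP ID sequence. An idle scan needs a zombie whose
# counter advances by a fixed step per packet; a host that randomizes IP IDs cannot
# be used. The sequences in the test are constructed, not captured.

def ipid_deltas(ids):
    """Consecutive differences of 16-bit IP IDs, modulo 2**16 so that a wrap
    from 65535 to 0 counts as +1 rather than -65535."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]

def classify_ipid(ids):
    """Labels are this example's own, chosen to mirror the idea behind ipidseq."""
    if len(ids) < 3:
        return "insufficient samples"
    if all(i == 0 for i in ids):
        return "all zeros"                          # IP ID left at zero: unusable as zombie
    d = ipid_deltas(ids)
    if all(x == 0 for x in d):
        return "constant"                           # same non-zero ID every time: unusable
    if all(x == 1 for x in d):
        return "incremental"                        # the classic zombie: step of 1 per packet
    if all(x == 256 for x in d):
        return "broken little-endian incremental"   # byte-swapped counter, still predictable
    if all(0 < x <= 10 for x in d):
        return "incremental (busy host)"            # sequential but noisy: unreliable zombie
    return "randomized"                             # modern default: not usable this way

def idle_scan_verdict(ipid_before, ipid_after):
    """Apply the article's rule to two zombie probes, handling wraparound:
    +1 means the target port is closed, +2 means open, anything else is undetermined."""
    step = (ipid_after - ipid_before) % 65536
    return {1: "closed", 2: "open"}.get(step, "undetermined")
```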
Scan using the zombie host found
kali@kal:/$ sudo nmap 10.10.10.14 -sI 10.10.10.12 -p1-100
WARNING: Many people use -Pn w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-21 18:02 CST
Idle scan using zombie 10.10.10.12 (10.10.10.12); Class: Incremental
Nmap scan report for 10.10.10.14
Host is up (0.044s latency).
Not shown: 94 closed|filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
25/tcp open  smtp
53/tcp open  domain
80/tcp open  http
MAC Address: 00:0C:29:FA:DD:2A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.83 seconds