2025-01-19 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Layer 1 and layer 2 host discovery
Objective: discover the live hosts on a local area network.
1. Scanning hosts with the arping command
When scanning LAN hosts from Kali, the arping command probes only one IP at a time. The simple script below scans a whole range in batch.
root@kal:~/scan# vim arping.sh

```bash
#!/bin/bash
if [ $# -ne 1 ]; then
    echo "Tips Example: ./arping.sh 10.10.10"
    exit
fi
prefix=$1
for i in $(seq 1 254); do
{
    ip=$prefix.$i
    # one ARP request per address; print only the IP from "Unicast reply from <ip> ..."
    arping $ip -c 1 | grep "reply from" | awk -F " " '{print $4}'
} &   # the & forks each probe into its own process, so the whole sweep takes very little time; try it without the & and compare
done
wait  # let the background probes finish before the script exits
```
Drawback: ARP cannot be routed, so only hosts on the local segment are found.
2. netdiscover scan
1) root@kal:~# netdiscover -p

Passive scanning: it sniffs the traffic hosts on the LAN send and uses it to decide which hosts are alive. This is stealthier, but a host that is up yet exchanges no traffic will not be discovered.

2) root@kal:~/scan# netdiscover -i eth0 -r 10.10.10.0/24

Active scanning: -i selects the network interface, -r sets the range to scan.
3. Crafting ARP request packets to find live LAN hosts

I have already written about this; if you are interested, see https://blog.51cto.com/13155409/2129980.
4. nmap scan

root@kal:~/scan# nmap -sn 10.10.10.0/24

This scans the whole range in one go. -sn means no port scan (host discovery only).
Layer 2 and layer 3 host discovery

1. ping command
root@kal:~/scan# ping 10.10.10.12

This too probes only a single host at a time.
A script to probe multiple IPs:

```bash
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "usage: ./pinger.sh [/24 network address]"
    echo "Example: ./pinger.sh 172.16.15"
    exit
fi
prefix=$1
for addr in $(seq 1 254); do
    # "64 bytes from 10.10.10.12: icmp_seq=1 ..." -> field 4 is "10.10.10.12:"; cut drops the colon
    ping $prefix.$addr -c 1 | grep "bytes from" | awk -F " " '{print $4}' | cut -d ":" -f 1
done
```
Layer 3 and layer 4 host discovery
Advantages:
- Routable, with reliable results
- Unlikely to be filtered by a firewall
- Can even find hosts where all ports are filtered

Disadvantages:
- A firewall doing stateful filtering may filter the scan
- A full port scan is slow

TCP:
- Unsolicited ACK -> RST
- SYN -> SYN/ACK or RST

UDP:
- ICMP port unreachable, or no reply at all
1. TCP ACK scan

Scanning principle: without completing the three-way handshake with the target host, send an ACK packet directly; a live host answers with a RST, and that reply shows the host is up. This is not absolute: there are cases where the host exists but no RST comes back.
```
>>> IP().show()      # view the IP parameters that need to be set
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\
>>> TCP().show()     # view the TCP parameters that need to be set
###[ TCP ]###
  sport= ftp_data
  dport= http        # destination port; for host discovery it can be anything, a RST comes back whether or not the port is open
  seq= 0
  ack= 0
  dataofs= None
  reserved= 0
  flags= S           # set this to A to send an ACK packet
  window= 8192
  chksum= None
  urgptr= 0
  options= {}
```
Sending to a live host whose port is closed:

```
>>> a1 = sr1(IP(dst='10.10.10.13')/TCP(dport=1111, flags='A'), timeout=1, verbose=0)
>>> a1.show()
###[ IP ]###
  version= 4L
  ...
  \options\
###[ TCP ]###
  sport= 1111        # if the port were open, the corresponding service name would be shown instead
  dport= ftp_data
  ...
  urgptr= 0
  options= {}
###[ Padding ]###
  load= '\x00\x00'
```
Sending to a live host whose port is open:

```
>>> a1 = sr1(IP(dst='10.10.10.13')/TCP(dport=111, flags='A'), timeout=1, verbose=0)
>>> a1.show()
###[ IP ]###
  version= 4L
  ...
  src= 10.10.10.13
  dst= 10.10.10.11
  \options\
###[ TCP ]###
  sport= sunrpc      # the port is open, so the service name is returned
  dport= ftp_data
  ...
  urgptr= 0
  options= {}
###[ Padding ]###
  load= '\x00\x00'
```
Sending to a host that is not up:

```
>>> a1 = sr1(IP(dst='10.10.10.133')/TCP(dport=1111, flags='A'), timeout=1, verbose=0)
WARNING: Mac address to reach destination not found. Using broadcast.
```

No response is received.
The ACK scan implemented as a script:
```python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
from scapy.all import IP, TCP, sr1
import sys

def scanf(ip):
    # layers 3 and 4 combined: build an IP/TCP packet carrying only the ACK flag
    response = sr1(IP(dst=ip)/TCP(flags='A', dport=80), timeout=0.1, verbose=0)
    if response:          # any reply (normally a RST) means the host is up
        print(ip)

def ip_range(prefix):
    try:
        for addr in range(20):
            ip = prefix + '.' + str(addr)
            scanf(ip)
    except KeyboardInterrupt:
        print("exit")

def main():
    try:
        prefix = input('Please enter ip segment:')
        prefix = prefix.split('.')[0:3]
        ip = prefix[0] + '.' + prefix[1] + '.' + prefix[2]
        ip_range(ip)
    except KeyboardInterrupt:
        print("\n* 1. Re-enter")
        print("* 2. Exit\n")
        choice = int(input('* Please enter your choice:'))
        if choice != 2:   # anything other than 2 restarts the prompt
            print("\n")
            main()
        else:
            sys.exit()

if __name__ == "__main__":
    main()
```

2. UDP scan
Scanning principle: send a UDP packet to the host. If the host is up and the target port is closed, an ICMP port unreachable comes back; otherwise the UDP packet simply vanishes with no reply (for example when the target host does not exist, or when the host exists and the port is open).
```
[target host exists but the port is closed]
>>> a1 = sr1(IP(dst='10.10.10.12')/UDP(dport=12345), timeout=1)
Begin emission:
...Finished to send 1 packets.
*
Received 4 packets, got 1 answers, remaining 0 packets     # 1 reply received

[target host exists and the port is open]
>>> a1 = sr1(IP(dst='10.10.10.12')/UDP(dport=445), timeout=1)
Begin emission:
.Finished to send 1 packets.
.
Received 10 packets, got 0 answers, remaining 1 packets    # 0 replies received

[target host does not exist]
>>> a1 = sr1(IP(dst='10.10.10.123')/UDP(dport=445), timeout=1)
Begin emission:
.WARNING: Mac address to reach destination not found. Using broadcast.
Finished to send 1 packets.
.
Received 21 packets, got 0 answers, remaining 1 packets    # 0 replies received
```
A UDP scanning script can be produced by modifying the ACK scan script above.
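The two exchanges these sections rely on (an unsolicited ACK answered by a RST, and a UDP datagram answered by ICMP port unreachable) are also what a defender watches for on the wire. The following is an added example, not code from the original article: it replays a constructed packet log and flags any source that used either technique against several distinct hosts; the addresses, the `detect_sweeps` function and its threshold are assumptions.

```python
# Added example (not part of the original article): detection logic for the
# ACK scan and UDP scan described above, run over a constructed packet log.
from collections import defaultdict

# Constructed sample records: (src, dst, proto, flags). 'flags' holds the TCP
# flags or, for ICMP, "type/code"; 10.10.10.11 plays the scanner, 10.10.10.20
# performs a normal three-way handshake.
PACKETS = [
    ("10.10.10.11", "10.10.10.13", "TCP", "A"),   ("10.10.10.13", "10.10.10.11", "TCP", "R"),
    ("10.10.10.11", "10.10.10.14", "TCP", "A"),   ("10.10.10.14", "10.10.10.11", "TCP", "R"),
    ("10.10.10.11", "10.10.10.15", "TCP", "A"),   ("10.10.10.15", "10.10.10.11", "TCP", "R"),
    ("10.10.10.20", "10.10.10.13", "TCP", "S"),   ("10.10.10.13", "10.10.10.20", "TCP", "SA"),
    ("10.10.10.20", "10.10.10.13", "TCP", "A"),   # legitimate: a SYN preceded this ACK
    ("10.10.10.11", "10.10.10.12", "UDP", ""),    ("10.10.10.12", "10.10.10.11", "ICMP", "3/3"),
    ("10.10.10.11", "10.10.10.16", "UDP", ""),    ("10.10.10.16", "10.10.10.11", "ICMP", "3/3"),
]

def detect_sweeps(packets, threshold=3):
    """Return {src: {"ack_sweep": n, "udp_sweep": n}} for every source that
    reached at least `threshold` distinct hosts with unsolicited ACKs, or with
    UDP probes that drew ICMP port unreachable (type 3, code 3)."""
    handshakes = set()                 # host pairs where a SYN was observed
    ack_targets = defaultdict(set)     # src -> hosts hit with an ACK and no prior SYN
    udp_sent = defaultdict(set)        # src -> hosts it sent a UDP datagram to
    udp_targets = defaultdict(set)     # src -> hosts that answered ICMP 3/3
    for src, dst, proto, flags in packets:
        if proto == "TCP":
            if "S" in flags:
                handshakes.add(frozenset((src, dst)))
            elif flags == "A" and frozenset((src, dst)) not in handshakes:
                ack_targets[src].add(dst)
        elif proto == "UDP":
            udp_sent[src].add(dst)
        elif proto == "ICMP" and flags == "3/3" and src in udp_sent[dst]:
            udp_targets[dst].add(src)   # the unreachable is addressed to the prober
    alerts = {}
    for scanner in set(ack_targets) | set(udp_targets):
        hits = {"ack_sweep": len(ack_targets[scanner]), "udp_sweep": len(udp_targets[scanner])}
        if max(hits.values()) >= threshold:
            alerts[scanner] = hits
    return alerts

if __name__ == "__main__":
    print(detect_sweeps(PACKETS))
```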