
[Kali usage] 15 Active information gathering: Layer-2 discovery (arping, Nmap, Netdiscover)


Contents
  • 1. Active information gathering
  • 2. Discovery, by layer
    • Layer-2 discovery
      • arping
          • Using a shell script
      • Nmap
      • Netdiscover
      • Scapy
          • Using a Python script

1. Active information gathering
  • Interacts directly with the target system
  • Inevitably leaves traces of the access
  • Probe from a controlled third-party machine
  • Use a proxy or an already-compromised host, and be prepared to be blocked
  • Use noise to confuse the target and drown out the real probe traffic
  • Scanning: send different probes and judge the target's state from what comes back
2. Discovery, by layer

Layer-2 discovery

Data link layer

  • ARP protocol
  • Packet capture
  • Fast
  • Reliable
  • Not routable (stays within the local broadcast domain)
arping
arping --help
arping 1.1.1.1 -c 1      # send a single request
arping 1.1.1.1 -d        # look for duplicate replies (two MACs answering for one IP)
arping -c 1 1.1.1.1 | grep "bytes from" | cut -d" " -f 5 | cut -d "(" -f 2 | cut -d")" -f 1
# scripts
arping1.sh eth0 > addrs
arping2.sh addrs

$ arping --help                                                                                               
ARPing 2.21, by Thomas Habets 
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w  ] [ -W  ] [ -S  ]
              [ -T  ] [ -t  ] [ -c  ]
              [ -C  ] [ -i  ] [ -m  ] [ -g  ]
              [ -V  ] [ -Q  ] 

Options:

    -0     Use this option to ping with source IP address 0.0.0.0. Use this
           when you haven't configured your interface yet.  Note that  this
           may  get  the  MAC-ping  unanswered.   This  is  an alias for -S
           0.0.0.0.
    -a     Audiable ping.
    -A     only count addresses matching  requested  address  (This  *WILL*
           break  most things you do. only useful if you are arpinging many
           hosts at once. See arping-scan-net.sh for an example).
    -b     Like -0 but source broadcast source  address  (255.255.255.255).
           Note that this may get the arping unanswered since it's not nor-
           mal behavior for a host.
    -B     Use instead of host if you want to address 255.255.255.255.
    -c count
           only send count requests.
    -C count
           only wait for this many replies, regardless of -c and -w.
    -d     Find duplicate replies. Exit with 1 if there are answers from
           two different MAC addresses // finds duplicate IP addresses
    -D     Display answers as exclamation points and missing packets as dots.
    -e     Like -a but beep when there is no reply.
    -F     Don't try to be smart about the interface name.  (even  if  this
           switch is not given, -i overrides smartness)
    -g group
           setgid() to this group instead of the nobody group.
    -h     Displays a help message and exits.
    -i interface
           Use the specified interface.
    -m type
           Type of timestamp to use for incoming packets. Use -vv when
           pinging to list available ones.
    -q     Does not display messages, except error messages.
    -Q pri 802.1p priority to set. Should be used with 802.1Q (-V).
           Defaults to 0.
    -r     Raw output: only the MAC/IP address is displayed for each reply.
    -R     Raw output: Like -r but shows "the other one", can  be  combined
           with -r.
    -s MAC Set source MAC address. You may need to use -p with this.
    -S IP  Like  -b and -0 but with set source address.  Note that this may
           get the arping unanswered if the target does not have routing to
           the  IP.  If you don't own the IP you are using, you may need to
           turn on promiscious mode on the interface (with -p).  With  this
           switch  you can find out what IP-address a host has without tak-
           ing an IP-address yourself.
    -t MAC Set target MAC address to use when pinging IP address.
    -T IP  Use -T as target address when pinging MACs that won't respond to
           a broadcast ping but perhaps to a directed broadcast.
           Example:
           To check the address of MAC-A, use knowledge of MAC-B and  IP-B.
           $ arping -S  -s  -p 
    -p     Turn  on  promiscious  mode  on interface, use this if you don't
           "own" the MAC address you are using.
    -P     Send ARP replies instead of requests. Useful with -U.
    -u     Show index=received/sent instead  of  just  index=received  when
           pinging MACs.
    -U     Send unsolicited ARP.
    -v     Verbose output. Use twice for more messages.
    -V num 802.1Q tag to add. Defaults to no VLAN tag.
    -w sec Specify a timeout before ping exits regardless of how many
packets have been sent or received.
    -W sec Time to wait between pings.
Report bugs to: thomas@habets.se
Arping home page: 
Development repo: http://github.com/ThomasHabets/arping
                                                                                                 

Using a shell script
#!/bin/bash
if [ "$#" -ne 1 ]; then    # $# is the number of arguments; -ne means "not equal"
    echo "Usage - ./arping.sh [interface]"
    echo "Example - ./arping.sh eth0"
    echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
    exit
fi
interface=$1   # the first argument is the interface name
# Take the prefix (network part) of the interface address.
# Note: "inet addr:" only appears in the output of older net-tools ifconfig;
# newer versions print "inet 10.0.0.5  netmask ..." so this grep matches nothing there.
prefix=$(ifconfig $interface | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1 | cut -d "." -f 1-3)
for addr in $(seq 1 254); do
    arping -c 1 $prefix.$addr | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1
done

I have no idea where the code above goes wrong; I am too much of a newbie.

Changed to this instead

#!/bin/bash
# This script scans the whole LAN for live hosts

ETH=$(ifconfig | head -1 | awk -F":" '{print $1}')                                # name of the first interface
PREFIX=$(ifconfig $ETH | grep 'netmask' | awk '{print $2}' | cut -d '.' -f 1-3)   # its /24 network prefix
for addr in $(seq 1 254)
do
	arping -c 1 $PREFIX.$addr | grep "reply from" | cut -d" " -f 4
done

Capturing with Wireshark shows the addresses being scanned one by one, although there seem to be no live hosts on this subnet of mine.

arping2.sh   # scans the list of IPs in a file

#!/bin/bash
# This script scans the list of IP addresses held in a file
FILE=$1
for addr in $(cat $FILE)   # each line read is assigned to addr
do
	arping -c 1 $addr | grep "reply from" | cut -d" " -f 4
done

addr

192.168.98.1
192.168.98.29
192.168.98.161
192.168.98.194
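The grep/cut pipelines in the two scripts above break as soon as the arping binary changes its output format, which is exactly the kind of failure the first script ran into. As an added example (not code from the original post), here is the same sweep in Python with the parsing done by regular expressions that accept both reply formats found on Kali, and with the arping call injectable so the logic can be exercised offline. The sample output strings and MAC addresses are constructed, not captured from a real network.

```python
import re
import subprocess
from typing import Callable, List, Tuple

# The two reply formats produced by the arping variants shipped on Kali:
#   iputils arping:        "Unicast reply from 192.168.98.1 [00:0C:29:12:34:56]  0.674ms"
#   Thomas Habets arping:  "60 bytes from 00:0c:29:ab:cd:ef (192.168.98.29): index=0 time=412.115 usec"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IPUTILS_RE = re.compile(rf"reply from (?P<ip>{IPV4}) \[(?P<mac>[0-9A-Fa-f:]{{17}})\]")
HABETS_RE = re.compile(rf"bytes from (?P<mac>[0-9A-Fa-f:]{{17}}) \((?P<ip>{IPV4})\)")


def parse_arping_output(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) for every reply line, whichever arping variant printed it."""
    found = []
    for line in text.splitlines():
        match = IPUTILS_RE.search(line) or HABETS_RE.search(line)
        if match:
            found.append((match.group("ip"), match.group("mac").lower()))
    return found


def run_arping(target: str) -> str:
    """Default runner: one request per target, stdout captured (needs arping and raw-socket privileges)."""
    proc = subprocess.run(["arping", "-c", "1", target], capture_output=True, text=True)
    return proc.stdout


def scan_prefix(prefix: str, runner: Callable[[str], str] = run_arping) -> List[Tuple[str, str]]:
    """Probe prefix.1 .. prefix.254 one address at a time, as arping1.sh does, and collect the answering hosts."""
    alive: List[Tuple[str, str]] = []
    for last in range(1, 255):
        alive.extend(parse_arping_output(runner(f"{prefix}.{last}")))
    return alive


# Constructed sample output (not a real capture) covering both formats plus the surrounding noise lines.
SAMPLE_OUTPUT = {
    "192.168.98.1": (
        "ARPING 192.168.98.1 from 192.168.98.161 eth0\n"
        "Unicast reply from 192.168.98.1 [00:0C:29:12:34:56]  0.674ms\n"
        "Sent 1 probes (1 broadcast(s))\nReceived 1 response(s)\n"
    ),
    "192.168.98.29": (
        "ARPING 192.168.98.29\n"
        "60 bytes from 00:0c:29:ab:cd:ef (192.168.98.29): index=0 time=412.115 usec\n"
        "\n--- 192.168.98.29 statistics ---\n"
        "1 packets transmitted, 1 packets received,   0% unanswered (0 extra)\n"
    ),
}


def fake_runner(target: str) -> str:
    """Stand-in for arping: answers for the two constructed hosts, silence for everything else."""
    return SAMPLE_OUTPUT.get(target, f"ARPING {target}\nSent 1 probes (1 broadcast(s))\nReceived 0 response(s)\n")


if __name__ == "__main__":
    for ip, mac in scan_prefix("192.168.98", runner=fake_runner):
        print(ip, mac)
```

Run it as-is to see the parser work on the constructed output; drop the `runner=` argument to use the real arping on the host.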

Nmap

Compared with arping, nmap can scan a whole subnet in one go, is faster, and returns more information.

nmap -sn xxx.xxx.xxx.xxx        # host discovery only, no port scan
nmap -sn 192.168.37.0/24        # a whole subnet is supported
nmap -iL IP.txt -sn             # scan the IP list in a file
$ nmap -sn 10.133.29.1/24   
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-28 07:54 EDT
Nmap scan report for 10.133.29.109
Host is up (0.044s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 15.75 seconds

Netdiscover
  • Dedicated to Layer-2 discovery;
  • Usable in wireless and switched network environments;
  • Active and passive probing;

1> Active discovery: easily noticed

netdiscover -i eth0 -r 10.133.29.1/24
# netdiscover -i specifies the interface, -r the network range
netdiscover -l IP.txt                                    # netdiscover -l specifies an IP list file

Two Kali machines on the same subnet

2> Passive discovery

Active ARP easily triggers alerts, so passive discovery can also be used to find the live hosts on the network;

netdiscover -p  # passive mode: puts this NIC into promiscuous mode and only listens
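The reason active ARP probing "triggers alerts" is that a sweep looks nothing like normal ARP: one MAC asks who-has for dozens of addresses in a couple of seconds, while an ordinary host resolves a handful of neighbours. As an added example (not from the original post), the detector below replays a constructed ARP capture, the same frames a passive listener such as netdiscover -p or Wireshark would see, and raises an alert for any sender that requests more than a threshold of distinct targets inside a sliding time window. The MAC addresses, IPs and timings are constructed; the window and threshold are tuning assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

OP_WHO_HAS = 1   # ARP request (op= who-has in Scapy's display)
OP_IS_AT = 2     # ARP reply   (op= is-at)

# One observed ARP frame: (timestamp in seconds, sender MAC, opcode, target IP in pdst)
ArpEvent = Tuple[float, str, int, str]


def detect_arp_sweeps(events: Iterable[ArpEvent], window_s: float = 2.0,
                      threshold: int = 20) -> List[Tuple[str, float, int]]:
    """Flag every MAC that asks who-has for at least `threshold` distinct IPs within `window_s` seconds.

    Returns one (sender_mac, alert_time, distinct_targets_in_window) tuple per offending sender,
    raised the first time the threshold is crossed.
    """
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Tuple[str, float, int]] = []
    for ts, src_mac, op, pdst in sorted(events):
        if op != OP_WHO_HAS:
            continue                                # replies are answers, not probes
        window = recent[src_mac]
        window.append((ts, pdst))
        while window and ts - window[0][0] > window_s:   # drop requests that fell out of the window
            window.popleft()
        distinct = {target for _, target in window}
        if len(distinct) >= threshold and src_mac not in alerted:
            alerted.add(src_mac)
            alerts.append((src_mac, ts, len(distinct)))
    return alerts


SCANNER_MAC = "00:0c:29:55:65:7e"   # constructed: the host running arping1.sh / netdiscover -r
NORMAL_MAC = "00:0c:29:12:34:56"    # constructed: a host that only ever resolves its gateway
GATEWAY_MAC = "00:0c:29:ab:cd:ef"   # constructed: the gateway answering it


def constructed_capture() -> List[ArpEvent]:
    """A made-up capture: six benign gateway lookups, then a /24 sweep at one request every 50 ms."""
    events: List[ArpEvent] = []
    for i in range(6):
        events.append((float(i), NORMAL_MAC, OP_WHO_HAS, "192.168.98.1"))
        events.append((i + 0.001, GATEWAY_MAC, OP_IS_AT, "192.168.98.50"))
    for i in range(60):
        events.append((10.0 + i * 0.05, SCANNER_MAC, OP_WHO_HAS, f"192.168.98.{i + 1}"))
    return events


if __name__ == "__main__":
    for mac, when, count in detect_arp_sweeps(constructed_capture()):
        print(f"ARP sweep from {mac} at t={when:.2f}s: {count} distinct targets in window")
```

The benign host never trips the detector because it keeps asking for the same one address; the sweep trips it on its 20th distinct target. A slower sweep needs a longer window, so the two parameters are a trade-off between sensitivity and false positives on busy segments.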
Scapy
  • Can be called as a Python library;
  • Can also be used as a standalone tool;
  • Capture, analyse, create, modify and inject network traffic
  • Invoking it!!!
apt-get install python-gnuplot
# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
[Scapy ASCII-art banner: Welcome to Scapy, Version 2.4.4, https://github.com/secdev/scapy, using IPython 7.20.0]
>>> ARP().display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:55:65:7e
  psrc= 192.168.98.161     # source IP
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0            # destination IP

>>> 


Create an arp object by instantiating the ARP class,
then assign its fields

>>> arp=ARP()
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:55:65:7e
  psrc= 192.168.98.161
  hwdst= 00:00:00:00:00:00
  pdst= 0.0.0.0
 
>>> arp.pdst="192.168.98.164"
>>> arp.display()
###[ ARP ]### 
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= who-has
  hwsrc= 00:0c:29:55:65:7e
  psrc= 192.168.98.161
  hwdst= 00:00:00:00:00:00
  pdst= 192.168.98.164

>>> 


Send the packet and wait for the reply; the response content is shown

>>> sr1(arp)
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>                                                                                
>>> 
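To make the fields that ARP().display() prints concrete, here is a pure-Python encoder/decoder for the 28-byte ARP header, added as an example (it is neither code from the original post nor part of Scapy). It builds the same who-has request the session above sends with sr1(arp) and the is-at reply a live host returns, using the MAC and IPs from that session; the responder MAC 00:0c:29:aa:bb:cc is a made-up value.

```python
import struct

# ARP header layout (RFC 826) for Ethernet/IPv4, in the order ARP().display() prints the fields:
#   hwtype(2) ptype(2) hwlen(1) plen(1) op(2) hwsrc(6) psrc(4) hwdst(6) pdst(4)  = 28 bytes
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)      # 28
HTYPE_ETHERNET = 0x1
PTYPE_IPV4 = 0x0800
OPCODES = {1: "who-has", 2: "is-at"}    # Scapy's names for request / reply


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, hwsrc: str, psrc: str, hwdst: str, pdst: str) -> bytes:
    """Serialise one ARP packet. hwlen/plen, shown as None by display() before building, become 6 and 4."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(hwsrc), ip_to_bytes(psrc), mac_to_bytes(hwdst), ip_to_bytes(pdst))


def parse_arp(raw: bytes) -> dict:
    """Decode an ARP packet into Scapy's field names; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(raw) < ARP_LEN:
        raise ValueError(f"ARP packet too short: {len(raw)} bytes")
    hwtype, ptype, hwlen, plen, op, hwsrc, psrc, hwdst, pdst = struct.unpack(ARP_FMT, raw[:ARP_LEN])
    if (hwtype, ptype, hwlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"hwtype": hwtype, "ptype": ptype, "hwlen": hwlen, "plen": plen,
            "op": OPCODES.get(op, op),
            "hwsrc": bytes_to_mac(hwsrc), "psrc": bytes_to_ip(psrc),
            "hwdst": bytes_to_mac(hwdst), "pdst": bytes_to_ip(pdst)}


def who_has(psrc: str, hwsrc: str, pdst: str) -> bytes:
    """The request sr1(arp) sends: hwdst is all zeros because that MAC is exactly what is being asked for."""
    return build_arp(1, hwsrc, psrc, "00:00:00:00:00:00", pdst)


def reply_to(request_raw: bytes, my_mac: str) -> bytes:
    """What a live host sends back: an is-at carrying its own MAC in hwsrc, addressed to the asker."""
    req = parse_arp(request_raw)
    return build_arp(2, my_mac, req["pdst"], req["hwsrc"], req["psrc"])


if __name__ == "__main__":
    req = who_has("192.168.98.161", "00:0c:29:55:65:7e", "192.168.98.164")   # values from the session above
    rep = reply_to(req, "00:0c:29:aa:bb:cc")                                 # constructed MAC for .164
    print(parse_arp(req))
    print(parse_arp(rep))
```

The hwsrc of the reply is the value every discovery tool on this page ends up reporting; arping prints it next to the IP, and netdiscover tabulates it.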

Using a Python script
#!/usr/bin/env python3
import logging
import subprocess
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)   # silence Scapy's runtime warnings
from scapy.all import ARP, sr1

if len(sys.argv) != 2:
    print("Usage - ./arp_disc.py [interface]")
    print("Example - ./arp_disc.py eth0")
    print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = str(sys.argv[1])
# Address of the interface, taken from the 'netmask' line that current ifconfig prints
# (older net-tools versions print "inet addr:" instead, which is what the original grep looked for)
ip = subprocess.check_output(
    "ifconfig " + interface + " | grep 'netmask' | awk '{print $2}'",
    shell=True).decode().strip()
prefix = '.'.join(ip.split('.')[0:3]) + '.'    # e.g. "192.168.98."
for addr in range(1, 255):
    # one who-has per address; sr1 returns None when nothing answers within the timeout
    answer = sr1(ARP(pdst=prefix + str(addr)), timeout=0.1, verbose=0)
    if answer is not None:
        print(prefix + str(addr))

Original article: https://www.mshxw.com/it/275887.html