Kali Linux Penetration Testing: Port Scanning (1): UDP, TCP, stealth port scanning, full-connect port scanning
Port scanning
The goal of layer 2, 3 and 4 discovery is to find live IP addresses. On those live IPs we then go one step further with port scanning, to find which ports are open on each live host. Behind every port sits some application, and application vulnerabilities are reached through ports, so port scanning gives our later attacks a larger attack surface.
- Ports correspond to network services and application programs;
- Vulnerabilities in server programs are attacked through their ports;
- Find the open ports;
- A more concrete attack surface;
1. UDP port scanning
Port-based scanning always targets hosts already known to be live. In a UDP port scan, if the port is open the target does not respond (which can lead to misjudgement); if the port is not open the target replies with ICMP port unreachable, which tells us the port is closed;
(1) scapy
- Port closed: ICMP port-unreachable;
- Port open: no reply;
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> a=sr1(IP(dst="192.168.37.128")/UDP(dport=53),timeout=1,verbose=0)
>>> a.display() # the error is raised because the port is open and no packet came back
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'NoneType' object has no attribute 'display'
>>> a=sr1(IP(dst="192.168.37.128")/UDP(dport=90),timeout=1,verbose=0)
>>> a.display() # this port is not open on the target host
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 56
  id= 3342
  flags=
  frag= 0L
  ttl= 128
  proto= icmp
  chksum= 0x6163
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ ICMP ]###
     type= dest-unreach
     code= port-unreachable
     chksum= 0xc96a
     reserved= 0
     length= 0
     nexthopmtu= 0
###[ IP in ICMP ]###
        version= 4L
        ihl= 5L
        tos= 0x0
        len= 28
        id= 1
        flags=
        frag= 0L
        ttl= 64
        proto= udp
        chksum= 0xae7c
        src= 192.168.37.131
        dst= 192.168.37.128
        \options\
###[ UDP in ICMP ]###
           sport= domain
           dport= 90
           len= 8
           chksum= 0x32fb
The exchange of the two packets as seen in a packet capture:
Scanning several ports with a script: UDP_scapy.py
#!/usr/bin/python
# Author: 橘子女侠
# This script scans a range of UDP ports on one host
from scapy.all import *
import time
import sys

if len(sys.argv) != 4:
    print("Example - ./udp_scan.py 1.1.1.1 1 100")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):
    a = sr1(IP(dst=ip)/UDP(dport=port), timeout=5, verbose=0)
    time.sleep(1)  # do not scan too fast, or silence is misread as "open"
    if a is None:  # no reply: treated as open
        print(port)
Results below (also captured with Wireshark):
root@root:~# ./UDP_scapy.py 192.168.37.128 1 150
53
88
123
137
138
(2) Nmap
root@root:~# nmap -sU 192.168.7.128
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 18:30 CST
Nmap scan report for bogon (192.168.7.128)
Host is up (0.00075s latency).
All 1000 scanned ports on bogon (192.168.7.128) are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds
root@root:~# nmap -sU 192.168.7.128 -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 18:31 CST
Nmap scan report for bogon (192.168.7.128)
Host is up (0.00085s latency).

PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
root@root:~# nmap -iL IP.txt -sU -p 1-100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 18:32 CST
Nmap scan report for bogon (192.168.37.2)
Host is up (0.000082s latency).
Not shown: 99 open|filtered ports
PORT STATE SERVICE
53/udp open domain
MAC Address: 00:50:56:E8:E0:56 (VMware)

Nmap scan report for bogon (192.168.37.128)
Host is up (0.0035s latency).
Not shown: 98 closed ports
PORT STATE SERVICE
53/udp open domain
88/udp open|filtered kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap scan report for bogon (192.168.37.131)
Host is up (0.0000050s latency).
Not shown: 99 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 5 IP addresses (3 hosts up) scanned in 8.34 seconds
2. TCP port scanning
- TCP is a connection-oriented protocol;
- TCP scans can be divided into stealth scans, zombie (idle) scans and full-connect scans;
- Every TCP scanning method judges the state of the target port from variations on the three-way handshake;
Stealth port scanning
(1) Stealth port scanning: scapy
1.1> SYN -> SYN/ACK -> ACK    # target port open
     SYN -> RST/ACK           # target port not open
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> a=sr1(IP(dst="192.168.37.128")/TCP(dport=80),timeout=1,verbose=0)
>>> a.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 44
  id= 3882
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0x1f4e
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ TCP ]###
     sport= http
     dport= ftp_data
     seq= 3859315704
     ack= 1
     dataofs= 6L
     reserved= 0L
     flags= SA
     window= 8192
     chksum= 0x495c
     urgptr= 0
     options= [('MSS', 1460)]
###[ Padding ]###
        load= '\x00\x00'
>>> a=sr1(IP(dst="192.168.37.128")/TCP(dport=90),timeout=1,verbose=0)
>>> a.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 40
  id= 3956
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0x1f08
  src= 192.168.37.128
  dst= 192.168.37.131
  \options\
###[ TCP ]###
     sport= 90
     dport= ftp_data
     seq= 0
     ack= 1
     dataofs= 5L
     reserved= 0L
     flags= RA
     window= 0
     chksum= 0xe30d
     urgptr= 0
     options= {}
###[ Padding ]###
        load= '\x00\x00\x00\x00\x00\x00'
View the capture in Wireshark:
1.2> Script implementation: syn_scan.py
#!/usr/bin/python
# Author: 橘子女侠
# This script finds the open TCP ports on the target host (SYN scan)
from scapy.all import *
import sys

if len(sys.argv) != 4:
    print("Example - ./syn_scan.py 1.1.1.1 1 100")
    sys.exit()

ip = str(sys.argv[1])
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):
    # TCP() defaults to flags="S", so every probe is a SYN
    a = sr1(IP(dst=ip)/TCP(dport=port), timeout=0.1, verbose=0)
    if a is None:
        continue  # no reply within the timeout
    if int(a[TCP].flags) == 18:  # SYN+ACK has the value 18: the port is open
        print(port)
Results below (also captured with Wireshark):
root@root:~# chmod +x syn_scan.py
root@root:~# ./syn_scan.py 192.168.37.128 1 150
25
53
80
88
110
135
139
143
Why the script tests int(a[TCP].flags)==18: SYN has the value 2 and ACK the value 16, so SYN+ACK is 18;
Transmission Control Protocol, Src Port: 25, Dst Port: 20, Seq: 0, Ack: 1, Len: 0
    Source Port: 25
    Destination Port: 20
    [Stream index: 24]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    0110 .... = Header Length: 24 bytes (6)
    Flags: 0x012 (SYN, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set        # 2^4 = 16
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set                   # 2^1 = 2
        .... .... ...0 = Fin: Not set               # 2^0 = 1
        [TCP Flags: ·······A··S·]
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0xfd4f [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (4 bytes), Maximum segment size
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 55]
        [The RTT to ACK the segment was: 0.000445714 seconds]
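Added example, not code from the original post: a Python module that decodes TCP flag values the way the explanation above does, parses the fixed part of a raw TCP header, and classifies SYN-probe and UDP-probe replies with the rules this section and the UDP section use. The header bytes are constructed here from the Wireshark dissection above, using the relative sequence numbers, and all function names are my own. It tests the SYN and ACK bits individually instead of comparing the whole value with 18, so a SYN/ACK that carries an extra bit (ECE or CWR) is still recognised, and it returns open|filtered for a silent UDP port, which is the same verdict nmap gives.

```python
import struct

# TCP flag bits, low to high: FIN, SYN, RST, PSH, ACK, URG (RFC 793) plus ECE and CWR (RFC 3168).
TCP_FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def decode_tcp_flags(value):
    """Names of the flag bits set in a TCP flags value, e.g. 18 -> ['SYN', 'ACK']."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_tcp_header(header):
    """Parse the fixed 20-byte TCP header (RFC 793 layout) and return its fields as a dict;
    the data offset field gives the full header length, so the options slice is included."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, chksum, urg = struct.unpack(
        "!HHIIBBHHH", header[:20])
    header_len = (off_res >> 4) * 4            # data offset is counted in 32-bit words
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags,
        "flag_names": decode_tcp_flags(flags),
        "window": window, "chksum": chksum, "urgptr": urg,
        "options": header[20:header_len],
    }


def classify_syn_probe(flags):
    """State of a port from the flags of the reply to a SYN probe (None = no reply)."""
    if flags is None:
        return "filtered"                      # silence before the timeout
    if flags & 0x04:
        return "closed"                        # RST, normally RST/ACK = 20
    if flags & 0x12 == 0x12:
        return "open"                          # SYN/ACK, 18 when no other bit is set
    return "unexpected"


def classify_udp_probe(reply):
    """State of a port from the reply to a UDP probe: None (nothing came back),
    "udp" (the service answered) or an (icmp_type, icmp_code) pair."""
    if reply is None:
        return "open|filtered"                 # quiet open service, or a firewall dropped the probe
    if reply == "udp":
        return "open"
    icmp_type, icmp_code = reply
    if icmp_type == 3 and icmp_code == 3:
        return "closed"                        # destination unreachable / port unreachable
    if icmp_type == 3 and icmp_code in (1, 2, 9, 10, 13):
        return "filtered"                      # host, protocol or administratively prohibited
    return "unexpected"


# Constructed sample (not a real capture): the SYN/ACK from the Wireshark dissection above,
# rebuilt with struct. Ports 25 -> 20, relative seq 0 and ack 1, data offset 6 words (0x60),
# flags 0x12, window 8192, checksum 0xfd4f, urgent pointer 0, then the MSS option 2/4/1460.
SAMPLE_SYN_ACK = (struct.pack("!HHIIBBHHH", 25, 20, 0, 1, 0x60, 0x12, 8192, 0xFD4F, 0)
                  + struct.pack("!BBH", 2, 4, 1460))

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN_ACK)
    print("header length %d, flags 0x%03x %s -> %s" % (
        hdr["header_len"], hdr["flags"], hdr["flag_names"], classify_syn_probe(hdr["flags"])))
    print("UDP, no reply ->", classify_udp_probe(None), "; ICMP 3/3 ->", classify_udp_probe((3, 3)))
```

Running the module prints the 24-byte header length and flags 0x012 from the constructed bytes, matching the dissection; the SYN scripts above could use classify_syn_probe in place of the == 18 comparison without changing their results on the hosts shown.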
(2) Stealth port scanning: nmap
root@root:~# nmap 192.168.37.128 -p1-100 # scan ports 1-100; the default scan type is -sS
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 15:34 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.014s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.68 seconds
root@root:~# nmap -sS 192.168.37.128 -p1-100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 15:37 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00027s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
root@root:~# nmap -sS 192.168.37.128 -p 80,88,53,22,25 # scan the specified ports
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 15:37 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00022s latency).

PORT   STATE  SERVICE
22/tcp closed ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
root@root:~# nmap -sS -iL IP.txt -p 80,88,53,22 # scan the IP addresses listed in the file on the specified ports
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 15:40 CST
Nmap scan report for bogon (192.168.37.2)
Host is up (0.0015s latency).

PORT   STATE  SERVICE
22/tcp closed ssh
53/tcp open domain
80/tcp closed http
88/tcp closed kerberos-sec
MAC Address: 00:50:56:E8:E0:56 (VMware)

Nmap scan report for bogon (192.168.37.128)
Host is up (0.00034s latency).

PORT   STATE  SERVICE
22/tcp closed ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap scan report for bogon (192.168.37.131)
Host is up (0.000029s latency).

PORT   STATE  SERVICE
22/tcp closed ssh
53/tcp closed domain
80/tcp closed http
88/tcp closed kerberos-sec

Nmap done: 5 IP addresses (3 hosts up) scanned in 1.61 seconds
(3) Stealth port scanning: hping3
root@root:~# hping3 192.168.37.128 --scan 1-100 -S # -S: send SYN packets
Scanning 192.168.37.128 (192.168.37.128), port 1-100
100 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
  25 smtp       : .S..A... 128 49411  8192    46
  53 domain     : .S..A... 128 56579  8192    46
  80 http       : .S..A... 128 63491  8192    46
  88 kerberos   : .S..A... 128     4  8192    46
All replies received. Done.
Not responding ports:
root@root:~# hping3 192.168.37.128 --scan 22,25,80 -S
Scanning 192.168.37.128 (192.168.37.128), port 22,25,80
3 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
  80 http       : .S..A... 128 12548  8192    46
  25 smtp       : .S..A... 128 13060  8192    46
All replies received. Done.
Not responding ports:
# Source address spoofing: the replies go back to the spoofed address, so the scanning host cannot see the scan results
root@root:~# hping3 -c 100 -S --spoof 192.168.37.130 -p ++1 192.168.37.128
HPING 192.168.37.128 (eth0 192.168.37.128): S set, 40 headers + 0 data bytes

--- 192.168.37.128 hping statistic ---
100 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
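Added example from the defender's side, not part of the original post: the SYN scans above never complete the handshake, so they leave nothing in application logs, but every probe is a bare SYN that a netfilter LOG rule on the target records. The Python below parses constructed LOG-style lines (the host name, MAC address and timestamps are made up for the example) and reports a source that sends bare SYNs to many distinct ports of one host inside a short time window; it also notes when every probe came from the same source port, as the scapy script above does with port 20 (ftp_data). The function names and thresholds are my own choices.

```python
import re
from collections import defaultdict

# Fields of a netfilter LOG line (iptables ... -j LOG): kernel uptime stamp, SRC/DST, PROTO,
# then SPT/DPT for TCP and UDP, then the TCP flag words (SYN, ACK, RST ...) as bare tokens.
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\].*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)
FLAG_WORDS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_log_line(line):
    """Return a dict of the useful fields of one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["flags"] = {w for w in rec.pop("rest").split() if w in FLAG_WORDS}
    return rec


def detect_syn_sweeps(lines, window=5.0, min_ports=10):
    """Flag (src, dst) pairs whose bare-SYN packets hit at least min_ports distinct
    destination ports within `window` seconds. Bare SYN means flags == {SYN}: a
    connection attempt that this packet does not complete."""
    probes = defaultdict(list)                    # (src, dst) -> [(ts, dpt, spt)]
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] is None:
            continue
        if rec["flags"] == {"SYN"}:
            probes[(rec["src"], rec["dst"])].append((rec["ts"], int(rec["dpt"]), int(rec["spt"])))
    findings = {}
    for pair, pkts in probes.items():
        pkts.sort()                               # sliding window over the timestamps
        start = 0
        for end in range(len(pkts)):
            while pkts[end][0] - pkts[start][0] > window:
                start += 1
            if len({p for _, p, _ in pkts[start:end + 1]}) >= min_ports:
                findings[pair] = {
                    "ports": sorted({p for _, p, _ in pkts}),
                    "fixed_source_port": len({s for _, _, s in pkts}) == 1,
                }
                break
    return findings


def _constructed_line(ts, src, dst, spt, dpt, flags):
    """Build a LOG-style line; host name, MAC and timestamps are made up for the example."""
    return ("Apr 13 15:37:01 kali kernel: [%.6f] IPT-IN: IN=eth0 OUT= "
            "MAC=00:0c:29:3b:24:57:00:0c:29:aa:bb:cc:08:00 SRC=%s DST=%s LEN=44 TOS=0x00 "
            "PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=%d DPT=%d WINDOW=8192 RES=0x00 %s URGP=0"
            % (ts, src, dst, spt, dpt, flags))


# Constructed sample: twelve bare SYNs from one source to ports 1-12, all from source port 20,
# plus one ordinary connection from another host and one ICMP line that must be ignored.
SAMPLE_LOG = [_constructed_line(100.0 + i * 0.05, "192.168.37.131", "192.168.37.128", 20, p, "SYN")
              for i, p in enumerate(range(1, 13))]
SAMPLE_LOG.append(_constructed_line(101.0, "192.168.37.2", "192.168.37.128", 51234, 443, "SYN"))
SAMPLE_LOG.append(_constructed_line(101.1, "192.168.37.2", "192.168.37.128", 51234, 443, "ACK"))
SAMPLE_LOG.append("Apr 13 15:37:02 kali kernel: [101.500000] IPT-IN: IN=eth0 OUT= SRC=192.168.37.2 "
                  "DST=192.168.37.128 LEN=56 TOS=0x00 PREC=0x00 TTL=128 ID=3342 PROTO=ICMP TYPE=3 CODE=3")

if __name__ == "__main__":
    for (src, dst), info in detect_syn_sweeps(SAMPLE_LOG).items():
        print("%s -> %s: %d ports %s, fixed source port: %s"
              % (src, dst, len(info["ports"]), info["ports"], info["fixed_source_port"]))
```

The sliding window matters because a slow scan (the scapy UDP script above sleeps a second per port) spreads its probes out; widen `window` or lower `min_ports` to catch it, at the cost of more false positives from busy legitimate clients, which is why the report also carries the fixed-source-port hint rather than relying on the count alone.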
Full-connect port scanning
(1) Full-connect port scanning (SYN, SYN+ACK, ACK): scapy
A full-connect scan is awkward with scapy: if we send a SYN straight to the target, the target answers with SYN/ACK, but our own operating system kernel knows nothing about this connection, so it sends a RST and tears the TCP connection down; if we then send an ACK to the target, the target answers with RST;
To keep the operating system from producing that RST packet and breaking the rest of the handshake, a firewall rule is needed that drops the RST packets generated by the kernel;
Rule used: iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.37.128 -j DROP
Script: tcp_scan.py
#!/usr/bin/python
# Author: 橘子女侠
# Time: 2019/4/14
# This script performs a full-connect port scan by completing the handshake with the target host
from scapy.all import *

SYN = IP(dst="192.168.37.128")/TCP(dport=80, flags="S")
print("-- SENT --")
SYN.display()

print("\n\n-- RECEIVED --")
response = sr1(SYN, timeout=1, verbose=0)
if response is None:
    print("no reply within the timeout")
elif int(response[TCP].flags) == 18:  # SYN+ACK: the port is open, finish the handshake
    response.display()
    print("\n\n-- SENT --")
    # our SYN used sequence number 0, so the ACK carries seq=1 and acknowledges the target's ISN+1
    A = IP(dst="192.168.37.128")/TCP(dport=80, flags="A", seq=1, ack=(response[TCP].seq + 1))
    A.display()
    response2 = sr1(A, timeout=1, verbose=0)
else:
    response.display()
    print("SYN-ACK not returned")
Results below (also captured with Wireshark):
root@root:~# ./tcp_scan.py
-- SENT --
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     =
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = None
  src       = 192.168.37.131
  dst       = 192.168.37.128
  \options   \
###[ TCP ]###
     sport     = ftp_data
     dport     = http
     seq       = 0
     ack       = 0
     dataofs   = None
     reserved  = 0
     flags     = S
     window    = 8192
     chksum    = None
     urgptr    = 0
     options   = {}


-- RECEIVED --
###[ IP ]###
  version   = 4L
  ihl       = 5L
  tos       = 0x0
  len       = 44
  id        = 7450
  flags     = DF
  frag      = 0L
  ttl       = 128
  proto     = tcp
  chksum    = 0x115e
  src       = 192.168.37.128
  dst       = 192.168.37.131
  \options   \
###[ TCP ]###
     sport     = http
     dport     = ftp_data
     seq       = 3575793390
     ack       = 1
     dataofs   = 6L
     reserved  = 0L
     flags     = SA
     window    = 8192
     chksum    = 0x8f4c
     urgptr    = 0
     options   = [('MSS', 1460)]
###[ Padding ]###
        load      = '\x00\x00'


-- SENT --
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     =
  frag      = 0
  ttl       = 64
  proto     = tcp
  chksum    = None
  src       = 192.168.37.131
  dst       = 192.168.37.128
  \options   \
###[ TCP ]###
     sport     = ftp_data
     dport     = http
     seq       = 0
     ack       = 3575793391
     dataofs   = None
     reserved  = 0
     flags     = A
     window    = 8192
     chksum    = None
     urgptr    = 0
     options   = {}
(2) Full-connect port scanning: nmap
root@root:~# nmap -sT 192.168.37.128 -p 1-100 # scan ports 1-100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 16:21 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00080s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds
root@root:~# nmap -sT 192.168.37.128 -p 22,25,28,80 # scan the specified ports
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 16:22 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00053s latency).

PORT   STATE  SERVICE
22/tcp closed ssh
25/tcp open smtp
28/tcp closed unknown
80/tcp open http
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
root@root:~# nmap -sT 192.168.37.128 # scan the 1000 most common ports
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-13 16:23 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00036s latency).
Not shown: 973 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
465/tcp open smtps
593/tcp open http-rpc-epmap
636/tcp open ldapssl
993/tcp open imaps
995/tcp open pop3s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3306/tcp open mysql
6000/tcp open X11
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49167/tcp open unknown
MAC Address: 00:0C:29:3B:24:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
(3) Full-connect port scanning: dmitry
- Simple functionality, simple to use;
- Scans the 150 most commonly used ports by default;
root@root:~# dmitry -p 192.168.37.128
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:192.168.37.128
HostName:bogon

Gathered TCP Port information for 192.168.37.128
---------------------------------

 Port		State

25/tcp		open
53/tcp open
80/tcp open
88/tcp open
110/tcp open
135/tcp open
139/tcp open
143/tcp		open

Portscan Finished: Scanned 150 ports, 141 ports were in state closed

All scans completed, exiting
(4) Full-connect port scanning: nc
root@root:~# nc -nv -w 1 -z 192.168.37.128 1-100
(UNKNOWN) [192.168.37.128] 88 (kerberos) open
(UNKNOWN) [192.168.37.128] 80 (http) open
(UNKNOWN) [192.168.37.128] 53 (domain) open
(UNKNOWN) [192.168.37.128] 25 (smtp) open