# 主动信息收集的原理
# 主动信息手机的特点
- 直接与目标系统交互通信
- 无法避免留下访问的痕迹
- 使用受控的第三方电脑进行探测,使用代理或已经被控制的机器
- 扫描发送不同的探测,根据返回结果判断目标状态
# 发现目标主机的过程
- 识别存活主机,发现潜在的被攻击目标
- 输出一个 IP 地址列表比如 IP 地址段 IP 地址范围
- 使用二,三,四层进行探测发现
# OSI 七层模型与 TCP/IP 协议对应关系
![]()
# 二层发现:arping,netdiscover
# arping
arping
命令用于向目标主机发送 ARP 请求,查看目标主机的 MAC 地址以及 IP 占用情况。(功能与 ping 相似)
# 用法
# 常用选项:
-c count
: 发送指定数量的 ARP 包。
| ┌──(root㉿kali)-[~] |
| └─ |
| ARPING 192.168.1.6 |
| 42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=0 time=372.832 msec |
| 42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=1 time=401.824 msec |
| 42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=2 time=423.266 msec |
| |
| --- 192.168.1.6 statistics --- |
| 3 packets transmitted, 3 packets received, 0% unanswered (0 extra) |
| rtt min/avg/max/std-dev = 372.832/399.308/423.266/20.666 ms |
-d
: 当有相同 IP 的不同 MAC 地址 reply 的时候,arping 退出。-r
: 输出时只打印 MAC 地址。
| ┌──(root㉿kali)-[~] |
| └─ |
| 34:79:16:e5:e8:e4 |
| 34:79:16:e5:e8:e4 |
| 34:79:16:e5:e8:e4 |
| 34:79:16:e5:e8:e4 |
| 34:79:16:e5:e8:e4 |
| ^C |
| ┌──(root㉿kali)-[~] |
| └─ |
-R
: 输出时只打印 IP。
| ┌──(root㉿kali)-[~] |
| └─ |
| 192.168.1.6 |
| 192.168.1.6 |
| 192.168.1.6 |
| 192.168.1.6 |
| 192.168.1.6 |
| 192.168.1.6 |
| ^C |
| ┌──(root㉿kali)-[~] |
| └─ |
-W sec
: 指定两次 ping 之间的间隔时间-w sec
: 设置超时时间,如果超过指定时间未收到响应就退出。
# netdiscover
netdiscover 拥有主动扫描和被动嗅探两种模式,可以快速扫描局域网中存活的设备。
# 用法
# 常用选项
-i device
: 指定网卡。-r range
: 指定扫描范围 (/8./16,/24)。-p
: 被动模式,不发送任何报文,仅嗅探。-s time
: 指定每个 ARP 请求间的休眠时间 (ms)-c count
: 指定每个 ARP 请求发送的次数,默认一次。
| ┌──(root㉿kali)-[~] |
| └─ |
| |
| Currently scanning: Finished! | Screen View: Unique Hosts |
| |
| 33 Captured ARP Req/Rep packets, from 4 hosts. Total size: 1386 |
| _____________________________________________________________________________ |
| IP At MAC Address Count Len MAC Vendor / Hostname |
| ----------------------------------------------------------------------------- |
| 192.168.1.1 8c:8f:8b:a4:0e:38 29 1218 China Mobile Chongqing branch |
| 192.168.1.8 40:23:43:a8:7f:17 2 84 CHONGQING FUGUI ELECTRONICS CO.,LTD. |
| 192.168.1.2 2c:1f:23:d0:e3:86 1 42 Apple, Inc. |
| 192.168.1.6 34:79:16:e5:e8:e4 1 42 HUAWEI TECHNOLOGIES CO.,LTD |
# 三层发现:ping,traceroute
# ping
ping 命令用于检测本机与目标主机是否联通,以及检测连接的速度与稳定性。(ping 使用 ICMP 协议)
# 用法
# 常用选项
-c count
: 指定 ping 的次数
| ┌──(root㉿kali)-[~] |
| └─ |
| PING www.baidu.com (39.156.66.18) 56(84) bytes of data. |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=31.9 ms |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.4 ms |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.9 ms |
| |
| --- www.baidu.com ping statistics --- |
| 4 packets transmitted, 4 received, 0% packet loss, time 3004ms |
| rtt min/avg/max/mdev = 31.867/32.107/32.375/0.209 ms |
-f
: 多次快速 ping 一台主机,速度可达 100 次每秒。
| ┌──(root㉿kali)-[~] |
| └─ |
| PING www.baidu.com (39.156.66.18) 56(84) bytes of data. |
| .............................................^C |
| --- www.baidu.com ping statistics --- |
| 1410 packets transmitted, 1365 received, 3.19149% packet loss, time 21815ms |
| rtt min/avg/max/mdev = 30.895/33.664/203.372/10.158 ms, pipe 12, ipg/ewma 15.482/32.027 ms |
-i interval
: 指定每次 ping 的时间间隔,默认一秒一次。
| ┌──(root㉿kali)-[~] |
| └─ |
| PING www.baidu.com (39.156.66.18) 56(84) bytes of data. |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=43.8 ms |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=792 ms |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=107 ms |
| 64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.8 ms |
| ^C |
| --- www.baidu.com ping statistics --- |
| 4 packets transmitted, 4 received, 0% packet loss, time 15012ms |
| rtt min/avg/max/mdev = 31.830/243.720/791.816/317.747 ms |
-s size
: 指定每次 ping 发送的数据字节数。(默认是 56 字节 + 28 字节的 ICMP 头)
| ┌──(root㉿kali)-[~] |
| └─ |
| PING www.baidu.com (39.156.66.18) 100(128) bytes of data. |
| 108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=33.4 ms |
| 108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms |
| 108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.7 ms |
| 108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=32.8 ms |
| 108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=5 ttl=51 time=32.1 ms |
| ^C |
| --- www.baidu.com ping statistics --- |
| 5 packets transmitted, 5 received, 0% packet loss, time 4002ms |
| rtt min/avg/max/mdev = 32.095/32.647/33.431/0.475 ms |
-t ttl
: 指定发送包的生存时间 (Time To Live)
| ┌──(root㉿kali)-[~] |
| └─ |
| PING baidu.com (39.156.66.10) 56(84) bytes of data. |
| From 39.156.67.33 (39.156.67.33) icmp_seq=1 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=2 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=3 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=4 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=5 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=6 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=7 Time to live exceeded |
| From 39.156.67.33 (39.156.67.33) icmp_seq=8 Time to live exceeded |
| ^C |
| --- baidu.com ping statistics --- |
| 8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 7012ms |
PS: 这里是因为我设置的 TTL 太小数据包无法到达目标主机所以返回了 Time to live exceeded
-W timeout
: 设置每次等待响应的超时时间。
# fping
fing 与 ping 类似,这里不做过多赘述。fping 的优点是可以一次 ping 多个主机,速度快。
| ┌──(root㉿kali)-[~] |
| └─ |
| 192.168.1.113: error while sending ping: No buffer space available |
| 192.168.1.16: error while sending ping: No buffer space available |
| ... |
| ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.254 |
| ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.253 |
| ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.253 |
| |
| ┌──(root㉿kali)-[~] |
| └─ |
| 192.168.1.1 is alive |
| 192.168.1.5 is alive |
| 192.168.1.6 is alive |
| 192.168.1.2 is unreachable |
| 192.168.1.3 is unreachable |
| ... |
| 192.168.1.252 is unreachable |
| 192.168.1.253 is unreachable |
| 192.168.1.254 is unreachable |
# traceroute
通过 traceroute 可以显示出到达目的地的数据包路由。
| ┌──(root㉿kali)-[~] |
| └─ |
| traceroute to baidu.com (110.242.68.66), 30 hops max, 60 byte packets |
| 1 192.168.1.1 (192.168.1.1) 1.116 ms 1.277 ms 1.634 ms |
| 2 10.173.0.1 (10.173.0.1) 7.903 ms 9.271 ms 9.383 ms |
| 3 117.157.95.177 (117.157.95.177) 24.544 ms 117.157.95.181 (117.157.95.181) 10.895 ms 117.157.95.177 (117.157.95.177) 10.865 ms |
| 4 * * * |
| 5 117.157.95.93 (117.157.95.93) 14.162 ms 117.157.95.89 (117.157.95.89) 14.102 ms 14.088 ms |
| 6 * * * |
| 7 * * * |
| 8 221.183.40.41 (221.183.40.41) 27.134 ms 221.183.37.213 (221.183.37.213) 33.591 ms 33.556 ms |
| 9 221.183.94.38 (221.183.94.38) 33.515 ms 221.183.94.42 (221.183.94.42) 31.676 ms 221.183.94.38 (221.183.94.38) 33.413 ms |
| 10 221.183.95.62 (221.183.95.62) 41.847 ms 221.183.123.14 (221.183.123.14) 41.135 ms 221.183.68.194 (221.183.68.194) 46.689 ms |
| 11 219.158.3.65 (219.158.3.65) 42.812 ms 43.617 ms 44.816 ms |
| 12 219.158.11.94 (219.158.11.94) 52.969 ms 219.158.9.174 (219.158.9.174) 42.867 ms 219.158.11.74 (219.158.11.74) 42.658 ms |
| 13 110.242.66.174 (110.242.66.174) 49.035 ms 110.242.66.162 (110.242.66.162) 44.764 ms 44.715 ms |
| 14 * 221.194.45.134 (221.194.45.134) 46.658 ms 47.579 ms |
| 15 * * * |
| 16 * * * |
| 17 * * * |
| 18 * * * |
| 19 * * * |
| 20 * * * |
| 21 * * * |
| 22 * * * |
| 23 * * * |
| 24 * * * |
| 25 * * * |
| 26 * * * |
| 27 * * * |
| 28 * * * |
| 29 * * * |
| 30 * * * |
通过 -m
参数可以设置数据包 TTL 的大小
| ┌──(root㉿kali)-[~] |
| └─ |
| traceroute to baidu.com (110.242.68.66), 5 hops max, 60 byte packets |
| 1 192.168.1.1 (192.168.1.1) 1.514 ms 1.471 ms 1.876 ms |
| 2 10.173.0.1 (10.173.0.1) 6.051 ms 6.019 ms 6.144 ms |
| 3 117.157.95.177 (117.157.95.177) 5.703 ms 117.157.95.181 (117.157.95.181) 6.558 ms 6.520 ms |
| 4 * * * |
| 5 117.157.95.93 (117.157.95.93) 7.324 ms 8.665 ms 117.157.95.89 (117.157.95.89) 6.848 ms |
# 四层发现:Nmap
Nmap 是一个网络连接端扫描软件,用来扫描网络中电脑开放的连接端,同是也能检测目标主机的操作系统等信息,这里只写最基本的用法后面大概可能会写一个详细的介绍
# 用法
# 常用选项
- 直接扫描单个 IP
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:29 CST |
| Nmap scan report for 111.13.149.108 |
| Host is up (0.079s latency). |
| Not shown: 993 filtered tcp ports (no-response) |
| PORT STATE SERVICE |
| 80/tcp open http |
| 443/tcp open https |
| 2000/tcp closed cisco-sccp |
| 2001/tcp closed dc |
| 2002/tcp closed globe |
| 2003/tcp closed finger |
| 2004/tcp closed mailbox |
| |
| Nmap done: 1 IP address (1 host up) scanned in 25.21 seconds |
- 扫描多个 IP:
nmap IP1 IP2
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:32 CST |
| Nmap scan report for 111.13.149.108 |
| Host is up (0.033s latency). |
| Not shown: 993 filtered tcp ports (no-response) |
| PORT STATE SERVICE |
| 80/tcp open http |
| 443/tcp open https |
| 2000/tcp closed cisco-sccp |
| 2001/tcp closed dc |
| 2002/tcp closed globe |
| 2003/tcp closed finger |
| 2004/tcp closed mailbox |
| |
| Nmap scan report for 140.205.220.96 |
| Host is up (0.043s latency). |
| Not shown: 998 filtered tcp ports (no-response) |
| PORT STATE SERVICE |
| 80/tcp open http |
| 443/tcp open https |
| |
| Nmap done: 2 IP addresses (2 hosts up) scanned in 7.22 seconds |
- 扫描目标地址所在网段:
nmap xxx.xxx.xxx.xxx/xx
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:36 CST |
| Nmap scan report for 192.168.1.1 |
| Host is up (0.0042s latency). |
| Not shown: 995 closed tcp ports (reset) |
| PORT STATE SERVICE |
| 53/tcp open domain |
| 80/tcp open http |
| 5080/tcp open onscreen |
| 5555/tcp open freeciv |
| 8080/tcp open http-proxy |
| MAC Address: 8C:8F:8B:A4:0E:38 (China Mobile Chongqing branch) |
| |
| Nmap scan report for 192.168.1.4 |
| Host is up (0.037s latency). |
| All 1000 scanned ports on 192.168.1.4 are in ignored states. |
| Not shown: 1000 filtered tcp ports (no-response) |
| MAC Address: 20:FF:36:1F:32:DF (Iflytek) |
| |
| Nmap scan report for 192.168.1.8 |
| Host is up (0.033s latency). |
| All 1000 scanned ports on 192.168.1.8 are in ignored states. |
| Not shown: 1000 filtered tcp ports (no-response) |
| MAC Address: 40:23:43:A8:7F:17 (Chongqing Fugui Electronics) |
| |
| Nmap scan report for 192.168.1.5 |
| Host is up (0.0000060s latency). |
| All 1000 scanned ports on 192.168.1.5 are in ignored states. |
| Not shown: 1000 closed tcp ports (reset) |
| |
| Nmap done: 256 IP addresses (4 hosts up) scanned in 47.08 seconds |
- 指定端口进行扫描:
nmap IP -p 端口号
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:39 CST |
| Nmap scan report for 111.13.149.108 |
| Host is up (0.070s latency). |
| |
| PORT STATE SERVICE |
| 80/tcp open http |
| |
| Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds |
- 检测目标主机的操作系统:
nmap -O IP
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:47 CST |
| Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan |
| SYN Stealth Scan Timing: About 86.63% done; ETC: 14:47 (0:00:02 remaining) |
| Nmap scan report for 111.13.149.108 |
| Host is up (0.037s latency). |
| Not shown: 993 filtered tcp ports (no-response) |
| PORT STATE SERVICE |
| 80/tcp open http |
| 443/tcp open https |
| 2000/tcp closed cisco-sccp |
| 2001/tcp closed dc |
| 2002/tcp closed globe |
| 2003/tcp closed finger |
| 2004/tcp closed mailbox |
| Device type: general purpose|specialized |
| Running (JUST GUESSING): Linux 3.X|4.X (89%), AVtech embedded (88%) |
| OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.9 |
| Aggressive OS guesses: Linux 3.18 (89%), AVtech Room Alert 26W environmental monitor (88%), Linux 4.9 (85%) |
| No exact OS matches for host (test conditions non-ideal). |
| |
| OS detection performed. Please report any incorrect results at https://nmap.org/submit/ . |
| Nmap done: 1 IP address (1 host up) scanned in 26.79 seconds |
- 对目标地址进行路由跟踪:
nmap --traceroute IP
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:53 CST |
| Nmap scan report for 140.205.220.96 |
| Host is up (0.088s latency). |
| Not shown: 998 filtered tcp ports (no-response) |
| PORT STATE SERVICE |
| 80/tcp open http |
| 443/tcp open https |
| |
| TRACEROUTE (using port 443/tcp) |
| HOP RTT ADDRESS |
| 1 2.23 ms 192.168.1.1 |
| 2 6.71 ms 10.173.0.1 |
| 3 115.40 ms 117.157.95.177 |
| 4 ... |
| 5 7.16 ms 117.157.95.93 |
| 6 ... 7 |
| 8 40.94 ms 221.183.39.130 |
| 9 47.57 ms 120.204.35.238 |
| 10 ... 11 |
| 12 47.12 ms 116.251.106.194 |
| 13 ... 14 |
| 15 108.64 ms 140.205.220.96 |
| |
| Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds |
- 扫描目标主机开放的端口服务版本:
nmap -sV IP
| ┌──(root㉿kali)-[~] |
| └─ |
| Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:55 CST |
| Nmap scan report for 140.205.220.96 |
| Host is up (0.080s latency). |
| Not shown: 998 filtered tcp ports (no-response) |
| PORT STATE SERVICE VERSION |
| 80/tcp open http Tengine httpd |
| 443/tcp open ssl/http Tengine httpd |
| |
| Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . |
| Nmap done: 1 IP address (1 host up) scanned in 32.28 seconds |
- 探测防火墙:
nmap -sF -T4 IP
- 绕过防火墙进行全面扫描:
nmap -Pn -A IP