# Principles of active information gathering

# Characteristics of active information gathering

  • Interacts and communicates directly with the target system
  • Cannot avoid leaving traces of the access
  • Probes are launched from a controlled third-party machine, through a proxy or an already-controlled host
  • Scanning sends different probes and infers the target's state from the responses

# The host discovery process

  1. Identify live hosts to find potential attack targets
  2. Produce a list of IP addresses, for example an IP block or an IP address range
  3. Probe and discover at layers 2, 3 and 4

# Mapping between the OSI seven-layer model and the TCP/IP protocol suite

# Layer-2 discovery: arping, netdiscover

# arping

The arping command sends ARP requests to a target host to learn its MAC address and whether the IP address is in use. (Its function is similar to ping.)

# Usage

```
arping [options] target-host-IP
```

# Common options

  1. -c count: send the specified number of ARP packets.

```
┌──(root㉿kali)-[~]
└─# arping -c 3 192.168.1.6
ARPING 192.168.1.6
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=0 time=372.832 msec
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=1 time=401.824 msec
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=2 time=423.266 msec
--- 192.168.1.6 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 372.832/399.308/423.266/20.666 ms
```

  2. -d: exit when replies for the same IP arrive from different MAC addresses.
  3. -r: print only the MAC address in the output.

```
┌──(root㉿kali)-[~]
└─# arping -r 192.168.1.6
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
34:79:16:e5:e8:e4
^C
┌──(root㉿kali)-[~]
└─#
```

  4. -R: print only the IP address in the output.

```
┌──(root㉿kali)-[~]
└─# arping -R 192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
192.168.1.6
^C
┌──(root㉿kali)-[~]
└─#
```

  5. -W sec: interval between two pings.
  6. -w sec: timeout; exit if no reply is received within the given time.

# netdiscover

netdiscover has both an active scanning mode and a passive sniffing mode, and can quickly scan a LAN for live devices.

# Usage

```
netdiscover [options] [arguments]
```

# Common options

  1. -i device: specify the network interface.
  2. -r range: specify the scan range (/8, /16, /24).
  3. -p: passive mode; send no packets, only sniff.
  4. -s time: sleep time between ARP requests (ms).
  5. -c count: number of times each ARP request is sent; default is once.
```
┌──(root㉿kali)-[~]
└─# netdiscover -i wlan0 -r 192.168.1.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts

 33 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1386
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     8c:8f:8b:a4:0e:38     29    1218  China Mobile Chongqing branch
 192.168.1.8     40:23:43:a8:7f:17      2      84  CHONGQING FUGUI ELECTRONICS CO.,LTD.
 192.168.1.2     2c:1f:23:d0:e3:86      1      42  Apple, Inc.
 192.168.1.6     34:79:16:e5:e8:e4      1      42  HUAWEI TECHNOLOGIES CO.,LTD
```
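To show what a defender does with layer-2 discovery output, here is an added example (Python, not code from the original post): it parses the netdiscover table and arping replies into an IP-to-MAC inventory, flags MACs that are absent from a known-asset list, and reports any IP that answered from more than one MAC, which is exactly the condition arping -d exits on. The KNOWN_ASSETS baseline and the second MAC in the arping sample are constructed for the example.

```python
"""Build a layer-2 host inventory from netdiscover / arping output and flag
what a defender cares about: MAC addresses not in the asset baseline, and one
IP answered by more than one MAC (the case arping -d exits on).

Added example, not part of the original post. The sample outputs are
constructed from the listings above; KNOWN_ASSETS is an invented baseline.
"""
import re
from collections import defaultdict

# Constructed sample: the netdiscover "Unique Hosts" table from the post.
NETDISCOVER_OUTPUT = """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 33 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 1386
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.1     8c:8f:8b:a4:0e:38     29    1218  China Mobile Chongqing branch
 192.168.1.8     40:23:43:a8:7f:17      2      84  CHONGQING FUGUI ELECTRONICS CO.,LTD.
 192.168.1.2     2c:1f:23:d0:e3:86      1      42  Apple, Inc.
 192.168.1.6     34:79:16:e5:e8:e4      1      42  HUAWEI TECHNOLOGIES CO.,LTD
"""

# Constructed sample: arping replies for one IP where a second (made-up) MAC
# also answers; this is the "same IP, different MAC" situation behind -d.
ARPING_OUTPUT = """\
ARPING 192.168.1.6
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=0 time=372.832 msec
42 bytes from 34:79:16:e5:e8:e4 (192.168.1.6): index=1 time=401.824 msec
42 bytes from de:ad:be:ef:00:01 (192.168.1.6): index=2 time=12.010 msec
--- 192.168.1.6 statistics ---
"""

# Hypothetical asset baseline (MAC -> description) as an admin might keep it.
KNOWN_ASSETS = {
    "8c:8f:8b:a4:0e:38": "home router",
    "2c:1f:23:d0:e3:86": "laptop",
    "34:79:16:e5:e8:e4": "phone",
}

IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC_RE = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
NETDISCOVER_LINE = re.compile(r"^\s*" + IP_RE + r"\s+" + MAC_RE + r"\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
ARPING_LINE = re.compile(r"^\d+ bytes from " + MAC_RE + r" \(" + IP_RE + r"\)")


def parse_netdiscover(text):
    """Return {ip: (mac, vendor)} from netdiscover's Unique Hosts table."""
    hosts = {}
    for line in text.splitlines():
        m = NETDISCOVER_LINE.match(line)
        if m:
            ip, mac, _count, _length, vendor = m.groups()
            hosts[ip] = (mac.lower(), vendor)
    return hosts


def parse_arping(text):
    """Return {ip: set of MACs that answered} so that conflicts stay visible."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ARPING_LINE.match(line)
        if m:
            mac, ip = m.groups()
            seen[ip].add(mac.lower())
    return dict(seen)


def unknown_hosts(hosts, baseline):
    """IPs whose MAC is not in the asset baseline (candidate rogue devices)."""
    return sorted(ip for ip, (mac, _vendor) in hosts.items() if mac not in baseline)


def ip_mac_conflicts(replies):
    """IPs answered by more than one MAC: a duplicate address or ARP spoofing."""
    return {ip: sorted(macs) for ip, macs in replies.items() if len(macs) > 1}


if __name__ == "__main__":
    inventory = parse_netdiscover(NETDISCOVER_OUTPUT)
    print("unknown devices:", unknown_hosts(inventory, KNOWN_ASSETS))
    print("IP/MAC conflicts:", ip_mac_conflicts(parse_arping(ARPING_OUTPUT)))
```

Run against the samples it reports 192.168.1.8 as the one device missing from the baseline and 192.168.1.6 as an IP with two MACs answering; feeding it a real netdiscover capture saved to a file is a matter of replacing the sample strings.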

# Layer-3 discovery: ping, traceroute

# ping

The ping command checks whether the local machine can reach a target host and measures the speed and stability of the connection. (ping uses the ICMP protocol.)

# Usage

```
ping [options] target-host (domain name or IP)
```

# Common options

  1. -c count: number of pings to send.

```
┌──(root㉿kali)-[~]
└─# ping -c 4 www.baidu.com
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=31.9 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.4 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.9 ms
--- www.baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 31.867/32.107/32.375/0.209 ms
```

  2. -f: flood ping; pings a host rapidly, at up to 100 packets per second.

```
┌──(root㉿kali)-[~]
└─# ping -f www.baidu.com
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
.............................................^C
--- www.baidu.com ping statistics ---
1410 packets transmitted, 1365 received, 3.19149% packet loss, time 21815ms
rtt min/avg/max/mdev = 30.895/33.664/203.372/10.158 ms, pipe 12, ipg/ewma 15.482/32.027 ms
```

  3. -i interval: interval between pings; the default is one per second.

```
┌──(root㉿kali)-[~]
└─# ping -i 5 www.baidu.com
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=43.8 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=792 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=107 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.8 ms
^C
--- www.baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 15012ms
rtt min/avg/max/mdev = 31.830/243.720/791.816/317.747 ms
```

  4. -s size: number of data bytes sent per ping. (The default is 56 data bytes plus 28 bytes of IP/ICMP headers.)

```
┌──(root㉿kali)-[~]
└─# ping -s 100 www.baidu.com
PING www.baidu.com (39.156.66.18) 100(128) bytes of data.
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=33.4 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.7 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=32.8 ms
108 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=5 ttl=51 time=32.1 ms
^C
--- www.baidu.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 32.095/32.647/33.431/0.475 ms
```

  5. -t ttl: Time To Live of the packets sent.

```
┌──(root㉿kali)-[~]
└─# ping -t 10 baidu.com
PING baidu.com (39.156.66.10) 56(84) bytes of data.
From 39.156.67.33 (39.156.67.33) icmp_seq=1 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=2 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=3 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=4 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=5 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=6 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=7 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=8 Time to live exceeded
^C
--- baidu.com ping statistics ---
8 packets transmitted, 0 received, +8 errors, 100% packet loss, time 7012ms
```

PS: this happened because the TTL I set was too small; the packets could not reach the target host, so "Time to live exceeded" was returned.

  6. -W timeout: time to wait for each response.
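As an added example rather than part of the original post, the Python script below parses ping output of the kind shown above: it recomputes the loss and the rtt min/avg/max/mdev figures from the reply lines, counts the "Time to live exceeded" errors from the -t run, and uses the reply TTL (ttl=51) to estimate how many routers sit between us and the target, assuming the sender started from one of the common initial TTLs 64, 128 or 255. The sample outputs are constructed from the runs above.

```python
"""Parse iputils ping output, recompute the statistics its summary line
reports, and estimate hop distance from the reply TTL.

Added example, not part of the original post. Sample outputs are constructed
from the ping runs shown above.
"""
import math
import re

# Constructed sample: four normal replies (ttl=51) as in `ping -c 4`.
PING_OK = """\
PING www.baidu.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=31.9 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=32.2 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=32.4 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=31.9 ms
--- www.baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
"""

# Constructed sample: what `ping -t 10` returned when the TTL was too small.
PING_TTL_EXCEEDED = """\
PING baidu.com (39.156.66.10) 56(84) bytes of data.
From 39.156.67.33 (39.156.67.33) icmp_seq=1 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=2 Time to live exceeded
From 39.156.67.33 (39.156.67.33) icmp_seq=3 Time to live exceeded
--- baidu.com ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2012ms
"""

REPLY_RE = re.compile(r"^\d+ bytes from \S+ \(([\d.]+)\): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
ERROR_RE = re.compile(r"^From ([\d.]+) \([\d.]+\) icmp_seq=(\d+) (.+)$")
SUMMARY_RE = re.compile(r"^(\d+) packets transmitted, (\d+) received")

# Initial TTL values that common operating systems put on outgoing packets.
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_ping(text):
    """Return {"replies": [(seq, ttl, rtt_ms)], "errors": [(router, seq, msg)], "sent": n}."""
    replies, errors, sent = [], [], 0
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            _src, seq, ttl, rtt = m.groups()
            replies.append((int(seq), int(ttl), float(rtt)))
            continue
        m = ERROR_RE.match(line)
        if m:
            router, seq, msg = m.groups()
            errors.append((router, int(seq), msg))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            sent = int(m.group(1))
    return {"replies": replies, "errors": errors, "sent": sent}


def rtt_stats(replies):
    """min/avg/max/mdev in ms; mdev is the population standard deviation,
    the same quantity iputils prints. Returns None when nothing was received."""
    rtts = [r for _seq, _ttl, r in replies]
    if not rtts:
        return None
    avg = sum(rtts) / len(rtts)
    mdev = math.sqrt(sum((r - avg) ** 2 for r in rtts) / len(rtts))
    return {"min": min(rtts), "avg": round(avg, 3), "max": max(rtts), "mdev": round(mdev, 3)}


def packet_loss_percent(parsed):
    """Loss as ping reports it: packets sent minus echo replies received."""
    if parsed["sent"] == 0:
        return 100.0
    return round(100.0 * (parsed["sent"] - len(parsed["replies"])) / parsed["sent"], 2)


def estimate_hops(ttl):
    """Assume the sender used the smallest common initial TTL >= the observed
    TTL; the difference is the number of routers the reply crossed."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


if __name__ == "__main__":
    ok = parse_ping(PING_OK)
    print("rtt:", rtt_stats(ok["replies"]), "loss:", packet_loss_percent(ok), "%")
    print("initial ttl / hops:", estimate_hops(ok["replies"][0][1]))
    bad = parse_ping(PING_TTL_EXCEEDED)
    print("errors:", len(bad["errors"]), "from", {e[0] for e in bad["errors"]})
```

The mdev it computes from the four rounded reply times (0.212) differs slightly from the 0.209 ping printed, because ping works from unrounded microsecond values; the hop estimate (13 routers for ttl=51) is a heuristic, since a host may use an uncommon initial TTL.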

# fping

fping is similar to ping, so I will not go into much detail here. fping's advantage is that it can ping many hosts at once and is fast.

```
┌──(root㉿kali)-[~]
└─# fping -g 192.168.1.0/24 > 1.txt
192.168.1.113: error while sending ping: No buffer space available
192.168.1.16: error while sending ping: No buffer space available
...
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.254
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.253
ICMP Host Unreachable from 192.168.1.5 for ICMP Echo sent to 192.168.1.253
┌──(root㉿kali)-[~]
└─# cat 1.txt
192.168.1.1 is alive
192.168.1.5 is alive
192.168.1.6 is alive
192.168.1.2 is unreachable
192.168.1.3 is unreachable
...
192.168.1.252 is unreachable
192.168.1.253 is unreachable
192.168.1.254 is unreachable
```

# traceroute

traceroute shows the route that packets take to reach the destination.

```
┌──(root㉿kali)-[~]
└─# traceroute baidu.com
traceroute to baidu.com (110.242.68.66), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.116 ms  1.277 ms  1.634 ms
 2  10.173.0.1 (10.173.0.1)  7.903 ms  9.271 ms  9.383 ms
 3  117.157.95.177 (117.157.95.177)  24.544 ms 117.157.95.181 (117.157.95.181)  10.895 ms 117.157.95.177 (117.157.95.177)  10.865 ms
 4  * * *
 5  117.157.95.93 (117.157.95.93)  14.162 ms 117.157.95.89 (117.157.95.89)  14.102 ms  14.088 ms
 6  * * *
 7  * * *
 8  221.183.40.41 (221.183.40.41)  27.134 ms 221.183.37.213 (221.183.37.213)  33.591 ms  33.556 ms
 9  221.183.94.38 (221.183.94.38)  33.515 ms 221.183.94.42 (221.183.94.42)  31.676 ms 221.183.94.38 (221.183.94.38)  33.413 ms
10  221.183.95.62 (221.183.95.62)  41.847 ms 221.183.123.14 (221.183.123.14)  41.135 ms 221.183.68.194 (221.183.68.194)  46.689 ms
11  219.158.3.65 (219.158.3.65)  42.812 ms  43.617 ms  44.816 ms
12  219.158.11.94 (219.158.11.94)  52.969 ms 219.158.9.174 (219.158.9.174)  42.867 ms 219.158.11.74 (219.158.11.74)  42.658 ms
13  110.242.66.174 (110.242.66.174)  49.035 ms 110.242.66.162 (110.242.66.162)  44.764 ms  44.715 ms
14  * 221.194.45.134 (221.194.45.134)  46.658 ms  47.579 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
```

The -m parameter sets the maximum TTL of the probe packets, that is, the maximum number of hops.

```
┌──(root㉿kali)-[~]
└─# traceroute -m 5 baidu.com
traceroute to baidu.com (110.242.68.66), 5 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.514 ms  1.471 ms  1.876 ms
 2  10.173.0.1 (10.173.0.1)  6.051 ms  6.019 ms  6.144 ms
 3  117.157.95.177 (117.157.95.177)  5.703 ms 117.157.95.181 (117.157.95.181)  6.558 ms  6.520 ms
 4  * * *
 5  117.157.95.93 (117.157.95.93)  7.324 ms  8.665 ms 117.157.95.89 (117.157.95.89)  6.848 ms
```
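Added example, not from the original post: a Python parser for traceroute output of the form shown above. It keeps per-probe addresses so that hops answered by two different routers (hops 3 and 5, per-probe load balancing) stay visible, records timed-out probes, and reports whether the destination address was actually reached, which in the run above it never was: the trace ends at hop 14 and every later hop is silent. The sample is constructed from the first run above, with the silent hops 15 to 30 collapsed to three.

```python
"""Parse traceroute output into per-hop records and answer the questions the
raw listing leaves open: did we reach the destination, where does the
visible path end, and which hops answer from more than one address.

Added example, not part of the original post. The sample is constructed
from the `traceroute baidu.com` run above with hops 15-30 collapsed.
"""
import re

TRACEROUTE_OUTPUT = """\
traceroute to baidu.com (110.242.68.66), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.116 ms  1.277 ms  1.634 ms
 2  10.173.0.1 (10.173.0.1)  7.903 ms  9.271 ms  9.383 ms
 3  117.157.95.177 (117.157.95.177)  24.544 ms 117.157.95.181 (117.157.95.181)  10.895 ms 117.157.95.177 (117.157.95.177)  10.865 ms
 4  * * *
 5  117.157.95.93 (117.157.95.93)  14.162 ms 117.157.95.89 (117.157.95.89)  14.102 ms  14.088 ms
14  * 221.194.45.134 (221.194.45.134)  46.658 ms  47.579 ms
15  * * *
16  * * *
17  * * *
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\), (\d+) hops max")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# A probe answer is "name (ip)  12.3 ms"; a bare "12.3 ms" reuses the previous
# address, and "*" is a probe that timed out.
ADDR_RE = re.compile(r"(\S+) \(([\d.]+)\)")
RTT_RE = r"([\d.]+) ms"
TOKEN_RE = re.compile(r"\*|(?:\S+ \([\d.]+\)\s+)?[\d.]+ ms")


def parse_traceroute(text):
    """Return (destination_ip, max_hops, hops); each hop is
    {"hop": n, "probes": [(ip or None, rtt_ms or None), ...]}."""
    destination, max_hops, hops = None, None, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            destination, max_hops = h.group(1), int(h.group(2))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        probes, last_ip = [], None
        for tok in TOKEN_RE.findall(rest):
            if tok == "*":
                probes.append((None, None))  # probe timed out
                continue
            a = ADDR_RE.match(tok)
            if a:
                last_ip = a.group(2)
            rtt = float(re.search(RTT_RE, tok).group(1))
            probes.append((last_ip, rtt))
        hops.append({"hop": number, "probes": probes})
    return destination, max_hops, hops


def responding_addresses(hop):
    """Distinct addresses that answered at this hop, in order of first appearance."""
    seen = []
    for ip, _rtt in hop["probes"]:
        if ip and ip not in seen:
            seen.append(ip)
    return seen


def path_summary(text):
    """Destination reached?, last hop that answered, silent hops, and hops
    that answered from more than one address (per-probe load balancing)."""
    destination, max_hops, hops = parse_traceroute(text)
    answered = [h["hop"] for h in hops if responding_addresses(h)]
    return {
        "destination": destination,
        "max_hops": max_hops,
        "reached": any(destination in responding_addresses(h) for h in hops),
        "last_responding_hop": max(answered) if answered else None,
        "silent_hops": [h["hop"] for h in hops if not responding_addresses(h)],
        "load_balanced_hops": {h["hop"]: responding_addresses(h)
                               for h in hops if len(responding_addresses(h)) > 1},
    }


if __name__ == "__main__":
    for key, value in path_summary(TRACEROUTE_OUTPUT).items():
        print(f"{key}: {value}")
```

A run that never reports `reached` is the normal case for a destination whose edge filters the UDP probes or the ICMP replies; the useful signal then is the last responding hop and how far it sits from the destination's network, not the wall of asterisks.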

# Layer-4 discovery: Nmap

Nmap is a network port scanner that finds the open ports on computers in a network; it can also detect information such as the target host's operating system. Only the most basic usage is covered here; a detailed introduction may follow later.

# Usage

```
nmap [options] IP
```

# Common options

  1. Scan a single IP directly

```
┌──(root㉿kali)-[~]
└─# nmap 111.13.149.108
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:29 CST
Nmap scan report for 111.13.149.108
Host is up (0.079s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE                    # ports open on the target host
80/tcp   open   http
443/tcp  open   https
2000/tcp closed cisco-sccp
2001/tcp closed dc
2002/tcp closed globe
2003/tcp closed finger
2004/tcp closed mailbox
Nmap done: 1 IP address (1 host up) scanned in 25.21 seconds
```

  2. Scan multiple IPs: nmap IP1 IP2

```
┌──(root㉿kali)-[~]
└─# nmap 111.13.149.108 140.205.220.96
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:32 CST
Nmap scan report for 111.13.149.108
Host is up (0.033s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2000/tcp closed cisco-sccp
2001/tcp closed dc
2002/tcp closed globe
2003/tcp closed finger
2004/tcp closed mailbox

Nmap scan report for 140.205.220.96
Host is up (0.043s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 2 IP addresses (2 hosts up) scanned in 7.22 seconds
```

  3. Scan the network segment the target address belongs to: nmap xxx.xxx.xxx.xxx/xx

```
┌──(root㉿kali)-[~]
└─# nmap 192.168.1.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:36 CST
Nmap scan report for 192.168.1.1
Host is up (0.0042s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
5080/tcp open  onscreen
5555/tcp open  freeciv
8080/tcp open  http-proxy
MAC Address: 8C:8F:8B:A4:0E:38 (China Mobile Chongqing branch)
Nmap scan report for 192.168.1.4
Host is up (0.037s latency).
All 1000 scanned ports on 192.168.1.4 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 20:FF:36:1F:32:DF (Iflytek)
Nmap scan report for 192.168.1.8
Host is up (0.033s latency).
All 1000 scanned ports on 192.168.1.8 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 40:23:43:A8:7F:17 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.1.5
Host is up (0.0000060s latency).
All 1000 scanned ports on 192.168.1.5 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Nmap done: 256 IP addresses (4 hosts up) scanned in 47.08 seconds
```

  4. Scan specific ports: nmap IP -p port

```
┌──(root㉿kali)-[~]
└─# nmap 111.13.149.108 -p 80
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:39 CST
Nmap scan report for 111.13.149.108
Host is up (0.070s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds
```

  5. Detect the target host's operating system: nmap -O IP

```
┌──(root㉿kali)-[~]
└─# nmap -O 111.13.149.108
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:47 CST
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 86.63% done; ETC: 14:47 (0:00:02 remaining)
Nmap scan report for 111.13.149.108
Host is up (0.037s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2000/tcp closed cisco-sccp
2001/tcp closed dc
2002/tcp closed globe
2003/tcp closed finger
2004/tcp closed mailbox
Device type: general purpose|specialized
Running (JUST GUESSING): Linux 3.X|4.X (89%), AVtech embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.9
Aggressive OS guesses: Linux 3.18 (89%), AVtech Room Alert 26W environmental monitor (88%), Linux 4.9 (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.79 seconds
```

  6. Trace the route to the target address: nmap --traceroute IP

```
┌──(root㉿kali)-[~]
└─# nmap --traceroute 140.205.220.96
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:53 CST
Nmap scan report for 140.205.220.96
Host is up (0.088s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   2.23 ms   192.168.1.1
2   6.71 ms   10.173.0.1
3   115.40 ms 117.157.95.177
4   ...
5   7.16 ms   117.157.95.93
6   ... 7
8   40.94 ms  221.183.39.130
9   47.57 ms  120.204.35.238
10  ... 11
12  47.12 ms  116.251.106.194
13  ... 14
15  108.64 ms 140.205.220.96
Nmap done: 1 IP address (1 host up) scanned in 13.62 seconds
```

  7. Detect the service versions on the target's open ports: nmap -sV IP

```
┌──(root㉿kali)-[~]
└─# nmap -sV 140.205.220.96
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:55 CST
Nmap scan report for 140.205.220.96
Host is up (0.080s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Tengine httpd
443/tcp open  ssl/http Tengine httpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.28 seconds
```

  8. Probe the firewall (FIN scan): nmap -sF -T4 IP
  9. Bypass the firewall and run a comprehensive scan (-Pn skips host discovery): nmap -Pn -A IP
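To close the Nmap section, an added example (Python, not code from the original post or from the Nmap project): a parser for Nmap's normal output as shown in the runs above. It collects each host's port table, MAC line and "Not shown" summary, and then compares the ports found open against an allowlist of what each host is supposed to expose, which is how a defender turns a scan into findings rather than a listing. The sample scan text is assembled from the runs above and the ALLOWED_EXPOSURE policy is invented.

```python
"""Parse Nmap's normal (human-readable) output into per-host records and
check each host's open ports against an exposure allowlist.

Added example, not part of the original post or of Nmap. The scan text is
constructed from the runs shown above; ALLOWED_EXPOSURE is a made-up policy.
"""
import re

# Constructed sample: a multi-host report mixing an -sV host (VERSION column),
# a LAN host with a MAC line, and a host with no ports shown at all.
NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 14:32 CST
Nmap scan report for 111.13.149.108
Host is up (0.033s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE  SERVICE  VERSION
80/tcp   open   http     Tengine httpd
443/tcp  open   https    Tengine httpd
2000/tcp closed cisco-sccp
2001/tcp closed dc

Nmap scan report for 192.168.1.1
Host is up (0.0042s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
5080/tcp open  onscreen
5555/tcp open  freeciv
8080/tcp open  http-proxy
MAC Address: 8C:8F:8B:A4:0E:38 (China Mobile Chongqing branch)
Nmap scan report for 192.168.1.4
Host is up (0.037s latency).
All 1000 scanned ports on 192.168.1.4 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 20:FF:36:1F:32:DF (Iflytek)
Nmap done: 3 IP addresses (3 hosts up) scanned in 47.08 seconds
"""

# Hypothetical exposure policy: the ports each host is expected to have open.
ALLOWED_EXPOSURE = {
    "111.13.149.108": {"80/tcp", "443/tcp", "8443/tcp"},
    "192.168.1.1": {"53/tcp", "80/tcp"},
    "192.168.1.4": set(),
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ")


def port_number(port):
    """Sort key so that 53/tcp comes before 5080/tcp."""
    return int(port.split("/")[0])


def parse_nmap(text):
    """Return {ip: {"ports": {port: (state, service, version)},
    "mac": str or None, "not_shown": (count, state) or None}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = hosts.setdefault(h.group(1), {"ports": {}, "mac": None, "not_shown": None})
            continue
        if current is None:
            continue  # banner lines before the first host report
        p = PORT_RE.match(line)
        if p:
            port, state, service, version = p.groups()
            current["ports"][port] = (state, service, version or "")
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1).lower()
            continue
        n = NOT_SHOWN_RE.match(line)
        if n:
            current["not_shown"] = (int(n.group(1)), n.group(2))
    return hosts


def open_ports(host):
    """Ports in state "open", numerically sorted."""
    return sorted((port for port, (state, _s, _v) in host["ports"].items() if state == "open"),
                  key=port_number)


def exposure_findings(hosts, policy):
    """Per host: ports open but not allowed ("unexpected") and allowed ports
    that were not seen open ("missing", e.g. a service that is down)."""
    findings = {}
    for ip, host in hosts.items():
        seen = set(open_ports(host))
        allowed = policy.get(ip, set())  # hosts absent from the policy allow nothing
        findings[ip] = {"unexpected": sorted(seen - allowed, key=port_number),
                        "missing": sorted(allowed - seen, key=port_number)}
    return findings


if __name__ == "__main__":
    scan = parse_nmap(NMAP_OUTPUT)
    for ip, finding in exposure_findings(scan, ALLOWED_EXPOSURE).items():
        print(ip, "mac:", scan[ip]["mac"], "open:", open_ports(scan[ip]), finding)
```

On the sample it reports 5080, 5555 and 8080/tcp as unexpected on 192.168.1.1 and 8443/tcp as missing on 111.13.149.108; a host that does not appear in the policy at all is treated as allowed to expose nothing, so every open port on it becomes a finding.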