标签:systems pat NPU tin controls poi scanner point discovery
1、NetDiscover you performe layer 2
the comand : netdiscover -r 192.168.2.0/24 or use netdiscover -l iplist.txt
2、in fact we use ARP to request the system get the replay is Poor concealment, because we use the Broadcasting ARP request for every IP address in an entire subnet can sometimes trigger alerts or resopnses from security devices such as Intrusion Detection Systems(IDS ) or other devices Intrusion Prevention System(IPS)
A stealthier approach is to listen for the ARP traffic as the scanner system naturally interacts with other system on the network ,and then record the data collected from the ARP response ,this passive scanning techinque can be performed usign the -p option . the command as follow ,but we the rate of scanning is slower .we ofter use it to scanning the wireless network .
netdiscover -p [ip ]
3、use the auxiliary in the Metasploit
the start command is :msfconsole and the use the auxiliary :
use auxiliary/Scanner/discover/arp_sweep and use to show what need configuration
4 、As with the ARPing request, the bytes from unique sting is only present in the ouput associated with live ip address ,and it is also on a line that contains this address ,in the same fashion ,we can extract the ip address from any successful ping request using a combination of grep and cut ,the command :
ping 192.168.1.1 -c 3 | gerp "butes from "
ping 192.168.1.1 -c 3 | gerp " byte from" | cut -d " " -f 4
ping 192.168.1.1 -c 3 | grep " bytes from " | cut -d " " -f 4 | -d ":" -f 1
5、using Nmap to perform layer3 discovery
IPCM scan command : nmap -sn [ip] ,besides ,we can use the comand : (nmap -iL iplist.txt -sn [ip] )
6、 fping and hping3
unlike the standard ping utility ,fping will stop sending ICMP echo requests after it receives a single replay ,but if a response is not received from the address ,fping will make four attempts to contact the system prior to determining that the host is unreachable .
using the -g option to dynamically generate a list of ip address .to specify a range to scan ,pass this argument to both the first and last ip address in the desird sequential range ,,the command is : fping -g 192.168.1.0 192.168.1.11 of course it can write this : fping -g 192.168.1.0/24 ,fping can also used a series of address as specified by the contents of an input text file ,to use an input file ,use the -f file option and supply the filename or path of the input file; thec command is : fping -f iplist.txt
the other tool is hping3 , it is canable of performing discovery at both layer 3 and layer 4, the comman is : hping3 192.168.1.0 --icmp , in the linux use the -c option appoint should be include with an integer value that indicates the desired number of attempts .
the command : hping3 192.168.1.1 --icmp -c 2
7、 using Scapy to perform layer 4 discovery
an ACK packet sent to live host on any port ,regardless of the port status ,will return an RST packet ,but on response will be received from an IP if no live host is associzted with it , so we can perform a discovery scan on a large number of system by only interacting with a single port on the each system, using Scapy in conjuction with the python , we can use the brief command , through send ACK packet to only the one the TCP port on the each system ,by eveulating the response returned by each host , so , we can easily output a list the ip address .
eg : #/usr/bin/python
import loging
logging.getLogger("Scapy.runtime).setLevel(logging.ERROR)
from scapy.all import *
if len(sys.argv)!=2:
print(" Usage -./ACK_Ping.py[/24 network address]")
print(" Example -/ACK_Ping.py 192.168.1.2")
print(" Example will perform a TCP ACK ping scan of the 192.168.1.0/24 range")
sys.exit()
address=src(sys.arvg[1])
prefix=address.split( ‘.‘)[0]+ ‘ .‘ +address.split(‘.‘)[1]+ ‘ .‘ +address.split(‘.‘)[2]+ ‘ .‘
for addr in range(1,254):
response=srl(IP(dst(prefix+str(addr))/TCP(dport=80,flag=‘A‘),timeout=1,verbose=0)
try:
if int (response[TCP].flags)==4:
print(" "192.168.1.2"+str(addr) ")
except:
pass
end the code ,we can use ./ACK_Ping.py perform
8、using the nmap to perform layer 4 dissovery
to perform a discovery scan with UDP ,use the -PU in the conjuction with the port to test like with : nmap 192.168.2.1 -PU53 -sn besides we can use the command to perform scan use ip address list .like the command : nmap -il iplist.txt -sn -PU53 (designated port 53)
using -PA option means use the ACK packets to identify live hosts . the command : nmap 192.168.1.2 -PA80 -sn ,of couse we can performed on a range os host using dash notation ,the command is : nmap 192.168.1.2 -192.168.1.255 -PA80 -sn or use 0/24
9、Using hping3 to perform layer 4 discovery
by specifying the UDP mode with the --udp option ,UDP probes can transmisted in attempts to trigger replies from live hosts:
the command like this : hping3 --udp 192.168.1.2 we can use the -c option indicated the desired number of attempts
eg: nmap --udp 192.168.1.2 -c 2
we know the hping3 does not support the scanning of mulltiple system by default, but we can use the bush scripting.like this :
hping3 --upd 192.168.1.2 -c 2 ;hping3 --upd 192.168.2.3 -c 2 | gerp " Unreachable " Hping 192.168.1.2 (eth1 192.168.1.2):udp mode set 28 headers +0 data bytes ICMP port Unreachable from ip=192.168.1.2 name=unknow status=0 port 2836 seq=0
标签:systems pat NPU tin controls poi scanner point discovery
原文地址:https://www.cnblogs.com/xinxianquan/p/10289541.html
