(1)主动信息收集的特点
(2)解决方法
(3)发现(IP层面)
原理:使用ARP协议,在网段内进行广播,查看是否有回包,如果有,证明该主机存活;
优点:扫描速度快、可靠;
缺点:不可路由,只能发现同一网段内的主机;
(1)arping
1.1> arping 单个的IP地址
root@root:~# arping 192.168.37.130 #会一直ping下去,Ctrl+C暂停
ARPING 192.168.37.130 from 192.168.37.131 eth0
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC] 2.265ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC] 1.578ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC] 1.645ms
^CSent 3 probes (1 broadcast(s))
Received 3 response(s)
root@root:~# arping 192.168.37.130 -c 2 #指定发包的数量
ARPING 192.168.37.130 from 192.168.37.131 eth0
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC] 1.534ms
Unicast reply from 192.168.37.130 [00:0C:29:B6:06:CC] 1.376ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)
root@root:~# arping 192.168.37.130 -c 1 |grep "reply from" |awk '{print $4}'
192.168.37.130
#只过滤出IP地址
1.2> arping命令无法一次性实现多个ip的扫描,但可以配合shell脚本实现整个局域网的扫描
脚本1:arping.sh #扫描整个网段
#!/bin/bash
#该脚本用于扫描整个局域网内存活的主机
ETH=$(ifconfig | head -1 |awk -F":" '{print $1 }')
PREFIX=$(ifconfig $ETH | grep 'netmask' |awk '{print $2}'|cut -d '.' -f 1-3)
for addr in $(seq 1 254)
do
arping -c 1 $PREFIX.$addr | grep "reply from"|cut -d" " -f 4
done
结果如下:并使用Wireshark抓包查看
root@root:~# sh arping.sh
192.168.37.1
192.168.37.2
192.168.37.130
192.168.37.254
脚本2:arping2.sh #针对文件中的IP列表,进行扫描
#!/bin/bash
#该脚本主要用户实现扫描文件中的IP地址列表
FILE=$1
for addr in $(cat $FILE)
do
arping -c 1 $addr | grep "reply from" | cut -d" " -f 4
done
结果如下:并使用Wireshark抓包查看
root@root:~# cat IP.txt
192.168.37.2
192.168.37.8
192.168.37.130
192.168.37.133
192.168.37.180
192.168.37.190
root@root:~# sh arping2.sh IP.txt
192.168.37.2
192.168.37.130
(2)Nmap(很强大)
nmap相比arping,可以扫描整个网段,而且扫描速度快,内容多;
root@root:~# nmap -sn 192.168.37.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.130
Host is up (0.00045s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
root@root:~# nmap -sn 192.168.37.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 19:55 CST
Nmap scan report for 192.168.37.1
Host is up (0.00014s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.37.2
Host is up (0.00011s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00037s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap scan report for 192.168.37.254
Host is up (0.00030s latency).
MAC Address: 00:50:56:E2:44:F8 (VMware)
Nmap scan report for 192.168.37.131
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.04 seconds
root@root:~# cat IP.txt
192.168.37.2
192.168.37.8
192.168.37.130
192.168.37.133
192.168.37.180
192.168.37.190
root@root:~# nmap -iL IP.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-09 20:06 CST
Nmap scan report for 192.168.37.2
Host is up (0.000064s latency).
MAC Address: 00:50:56:E8:E0:56 (VMware)
Nmap scan report for 192.168.37.130
Host is up (0.00026s latency).
MAC Address: 00:0C:29:B6:06:CC (VMware)
Nmap done: 6 IP addresses (2 hosts up) scanned in 0.31 seconds
(3)Netdiscover
3.1> 主动发现
root@root:~# netdiscover -i eth0 -r 192.168.37.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.37.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.37.2 00:50:56:e8:e0:56 1 60 VMware, Inc.
192.168.37.130 00:0c:29:b6:06:cc 1 60 VMware, Inc.
192.168.37.254 00:50:56:e2:44:f8 1 60 VMware, Inc.
root@root:~# netdiscover -l IP.txt
Currently scanning: Finished! | Screen View: Unique Hosts
24 Captured ARP Req/Rep packets, from 4 hosts. Total size: 1440
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.37.1 00:50:56:c0:00:08 6 360 VMware, Inc.
192.168.37.2 00:50:56:e8:e0:56 6 360 VMware, Inc.
192.168.37.130 00:0c:29:b6:06:cc 6 360 VMware, Inc.
192.168.37.254 00:50:56:e2:44:f8 6 360 VMware, Inc.
3.2> 被动发现
主动ARP容易触发报警,所以也可以采用被动发现的方式发现网络中存活的主机;
root@root:~# netdiscover -p
Currently scanning: (passive) | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 2 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.37.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.37.130 00:0c:29:b6:06:cc 2 120 VMware, Inc.
(4)scapy
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> ARP().display() #显示ARP包中的信息
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:3e:df:60
psrc= 192.168.37.131
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
>>> arp=ARP()
>>> arp.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:3e:df:60
psrc= 192.168.37.131
hwdst= 00:00:00:00:00:00
pdst= 0.0.0.0
>>> arp.pdst="192.168.37.130"
>>> arp.display()
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= who-has
hwsrc= 00:0c:29:3e:df:60
psrc= 192.168.37.131
hwdst= 00:00:00:00:00:00
pdst= 192.168.37.130
>>> sr1(arp) #发包
Begin emission:
*Finished to send 1 packets.
Received 1 packets, got 1 answers, remaining 0 packets
>
>>> answer=sr1(arp)
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
>>> answer.display() #接收包,其中padding为部位,当包的大小小于最小包长时,就会采用16进制0补位
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:b6:06:cc
psrc= 192.168.37.130
hwdst= 00:0c:29:3e:df:60
pdst= 192.168.37.131
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'