【安全牛學習筆記】UDP埠掃描
ICMP port-unreachable
python指令碼:
#! /usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import time
import sys
if len(sys.argv) != 4:
print "Usage ./udp_scan.py [Target-IP] [First Port] [End Port]"
sys.exit()
ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])
for port in range(start, end):
a = sr1(IP(dst = ip)/UDP(dport = port), timeout = 5, verbose = 0)
time.sleep(1)
if a == None:
print port
else:
pass
nmap -sU 1.1.1.1 預設1000個埠,udp掃描
nmap 1.1.1.1 -sU -p 53 53埠
nmap -iL iplist.txt -sU -p 1-200
隱蔽掃描:只發送SYS包,返回ACK,SYS包則開放,應用層日誌不會記錄,網路層日誌可能記錄
殭屍掃描:極其隱蔽,條件苛刻,掃描發起方可以地址偽造,必須要有殭屍機(機器閒置,但不被控制,作業系統IPID遞增,在IP包頭裡的ID欄位,linux與windows系統的ID隨機產生,早期的wndows系統是順序產生的),有掃描發起者向殭屍機發送SYN,ACK包,TCP協議會返回RST,包的IPID等於x時,掃描者向目標伺服器傳送SYN包,傳送時IP偽造為殭屍機,埠開放的話會向殭屍機發送SYN,ACK,殭屍機返回RST包,IPID為x+1,掃描者再向殭屍機發送SYN,ACK包,殭屍機返回RST包,IPID為x+2。如果埠未開放,返回RST包給殭屍機,掃描者再次向殭屍機發送SYN,ACK包返回RST,IPID為x+1.
SYN,ACK,flag值為18
Windows,445埠開放,防火牆會組織埠探測
隱蔽埠掃描:
nmap -sS 1.1.1.1 -p 80,21,25,110,443
nmap -sS 1.1.1.1 -p 1-65535 --open
nmap -sS 1.1.1.1 -p - --open 全埠
nmap -sS -iL iplist.txt -p 80,21,22,23
hping3 1.1.1.1 --scan 80 -S
hping3 1.1.1.1 --scan 80,21,25,443 -S
hping3 1.1.1.1 --scan 0-65535 -S
hping3 -c 10 -S --spoof 1.1.1.2 -p ++1 1.1.1.3 偽造ip為1.1.1.2,從1號埠開始每次加一,目標為1.1.1.3
全連線埠掃描:
指令碼:
#! /usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
response = sr1(IP(dst = "192.168.1.2")/TCP(dport = 80, flags = "S"))
reply = sr1(IP(dst = "192.168.1.2")/TCP(dport = 80, flags = "A", ack = (response[TCP].seq+1)))
由於作業系統自動返回的RST包,建立三次握手失敗
iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.20.2 -j DROP 禁用向192.168.20.2傳送的RST包
iptables -L iptables的規則
nmap全連線掃描
nmap -sT 1.1.1.1 -p 80
nmap -sT 1.1.1.1 -p 80,21,25
nmap -sT 1.1.1.1 -p 80-2000
nmap -sT -iL iplist.txt -p 80
dmitry工具
dmitry -p 172.16.36.135
dmitry -p 172.16.36.135 -o output
nc工具
nc -nv -w 1 -z 192.168.60.4 1-100 -w超時,-z掃描模式
for x in $(seq 20 30); do nc -nv -w 1 -z 1.1.1.1 $x; done | grep open
for x in $(seq 1 254); do nc -nv -w 1 -z 1.1.1.$x 80; done
殭屍掃描:
send()命令發包不接收,sr1()發包接收
指令碼:
#! /usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import time
import sys
def ipid(zombie):
reply1=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
send(IP(dst=zombie)/TCP(flags="SA"))
reply2=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
if reply2[IP].id==(reply1[IP].id+2):
print"IPID sequence is incremental and target seems to be idel, ZOMBIE LOCATED"
response=raw_input("Do you want to use this zombie to perform a scan?(Y/N): ")
if(response=='Y'):
target=raw_input("Enter the IP address of the target: ")
zombiescan(target, zombie)
else:
print"IPID sequence is not incremental and target is not idel, ZOMBIE NOT FOUND"
def zombiescan(target, zombie):
print"\nScanning target "+target+" with the zombie "+zombie
print"\n------Open Ports On Target------\n"
for port in range(1,1000):
try:
start_val=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
send(IP(src=zombie,dst=target)/TCP(flags="S",dport=port),verbose=0)
end_val=sr1(IP(dst=zombie)/TCP(flags="SA"),timeout=2,verbose=0)
if end_val[IP].id==(start_val[IP].id+2):
print port
except:
pass
print"------Zombie Scan Suite------\n"
print"1.Identify Zombie Host\n"
print"2.Perform Zombie Scan\n"
ans=raw_input("Select One Option: ")
if ans=="1":
zombie=raw_input("Enter the IP address the test IPID: ")
ipid(zombie)
else:
if ans=="2":
zombie=raw_input("Enter the IP address of zombie host: ")
target=raw_input("Enter the IP address of target host: ")
zombiescan(target,zombie)
smb檔案共享139,445埠,windows開放
nmap殭屍掃描
發現殭屍機:nmap -p445 192.168.1.105 --script=ipidseq.nse
殭屍掃描:nmap 192.168.1.107 -sI 192.168.1.105 -Pn -p 0-100-sI指定殭屍機
ftp21埠