Host Discovery Principles and Tool Usage - Security Tools Series

OSI and TCP/IP Models

The Internet is essentially a series of network protocols; this protocol suite is called OSI (Open Systems Interconnection).

Figure: OSI protocol

By function and division of responsibility the stack is conventionally split into seven layers; in practice some people divide it into five or four layers instead.

Figure: Network layering model

The function of each layer and the protocols it uses:

Figure: OSI layers and the protocols used

Layer 2 Host Discovery

Layer 2 host discovery uses the link-layer protocols of the OSI model to find hosts. Normally this means ARP (hosts on a local area network communicate using ARP, with the MAC address as the identifying address).

Advantages: 1. fast; 2. highly reliable
Disadvantage: cannot scan hosts on the far side of a router

Layer 2 Host Discovery Tools

arping

arping is an ARP-level ping tool. It can ping a MAC address directly and find out which computers are using which IP addresses. Drawback: it cannot probe several hosts at once.

Send a single ARP probe for an IP in the same subnet through the eth0 interface.

root@kali:~# arping -c 1 -i eth0  192.168.56.102
ARPING 192.168.56.102
60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=25.626 msec

--- 192.168.56.102 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 25.626/25.626/25.626/0.000 ms

Sometimes a host cannot be found from the local machine; in that case the ARP probe can be sent on behalf of the gateway or another machine (the -S option sets the source address placed in the request).

root@kali:~# arping -c 1 -S 192.168.56.0 192.168.56.102
ARPING 192.168.56.102
60 bytes from 0a:00:27:00:00:05 (192.168.56.102): index=0 time=19.355 msec

--- 192.168.56.102 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)
rtt min/avg/max/std-dev = 19.355/19.355/19.355/0.000 ms

netdiscover

Netdiscover is an active/passive ARP reconnaissance tool. It is especially useful on wireless networks that do not use DHCP. With netdiscover you can scan a network for IP addresses, either by checking hosts actively or by listening for the ARP requests they send.

Scan all hosts on the LAN with netdiscover

root@kali:~# netdiscover 

 Currently scanning: 192.168.50.0/16   |   Screen View: Unique Hosts                                                                                     
                                                                                                                                                         
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.102  0a:00:27:00:00:05      1      60  Unknown vendor  

Netdiscover in passive mode, listening on the given interface for all hosts in the given subnet

root@kali:~# netdiscover -p  -i eth1 -r 10.0.2.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                                           
                                                                                                                                                         
 4 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 240                                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.2.9        08:00:27:89:4b:13      2     120  PCS Systemtechnik GmbH                                                                                
 10.0.2.8        08:00:27:c4:40:af      2     120  PCS Systemtechnik GmbH 
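To make the Layer 2 mechanism concrete (it applies to both the arping and the netdiscover sections above), here is an added Python example; it is not code from the original post or from either tool. It builds the Ethernet/ARP "who-has" request that arping sends, parses ARP frames back into their fields, and then takes the passive viewpoint of netdiscover -p: a sender MAC that asks for many distinct IP addresses in one capture is flagged as a sweep. All MAC and IP addresses and the capture itself are constructed inside the block; nothing is sent on the wire.

```python
import struct
from collections import defaultdict

# Constants from RFC 826 / IEEE 802.3; addresses used below are constructed samples.
ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Build an Ethernet frame carrying an ARP packet.

    A 'who-has' request, as arping sends it, goes to the broadcast MAC with the
    target hardware address zeroed; a reply goes unicast back to the requester.
    """
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,            # hardware type: Ethernet
        0x0800,       # protocol type: IPv4
        6, 4,         # hardware / protocol address lengths
        op,
        mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
        mac_to_bytes(target_mac), ip_to_bytes(target_ip),
    )
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not an IPv4-over-Ethernet ARP frame."""
    if len(frame) < 14 + 28:
        return None
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha),
        "target_ip": bytes_to_ip(tpa),
    }


def detect_arp_sweeps(frames, threshold=16):
    """Passive detection: one sender MAC asking 'who-has' for many distinct IPs
    within a capture is the signature of an active Layer 2 sweep (arping in a
    loop, netdiscover in active mode). Returns {sender_mac: distinct_targets}
    for every sender at or above the threshold."""
    targets = defaultdict(set)
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt and pkt["op"] == ARP_REQUEST:
            targets[pkt["sender_mac"]].add(pkt["target_ip"])
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= threshold}


def sample_capture():
    """Constructed capture: one host sweeping 10.0.2.1-10.0.2.50, one ordinary
    host resolving its gateway, and the gateway's reply to it."""
    sweep = [build_arp_frame(ARP_REQUEST, "08:00:27:aa:bb:cc", "10.0.2.7", f"10.0.2.{i}")
             for i in range(1, 51)]
    normal = [build_arp_frame(ARP_REQUEST, "08:00:27:89:4b:13", "10.0.2.9", "10.0.2.1")]
    reply = [build_arp_frame(ARP_REPLY, "52:54:00:12:35:00", "10.0.2.1", "10.0.2.9",
                             target_mac="08:00:27:89:4b:13")]
    return sweep + normal + reply


if __name__ == "__main__":
    print(detect_arp_sweeps(sample_capture()))
```

The threshold is deliberately a parameter: on a busy segment a DHCP server or a monitoring box legitimately resolves many addresses, so it should be tuned per network rather than fixed at one value.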

Layer 3 Host Discovery

Layer 3 host discovery uses the network-layer protocols of the OSI model, typically ICMP.
Advantages: 1. can discover remote hosts, i.e. hosts behind a router; 2. relatively fast
Disadvantages: 1. frequently filtered by firewalls; 2. slower than Layer 2 discovery

Layer 3 Host Discovery Tools

ping

ping detects whether a host exists by means of ICMP echo requests and replies. It ships with both Linux and Windows. On Linux, ping keeps probing until stopped unless the -c option is given; on Windows it sends four probes by default.

root@kali:~# ping 192.168.56.102 -c 1
PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.
64 bytes from 192.168.56.102: icmp_seq=1 ttl=64 time=1.17 ms

--- 192.168.56.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.167/1.167/1.167/0.000 ms
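The echo request and reply that ping relies on are small enough to build by hand. The following Python block is an added example (not code from the post) that constructs an ICMP echo request with the RFC 1071 checksum, decodes replies and verifies their checksum, and also decodes the "destination unreachable" messages that show up later on this page in the fping and hping3 output. Identifiers, sequence numbers and payloads are constructed values; the code never opens a socket.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
# Codes 1 (host) and 3 (port) are the ones seen in the fping and hping3 output on this page.
UNREACHABLE_CODES = {0: "net", 1: "host", 3: "port"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data)//2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request as ping sends it: type 8, code 0, checksum computed
    with the checksum field zeroed."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes):
    """Decode an ICMP message after verifying its checksum.

    Returns a dict for an echo request/reply or a destination-unreachable
    message, and None if the packet is too short or the checksum is wrong."""
    if len(packet) < 8:
        return None
    if icmp_checksum(packet) != 0:  # a valid packet checksums to zero including its own checksum
        return None
    icmp_type, code = packet[0], packet[1]
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        ident, seq = struct.unpack("!HH", packet[4:8])
        kind = "echo_request" if icmp_type == ICMP_ECHO_REQUEST else "echo_reply"
        return {"type": kind, "id": ident, "seq": seq, "payload": packet[8:]}
    if icmp_type == ICMP_DEST_UNREACHABLE:
        return {"type": "dest_unreachable", "reason": UNREACHABLE_CODES.get(code, f"code {code}")}
    return {"type": f"icmp_type_{icmp_type}"}


def build_echo_reply(request: bytes) -> bytes:
    """What a host that answers ping sends back: type 0 with the same id, seq and payload."""
    req = parse_icmp(request)
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, req["id"], req["seq"])
    csum = icmp_checksum(header + req["payload"])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, req["id"], req["seq"]) + req["payload"]


def build_host_unreachable(original_ip_header_and_8: bytes) -> bytes:
    """What a router sends when it cannot reach the target (the 'ICMP Host
    Unreachable from 10.0.2.7' lines in the fping output): type 3, code 1,
    followed by the offending IP header plus 8 bytes of its payload."""
    header = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, 1, 0, 0)
    csum = icmp_checksum(header + original_ip_header_and_8)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, 1, csum, 0) + original_ip_header_and_8
```

Because the checksum covers the whole message, parse_icmp can reject a corrupted reply outright; the unreachable message is what turns a silent timeout into the "is unreachable" verdict that fping prints.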

fping

fping is similar to ping; the difference is that it can probe many hosts at the same time.

fping probing several IPs

root@kali:~# fping -4 -a  10.0.2.8 10.0.2.9 10.0.2.10
10.0.2.8
10.0.2.9
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10

fping probing several IPs listed in a text file

root@kali:~# cat ips.txt
10.0.2.8
10.0.2.9
10.0.2.10
root@kali:~# fping -4 -f ips.txt
10.0.2.8 is alive
10.0.2.9 is alive
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
10.0.2.10 is unreachable

fping probing a whole subnet or an IP range

root@kali:~# fping  -c 1  -4 -g 10.0.2.0/24 > result.txt 
...
root@kali:~# cat result.txt 
10.0.2.1   : [0], 84 bytes, 0.19 ms (0.19 avg, 0% loss)
10.0.2.2   : [0], 84 bytes, 1.46 ms (1.46 avg, 0% loss)
10.0.2.7   : [0], 84 bytes, 0.02 ms (0.02 avg, 0% loss)
10.0.2.8   : [0], 84 bytes, 0.22 ms (0.22 avg, 0% loss)
10.0.2.9   : [0], 84 bytes, 0.24 ms (0.24 avg, 0% loss)

root@kali:~# fping  -a  -4 -g 10.0.2.7 10.0.2.10
10.0.2.7
10.0.2.8
10.0.2.9
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
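As an added example, not taken from the post or from fping itself: a Python block that reproduces how -g expands a CIDR or a start/end pair into targets, parses both output styles shown above into a host table, and then does the defender's follow-up of comparing the hosts that answered against an asset inventory. The sample output strings inside it are constructed after the runs above, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample output modelled on the fping runs above.
SAMPLE_COUNT_OUTPUT = """\
10.0.2.1   : [0], 84 bytes, 0.19 ms (0.19 avg, 0% loss)
10.0.2.2   : [0], 84 bytes, 1.46 ms (1.46 avg, 0% loss)
10.0.2.8   : [0], 84 bytes, 0.22 ms (0.22 avg, 0% loss)
"""

SAMPLE_FILE_OUTPUT = """\
10.0.2.8 is alive
10.0.2.9 is alive
ICMP Host Unreachable from 10.0.2.7 for ICMP Echo sent to 10.0.2.10
10.0.2.10 is unreachable
"""


def expand_targets(*args):
    """Mirror what fping -g does with its arguments: one CIDR expands to the
    usable addresses (network and broadcast excluded); two addresses expand to
    the inclusive range between them."""
    if len(args) == 1:
        net = ipaddress.ip_network(args[0], strict=False)
        return [str(h) for h in net.hosts()]
    if len(args) == 2:
        start, end = (ipaddress.ip_address(a) for a in args)
        return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
    raise ValueError("expected a CIDR or a start and end address")


COUNT_LINE = re.compile(r"^(?P<ip>[\d.]+)\s*:\s*\[(?P<seq>\d+)\],\s*(?P<bytes>\d+) bytes,\s*(?P<rtt>[\d.]+) ms")
ALIVE_LINE = re.compile(r"^(?P<ip>[\d.]+) is (?P<state>alive|unreachable)$")
UNREACH_LINE = re.compile(r"^ICMP Host Unreachable from (?P<router>[\d.]+) for ICMP Echo sent to (?P<ip>[\d.]+)$")


def parse_fping(output: str):
    """Turn fping output (either the -c style or the 'is alive' style) into
    {ip: {"state": ..., "rtt_ms": ..., "reported_by": ...}}."""
    hosts = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := COUNT_LINE.match(line):
            hosts[m["ip"]] = {"state": "alive", "rtt_ms": float(m["rtt"]), "reported_by": None}
        elif m := ALIVE_LINE.match(line):
            entry = hosts.setdefault(m["ip"], {"state": None, "rtt_ms": None, "reported_by": None})
            entry["state"] = m["state"]
        elif m := UNREACH_LINE.match(line):
            entry = hosts.setdefault(m["ip"], {"state": "unreachable", "rtt_ms": None, "reported_by": None})
            entry["reported_by"] = m["router"]  # the router that answered on the target's behalf
        # anything else (banners, summaries) is ignored
    return hosts


def unexpected_hosts(sweep, inventory):
    """Defender's use of a sweep: hosts that answered but are not in the asset
    inventory deserve a look (rogue device, forgotten VM, misconfigured DHCP)."""
    return sorted(ip for ip, info in sweep.items() if info["state"] == "alive" and ip not in inventory)
```

Note that a host absent from the table is not proven down: ICMP is often filtered (as the Layer 3 section says), so the inventory comparison only flags hosts that did answer, never the reverse.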

hping3

hping3 supports TCP, UDP, ICMP and raw IP, has a traceroute mode, can transfer files over covert channels, and offers many other features; its API can be driven from Tcl scripts. Its distinguishing feature is sending custom-built ICMP packets.

Probe a host over ICMP with hping3

root@kali:~# hping3 -c 1 --icmp 10.0.2.9 
HPING 10.0.2.9 (eth1 10.0.2.9): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.0.2.9 ttl=64 id=14501 icmp_seq=0 rtt=9.5 ms

--- 10.0.2.9 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.5/9.5/9.5 ms

Port scanning. hping3 lets you set each TCP flag, the length and other fields individually.

Parameter   Description
-I eth0     use interface eth0
-S          set the SYN flag in the TCP packet
-p 68       destination port to probe, here 68

root@kali:~# hping3 -c 1 -I eth1 -S  10.0.2.9  -p 68
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
len=46 ip=10.0.2.9 ttl=64 DF id=62866 sport=68 flags=RA seq=0 win=0 rtt=7.5 ms

--- 10.0.2.9 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.5/7.5/7.5 ms
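What the flags=RA line above means becomes clear when the segment is decoded. The Python block below is an added example (not from the post or from hping3) that lays out a 20-byte TCP header with chosen flags, checksums it over the IPv4 pseudo-header, parses it back, and classifies the reply to a SYN probe the way the output has to be read: SA for an open port, RA with win=0 for a closed port, no reply at all for a filtered port or a host that is down. Addresses, ports and sequence numbers are constructed; no packets are sent.

```python
import struct

TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum, shared by IP, ICMP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data)//2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def flags_to_bits(flags: str) -> int:
    return sum(TCP_FLAGS[f] for f in flags)


def bits_to_flags(bits: int) -> str:
    # Letter order chosen so a SYN/ACK prints as "SA" and a RST/ACK as "RA", like the hping3 output.
    return "".join(letter for letter in "RSAFPU" if bits & TCP_FLAGS[letter])


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=512):
    """Minimal 20-byte TCP header with the given flags, checksummed over the
    IPv4 pseudo-header exactly as the receiving stack will verify it. A lone
    SYN built this way has the shape of the segment hping3 -S sends."""
    data_offset = 5 << 4  # 5 words, no options
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags_to_bits(flags), window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 6, len(hdr))
    csum = inet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(src_ip, dst_ip, segment: bytes):
    """Decode ports, sequence numbers and flags of a TCP segment after
    verifying its checksum against the pseudo-header; None on failure."""
    if len(segment) < 20:
        return None
    pseudo = struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 6, len(segment))
    if inet_checksum(pseudo + segment) != 0:
        return None
    sport, dport, seq, ack, _off, bits, window = struct.unpack("!HHIIBBH", segment[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": bits_to_flags(bits), "window": window}


def classify_probe_response(response):
    """How the reply to a SYN probe is read (compare the hping3 output above):
    SA means host up and port open; RA (win=0) means host up and port closed;
    no reply means the port is filtered or the host is down."""
    if response is None:
        return "no reply: filtered or host down"
    if response["flags"] == "SA":
        return "host up, port open"
    if response["flags"] == "RA":
        return "host up, port closed"
    return f"host up, unexpected flags {response['flags']}"


def simulate_closed_port_reply(probe, src_ip, dst_ip):
    """Constructed reply a stack sends to a SYN on a closed port: RST/ACK with
    ack = probe.seq + 1 and window 0 (matching 'flags=RA ... win=0' above)."""
    p = parse_tcp_header(src_ip, dst_ip, probe)
    return build_tcp_header(dst_ip, src_ip, p["dport"], p["sport"], "RA", seq=0, ack=p["seq"] + 1, window=0)
```

The pseudo-header is the reason a segment whose IP addresses were altered in transit fails verification: parse_tcp_header with the wrong address pair returns None even though the 20 header bytes are untouched.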

Denial of service, for instance launching a large number of SYN connections at the target while spoofing the source address as 10.0.2.8 and sending the SYN packets 1000 microseconds apart. Other attacks such as smurf, teardrop and land attack are just as easy to construct.

root@kali:~# hping3 -I eth1 -a 10.0.2.8 -S 10.0.2.9 -p 68 -i u1000
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
^C
--- 10.0.2.9 hping statistic ---
3020 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Land attack (a Land attack sets the source address equal to the destination address, tricking the target into endlessly establishing connections with itself)

root@kali:~# hping3 -S -c 1000000 -a 10.0.2.9 -p 53 10.0.2.9
HPING 10.0.2.9 (eth1 10.0.2.9): S set, 40 headers + 0 data bytes
^C
--- 10.0.2.9 hping statistic ---
36 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

hping3 can also be used to test firewall rules: how the firewall reacts to ICMP packets, whether it allows traceroute, whether a given port is open, how it holds up under a denial-of-service (DoS) test, and so on.

Layer 4 Host Discovery

Layer 4 discovery uses the transport-layer protocols of the OSI model, typically TCP and UDP probes.

Advantages: 1. can probe remote hosts; 2. more reliable than Layer 3 discovery
Disadvantage: takes longer

Layer 4 Host Discovery Tools

Nmap

Nmap can perform Layer 2, 3 and 4 discovery and is extremely powerful.
-sn: ping probing
--traceroute: Layer 2 discovery

root@kali:~# nmap  10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:34 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00041s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
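Nmap's normal output, as shown above, is easy to turn into data, and for a defender the useful step after a scan is comparing it with what is supposed to be exposed. The Python block below is an added example (not from the post and not part of Nmap) that parses this output format into per-host port tables and diffs them against a baseline of expected open ports, reporting new exposure and missing services. The scan text embedded in it is a constructed, shortened version of the report above, with a second host made up for the example.

```python
import re

# Constructed sample in nmap's normal-output format (trimmed copy of the report above plus a made-up second host).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:34 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00041s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
445/tcp  open  microsoft-ds
3306/tcp open  mysql
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)

Nmap scan report for 10.0.2.3
Host is up (0.00050s latency).
All 1000 scanned ports on 10.0.2.3 are closed
MAC Address: 08:00:27:CF:7A:BB (Oracle VirtualBox virtual NIC)

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.63 seconds
"""

REPORT_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<vendor>.*)\))?")
UP_LINE = re.compile(r"^Host is up")


def parse_nmap_output(text: str):
    """Parse nmap normal output into
    {host: {"up": bool, "mac": str|None, "vendor": str|None,
            "ports": {(port, proto): (state, service)}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := REPORT_LINE.match(line):
            current = hosts.setdefault(m["host"], {"up": False, "mac": None, "vendor": None, "ports": {}})
        elif current is None:
            continue  # banner lines before the first report
        elif UP_LINE.match(line):
            current["up"] = True
        elif m := PORT_LINE.match(line):
            current["ports"][(int(m["port"]), m["proto"])] = (m["state"], m["service"])
        elif m := MAC_LINE.match(line):
            current["mac"], current["vendor"] = m["mac"].lower(), m["vendor"]
    return hosts


def compare_with_baseline(scan, baseline):
    """baseline = {host: set of (port, proto) expected to be open}. Returns,
    per host, open ports the baseline does not list (new exposure) and
    expected ports that were not seen open (service down or now filtered)."""
    findings = {}
    for host, info in scan.items():
        open_ports = {p for p, (state, _) in info["ports"].items() if state == "open"}
        expected = baseline.get(host, set())
        unexpected, missing = open_ports - expected, expected - open_ports
        if unexpected or missing:
            findings[host] = {"unexpected_open": sorted(unexpected), "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    result = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    print(compare_with_baseline(result, {"10.0.2.5": {(22, "tcp"), (80, "tcp")}}))
```

For anything beyond a one-off check, Nmap's -oX XML output is the more stable format to parse; the text parser here is enough to show the baseline idea on the report as printed.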

hping3

hping3 can also be used for Layer 4 host discovery

root@kali:~# hping3 -c 1 --udp 10.0.2.5
HPING 10.0.2.5 (eth1 10.0.2.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.0.2.5 name=UNKNOWN   
status=0 port=1356 seq=0

--- 10.0.2.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 14.5/14.5/14.5 ms

Using a Python script

Using a host discovery script shared on GitHub: https://github.com/Cyber-Forensic/nWatch

root@kali:~/Desktop# git clone https://github.com/Cyber-Forensic/nWatch.git
Cloning into 'nWatch'...
remote: Enumerating objects: 80, done.
remote: Total 80 (delta 0), reused 0 (delta 0), pack-reused 80
Unpacking objects: 100% (80/80), done.
root@kali:~/Desktop# cd nWatch/
root@kali:~/Desktop/nWatch# pip install python-nmap
Collecting python-nmap
  Downloading https://files.pythonhosted.org/packages/dc/f2/9e1a2953d4d824e183ac033e3d223055e40e695fa6db2cb3e94a864eaa84/python-nmap-0.6.1.tar.gz (41kB)
    100% |████████████████████████████████| 51kB 59kB/s 
Building wheels for collected packages: python-nmap
  Running setup.py bdist_wheel for python-nmap ... done
  Stored in directory: /root/.cache/pip/wheels/bb/a6/48/4d9e2285291b458c3f17064b1dac2f2fb0045736cb88562854
Successfully built python-nmap
Installing collected packages: python-nmap
Successfully installed python-nmap-0.6.1
root@kali:~/Desktop/nWatch# python nwatch.py 

         888       888          888            888      
         888   o   888          888            888      
         888  d8b  888          888            888      
    88888b.  888 d888b 888  8888b.  888888 .d8888b 88888b.  
    888 "88b 888d88888b888     "88b 888   d88P"    888 "88b 
    888  888 88888P Y88888 .d888888 888   888      888  888 
    888  888 8888P   Y8888 888  888 Y88b. Y88b.    888  888 
    888  888 888P     Y888 "Y888888  "Y888 "Y8888P 888  888 

                    [&] Created by suraj (#r00t)
[+] Started at 22:47:35
[*] Choose a network interface

------------------------------------------------------------------------------------------
| Sl-no | Interface name |     IPv4-address     |              IPv6-address              |
------------------------------------------------------------------------------------------
|   1   |       lo       |      127.0.0.1       |                  ::1                   |<= DO NOT USE LOCALHOST
|   2   |      eth1      |       10.0.2.7       |        fe80::a00:27ff:fec2:3234        | 
|   3   |      eth0      |    192.168.56.103    |        fe80::a00:27ff:fee9:b184        | 
------------------------------------------------------------------------------------------
choose an interface> 2
[*] Interface => eth1
[*] Scanning subnet(10.0.2.7/24) on eth1 interface
------------
| 10.0.2.5 |
------------
      |_ MAC : 08:00:27:87:7b:b0
      |_ Hostname : -unknown-
      |_ State : up
      |_ Ports
      | [+] Protocol : tcp
      |     Port        State
      |     ====        =====
      |     21      open
      |     22      open
      |     23      open
      |     25      open
      |     53      open
      |     80      open
      |     111     open
      |     139     open
      |     445     open
      |     512     open
      |     513     open
      |     514     open
      |     1099        open
      |     1524        open
      |     2049        open
      |     2121        open
      |     3306        open
      |     5432        open
      |     5900        open
      |     6000        open
      |     6667        open
      |     8009        open
      |     8180        open
      |_ OS fingerprinting
        [+] Name : Linux 2.6.9 - 2.6.33 (accuracy 100%)
------------
| 10.0.2.3 |
------------
      |_ MAC : 08:00:27:cf:7a:bb
      |_ Hostname : -unknown-
      |_ DHCP server : True
      |_ State : up
      |_ Ports : -none-
      |_ OS fingerprinting
------------
| 10.0.2.2 |
------------
      |_ MAC : 52:54:00:12:35:00
      |_ Hostname : -unknown-
      |_ State : up
      |_ Ports
      | [+] Protocol : tcp
      |     Port        State
      |     ====        =====
      |     135     open
      |     445     open
      |     8081        open
      |_ OS fingerprinting
        [+] Name : Grandstream GXP1105 VoIP phone (accuracy 90%)
        [+] Name : FireBrick FB2700 firewall (accuracy 87%)
        [+] Name : Garmin Virb Elite action camera (accuracy 87%)
        [+] Name : 2N Helios IP VoIP doorbell (accuracy 87%)
------------
| 10.0.2.1 |
------------
      |_ MAC : 52:54:00:12:35:00
      |_ Hostname : -unknown-
      |_ State : up
      |_ Ports
      | [+] Protocol : tcp
      |     Port        State
      |     ====        =====
      |     53      open
      |_ OS fingerprinting
        [+] Name : Grandstream GXP1105 VoIP phone (accuracy 98%)
        [+] Name : Garmin Virb Elite action camera (accuracy 94%)
        [+] Name : 2N Helios IP VoIP doorbell (accuracy 93%)
        [+] Name : NodeMCU firmware (lwIP stack) (accuracy 93%)
        [+] Name : Philips Hue Bridge (lwIP stack v1.4.0) (accuracy 92%)
        [+] Name : Rigol DSG3060 signal generator (accuracy 92%)
        [+] Name : Ocean Signal E101V emergency beacon (FreeRTOS/lwIP) (accuracy 91%)
        [+] Name : Espressif esp8266 firmware (lwIP stack) (accuracy 91%)
        [+] Name : lwIP 1.4.0 lightweight TCP/IP stack (accuracy 91%)
        [+] Name : Sony PlayStation 2 game console (accuracy 91%)

[*] Scanning took 171 seconds, task completed at 22:50:33.
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

  • 個人認為,Goodboy1881先生的TCP /IP 協(xié)議詳解學習博客系列博客是一部非常精彩的學習筆記,這雖然只是...
    貳零壹柒_fc10閱讀 5,193評論 0 8
  • 后期整理字體以及排版問題,修訂不適合的翻譯 “A wealth of information. Smart, ye...
    iamzzz閱讀 830評論 0 0
  • 簡介 用簡單的話來定義tcpdump,就是:dump the traffic on a network,根據(jù)使用者...
    JasonShi6306421閱讀 1,347評論 0 1
  • 簡介 用簡單的話來定義tcpdump,就是:dump the traffic on a network,根據(jù)使用者...
    保川閱讀 6,078評論 1 13
  • TCP/IP概述 TCP/IP起源于1969年美國國防部(DOD:The United States Depart...
    zhf_Zachariah閱讀 5,911評論 6 114

友情鏈接更多精彩內(nèi)容