主机枚举

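# hping3 SYN scan (-S) of the listed ports against a single host
hping3 --scan 端口 -S 域名/IP地址
# hping3 SYN flood (--flood) with randomised source addresses (--rand-source):
# this only generates traffic and returns no enumeration result, unlike the scan above
hping3 -S --flood --rand-source -p 端口 IP地址/域名
# aggressive scan (-A: OS and version detection, default scripts, traceroute) at T4 timing
nmap -A -T4 IP地址/域名
# trailing notes use '#' so they are shell comments rather than extra nmap arguments
nmap -T4 -p 1-65535 IP地址/域名  # full TCP port range
nmap -T4 IP地址/域名 --spoof-mac 0  # spoofed (random) source MAC address
nmap -T4 -f IP地址/域名  # fragmented probe packets
nmap -D IP地址1,IP地址2,...... IP/域名  # decoy source addresses, the scanner's own address placed among them
nmap -D RND 随机IP地址数量 IP/域名  # randomly generated decoy addresses
# the options above combined (the original notes call this the "high-stealth" scan):
# SYN scan (-sS) with version detection (-sV) over all ports, no reverse DNS (-n),
# padded probes (--data-length 24), results written in every format (-oA) to 文本文件
nmap --spoof-mac 0 --data-length 24 -T4 -f --mtu 16 -D RND -sS -sV -p 1-65535 -n -oA 文本文件 IP/域名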

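# Scan a range and keep only hosts that have at least one open port (--open),
# writing greppable output (-oG) to ./scan
nmap IP地址段 --open -oG scan
# In -oG output a host line looks like "Host: <addr> () Ports: <port>/open/...";
# filter those lines and take the second space-separated field (the address).
# grep reads the file directly (no "cat | grep" pipeline needed).
grep "/open" scan | cut -d " " -f 2 > active
# ./active now lists addresses with open ports in the range.
# Note: because of --open this is "hosts with an open port", not every host that responded.
cat active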

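# Check the state of a few web ports across the range, one nmap run per port:
# -Pn skips host discovery, --max-retries 0 sends each probe once,
# --host-timeout 201 gives up on a host after 201 (nmap reads an unsuffixed value
# as seconds — append "ms" if milliseconds were intended; confirm against the installed nmap).
for port in 80 8080 443; do
  nmap -Pn --host-timeout 201 --max-retries 0 -p "$port" IP地址段
done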

ICMP

# single ICMP echo request to one host (-c 1)
ping -c 1 192.168.1.1 
# fping: -g expands the CIDR into individual targets
# NOTE(review): 199.168.1.0/24 is presumably a typo for 192.168.1.0/24 used elsewhere in this file — confirm
fping -g 199.168.1.0/24
# nmap host discovery only (-sP, the older spelling of -sn) using ICMP echo (-PE)
# and ICMP netmask (-PM) requests; -n skips reverse DNS lookups
nmap -PEPM -sP -n 192.168.1.0/24 

Masscan

# masscan over a /24 for a set of common service ports;
# -p takes a comma-separated list in which entries may be ranges (e.g. 21-23)
masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 192.168.1.0/24
# narrower, web-oriented port set (80, 443, 8000-8100, 8443)
masscan -p80,443,8000-8100,8443 192.168.1.0/24

内部主机扫描

# netdiscover: ARP-based discovery of hosts on the chosen interface (-i); the options are listed below
netdiscover -i [interface]

选项:
  -i device: your network device
  -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
  -l file: scan the list of ranges contained into the given file
  -p passive mode: do not send anything, only sniff
  -m file: scan the list of known MACs and host names
  -F filter: Customize pcap filter expression (default: "arp")
  -s time: time to sleep between each arp request (milliseconds)
  -n node: last ip octet used for scanning (from 2 to 253)
  -c count: number of times to send each arp request (for nets with packet loss)
  -f enable fastmode scan, saves a lot of time, recommended for auto
  -d ignore home config files for autoscan and fast mode
  -S enable sleep time suppression between each request (hardcore mode)
  -P print results in a format suitable for parsing by another program
  -N Do not print header. Only valid when -P is enabled.
  -L in parsable output mode (-P), continue listening after the active scan is completed
  
----

# Active mode: ARP requests are sent to the given range (-r) on interface eth0
netdiscover -i eth0 -r 192.168.1.0/24

# Read the ranges to scan from a file (-l) instead of the command line
netdiscover -l <file containing ranges>

# Passive mode (-p): nothing is sent, ARP traffic is only sniffed; -r is optional here
netdiscover -p -r <range,optional>
# p0f passive fingerprinting: listen on eth0 in promiscuous mode (-p) and log to /tmp/p0f.log (-o).
# A fixed file name in the shared /tmp directory can be pre-created or clobbered by other local
# users — a directory writable only by the running user is the safer place for the log.
p0f -i eth0 -p -o /tmp/p0f.log
Bettercap

1.
# Passive discovery: this module reads the host's own ARP cache and does not itself send probes
net.recon on/off #Read local ARP cache periodically
# list the hosts discovered so far
net.show
set net.show.meta true #more info

2.
# Legacy (bettercap 1.x) command-line form; the net.* commands in steps 1 and 3 are the
# 2.x interactive syntax — confirm which version is installed before using this line
bettercap -X --proxy --proxy-https -T <target IP>

3.
# Active discovery: sends probes on the local subnet; each protocol can be toggled with the
# net.probe.* settings below, and throttle is the spacing between probes in milliseconds
net.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD
set net.probe.mdns true/false #Enable mDNS discovery probes (default=true)
set net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)
set net.probe.upnp true/false #Enable UPNP discovery probes (default=true)
set net.probe.wsd true/false #Enable WSD discovery probes (default=true)
set net.probe.throttle 10 #10ms between probes sent (default=10)
Responder

# Analyze mode (-A): listen on eth0 and log the name-resolution requests seen on the segment
# without answering them — the non-intrusive setting for auditing what hosts broadcast
responder -I eth0 -A 
# Active mode with -w (WPAD proxy), -r (answer NetBIOS wredir queries) and -f (fingerprint
# hosts that issued queries); unlike -A this answers requests on the segment
responder -I eth0 -wrf