Discovery Scanning
1、NetDiscover performs layer 2 (ARP) discovery
the command: netdiscover -r 192.168.2.0/24 , or with an input list of targets: netdiscover -l iplist.txt
2、Active ARP discovery is easy to notice: broadcasting an ARP request for every address in an entire subnet can trigger alerts or responses from security devices such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
A stealthier approach is to listen for ARP traffic as the scanning system naturally interacts with other systems on the network and record the addresses seen in the ARP replies. This passive technique is selected with the -p option. It sends nothing, so it is slower and only reveals hosts that happen to talk while you listen, but it is often the right choice on wireless networks. Passive mode takes no target range, only the interface to listen on:
netdiscover -p -i eth0
3、use the auxiliary module in Metasploit
start the console with msfconsole, then load the ARP sweep module and list the options that need to be configured:
use auxiliary/scanner/discovery/arp_sweep
show options
4、As with the ARPing approach, the string "bytes from" is only present in output lines associated with a live IP address, and that line also contains the address itself. In the same fashion we can extract the address from any successful ping reply with a combination of grep and cut:
ping 192.168.1.1 -c 3 | grep "bytes from"
ping 192.168.1.1 -c 3 | grep "bytes from" | cut -d " " -f 4
ping 192.168.1.1 -c 3 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
(the fourth space-separated field of a reply line is "192.168.1.1:", so the second cut strips the trailing colon)
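The grep/cut pipeline above extracts one host at a time. The script below, an added example that is not part of the original post, turns it into a /24 sweep and hardens the extraction against two cases the fixed-field cut gets wrong: ICMP errors relayed by a router, which some ping builds also print as "bytes from", and replies printed with a resolved hostname, where field 4 is the name rather than the address. It assumes a Linux iputils ping (-W is a timeout in seconds) and a POSIX awk; the sample ping output in the comments is constructed.

```shell
#!/bin/sh
# Parse ping output and print only the addresses that answered an echo request.
# An echo-reply line looks like (constructed sample):
#   64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.512 ms
# Two pitfalls of a plain grep "bytes from" | cut -d " " -f 4:
#   - some ping builds print ICMP errors relayed by a router in the same shape
#     ("92 bytes from 192.168.1.254: Destination Host Unreachable"), which would
#     report the router as a live target; only real echo replies carry a ttl= field
#   - when ping resolves a name, field 4 is the name, not the address
#     ("64 bytes from gw.lan (192.168.1.7): ..."), so we take the first dotted
#     quad on the line instead of a fixed field
live_hosts_from_ping() {
    awk '/bytes from/ && /ttl=/ {
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            print substr($0, RSTART, RLENGTH)
    }' | sort -u
}

# Sweep a /24: one echo request per address, all launched in parallel, with a
# one second wait for the reply. $1 is the first three octets, e.g. 192.168.1
ping_sweep() {
    prefix=$1
    {
        for i in $(seq 1 254); do
            ping -c 1 -W 1 "$prefix.$i" 2>/dev/null &
        done
        wait
    } | live_hosts_from_ping
}

# usage: ./ping_sweep.sh 192.168.1
if [ $# -eq 1 ]; then
    ping_sweep "$1"
fi
```

Launching the pings in the background makes the whole /24 take about one timeout instead of 254 of them; the parser only sees output once every ping has exited, so the result is a clean, sorted, de-duplicated list suitable for piping into the nmap -iL or fping -f forms used later on this page.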
5、using Nmap to perform layer 3 discovery
ICMP ping scan: nmap -sn [ip] ; to read the targets from a file instead: nmap -iL iplist.txt -sn
(note that -sn run as root is not ICMP only: on the local segment Nmap falls back to ARP, and for remote targets it combines ICMP echo, ICMP timestamp, a TCP SYN to port 443 and a TCP ACK to port 80. For a pure ICMP echo sweep use nmap -sn -PE --disable-arp-ping [ip])
6、fping and hping3
unlike the standard ping utility, fping stops sending ICMP echo requests to an address as soon as it receives a single reply; if no response is received, fping makes four attempts (the initial request plus three retries) before reporting the host as unreachable.
use the -g option to generate the list of addresses dynamically. To scan a range, pass both the first and the last address of the desired sequential range: fping -g 192.168.1.0 192.168.1.11 , or give the range in CIDR notation: fping -g 192.168.1.0/24 . fping can also take its targets from an input text file with the -f option followed by the filename or path: fping -f iplist.txt . Adding -a -q prints only the alive addresses and suppresses the per-host error lines, which is the most useful form for feeding the result into other tools.
the other tool is hping3, which is capable of performing discovery at both layer 3 and layer 4. ICMP mode is selected with --icmp: hping3 192.168.1.1 --icmp . hping3 keeps sending until interrupted, so include the -c option with an integer value giving the desired number of attempts:
hping3 192.168.1.1 --icmp -c 2
7、using Scapy to perform layer 4 discovery
a TCP ACK packet sent to a live host on any port, regardless of the port's state, is answered with an RST, whereas no response at all comes back from an address with no live host behind it. This lets us perform discovery across a large number of systems by interacting with only a single port on each one. With a short Scapy script we send one ACK to one TCP port on every host in the range, evaluate the response from each, and print the list of live addresses. The caveat is that a stateful firewall silently drops unsolicited ACKs, so a host behind one produces no RST and is missed; combine this with the ARP or ICMP methods above when that is a possibility.
eg :
#!/usr/bin/python
import logging
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

if len(sys.argv) != 2:
    print("Usage - ./ACK_Ping.py [/24 network address]")
    print("Example - ./ACK_Ping.py 192.168.1.2")
    print("Example will perform a TCP ACK ping scan of the 192.168.1.0/24 range")
    sys.exit()

address = str(sys.argv[1])
# keep the first three octets of the supplied address as the /24 prefix
prefix = address.split('.')[0] + '.' + address.split('.')[1] + '.' + address.split('.')[2] + '.'
for addr in range(1, 255):
    # one ACK to TCP/80; a live host answers with RST whether the port is open or closed
    response = sr1(IP(dst=prefix + str(addr)) / TCP(dport=80, flags='A'), timeout=1, verbose=0)
    try:
        if int(response[TCP].flags) == 4:   # 0x04 is the RST flag
            print(prefix + str(addr))
    except:
        # no response (None) or a non-TCP reply: treat the address as not live
        pass
after saving the script, make it executable and run it with an address in the network to scan as its only argument: chmod +x ACK_Ping.py ; ./ACK_Ping.py 192.168.1.2 (Scapy needs root privileges to send raw packets)
8、using Nmap to perform layer 4 discovery
to perform a discovery scan with UDP, use -PU together with the port to probe: nmap 192.168.2.1 -PU53 -sn . The same scan against an address list: nmap -iL iplist.txt -sn -PU53 (port 53 designated). UDP discovery relies on the ICMP port-unreachable message that a closed port generates, so a port that is likely to be closed identifies hosts more reliably than one that may be open and simply ignore the empty probe; that is why Nmap's default -PU port is 40125.
the -PA option sends ACK packets to identify live hosts: nmap 192.168.1.2 -PA80 -sn . It can also be run against a range of hosts using dash notation, nmap 192.168.1.2-255 -PA80 -sn , or CIDR notation, nmap 192.168.1.0/24 -PA80 -sn . As with the Scapy script, -PA depends on an RST coming back, which a stateful firewall will not let through.
9、using hping3 to perform layer 4 discovery
by specifying UDP mode with the --udp option, UDP probes are transmitted in an attempt to trigger replies from live hosts:
the command: hping3 --udp 192.168.1.2 , again with the -c option to set the desired number of attempts:
eg: hping3 --udp 192.168.1.2 -c 2
hping3 does not scan multiple systems by itself, but we can chain runs with bash. In a chain like the one below the grep only filters the last command. An "ICMP Port Unreachable" line means the host is alive (the probed port is closed, but the host answered); silence means either no host, a filtering device in the path, or an open UDP service that ignored the empty probe:
hping3 --udp 192.168.1.2 -c 2; hping3 --udp 192.168.1.3 -c 2 | grep "Unreachable"
HPING 192.168.1.2 (eth1 192.168.1.2): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.2 name=UNKNOWN
status=0 port=2836 seq=0
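The semicolon chain above has to be edited for every target, and its grep only applies to the last command. The script below, an added example that is not part of the original post, drives hping3 from the same iplist.txt used elsewhere on this page and keeps only the hosts that answered with an ICMP port unreachable. It assumes hping3 is run as root, uses only hping3's documented --udp, -p and -c options, and the hping3 output shown in the comments is constructed for illustration.

```shell
#!/bin/sh
# Parse hping3 output and print the addresses that answered a UDP probe.
# A live host whose probed UDP port is closed replies with an ICMP error that
# hping3 reports as (constructed sample):
#   ICMP Port Unreachable from ip=192.168.1.2 name=UNKNOWN
# A host that stays silent is either absent, filtered, or has the port open and
# ignored our empty datagram, so silence is not proof that nothing is there.
live_hosts_from_hping() {
    awk '/ICMP Port Unreachable/ {
        for (i = 1; i <= NF; i++)
            if (index($i, "ip=") == 1)
                print substr($i, 4)
    }' | sort -u
}

# Run hping3 once per target listed in a file (one address per line, like the
# page's iplist.txt) and keep only the hosts that answered.
# $1 is the target file, $2 the UDP destination port. hping3's default port is
# 0, which is very unlikely to be open and is therefore a good discovery probe.
hping_udp_sweep() {
    targets=$1
    port=${2:-0}
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        # merge stderr so the "Port Unreachable" lines reach the parser
        # whichever stream this hping3 build writes them to
        hping3 --udp -p "$port" -c 1 "$host" 2>&1
    done < "$targets" | live_hosts_from_hping
}

# usage: ./hping_udp_sweep.sh iplist.txt 53
if [ $# -ge 1 ]; then
    hping_udp_sweep "$1" "$2"
fi
```

One probe per host (-c 1) is enough for a first pass because the reply we want is an ICMP error, not a stream of data; rerun the silent addresses with a second port or with the -PA / --icmp methods above before concluding they are empty.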