1、NetDiscover you performe layer 2

the comand  : netdiscover -r 192.168.2.0/24   or use   netdiscover  -l  iplist.txt

2、in fact we use ARP  to request the system get the replay  is Poor concealment, because we use the Broadcasting ARP request for every IP address in an entire subnet can sometimes trigger alerts or resopnses from security devices such as Intrusion Detection Systems(IDS )  or other devices Intrusion Prevention System(IPS)

A stealthier approach is to listen for the ARP traffic as the scanner system naturally interacts with other system on the network ,and then record the data collected from the ARP response ,this passive scanning techinque can be performed usign the -p option . the command as follow  ,but  we  the rate of scanning is slower .we ofter use it to scanning the wireless network .

netdiscover -p   [ip ]

3、use the  auxiliary in the Metasploit

the  start command is  :msfconsole  and the use the  auxiliary :

use  auxiliary/Scanner/discover/arp_sweep   and use  to show what need configuration

4 、As   with the ARPing request, the bytes  from unique sting is only present in the ouput associated with live ip address ,and it is also on a line that contains this address ,in the same fashion  ,we can extract the ip address from any successful ping request using a combination of grep and cut ,the command :

ping 192.168.1.1 -c 3 | gerp   "butes from "

ping  192.168.1.1 -c 3 | gerp " byte from" | cut -d " "  -f 4

ping 192.168.1.1 -c 3 | grep " bytes from " | cut -d " " -f 4 | -d ":" -f 1

5、using Nmap to perform layer3 discovery

IPCM   scan    command :   nmap -sn [ip]     ,besides ,we can use the comand :  (nmap -iL iplist.txt  -sn [ip] )

6、 fping and hping3

unlike the standard ping utility ,fping will stop sending ICMP echo requests after it receives a single replay ,but if a response is not received from the address ,fping will make four attempts to contact the system prior to determining that the host is unreachable .

using the -g option to dynamically generate a list of ip address .to specify a range to scan ,pass this argument to both the first and last ip address in the  desird sequential range  ,,the command is :   fping -g 192.168.1.0 192.168.1.11   of course   it can write this :  fping -g 192.168.1.0/24   ,fping  can also used a series of address as specified by the contents of an input text file ,to use an input file ,use the -f file option and supply the filename or path of the input file; thec command is :   fping -f iplist.txt

the other tool is hping3  ,  it is  canable of performing discovery at both layer 3 and layer 4, the comman is : hping3 192.168.1.0 --icmp , in the linux  use the -c option appoint should be include with an integer value that indicates the desired number of attempts .

the command :    hping3  192.168.1.1 --icmp  -c  2

7、 using Scapy  to perform layer 4 discovery

an ACK packet  sent to live host on any port ,regardless of the port status ,will return an RST packet ,but on response will be received from an IP if no live host is associzted with it , so we can perform a discovery scan on a large number of system by only interacting with a single port on the each system, using Scapy in conjuction with the python , we can use the brief command , through send ACK packet to  only the one the TCP port on the each system ,by  eveulating the response   returned by each host , so , we can easily output a list the ip address .

eg :  #/usr/bin/python

import loging

logging.getLogger("Scapy.runtime).setLevel(logging.ERROR)

from scapy.all import *

if len(sys.argv)!=2:

print(" Usage -./ACK_Ping.py[/24 network address]")

print(" Example -/ACK_Ping.py 192.168.1.2")

print(" Example will perform a TCP ACK ping scan of the 192.168.1.0/24 range")

sys.exit()

address=src(sys.arvg[1])

prefix=address.split( '.')[0]+ ' .' +address.split('.')[1]+ ' .' +address.split('.')[2]+ ' .'

for addr in range(1,254):

response=srl(IP(dst(prefix+str(addr))/TCP(dport=80,flag='A'),timeout=1,verbose=0)

try:

if int (response[TCP].flags)==4:

print(" "192.168.1.2"+str(addr) ")

except:

pass

end the code  ,we can use ./ACK_Ping.py   perform

8、using  the nmap to perform layer 4 dissovery

to perform  a discovery scan with UDP ,use the -PU in the conjuction with the port to test like with :   nmap 192.168.2.1 -PU53 -sn   besides we can use the command  to perform  scan  use  ip address list  .like the command : nmap -il iplist.txt  -sn -PU53     (designated port  53)

using  -PA option  means use the ACK packets to identify live hosts .  the command  :  nmap 192.168.1.2  -PA80 -sn     ,of couse we can  performed on a range os host using dash notation ,the command is : nmap 192.168.1.2 -192.168.1.255 -PA80 -sn  or  use  0/24

9、Using hping3 to perform layer 4 discovery

by specifying the UDP mode with the  --udp option ,UDP probes can  transmisted in attempts to trigger replies from live hosts:

the command like this :    hping3 --udp 192.168.1.2    we can use the -c option indicated the desired number of attempts

eg: nmap  --udp 192.168.1.2 -c 2

we know the hping3 does not support the scanning of mulltiple system by default,  but we can use the bush scripting.like this :

hping3 --upd 192.168.1.2 -c 2 ;hping3 --upd 192.168.2.3 -c 2 | gerp  " Unreachable " Hping 192.168.1.2 (eth1 192.168.1.2):udp mode set 28 headers +0 data bytes  ICMP port Unreachable from ip=192.168.1.2 name=unknow status=0 port 2836 seq=0

Discovery Scanning的更多相关文章

  1. JavaPersistenceWithHibernate第二版笔记Getting started with ORM-001用JPA和Hibernate实现HellowWorld(JTA、Bitronix)

    一.结构 二.model层 1. package org.jpwh.model.helloworld; import javax.persistence.Entity; import javax.pe ...

  2. 启动elasticsearch的时候报出Exception in thread "main" SettingsException[Failed to load settings from /usr/local/elasticsearch/config/elasticsearch.yml]; nested: MarkedYAMLException[while scanning a simple ke

    故障现象: [elasticsearch@tiantianml- ~]$ /usr/local/elasticsearch/bin/elasticsearch Exception in thread ...

  3. 论文笔记(1)——《Where's Wally?Precise User Discovery Attacks in Location Proximity Services》

    Abstract: 位置相近服务在社交和移动网络的广泛使用是基于可用性和用户隐私的平衡,但引发了三角定位攻击的风险.文章系统化地讨论了此类攻击的防范,包括问题在不同临近模型下的形式化,针对不同模型的有 ...

  4. 使用discovery板上的st-link给别的板子下载

    discovery板上的6pin swd接口 20pin 的jtag 接线: 6 20 def 1 1 目标vdd 2 9  swclk(PA14) 3 20 gnd 4 7  swdio(PA13) ...

  5. XCode一直显示"scanning for working copies"的解决办法

    一个SVN上的项目,在本地重新CheckOut打开后,一直提示"scanning for working copies"且不能使用SVN的更新.提交等功能,当时想着晾它一晚上,看能 ...

  6. Zabbix low-level discovery

    Version: zabbix 3.0.1 概述 Low-Level discovery 可以自动创建items,triggers,graphs为不同的实体对象. 例如:zabbix能自动监控服务器上 ...

  7. False Discovery Rate, a intuitive explanation

    [转载请注明出处]http://www.cnblogs.com/mashiqi Today let's talk about a intuitive explanation of Benjamini- ...

  8. 专注docker安全:Security Scanning

    导读 Docker毫无疑问是近期运维同学们的热点话题,Docker安全也由此倍受重视,Docker Security Scanning 是一款Docker镜像扫描的安全工具,目前已经在Docker C ...

  9. Service Discovery with Apache Curator

    Curator的介绍 Curator就是Zookeeper的一个客户端工具(不知道Zookeeper的同学可以到http://www.ibm.com/developerworks/cn/opensou ...

随机推荐

  1. python 支付宝SDK

    python 支付宝SDK代码如下 from datetime import datetime from Crypto.PublicKey import RSA from Crypto.Signatu ...

  2. max-height、min-height、height优先级的问题

    前言 我们在实际开发中可能会限制元素的最大高度,那么我们使用的属性必定是max-height,那么不知道大家有没有考虑过如果同时设置max-height和height会发生什么呢? max-heigh ...

  3. java内存模型详解

    对于本篇文章,将从四个概念来介绍:内存模型基础,重排序,顺序一致性和happens-before 1.内存模型基础 在并发编程中,有两个关键问题:线程之间如何通信和如何同步.由此而引出了两种并发模型: ...

  4. codeforces451C

    Predict Outcome of the Game CodeForces - 451C There are n games in a football tournament. Three team ...

  5. ORM基础之字段及其参数介绍

    一.外键ForeignKey 1.字段参数 1.to 设置要关联的表 2.to_field 设置要关联的表的字段(一般不设置,默认使用主键id关联) 3.related_name 反向操作时,使用的字 ...

  6. GitHub最基本使用总结

    GitHub最基本使用入门 入门必看博客:https://mp.weixin.qq.com/s/LbzSwl4dYwrSPze0w10l8w 一.Git Linux安装 Git Linux安装教程:h ...

  7. PHP——模糊匹配文件|目录

    内置函数 glob函数 详解 http://www.w3school.com.cn/php/func_filesystem_glob.asp

  8. apt-get软件包管理命令 和 apt-key命令

    apt-get命令是Debian Linux发行版中的APT软件包管理工具. 所有基于Debian的发行都使用这个包管理系统.deb包可以把一个应用的文件包在一起,大体就如同Windows上的安装文件 ...

  9. sqlite 数据库 boolean类型的小小测试

    根据官方文档的介绍: SQLite does not have a separate Boolean storage class. Instead, Boolean values are stored ...

  10. 04Vue.js路由系统

    Vue.js路由系统: https://pizzali.github.io/2018/10/28/Vue.js%E8%B7%AF%E7%94%B1%E7%B3%BB%E7%BB%9F/