0x01 Various ARP-based scanning methods on different platforms. First, let's try the ARP-based intranet host discovery methods; as everyone knows, these pass straight through all kinds of application-layer firewalls. If a dedicated ARP firewall is in place, well, ha ha.
0x02 Various ARP scans under Windows:
# start /b arpscan.exe -t 192.168.3.0/24 >> result.txt
Using a PowerShell script for ARP scanning is the approach I personally recommend: it is lightweight, evades AV well, and the interpreter ships with the system, so it is flexible and convenient:
# powershell.exe -exec bypass -Command "Import-Module C:\Invoke-ARPScan.ps1;Invoke-ARPScan -CIDR 192.168.3.0/24" >> result.txt
Speaking of PowerShell, Empire has to be mentioned; it also provides an ARP scanning module, which is better than the one in MSF [Empire is an excellent domain/intranet penetration framework, and people who often do Windows intranet penetration probably use it a lot, so I won't go into it here]:
empire
Good old nmap can be used under Windows too, but you may first need to install the required Windows runtime library and npcap; the default options are fine when installing the library. Note that if the installation runs into problems on a Chinese-language system, an English-language system is recommended; all the required dependency libraries are bundled in the nmap package. To be honest, I do not recommend dropping nmap directly onto the target machine: without a graphical interface the dependency libraries are hard to install, and for a pure host-alive scan it would not be the first choice anyway, at least not mine.
# nmap -sn -PR 192.168.3.0/24    # scan in ARP mode
Cain also includes an ARP scanning function. Although the tool has not been updated for many years, it is still a classic; it is recommended for systems up to Windows 2003, and it also needs AV evasion:
0x03 ARP scanning under Linux: nmap actually ships by default in some mainstream Linux distributions, but it is version 5.0, and the ops staff may not have installed it at all, so it is better to compile and install it yourself. By the way, when you need tools on the target machine, compile and install them from source as much as possible; that way it is relatively easy to deal with when you leave:
# wget https://nmap.org/dist/nmap-7.40.tar.bz2
# bzip2 -cd nmap-7.40.tar.bz2 | tar xvf -
# cd nmap-7.40
# ./configure    # --prefix can be used here to specify the installation path
# echo $?
# make
# echo $?
# make install
# echo $?
# nmap -sn -PR 192.168.3.0/24    # try an ARP scan
Compile and install arpscan:
# unzip arpscan.zip
# cd arpscan
# autoreconf --install
# ./configure    # the tool depends on the libpcap library; install that library first
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
# tar -zxvf libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure
# echo $?
# make && make install
# echo $?
# cd ..
# ./configure    # check again
# echo $?
# make
# echo $?
# chmod -R 755 ./*    # grant permissions first, otherwise the checks fail
# make check
# make install
# echo $?
# arp-scan --interface=eth3 --localnet    # scan the network segment of the specified interface
0x04 Other ARP scanning methods: if you are directly inside someone else's VPN intranet, you can also use netdiscover (bundled with Kali). Specify the interface of the VPN intranet for the ARP scan; the speed is acceptable.
# netdiscover -r 192.168.3.0/24 -i eth0
Or use the various ARP scanning modules built into MSF. Again, if you are currently directly inside the other party's intranet, you can use the following module directly:
msf > use auxiliary/scanner/discovery/arp_sweep
msf > show options
msf > set interface eth0
msf > set smac 00:0c:29:92:fd:85
msf > set rhosts 192.168.3.0/24
msf > set threads 20
msf > set shost 192.168.3.28
msf > run
If you only hold one of the other party's internal hosts, you can also use the ARP scanning module built into meterpreter, but before that you may need to add a route through it:
In addition, when scanning from the target machine, escalate privileges first. This is purely personal advice, but it makes things easier; otherwise problems may come up during the scan.
meterpreter > run autoroute -s 192.168.244.0/24
meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.3.0/24
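Every ARP-based method above produces the same pattern on the wire: one sender MAC asking "who-has" for many addresses in a short time, which is exactly what an ARP firewall or a monitoring sensor keys on. The following Python script is an added example, not code from the original post or from any of the tools named here. It parses ARP request lines in the style printed by `tcpdump -n -e arp` (the line format is an assumption, and the sample capture is constructed) and flags any sender that asks for a threshold number of distinct targets inside a sliding time window.

```python
"""ARP sweep detector for tcpdump-style ARP request lines (added example)."""
import re
from collections import defaultdict, deque

# Assumed input format: one line per packet as printed by `tcpdump -n -e arp`, e.g.
# "12:00:00.010 00:0c:29:92:fd:85 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806),
#  length 42: Request who-has 192.168.3.1 tell 192.168.3.28, length 28"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<h>\d+):(?P<m>\d+):(?P<s>\d+\.\d+)\s+(?P<smac>{MAC}) > {MAC},.*?"
    rf"Request who-has (?P<target>{IP}) tell (?P<sender>{IP})"
)


def parse_arp_request(line):
    """Return (seconds_since_midnight, sender_mac, sender_ip, target_ip) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # replies, gratuitous ARP and non-ARP lines are ignored
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return secs, m["smac"], m["sender"], m["target"]


def detect_arp_sweeps(lines, window=5.0, threshold=20):
    """Map sender MAC -> (sender IP, peak distinct targets) for every sender that
    asked for `threshold` or more distinct target IPs within `window` seconds."""
    recent = defaultdict(deque)  # sender MAC -> deque of (time, target IP)
    alerts = {}
    for line in lines:
        rec = parse_arp_request(line)
        if rec is None:
            continue
        t, smac, sip, target = rec
        q = recent[smac]
        q.append((t, target))
        while q and t - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        distinct = {tg for _, tg in q}
        if len(distinct) >= threshold:
            peak = alerts.get(smac, (sip, 0))[1]
            alerts[smac] = (sip, max(peak, len(distinct)))
    return alerts


def sample_capture():
    """Constructed sample: one host sweeping the whole /24 in about 2.5 s, plus a
    normal host that only resolves two addresses."""
    lines = []
    for i in range(1, 255):
        lines.append(
            f"12:00:{i / 100:06.3f} 00:0c:29:92:fd:85 > ff:ff:ff:ff:ff:ff, "
            f"ethertype ARP (0x0806), length 42: Request who-has 192.168.3.{i} "
            f"tell 192.168.3.28, length 28"
        )
    lines.append("12:00:01.500 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP "
                 "(0x0806), length 42: Request who-has 192.168.3.1 tell 192.168.3.40, length 28")
    lines.append("12:00:03.000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP "
                 "(0x0806), length 42: Request who-has 192.168.3.254 tell 192.168.3.40, length 28")
    return sorted(lines)  # timestamps are fixed-width, so string order is time order


if __name__ == "__main__":
    for mac, (ip, n) in detect_arp_sweeps(sample_capture()).items():
        print(f"ARP sweep from {mac} ({ip}): {n} distinct targets within 5 s")
```

The window and threshold are the knobs: a normal host resolves a handful of neighbours per minute, so even a slow sweep (one request every few seconds) is caught by widening the window, while the constructed sample is caught by the defaults.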
0x05 Various ICMP-based intranet host discovery methods. If ICMP requests are filtered by a firewall this approach is basically useless, but inside a domain it usually works well:
0x06 Various ICMP scans under Windows:
Run the following command in CMD to ping-sweep the whole C-class segment
# for /L %i in (1,1,254) do @ping -w 1 -n 1 192.168.3.%i | findstr "TTL=" >> result.txt    # sweeps hosts 1 through 254
Nmap also provides ICMP-based scan modes. PE, an ICMP echo request, is the most common; there are also discovery modes based on ICMP timestamp and netmask requests.
# nmap -sn -PE 192.168.3.0/24
nping usually comes with the nmap package. There are still some problems using it under Windows; the tool is too old to say much about.
# nping --icmp --icmp-type time 192.168.3.0/24 | findstr "reply"
Using PowerShell to ICMP-scan the target intranet
# powershell.exe -exec bypass -Command "Import-Module C:\Invoke-TSPingSweep.ps1;Invoke-TSPingSweep -StartAddress 192.168.3.1 -EndAddress 192.168.3.254 -ResolveHost -ScanPort -Port 21,22,23,25,53,80,81,82,83,84,85,86,87,88,89,110,111,143,389,443,445,873,1025,1433,1521,2601,3306,3389,3690,5432,5900,7001,8000,8080,8081,8082,8083,8084,8085,8086,8087,8089,9090,10000"    # the target range is not limited to a C segment; for example 192.168.3.1 - 192.168.31.254 also works
0x07 Various ICMP scans under Linux: the simplest way is to save the following code as a shell script, give it execute permission, and run it
#!/bin/bash
# ping every host in the segment once and report the ones that answer
for ip in 192.168.3.{1..254}
do
    ping -c 1 $ip &> /dev/null
    if [ $? -eq 0 ]; then
        echo $ip is alive ....
    fi
done
As above, nmap's ICMP scan can still be used
# nmap -sn -PE 192.168.3.0/24
Use nping; the usage is the same as above
# nping --icmp --icmp-type time 192.168.3.0/24 | grep "reply"
0x07 Intranet host discovery based on SMB and NetBIOS, which is usually very practical in a Windows intranet. Under Windows:
# nbtscan.exe -m 192.168.3.0/24    # a very classic little tool
Linux:
# wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz
# tar -zxvf nbtscan-source-1.0.35.tgz
# make    # run inside the extracted source directory
# echo $?
# ./nbtscan -h
# ./nbtscan -m 192.168.3.0/24
Other SMB discovery methods:
After adding a route to the target machine through the returned meterpreter session, the smb_version module achieves the same purpose:
auxiliary/scanner/smb/smb_version
0x08 Intranet host discovery based on conventional TCP/UDP port scanning. Again, if firewalls or other protection systems block the ports, this approach is still a waste of time:
ScanLine TCP/UDP port scanning, a very classic little tool: a single file, convenient in real penetration work:
# sl -htz 192.168.3.1-160    # if no port is specified, it scans its own default high-risk port list; see McAfee's official site for which ports those are
# sl -hz -t 21,22,23,25,53,80-89,110,111,143,389,443,445,873,1025,1433,1521,2601,3306,3389,3690,5432,5900,7001,8000,8080-8089,9090,10000 -u 161 192.168.3.1-160 >> result.txt
Nmap TCP/UDP port scan:
# nmap --script smb-enum-shares.nse -p445 192.168.3.0/24    # scans for readable/writable shares; very limited, and there are many better alternatives
SuperScan TCP/UDP port scanning: a purely graphical interface, very simple to use. It can also be used to enumerate information about a specific machine, but when used for enumeration it cannot specify a network segment directly, which is a pity.
MSF also has various built-in service port scanning modules. You may need to escalate privileges first and then add a route to use them normally; of course, if you are directly inside the other party's intranet, this is not needed:
msf > use auxiliary/scanner/portscan/*
msf > use auxiliary/scanner/smb/*
msf > use auxiliary/scanner/smtp/*
msf > use auxiliary/scanner/snmp/*
msf > use auxiliary/scanner/telnet/*
...
There is also a very good Python script, F-NAScan, which is very fast and very easy to use on Linux intranet machines [provided the corresponding Python version is available]
# python F-NAScan.py -h 192.168.3.1-192.168.3.250 -p 21,22,23,25,53,80,81,82,83,84,85,86,87,88,89,110,111,143,389,443,445,873,1025,1433,1521,2601,3306,3389,3690,5432,5900,7001,8000,8080,8081,8082,8083,8084 -m 30 -t 5
0x09 If your current shell privileges are really limited, or for various reasons you cannot proxy into the intranet, probing the intranet with a web script is a very good approach
ASPX-based intranet host-alive detection script:
PHP-based intranet host-alive detection script:
JSP-based intranet host-alive detection script:
0x10 Host discovery in a domain environment. Inside a domain, conditions are generally fairly loose, because most of these are office networks:
# net view
# in fact the best external tool in a domain is nbtscan
0X11 SNMP-based intranet information collection:
To be continued...
0x12 Finally, a fun IP traffic monitoring tool
# iptraf
A small tool for looking up the service corresponding to a port; try it yourself if you are interested
# whatportis
Summary: whenever conditions permit, all scans should be run with administrator privileges. For intranet hosts, the above is basically what I usually use. When actually scanning, remember not to set the thread count too high and not to scan too many ports at once; if the tool has an option to randomize the IP order, it is better to enable it. In addition, inside an intranet you should theoretically first aim at finding machines where a shell can be obtained quickly, such as SA, SMB, FTP for Linux, anonymous shares that can be read and written, and so on; aimless large-scale scanning is strictly forbidden. Once you have a machine, immediately go and grab every password hash that can be grabbed: all kinds of passwords in the browser, the machine's hashes, hashes of commonly used software, and so on; keylogging need not be bothered with any more. With these passwords in hand, slowly expand to other machines. Remember, try not to scan for a long time or with a large volume of traffic: the packet signatures of the tools we use now have long since been written into the detection rules of all kinds of IDS, nmap in particular, and they leave a large number of scan logs on the other party's systems. A slightly more rigorous intranet may raise an alarm or even lock the IP address outright. The intranet is not like the web: on the web you may be able to act relatively freely, but in the intranet you must be careful; access is hard won, and you must not lose it easily. Do your best to keep the current machine stable.
Also, in everyday intranet penetration, try to use the system's own tools. This is very important: the system itself already has a great many penetration tools that may simply not have been discovered very well yet. From now on we should develop the habit of using external tools as little as possible. The less, the better; besides, their safety cannot be guaranteed, they may not be very convenient in practice, and they offer little flexibility. Especially in some oddly shaped intranets, various restrictions make remote tools hard to use. In addition, a considerable number of third-party tools may need AV evasion that you have to do yourself, and evasion based purely on the assembly layer is quite limited; if you do not, it becomes very troublesome. After all, something that does not come from your own hands is never entirely reassuring to use, so we should think some things through ourselves. This is just a bit of personal advice. Of course, if you are used to using other people's tools you can ignore everything said here, but if you are not, it is better to be cautious. If you want to look more closely at the scanning details of the different protocols, use Wireshark; it is definitely the most powerful and practical penetration tool I have ever seen, and yes, not just one of them. Have a nice day.
For Linux
The packet signatures of the tools we use now have basically already been written into the detection rules of all kinds of IDS, especially those for nmap
In fact, the system itself already has a great many penetration tools; they just may not have been well discovered yet
AV evasion based purely on the assembly layer is still quite limited