安全牛学习笔记主动信息收集-发现
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记主动信息收集-发现相关的知识,希望对你有一定的参考价值。
╋━━━━━━━━━━━━━╋
┃发现-----三层发现 ┃
┃优点 ┃
┃ 可路由 ┃
┃ 速度比较快 ┃
┃缺点 ┃
┃ 速度比二层慢 ┃
┃ 经常被边界防火墙过滤 ┃
┃IP、icmp协议 ┃
╋━━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃发现-----三层发现 ┃
┃Ping 1.1.1.1 -c 2 ┃
┃Ping -R 1.1.1.1 / traceroute 1.1.1.1 ┃
┃Ping 1.1.1.1 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 ┃
┃脚本 ┃
┃ Ping.sh 1.1.1.0 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:~# ping 192.168.1.1 -c 5
[email protected]:~# traceroute www.sina.com
[email protected]:~# ping -R www.sina.com
[email protected]:~# ping -h
Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
[-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
[-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
[-w deadline] [-W timeout] [hop1 ...] destination
▉→●→●→●→●→▉ 从我的机器跳过四个路由器
[email protected]:~# man ping
PING(8) System Manager‘s Manual: iputils PING(8)
NAME
ping, ping6 - send ICMP ECHO_REQUEST to network hosts
SYNOPSIS
ping [-aAbBdDfhLnOqrRUvV] [-c count] [-F flowlabel] [-i interval] [-I
interface] [-l preload] [-m mark] [-M pmtudisc_option] [-N node‐
info_option] [-w deadline] [-W timeout] [-p pattern] [-Q tos] [-s pack‐
etsize] [-S sndbuf] [-t ttl] [-T timestamp option] [hop ...] destina‐
tion
DESCRIPTION
ping uses the ICMP protocol‘s mandatory ECHO_REQUEST datagram to elicit
an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams
(``pings‘‘) have an IP and ICMP header, followed by a struct timeval
and then an arbitrary number of ``pad‘‘ bytes used to fill out the
packet.
ping6 is IPv6 version of ping, and can also send Node Information
Queries (RFC4620). Intermediate hops may not be allowed, because IPv6
source routing was deprecated (RFC5095).
OPTIONS
-a Audible ping.
-A Adaptive ping. Interpacket interval adapts to round-trip time,
so that effectively not more than one (or more, if preload is
set) unanswered probe is present in the network. Minimal inter‐
val is 200msec for not super-user. On networks with low rtt
this mode is essentially equivalent to flood mode.
-b Allow pinging a broadcast address.
-B Do not allow ping to change source address of probes. The
address is bound to one selected when ping starts.
-c count
Stop after sending count ECHO_REQUEST packets. With deadline
option, ping waits for count ECHO_REPLY packets, until the time‐
out expires.
-d Set the SO_DEBUG option on the socket being used. Essentially,
this socket option is not used by Linux kernel.
-D Print timestamp (unix time + microseconds as in gettimeofday)
before each line.
-f Flood ping. For every ECHO_REQUEST sent a period ``.‘‘ is
printed, while for ever ECHO_REPLY received a backspace is
printed. This provides a rapid display of how many packets are
being dropped. If interval is not given, it sets interval to
zero and outputs packets as fast as they come back or one hun‐
dred times per second, whichever is more. Only the super-user
may use this option with zero interval.
-F flow label
ping6 only. Allocate and set 20 bit flow label (in hex) on echo
request packets. If value is zero, kernel allocates random flow
label.
-h Show help.
-i interval
Wait interval seconds between sending each packet. The default
is to wait for one second between each packet normally, or not
to wait in flood mode. Only super-user may set interval to val‐
ues less 0.2 seconds.
-I interface
interface is either an address, or an interface name. If inter‐
face is an address, it sets source address to specified inter‐
face address. If interface in an interface name, it sets source
interface to specified interface. For ping6, when doing ping to
a link-local scope address, link specification (by the ‘%‘-nota‐
tion in destination, or by this option) is required.
-l preload
If preload is specified, ping sends that many packets not wait‐
ing for reply. Only the super-user may select preload more than
3.
-L Suppress loopback of multicast packets. This flag only applies
if the ping destination is a multicast address.
-m mark
use mark to tag the packets going out. This is useful for vari‐
ety of reasons within the kernel such as using policy routing to
select specific outbound processing.
-M pmtudisc_opt
Select Path MTU Discovery strategy. pmtudisc_option may be
either do (prohibit fragmentation, even local one), want (do
PMTU discovery, fragment locally when packet size is large), or
dont (do not set DF flag).
-N nodeinfo_option
ping6 only. Send ICMPv6 Node Information Queries (RFC4620),
instead of Echo Request.
help Show help for NI support.
name Queries for Node Names.
ipv6 Queries for IPv6 Addresses. There are several IPv6 spe‐
cific flags.
ipv6-global
Request IPv6 global-scope addresses.
ipv6-sitelocal
Request IPv6 site-local addresses.
ipv6-linklocal
Request IPv6 link-local addresses.
ipv6-all
Request IPv6 addresses on other interfaces.
ipv4 Queries for IPv4 Addresses. There is one IPv4 specific
flag.
ipv4-all
Request IPv4 addresses on other interfaces.
subject-ipv6=ipv6addr
IPv6 subject address.
subject-ipv4=ipv4addr
IPv4 subject address.
subject-name=nodename
Subject name. If it contains more than one dot, fully-
qualified domain name is assumed.
subject-fqdn=nodename
Subject name. Fully-qualified domain name is always
assumed.
-n Numeric output only. No attempt will be made to lookup symbolic
names for host addresses.
-O Report outstanding ICMP ECHO reply before sending next packet.
This is useful together with the timestamp -D to log output to a
diagnostic file and search for missing answers.
-p pattern
You may specify up to 16 ``pad‘‘ bytes to fill out the packet
you send. This is useful for diagnosing data-dependent problems
in a network. For example, -p ff will cause the sent packet to
be filled with all ones.
-q Quiet output. Nothing is displayed except the summary lines at
startup time and when finished.
-Q tos Set Quality of Service -related bits in ICMP datagrams. tos can
be decimal (ping only) or hex number.
In RFC2474, these fields are interpreted as 8-bit Differentiated
Services (DS), consisting of: bits 0-1 (2 lowest bits) of sepa‐
rate data, and bits 2-7 (highest 6 bits) of Differentiated Ser‐
vices Codepoint (DSCP). In RFC2481 and RFC3168, bits 0-1 are
used for ECN.
Historically (RFC1349, obsoleted by RFC2474), these were inter‐
preted as: bit 0 (lowest bit) for reserved (currently being
redefined as congestion control), 1-4 for Type of Service and
bits 5-7 (highest bits) for Precedence.
-r Bypass the normal routing tables and send directly to a host on
an attached interface. If the host is not on a directly-
attached network, an error is returned. This option can be used
to ping a local host through an interface that has no route
through it provided the option -I is also used.
-R ping only. Record route. Includes the RECORD_ROUTE option in
the ECHO_REQUEST packet and displays the route buffer on
returned packets. Note that the IP header is only large enough
for nine such routes. Many hosts ignore or discard this option.
-s packetsize
Specifies the number of data bytes to be sent. The default is
56, which translates into 64 ICMP data bytes when combined with
the 8 bytes of ICMP header data.
-S sndbuf
Set socket sndbuf. If not specified, it is selected to buffer
not more than one packet.
-t ttl ping only. Set the IP Time to Live.
-T timestamp option
Set special IP timestamp options. timestamp option may be
either tsonly (only timestamps), tsandaddr (timestamps and
addresses) or tsprespec host1 [host2 [host3 [host4]]] (timestamp
prespecified hops).
-U Print full user-to-user latency (the old behaviour). Normally
ping prints network round trip time, which can be different f.e.
due to DNS failures.
-v Verbose output.
-V Show version and exit.
-w deadline
Specify a timeout, in seconds, before ping exits regardless of
how many packets have been sent or received. In this case ping
does not stop after count packet are sent, it waits either for
deadline expire or until count probes are answered or for some
error notification from network.
-W timeout
Time to wait for a response, in seconds. The option affects only
timeout in absence of any responses, otherwise ping waits for
two RTTs.
When using ping for fault isolation, it should first be run on the
local host, to verify that the local network interface is up and run‐
ning. Then, hosts and gateways further and further away should be
``pinged‘‘. Round-trip times and packet loss statistics are computed.
If duplicate packets are received, they are not included in the packet
loss calculation, although the round trip time of these packets is used
in calculating the minimum/average/maximum round-trip time numbers.
When the specified number of packets have been sent (and received) or
if the program is terminated with a SIGINT, a brief summary is dis‐
played. Shorter current statistics can be obtained without termination
of process with signal SIGQUIT.
If ping does not receive any reply packets at all it will exit with
code 1. If a packet count and deadline are both specified, and fewer
than count packets are received by the time the deadline has arrived,
it will also exit with code 1. On other error it exits with code 2.
Otherwise it exits with code 0. This makes it possible to use the exit
code to see if a host is alive or not.
This program is intended for use in network testing, measurement and
management. Because of the load it can impose on the network, it is
unwise to use ping during normal operations or from automated scripts.
ICMP PACKET DETAILS
An IP header without options is 20 bytes. An ICMP ECHO_REQUEST packet
contains an additional 8 bytes worth of ICMP header followed by an
arbitrary amount of data. When a packetsize is given, this indicated
the size of this extra piece of data (the default is 56). Thus the
amount of data received inside of an IP packet of type ICMP ECHO_REPLY
will always be 8 bytes more than the requested data space (the ICMP
header).
If the data space is at least of size of struct timeval ping uses the
beginning bytes of this space to include a timestamp which it uses in
the computation of round trip times. If the data space is shorter, no
round trip times are given.
DUPLICATE AND DAMAGED PACKETS
ping will report duplicate and damaged packets. Duplicate packets
should never occur, and seem to be caused by inappropriate link-level
retransmissions. Duplicates may occur in many situations and are
rarely (if ever) a good sign, although the presence of low levels of
duplicates may not always be cause for alarm.
Damaged packets are obviously serious cause for alarm and often indi‐
cate broken hardware somewhere in the ping packet‘s path (in the net‐
work or in the hosts).
TRYING DIFFERENT DATA PATTERNS
The (inter)network layer should never treat packets differently depend‐
ing on the data contained in the data portion. Unfortunately, data-
dependent problems have been known to sneak into networks and remain
undetected for long periods of time. In many cases the particular pat‐
tern that will have problems is something that doesn‘t have sufficient
``transitions‘‘, such as all ones or all zeros, or a pattern right at
the edge, such as almost all zeros. It isn‘t necessarily enough to
specify a data pattern of all zeros (for example) on the command line
because the pattern that is of interest is at the data link level, and
the relationship between what you type and what the controllers trans‐
mit can be complicated.
This means that if you have a data-dependent problem you will probably
have to do a lot of testing to find it. If you are lucky, you may man‐
age to find a file that either can‘t be sent across your network or
that takes much longer to transfer than other similar length files.
You can then examine this file for repeated patterns that you can test
using the -p option of ping.
TTL DETAILS
The TTL value of an IP packet represents the maximum number of IP
routers that the packet can go through before being thrown away. In
current practice you can expect each router in the Internet to decre‐
ment the TTL field by exactly one.
The TCP/IP specification states that the TTL field for TCP packets
should be set to 60, but many systems use smaller values (4.3 BSD uses
30, 4.2 used 15).
The maximum possible value of this field is 255, and most Unix systems
set the TTL field of ICMP ECHO_REQUEST packets to 255. This is why you
will find you can ``ping‘‘ some hosts, but not reach them with tel‐
net(1) or ftp(1).
In normal operation ping prints the TTL value from the packet it
receives. When a remote system receives a ping packet, it can do one
of three things with the TTL field in its response:
· Not change it; this is what Berkeley Unix systems did before the
4.3BSD Tahoe release. In this case the TTL value in the received
packet will be 255 minus the number of routers in the round-trip
path.
· Set it to 255; this is what current Berkeley Unix systems do. In
this case the TTL value in the received packet will be 255 minus the
number of routers in the path from the remote system to the pinging
host.
· Set it to some other value. Some machines use the same value for ICMP
packets that they use for TCP packets, for example either 30 or 60.
Others may use completely wild values.
BUGS
· Many Hosts and Gateways ignore the RECORD_ROUTE option.
· The maximum IP header length is too small for options like
RECORD_ROUTE to be completely useful. There‘s not much that that can
be done about this, however.
· Flood pinging is not recommended in general, and flood pinging the
broadcast address should only be done under very controlled condi‐
tions.
SEE ALSO
netstat(1), ifconfig(8).
HISTORY
The ping command appeared in 4.3BSD.
The version described here is its descendant specific to Linux.
SECURITY
ping requires CAP_NET_RAW capability to be executed. It may be used as
set-uid root.
AVAILABILITY
ping is part of iputils package and the latest versions are available
in source form at http://www.skbuff.net/iputils/iputils-cur‐
rent.tar.bz2.
[email protected]:~# ping 1.1.1.1 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
[email protected]:~# ping 192.168.1 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
192.168.1.1
[email protected]:~# ifconfig sinterface | grep "inet addr" | cut -d ‘:‘ -f 2 | cut -d ":" -f 1| cut -d ‘.‘ -f 1-3
[email protected]:~# ifconfig eth0 | grep grep "inet addr" | cut -d ‘:‘ -f 2 | cut -d ":" -f 1| cut -d ‘.‘ -f 1-31
╭────────────────────────────────────────────╮
[pinger1.py]
#!/bin/bash
if{"#$" -ne 1};then
echo "Usage - ./pinger.sh {/24 network address}"
echo "Example - ./pinger.sh 172.16.36.0"
echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network"
exit
fi
prefix=$(echo $1 | cut -d ‘.‘ -f 1-3)
for addr in$(seq 1 254);do
ping -c 1 Sprefix.Saddr | grep "bytes from" | cut -d ‘ ‘ -f 4 | cut -d ‘.‘ -f 1 &
done
╰────────────────────────────────────────────╯
[email protected]:~# chmod u+x pinger
[email protected]:~# chmod u+x pinger.sh
[email protected]:~# ./pinger.sh
[email protected]:~# ./pinger.sh 211.144.145.0
╋━━━━━━━━━━━━━━━━━━━━━━╋
┃发现-----三层发现 ┃
┃Scapy ┃
┃ OSI多层堆叠手工声称ICMP包-----IP/ICMP ┃
┃ ip=IP() ┃
┃ ip.ds="1.1.1.1" ┃
┃ ping=ICMP() ┃
┃ a=sr1(ip/ping) ┃
┃ a.display() ┃
┃Ping不存在的地址 ┃
┃ a=sr1(ip/ping.timeout=1) ┃
┃ ┃
┃ a=sr1(IP(dst="1.1.1.1")/ICMP(),timeout=1) ┃
╋━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>> i=IP()
>>> p=ICMP()
>>> ping=(i/p)
>>> ping.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
>>> ping[IP].dst="192.168.1.1"
>>> ping.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= icmp
chksum= None
src= 192.168.77.129
dst= 192.168.1.1
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= None
id= 0x0
seq= 0x0
>>> a=sr1(ping)
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> a.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 63695
flags=
frag= 0L
ttl= 128
proto= icmp
chksum= 0x723e
src= 192.168.1.1
dst= 192.168.77.129
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= ‘\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00‘
>>> sr1(IP(dst="192.168.1.1")/ICMP())
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=28 id=63719 flags= frag=0L ttl=128 proto=icmp chksum=0x7226 src=192.168.1.1 dst=192.168.77.129 options=[] |<ICMP type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |<Padding load=‘\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00‘ |>>>
>>> sr1(IP(dst="192.168.1.11")/ICMP())
Begin emission:
Finished to send 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
<IP version=4L ihl=5L tos=0x0 len=56 id=63720 flags= frag=0L ttl=128 proto=icmp chksum=0x71a5 src=192.168.1.101 dst=192.168.77.129 options=[] |<ICMP type=dest-unreach code=host-unreachable chksum=0xfcfe unused=0 |<IPerror version=4L ihl=5L tos=0x0 len=28 id=17594 flags= frag=0L ttl=63 proto=icmp chksum=0x674a src=192.168.77.129 dst=192.168.1.11 options=[] |<ICMPerror type=echo-request code=0 chksum=0xf7ff id=0x0 seq=0x0 |>>>>
>>> sr1(IP(dst="192.168.1.11")/ICMP(),timeout=1)
Begin emission:
.Finished to send 1 packets.
Received 1 packets, got 0 answers, remaining 1 packets
╭────────────────────────────────────────────╮
[pinger1.py]
#!/bin/bash
import logging
import subprocess
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
if len(sys.argv)1=2;
echo "Usage - ./pinger.sh {/24 network address}"
echo "Example - ./pinger.sh 172.16.36.0"
echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network"
sys.exit()
address=str(sys.argv[1])
prefix=address.split(‘.‘)[0]+‘.‘+address.split(‘.‘)[1]+‘.‘+address.split(‘.‘)[2]+‘.‘
for addr in range(1,254);
a=sr1(IP(dst=prefix+str(addr)/ICMP().timeout=0.1,verbose=0)
if a==None;
pass
else:
print prefix+str(addr)
╰────────────────────────────────────────────╯
[email protected]:~# chmod u+x pinger1.sh
[email protected]:~# ./pinger1.sh
[email protected]:~# ./pinger1.sh 211.144.145.0
╭────────────────────────────────────────────╮
[pinger1.py]
#!/bin/bash
import logging
import subprocess
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
if len(sys.argv)1=2;
echo "Usage - ./pinger.sh {/24 network address}"
echo "Example - ./pinger.sh 172.16.36.0"
echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network"
sys.exit()
filename=str(sys.argv[1])
file=open(filename,‘|‘)
for addr in file;
a=sr1(IP(dst=prefix+str(addr)/ICMP().timeout=0.1,verbose=0)
if a==None;
pass
else:
print addr.srtip()
╰────────────────────────────────────────────╯
[email protected]:~# ./pinger2.sh addr
[email protected]:~# nmap 192.168.1.1 -sn
╋━━━━━━━━━━━━━╋
┃发现-----三层发现 ┃
┃fping 1.1.1.1 -c 1 ┃
┃fping -g 1.1.1.1 1.1.2 ┃
┃fping -g 1.1.1.0/24 ┃
┃fping -f iplist.txt ┃
╋━━━━━━━━━━━━━╋
fping的命令和参数详解
Usage: fping [options] [targets...]
用法:fping [选项] [ping的目标]
-a show targets that are alive
显示可ping通的目标
-A show targets by address
将目标以ip地址的形式显示
-b n amount of ping data to send, in bytes (default 56)
ping 数据包的大小。(默认为56)
-B f set exponential backoff factor to f
设置指数反馈因子到f 【这个不懂,求指教~】
-c n count of pings to send to each target (default 1)
ping每个目标的次数 (默认为1)
-C n same as -c, report results in verbose format
同-c, 返回的结果为冗长格式
-e show elapsed time on return packets
显示返回数据包所费时间
-f file read list of targets from a file ( - means stdin) (only if no -g specified)
从文件获取目标列表( - 表示从标准输入)(不能与 -g 同时使用)
-g generate target list (only if no -f specified)
生成目标列表(不能与 -f 同时使用)
(specify the start and end IP in the target list, or supply a IP netmask)
(ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
(可指定目标的开始和结束IP, 或者提供ip的子网掩码)
(例:fping -g 192.168.1.0 192.168.1.255 或 fping -g 192.168.1.0/24)
-H n Set the IP TTL value (Time To Live hops)
设置ip的TTL值 (生存时间)
-i n interval between sending ping packets (in millisec) (default 25)
ping包之间的间隔(单位:毫秒)(默认25)
-l loop sending pings forever
循环发送ping
-m ping multiple interfaces on target host
ping目标主机的多个网口
-n show targets by name (-d is equivalent)
将目标以主机名或域名显示(等价于 -d )
-p n interval between ping packets to one target (in millisec)
对同一个目标的ping包间隔(毫秒)
(in looping and counting modes, default 1000)
(在循环和统计模式中,默认为1000)
-q quiet (don‘t show per-target/per-ping results)
安静模式(不显示每个目标或每个ping的结果)
-Q n same as -q, but show summary every n seconds
同-q, 但是每n秒显示信息概要
-r n number of retries (default 3)
当ping失败时,最大重试次数(默认为3次)
-s print final stats
打印最后的统计数据
-I if bind to a particular interface
绑定到特定的网卡
-S addr set source address
设置源ip地址
-t n individual target initial timeout (in millisec) (default 500)
单个目标的超时时间(毫秒)(默认500)
-T n ignored (for compatibility with fping 2.4)
请忽略(为兼容fping 2.4)
-u show targets that are unreachable
显示不可到达的目标
-O n set the type of service (tos) flag on the ICMP packets
在icmp包中设置tos(服务类型)
-v show version
显示版本号
targets list of targets to check (if no -f specified)
需要ping的目标列表(不能和 -f 同时使用)
-h show this page
显示本帮助页
[email protected]:~# fping 192.168.1.1 -c 1
[email protected]:~# fping 192.168.1.1 -c 10
[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1
[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1 | egrep -v 100%
[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1 | grep min/avg/max
[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1 >> result.txt
[email protected]:~# cat result.txt | grep min/avg/max
[email protected]:~# cat result.txt
[email protected]:~# fping 192.168.1.0/24
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃发现-----三层发现 ┃
┃Hping ┃
┃ 能够发送几乎任意TCP/IP包 ┃
┃ 功能请发但每次只能扫描一个目标 ┃
┃hping3 1.1.1.1 --icmp -c 2 ┃
┃for addr in $(seq 1 254);do hping3 1.1.1.$addr --icmp -c 1 >>handle.txt & done ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
[email protected]:~# hping3 192.168.1.1 --icmp -c 2
HPING 192.168.1.1 (eth0 192.168.1.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.1.1 ttl=128 id=63816 icmp_seq=0 rtt=8.4 ms
len=46 ip=192.168.1.1 ttl=128 id=63817 icmp_seq=1 rtt=3.2 ms
--- 192.168.1.1 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 3.2/5.8/8.4 ms
[email protected]:~# for addr in $(seq 1 254);do hping3 192.168.1.$addr --icmp -c 1 >>handle.txt & done
1] 8236
[2] 8237
[3] 8238
[4] 8239
[5] 8240
[6] 8241
[7] 8242
[8] 8243
[9] 8244
[10] 8245
[11] 8246
[12] 8247
......
[email protected]:~# cat handle.txt
HPING 1.1.1.4 (eth0 1.1.1.4): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.6 (eth0 1.1.1.6): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.3 (eth0 1.1.1.3): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.9 (eth0 1.1.1.9): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.11 (eth0 1.1.1.11): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.8 (eth0 1.1.1.8): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.5 (eth0 1.1.1.5): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.7 (eth0 1.1.1.7): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.12 (eth0 1.1.1.12): icmp mode set, 28 headers + 0 data bytes
HPING 1.1.1.2 (eth0 1.1.1.2): icmp mode set, 28 headers + 0 data bytes
......
[email protected]:~# cat handle.txt | grep ^len //以这个行的启始位置
[email protected]:~# cat handle.txt | grep ^len
len=46 ip=192.168.1.1 ttl=128 id=63818 icmp_seq=0 rtt=45.0 ms
len=46 ip=192.168.1.101 ttl=128 id=63819 icmp_seq=0 rtt=38.2 ms
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
近期,安全牛课堂在做此类线上培训,感兴趣可以了解
本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1965017
以上是关于安全牛学习笔记主动信息收集-发现的主要内容,如果未能解决你的问题,请参考以下文章