安全牛学习笔记主动信息收集-发现

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记主动信息收集-发现相关的知识,希望对你有一定的参考价值。

╋━━━━━━━━━━━━━╋

┃发现-----三层发现         ┃

┃优点                      ┃

┃    可路由                ┃

┃    速度比较快            ┃

┃缺点                      ┃

┃    速度比二层慢          ┃

┃    经常被边界防火墙过滤  ┃

┃IP、icmp协议              ┃

╋━━━━━━━━━━━━━╋

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃发现-----三层发现                                                         ┃

┃Ping 1.1.1.1 -c 2                                                         ┃

┃Ping -R 1.1.1.1 / traceroute 1.1.1.1                                      ┃

┃Ping 1.1.1.1 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 ┃

┃脚本                                                                      ┃

┃    Ping.sh 1.1.1.0                                                       ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

[email protected]:~# ping 192.168.1.1 -c 5

[email protected]:~# traceroute www.sina.com

[email protected]:~# ping -R www.sina.com

[email protected]:~# ping -h

Usage: ping [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]

            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]

            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]

            [-w deadline] [-W timeout] [hop1 ...] destination

 ▉→●→●→●→●→▉      从我的机器跳过四个路由器

[email protected]:~# man ping

PING(8)                System Manager‘s Manual: iputils                PING(8)

NAME

       ping, ping6 - send ICMP ECHO_REQUEST to network hosts

SYNOPSIS

       ping  [-aAbBdDfhLnOqrRUvV]  [-c count] [-F flowlabel] [-i interval] [-I

       interface] [-l  preload]  [-m  mark]  [-M  pmtudisc_option]  [-N  node‐

       info_option] [-w deadline] [-W timeout] [-p pattern] [-Q tos] [-s pack‐

       etsize] [-S sndbuf] [-t ttl] [-T timestamp option] [hop  ...]  destina‐

       tion

DESCRIPTION

       ping uses the ICMP protocol‘s mandatory ECHO_REQUEST datagram to elicit

       an ICMP ECHO_RESPONSE from a host or gateway.   ECHO_REQUEST  datagrams

       (``pings‘‘)  have  an  IP and ICMP header, followed by a struct timeval

       and then an arbitrary number of ``pad‘‘ bytes  used  to  fill  out  the

       packet.

       ping6  is  IPv6  version  of  ping,  and can also send Node Information

       Queries (RFC4620).  Intermediate hops may not be allowed, because  IPv6

       source routing was deprecated (RFC5095).

OPTIONS

       -a     Audible ping.

      -A     Adaptive  ping.  Interpacket interval adapts to round-trip time,

              so that effectively not more than one (or more,  if  preload  is

              set)  unanswered probe is present in the network. Minimal inter‐

              val is 200msec for not super-user.  On  networks  with  low  rtt

              this mode is essentially equivalent to flood mode.

       -b     Allow pinging a broadcast address.

       -B     Do  not  allow  ping  to  change  source address of probes.  The

              address is bound to one selected when ping starts.

       -c count

              Stop after sending count  ECHO_REQUEST  packets.  With  deadline

              option, ping waits for count ECHO_REPLY packets, until the time‐

              out expires.

       -d     Set the SO_DEBUG option on the socket being used.   Essentially,

              this socket option is not used by Linux kernel.

       -D     Print  timestamp  (unix  time + microseconds as in gettimeofday)

              before each line.

       -f     Flood ping. For  every  ECHO_REQUEST  sent  a  period  ``.‘‘  is

              printed,  while  for  ever  ECHO_REPLY  received  a backspace is

              printed.  This provides a rapid display of how many packets  are

              being  dropped.   If  interval is not given, it sets interval to

              zero and outputs packets as fast as they come back or  one  hun‐

              dred  times  per second, whichever is more.  Only the super-user

              may use this option with zero interval.

       -F flow label

              ping6 only.  Allocate and set 20 bit flow label (in hex) on echo

              request packets.  If value is zero, kernel allocates random flow

              label.

       -h     Show help.

      -i interval

              Wait interval seconds between sending each packet.  The  default

              is  to  wait for one second between each packet normally, or not

              to wait in flood mode. Only super-user may set interval to  val‐

              ues less 0.2 seconds.

       -I interface

              interface is either an address, or an interface name.  If inter‐

              face is an address, it sets source address to  specified  inter‐

              face address.  If interface in an interface name, it sets source

              interface to specified interface.  For ping6, when doing ping to

              a link-local scope address, link specification (by the ‘%‘-nota‐

              tion in destination, or by this option) is required.

       -l preload

              If preload is specified, ping sends that many packets not  wait‐

              ing for reply.  Only the super-user may select preload more than

              3.

       -L     Suppress loopback of multicast packets.  This flag only  applies

              if the ping destination is a multicast address.

       -m mark

              use  mark to tag the packets going out. This is useful for vari‐

              ety of reasons within the kernel such as using policy routing to

              select specific outbound processing.

       -M pmtudisc_opt

              Select  Path  MTU  Discovery  strategy.   pmtudisc_option may be

              either do (prohibit fragmentation, even  local  one),  want  (do

              PMTU  discovery, fragment locally when packet size is large), or

              dont (do not set DF flag).

       -N nodeinfo_option

              ping6 only.  Send ICMPv6  Node  Information  Queries  (RFC4620),

              instead of Echo Request.

              help   Show help for NI support.

              name   Queries for Node Names.

              ipv6   Queries  for  IPv6 Addresses. There are several IPv6 spe‐

                     cific flags.

                     ipv6-global

                            Request IPv6 global-scope addresses.

                     ipv6-sitelocal

                            Request IPv6 site-local addresses.

                     ipv6-linklocal

                            Request IPv6 link-local addresses.

                     ipv6-all

                            Request IPv6 addresses on other interfaces.

              ipv4   Queries for IPv4 Addresses.  There is one  IPv4  specific

                     flag.

                     ipv4-all

                            Request IPv4 addresses on other interfaces.

              subject-ipv6=ipv6addr

                     IPv6 subject address.

             subject-ipv4=ipv4addr

                     IPv4 subject address.

              subject-name=nodename

                     Subject  name.   If it contains more than one dot, fully-

                     qualified domain name is assumed.

              subject-fqdn=nodename

                     Subject name.   Fully-qualified  domain  name  is  always

                     assumed.

       -n     Numeric output only.  No attempt will be made to lookup symbolic

              names for host addresses.

       -O     Report outstanding ICMP ECHO reply before sending  next  packet.

              This is useful together with the timestamp -D to log output to a

              diagnostic file and search for missing answers.

       -p pattern

              You may specify up to 16 ``pad‘‘ bytes to fill  out  the  packet

              you send.  This is useful for diagnosing data-dependent problems

              in a network.  For example, -p ff will cause the sent packet  to

              be filled with all ones.

       -q     Quiet  output.  Nothing is displayed except the summary lines at

              startup time and when finished.

       -Q tos Set Quality of Service -related bits in ICMP datagrams.  tos can

              be decimal (ping only) or hex number.

              In RFC2474, these fields are interpreted as 8-bit Differentiated

              Services (DS), consisting of: bits 0-1 (2 lowest bits) of  sepa‐

              rate  data, and bits 2-7 (highest 6 bits) of Differentiated Ser‐

              vices Codepoint (DSCP).  In RFC2481 and RFC3168,  bits  0-1  are

              used for ECN.

              Historically  (RFC1349, obsoleted by RFC2474), these were inter‐

              preted as: bit 0 (lowest  bit)  for  reserved  (currently  being

              redefined  as  congestion  control), 1-4 for Type of Service and

            bits 5-7 (highest bits) for Precedence.

       -r     Bypass the normal routing tables and send directly to a host  on

              an  attached  interface.   If  the  host  is  not on a directly-

              attached network, an error is returned.  This option can be used

              to  ping  a  local  host  through an interface that has no route

              through it provided the option -I is also used.

       -R     ping only.  Record route.  Includes the RECORD_ROUTE  option  in

              the  ECHO_REQUEST  packet  and  displays  the  route  buffer  on

              returned packets.  Note that the IP header is only large  enough

              for nine such routes.  Many hosts ignore or discard this option.

       -s packetsize

              Specifies  the  number of data bytes to be sent.  The default is

              56, which translates into 64 ICMP data bytes when combined  with

              the 8 bytes of ICMP header data.

       -S sndbuf

              Set  socket  sndbuf.  If not specified, it is selected to buffer

              not more than one packet.

    -t ttl ping only.  Set the IP Time to Live.

       -T timestamp option

              Set special IP  timestamp  options.   timestamp  option  may  be

              either  tsonly  (only  timestamps),  tsandaddr  (timestamps  and

              addresses) or tsprespec host1 [host2 [host3 [host4]]] (timestamp

              prespecified hops).

       -U     Print  full  user-to-user  latency (the old behaviour). Normally

              ping prints network round trip time, which can be different f.e.

              due to DNS failures.

       -v     Verbose output.

       -V     Show version and exit.

       -w deadline

              Specify  a  timeout, in seconds, before ping exits regardless of

              how many packets have been sent or received. In this  case  ping

              does  not  stop after count packet are sent, it waits either for

              deadline expire or until count probes are answered or  for  some

              error notification from network.

       -W timeout

              Time to wait for a response, in seconds. The option affects only

              timeout in absence of any responses, otherwise  ping  waits  for

              two RTTs.

       When  using  ping  for  fault  isolation, it should first be run on the

       local host, to verify that the local network interface is up  and  run‐

       ning.  Then,  hosts  and  gateways  further  and further away should be

       ``pinged‘‘. Round-trip times and packet loss statistics  are  computed.

       If  duplicate packets are received, they are not included in the packet

       loss calculation, although the round trip time of these packets is used

       in  calculating  the  minimum/average/maximum  round-trip time numbers.

       When the specified number of packets have been sent (and  received)  or

       if  the  program  is  terminated with a SIGINT, a brief summary is dis‐

       played. Shorter current statistics can be obtained without  termination

       of process with signal SIGQUIT.

       If  ping  does  not  receive any reply packets at all it will exit with

       code 1. If a packet count and deadline are both  specified,  and  fewer

       than  count  packets are received by the time the deadline has arrived,

       it will also exit with code 1.  On other error it exits  with  code  2.

       Otherwise  it exits with code 0. This makes it possible to use the exit

       code to see if a host is alive or not.

       This program is intended for use in network  testing,  measurement  and

       management.   Because  of  the load it can impose on the network, it is

       unwise to use ping during normal operations or from automated scripts.

ICMP PACKET DETAILS

       An IP header without options is 20 bytes.  An ICMP ECHO_REQUEST  packet

       contains  an  additional  8  bytes  worth of ICMP header followed by an

       arbitrary amount of data.  When a packetsize is given,  this  indicated

       the  size  of  this  extra  piece of data (the default is 56). Thus the

       amount of data received inside of an IP packet of type ICMP  ECHO_REPLY

       will  always  be  8  bytes more than the requested data space (the ICMP

       header).

       If the data space is at least of size of struct timeval ping  uses  the

       beginning  bytes  of this space to include a timestamp which it uses in

       the computation of round trip times.  If the data space is shorter,  no

       round trip times are given.

DUPLICATE AND DAMAGED PACKETS

       ping  will  report  duplicate  and  damaged packets.  Duplicate packets

       should never occur, and seem to be caused by  inappropriate  link-level

       retransmissions.   Duplicates  may  occur  in  many  situations and are

       rarely (if ever) a good sign, although the presence of  low  levels  of

       duplicates may not always be cause for alarm.

       Damaged  packets  are obviously serious cause for alarm and often indi‐

       cate broken hardware somewhere in the ping packet‘s path (in  the  net‐

       work or in the hosts).

TRYING DIFFERENT DATA PATTERNS

       The (inter)network layer should never treat packets differently depend‐

       ing on the data contained in the data  portion.   Unfortunately,  data-

       dependent  problems  have  been known to sneak into networks and remain

       undetected for long periods of time.  In many cases the particular pat‐

       tern  that will have problems is something that doesn‘t have sufficient

       ``transitions‘‘, such as all ones or all zeros, or a pattern  right  at

       the  edge,  such  as  almost all zeros.  It isn‘t necessarily enough to

       specify a data pattern of all zeros (for example) on the  command  line

       because  the pattern that is of interest is at the data link level, and

       the relationship between what you type and what the controllers  trans‐

       mit can be complicated.

       This  means that if you have a data-dependent problem you will probably

       have to do a lot of testing to find it.  If you are lucky, you may man‐

       age  to  find  a  file that either can‘t be sent across your network or

       that takes much longer to transfer than  other  similar  length  files.

       You  can then examine this file for repeated patterns that you can test

       using the -p option of ping.

TTL DETAILS

       The TTL value of an IP packet  represents  the  maximum  number  of  IP

       routers  that  the  packet can go through before being thrown away.  In

       current practice you can expect each router in the Internet  to  decre‐

       ment the TTL field by exactly one.

       The  TCP/IP  specification  states  that  the TTL field for TCP packets

       should be set to 60, but many systems use smaller values (4.3 BSD  uses

       30, 4.2 used 15).

   The  maximum possible value of this field is 255, and most Unix systems

       set the TTL field of ICMP ECHO_REQUEST packets to 255.  This is why you

       will  find  you  can  ``ping‘‘ some hosts, but not reach them with tel‐

       net(1) or ftp(1).

       In normal operation ping prints  the  TTL  value  from  the  packet  it

       receives.   When  a remote system receives a ping packet, it can do one

       of three things with the TTL field in its response:

       · Not change it; this is what Berkeley  Unix  systems  did  before  the

         4.3BSD  Tahoe  release.  In  this  case the TTL value in the received

         packet will be 255 minus the number  of  routers  in  the  round-trip

         path.

       · Set  it  to  255;  this is what current Berkeley Unix systems do.  In

         this case the TTL value in the received packet will be 255 minus  the

         number  of  routers in the path from the remote system to the pinging

         host.

       · Set it to some other value. Some machines use the same value for ICMP

         packets  that  they use for TCP packets, for example either 30 or 60.

         Others may use completely wild values.

BUGS

       · Many Hosts and Gateways ignore the RECORD_ROUTE option.

       · The  maximum  IP  header  length  is  too  small  for  options   like

         RECORD_ROUTE to be completely useful.  There‘s not much that that can

         be done about this, however.

       · Flood pinging is not recommended in general, and  flood  pinging  the

         broadcast  address  should  only be done under very controlled condi‐

         tions.

SEE ALSO

       netstat(1), ifconfig(8).

HISTORY

       The ping command appeared in 4.3BSD.

       The version described here is its descendant specific to Linux.

SECURITY

       ping requires CAP_NET_RAW capability to be executed. It may be used  as

       set-uid root.

AVAILABILITY

       ping  is part of iputils package and the latest versions are  available

       in   source    form    at    http://www.skbuff.net/iputils/iputils-cur‐

       rent.tar.bz2.

[email protected]:~# ping 1.1.1.1 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1

[email protected]:~# ping 192.168.1 -c 1 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1

192.168.1.1

[email protected]:~# ifconfig sinterface | grep "inet addr" | cut -d ‘:‘ -f 2 | cut -d ":" -f 1| cut -d ‘.‘ -f 1-3

[email protected]:~# ifconfig eth0 | grep grep "inet addr" | cut -d ‘:‘ -f 2 | cut -d ":" -f 1| cut -d ‘.‘ -f 1-31

╭────────────────────────────────────────────╮

[pinger1.py]

#!/bin/bash

if{"#$" -ne 1};then

  echo "Usage - ./pinger.sh {/24 network address}"

  echo "Example - ./pinger.sh 172.16.36.0"

  echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network"

  exit

fi

prefix=$(echo $1 | cut -d ‘.‘ -f 1-3)

for addr in$(seq 1 254);do

  ping -c 1 Sprefix.Saddr | grep "bytes from" | cut -d ‘ ‘ -f 4 | cut -d ‘.‘ -f 1 & 

done

╰────────────────────────────────────────────╯

[email protected]:~# chmod u+x pinger

[email protected]:~# chmod u+x pinger.sh

[email protected]:~# ./pinger.sh

[email protected]:~# ./pinger.sh 211.144.145.0

╋━━━━━━━━━━━━━━━━━━━━━━╋

┃发现-----三层发现                           ┃

┃Scapy                                       ┃                                  

┃  OSI多层堆叠手工声称ICMP包-----IP/ICMP     ┃

┃  ip=IP()                                   ┃

┃  ip.ds="1.1.1.1"                           ┃

┃  ping=ICMP()                               ┃

┃  a=sr1(ip/ping)                            ┃

┃  a.display()                               ┃

┃Ping不存在的地址                            ┃

┃    a=sr1(ip/ping.timeout=1)                ┃

┃                                            ┃

┃  a=sr1(IP(dst="1.1.1.1")/ICMP(),timeout=1) ┃

╋━━━━━━━━━━━━━━━━━━━━━━╋

[email protected]:~# scapy

WARNING: No route found for IPv6 destination :: (no default route?)

Welcome to Scapy (2.2.0)

>>> i=IP()

>>> p=ICMP()

>>> ping=(i/p)

>>> ping.display()

###[ IP ]###

  version= 4

  ihl= None

  tos= 0x0

  len= None

  id= 1

  flags= 

  frag= 0

  ttl= 64

  proto= icmp

  chksum= None

  src= 127.0.0.1

  dst= 127.0.0.1

  \options\

###[ ICMP ]###

     type= echo-request

     code= 0

     chksum= None

     id= 0x0

     seq= 0x0

>>> ping[IP].dst="192.168.1.1"

>>> ping.display()

###[ IP ]###

  version= 4

  ihl= None

  tos= 0x0

  len= None

  id= 1

  flags= 

  frag= 0

  ttl= 64

  proto= icmp

  chksum= None

  src= 192.168.77.129

  dst= 192.168.1.1

  \options\

###[ ICMP ]###

     type= echo-request

     code= 0

     chksum= None

     id= 0x0

     seq= 0x0

>>> a=sr1(ping)

Begin emission:

.Finished to send 1 packets.

*

Received 2 packets, got 1 answers, remaining 0 packets

>>> a.display()

###[ IP ]###

  version= 4L

  ihl= 5L

  tos= 0x0

  len= 28

  id= 63695

  flags= 

  frag= 0L

  ttl= 128

  proto= icmp

  chksum= 0x723e

  src= 192.168.1.1

  dst= 192.168.77.129

  \options\

###[ ICMP ]###

     type= echo-reply

     code= 0

     chksum= 0xffff

     id= 0x0

     seq= 0x0

###[ Padding ]###

        load= ‘\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00‘

>>> sr1(IP(dst="192.168.1.1")/ICMP())

Begin emission:

.Finished to send 1 packets.

*

Received 2 packets, got 1 answers, remaining 0 packets

<IP  version=4L ihl=5L tos=0x0 len=28 id=63719 flags= frag=0L ttl=128 proto=icmp chksum=0x7226 src=192.168.1.1 dst=192.168.77.129 options=[] |<ICMP  type=echo-reply code=0 chksum=0xffff id=0x0 seq=0x0 |<Padding  load=‘\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00‘ |>>>

>>> sr1(IP(dst="192.168.1.11")/ICMP())

Begin emission:

Finished to send 1 packets.

*

Received 1 packets, got 1 answers, remaining 0 packets

<IP  version=4L ihl=5L tos=0x0 len=56 id=63720 flags= frag=0L ttl=128 proto=icmp chksum=0x71a5 src=192.168.1.101 dst=192.168.77.129 options=[] |<ICMP  type=dest-unreach code=host-unreachable chksum=0xfcfe unused=0 |<IPerror  version=4L ihl=5L tos=0x0 len=28 id=17594 flags= frag=0L ttl=63 proto=icmp chksum=0x674a src=192.168.77.129 dst=192.168.1.11 options=[] |<ICMPerror  type=echo-request code=0 chksum=0xf7ff id=0x0 seq=0x0 |>>>>

>>> sr1(IP(dst="192.168.1.11")/ICMP(),timeout=1)

Begin emission:

.Finished to send 1 packets.

Received 1 packets, got 0 answers, remaining 1 packets

╭────────────────────────────────────────────╮

[pinger1.py]

#!/bin/bash

import logging

import subprocess

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

from scapy.all import *

if len(sys.argv)1=2;

  echo "Usage - ./pinger.sh {/24 network address}"

  echo "Example - ./pinger.sh 172.16.36.0"

  echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network"

  sys.exit()

address=str(sys.argv[1])

prefix=address.split(‘.‘)[0]+‘.‘+address.split(‘.‘)[1]+‘.‘+address.split(‘.‘)[2]+‘.‘

for addr in range(1,254);

  a=sr1(IP(dst=prefix+str(addr)/ICMP().timeout=0.1,verbose=0)

if a==None;

    pass

else:

    print prefix+str(addr)

╰────────────────────────────────────────────╯

[email protected]:~# chmod u+x pinger1.sh

[email protected]:~# ./pinger1.sh

[email protected]:~# ./pinger1.sh 211.144.145.0

╭────────────────────────────────────────────╮

[pinger1.py]

#!/bin/bash

import logging

import subprocess

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

from scapy.all import *

if len(sys.argv)1=2;

  echo "Usage - ./pinger.sh {/24 network address}"

  echo "Example - ./pinger.sh 172.16.36.0"

  echo "Example will perform an ICMP ping sweep of the 172.16.36.0/24 network"

  sys.exit()

filename=str(sys.argv[1])

file=open(filename,‘|‘)

for addr in file;

  a=sr1(IP(dst=prefix+str(addr)/ICMP().timeout=0.1,verbose=0)

if a==None;

    pass

else:

    print addr.srtip()

╰────────────────────────────────────────────╯

[email protected]:~# ./pinger2.sh addr

[email protected]:~# nmap 192.168.1.1 -sn

╋━━━━━━━━━━━━━╋

┃发现-----三层发现         ┃

┃fping 1.1.1.1 -c 1        ┃

┃fping -g 1.1.1.1 1.1.2    ┃

┃fping -g 1.1.1.0/24       ┃

┃fping -f iplist.txt       ┃

╋━━━━━━━━━━━━━╋

fping的命令和参数详解

Usage: fping [options] [targets...]

用法:fping [选项] [ping的目标]

   -a         show targets that are alive

               显示可ping通的目标

   -A         show targets by address

               将目标以ip地址的形式显示

   -b n       amount of ping data to send, in bytes (default 56)

               ping 数据包的大小。(默认为56)

   -B f       set exponential backoff factor to f

               设置指数反馈因子到f 【这个不懂,求指教~】

   -c n       count of pings to send to each target (default 1)

                ping每个目标的次数 (默认为1)

   -C n       same as -c, report results in verbose format

                同-c, 返回的结果为冗长格式

   -e         show elapsed time on return packets

                显示返回数据包所费时间

   -f file    read list of targets from a file ( - means stdin) (only if no -g specified)

               从文件获取目标列表( - 表示从标准输入)(不能与 -g 同时使用)

   -g         generate target list (only if no -f specified)

               生成目标列表(不能与 -f 同时使用)

                (specify the start and end IP in the target list, or supply a IP netmask)

                (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)

                (可指定目标的开始和结束IP, 或者提供ip的子网掩码)

                (例:fping -g 192.168.1.0 192.168.1.255 或 fping -g 192.168.1.0/24)

   -H n       Set the IP TTL value (Time To Live hops)

                设置ip的TTL值 (生存时间)

   -i n       interval between sending ping packets (in millisec) (default 25)

               ping包之间的间隔(单位:毫秒)(默认25)

   -l         loop sending pings forever

              循环发送ping

   -m         ping multiple interfaces on target host

                ping目标主机的多个网口

   -n         show targets by name (-d is equivalent)

                将目标以主机名或域名显示(等价于 -d )

   -p n       interval between ping packets to one target (in millisec)

                对同一个目标的ping包间隔(毫秒)

                (in looping and counting modes, default 1000)

                (在循环和统计模式中,默认为1000)

   -q         quiet (don‘t show per-target/per-ping results)

               安静模式(不显示每个目标或每个ping的结果)

   -Q n       same as -q, but show summary every n seconds

               同-q, 但是每n秒显示信息概要

   -r n       number of retries (default 3)

               当ping失败时,最大重试次数(默认为3次)

   -s         print final stats

               打印最后的统计数据

   -I if      bind to a particular interface

              绑定到特定的网卡

   -S addr    set source address

                  设置源ip地址

   -t n       individual target initial timeout (in millisec) (default 500)

               单个目标的超时时间(毫秒)(默认500)

   -T n       ignored (for compatibility with fping 2.4)

                请忽略(为兼容fping 2.4)

   -u         show targets that are unreachable

                显示不可到达的目标

   -O n       set the type of service (tos) flag on the ICMP packets

                在icmp包中设置tos(服务类型)

   -v         show version

                显示版本号

   targets    list of targets to check (if no -f specified)

                需要ping的目标列表(不能和 -f 同时使用)

-h              show this page

                 显示本帮助页

[email protected]:~# fping 192.168.1.1 -c 1

[email protected]:~# fping 192.168.1.1 -c 10

[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1

[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1 | egrep -v 100%

[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1 | grep min/avg/max

[email protected]:~# fping 192.168.1.100 192.168.1.200 -c 1 >> result.txt

[email protected]:~# cat result.txt | grep min/avg/max

[email protected]:~# cat result.txt

[email protected]:~# fping 192.168.1.0/24

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

┃发现-----三层发现                                                               ┃

┃Hping                                                                           ┃

┃    能够发送几乎任意TCP/IP包                                                    ┃

┃    功能请发但每次只能扫描一个目标                                              ┃

┃hping3 1.1.1.1 --icmp -c 2                                                      ┃

┃for addr in $(seq 1 254);do hping3 1.1.1.$addr --icmp -c 1 >>handle.txt & done  ┃

╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋

[email protected]:~# hping3 192.168.1.1 --icmp -c 2

HPING 192.168.1.1 (eth0 192.168.1.1): icmp mode set, 28 headers + 0 data bytes

len=46 ip=192.168.1.1 ttl=128 id=63816 icmp_seq=0 rtt=8.4 ms

len=46 ip=192.168.1.1 ttl=128 id=63817 icmp_seq=1 rtt=3.2 ms

--- 192.168.1.1 hping statistic ---

2 packets transmitted, 2 packets received, 0% packet loss

round-trip min/avg/max = 3.2/5.8/8.4 ms

[email protected]:~# for addr in $(seq 1 254);do hping3 192.168.1.$addr --icmp -c 1 >>handle.txt & done

1] 8236

[2] 8237

[3] 8238

[4] 8239

[5] 8240

[6] 8241

[7] 8242

[8] 8243

[9] 8244

[10] 8245

[11] 8246

[12] 8247

......


[email protected]:~# cat handle.txt

HPING 1.1.1.4 (eth0 1.1.1.4): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.6 (eth0 1.1.1.6): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.3 (eth0 1.1.1.3): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.9 (eth0 1.1.1.9): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.11 (eth0 1.1.1.11): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.8 (eth0 1.1.1.8): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.5 (eth0 1.1.1.5): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.7 (eth0 1.1.1.7): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.12 (eth0 1.1.1.12): icmp mode set, 28 headers + 0 data bytes

HPING 1.1.1.2 (eth0 1.1.1.2): icmp mode set, 28 headers + 0 data bytes

......

[email protected]:~# cat handle.txt | grep ^len       //以这个行的启始位置

[email protected]:~# cat handle.txt | grep ^len

len=46 ip=192.168.1.1 ttl=128 id=63818 icmp_seq=0 rtt=45.0 ms

len=46 ip=192.168.1.101 ttl=128 id=63819 icmp_seq=0 rtt=38.2 ms

该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂


Security+认证为什么是互联网+时代最火爆的认证?


      牛妹先给大家介绍一下Security+

        Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。

       通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因?

        

       原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。

      目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。


       原因二: IT运维人员工作与翻身的利器。

       在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。


        原因三:接地气、国际范儿、考试方便、费用适中!

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

        在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。

 近期,安全牛课堂在做此类线上培训,感兴趣可以了解

本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1965017

以上是关于安全牛学习笔记主动信息收集-发现的主要内容,如果未能解决你的问题,请参考以下文章

安全牛学习笔记主动信息收集 - 发现

安全牛学习笔记主动信息收集-发现

安全牛学习笔记漏洞概念

安全牛学习笔记DNS信息收集-DIG

安全牛学习笔记主动探测

安全牛学习笔记DNS信息收集