1、 Network Reconnaissance
first we can use the command to gather the site information by whois
eg : whois -i mnt-by YAHOO-MNT
2 、dig to gather the DNS informstion
Dig is the essentially a DNS lookup Swiss Army
Using the wiget such as dnsmap for example : dns baidu.com besides it , we often use other arguments such as : dnsmap doman -w (指定参数列表)、 dnsmap doman -r(指定保存的结果文件)、dnsmap domain -c (指定保存的文件类型使用CSV格式)、 dnsmap domian -i (指定要遍历的IP范围)
3 、Enumerating targets on the local network
we can use the namp to gathering the system information
namp -sn (the switch -sn tell the Nmap to use the ICMP protocol to determine whether the hosts in the mentioned range reachable )
another wiget is metasploit
4、 Stealth scanning with Scapy
fisrt to demonstrate has SYN scan is performed .we craft a SYN request using Scapy ,and identify the response associated with open port , closed port ,and noresponse system ,to scan a TCP SYN request to any given port ,we first need to build the layer of this request ,the first layer that we can construct is the IP layer
>>> i=IP()
>>> i.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 127.0.0.1
dst= 127.0.0.1
options
>>> i.dst="192.168.142.170"
>>> i.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= hopopt
chksum= None
src= 192.168.142.181
dst= 192.168.142.170
options
>>> t=TCP()
>>> t.display()
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= []
>>> request=(i/t)
>>> request.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.142.181
dst= 192.168.142.170
options
###[ TCP ]###
sport= ftp_data
dport= http
seq= 0
ack= 0
dataofs= None
reserved= 0
flags= S
window= 8192
chksum= None
urgptr= 0
options= []
>>> response=sr1(request)
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> response.display()
###[ IP ]###
version= 4
ihl= 5
tos= 0x0
len= 44
id= 0
flags= DF
frag= 0
ttl= 64
proto= tcp
chksum= 0x9c1b
src= 192.168.142.170
dst= 192.168.142.181
options
###[ TCP ]###
sport= http
dport= ftp_data
seq= 383470489
ack= 1
dataofs= 6
reserved= 0
flags= SA
window= 5840
chksum= 0x7fbc
urgptr= 0
options= [('MSS', 1460)]
###[ Padding ]###
load= 'x00x00'
>>> sr1(IP(dst="192.168.142.170")/TCP(dport=80))
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
<IP version=4 ihl=5 tos=0x0 len=44 id=0 flags=DF frag=0 ttl=64 proto=tcp chksum=0x9c1b src=192.168.142.170 dst=192.168.142.181 options=[] |<TCP sport=http dport=ftp_data seq=1571343895 ack=1 dataofs=6 reserved=0 flags=SA window=5840 chksum=0xb670 urgptr=0 options=[('MSS', 1460)] |<Padding load='x00x00' |>>>
>>> response=sr1(IP(dst="192.168.142.170")/TCP(dport=4444))
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> response.display()
###[ IP ]###
version= 4
ihl= 5
tos= 0x0
len= 40
id= 0
flags= DF
frag= 0
ttl= 64
proto= tcp
chksum= 0x9c1f
src= 192.168.142.170
dst= 192.168.142.181
options
###[ TCP ]###
sport= 4444
dport= ftp_data
seq= 0
ack= 1
dataofs= 5
reserved= 0
flags= RA
window= 0
chksum= 0xffae
urgptr= 0
options= []
###[ Padding ]###
load= 'x00x00x00x00x00x00'
>>>