碳基体

A security girl working on the front line of product security

II. Applications of TCP/IP Packet Analysis: Port Scanning

Previously: I. TCP/IP Packet Basics


Port scanning is the main means of asset identification in a network security assessment. Asset identification and assessment run in three steps: host discovery (is the host alive), service identification (open-port probing plus fingerprint matching) and vulnerability identification.


Port scanning techniques

1. TCP connect scan

Launch the nmap scan (-P0 is the older spelling of -Pn: skip host discovery and probe the target directly; no root is needed for a connect scan):

nmap -sT -P0 xxx.xxx.xxx.xxx


Open port example

python print_pcap.py --pcapfile=data/tcpconnect.pcap --assetip=xxx.xxx.xxx.xxx --assetport=80


[TCP][1500226472.882017-07-16 17:34:32]10.0.0.7:50335(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=3955688181ACK=0FLAGS=['SYN']WIN=65535DATA=ttl=255DATA_BINARY=LEN=0

[TCP][1500226473.162017-07-16 17:34:33]xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c) ----->10.0.0.7:50335(98:01:a7:9e:dd:c1)SEQ=2321344633ACK=3955688182FLAGS=['ACK', 'SYN']WIN=14480DATA=ttl=49DATA_BINARY=LEN=0

[TCP][1500226473.162017-07-16 17:34:33]10.0.0.7:50335(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=3955688182ACK=2321344634FLAGS=['ACK']WIN=4120DATA=ttl=255DATA_BINARY=LEN=0

[TCP][1500226473.162017-07-16 17:34:33]10.0.0.7:50335(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=3955688182ACK=2321344634FLAGS=['ACK', 'RST']WIN=4120DATA=ttl=255DATA_BINARY=LEN=0


Closed port example

python print_pcap.py --pcapfile=data/pcap_private/portscan/tcpconnect.pcap --assetip=xxx.xxx.xxx.xxx --assetport=21

[TCP][1500226472.892017-07-16 17:34:32]10.0.0.7:50342(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c)SEQ=1007191068ACK=0FLAGS=['SYN']WIN=65535DATA=ttl=255DATA_BINARY=LEN=0

[TCP][1500226473.172017-07-16 17:34:33]xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c) ----->10.0.0.7:50342(98:01:a7:9e:dd:c1)SEQ=0ACK=1007191069FLAGS=['ACK', 'RST']WIN=0DATA=ttl=49DATA_BINARY=LEN=0


Principle: a TCP connect scan goes through the operating system's connect() call, so it completes the full three-way handshake and needs no raw-socket privilege. If the port is open, the target answers the SYN with SYN+ACK, the scanner completes the handshake with an ACK and then tears the connection down, which is the ACK+RST seen in the listing above. If the port is closed, the target answers the SYN with RST+ACK and no connection is established. Because a full connection is made, the target's service sees (and may log) the scanner's connection attempt.


2. TCP SYN scan

Launch the nmap scan (raw SYN probes need a raw socket, hence sudo):

sudo nmap -sS -P0 xxx.xxx.xxx.xxx


Open port example

python print_pcap.py --pcapfile=data/pcap_private/portscan/tcpsyn.pcap --assetip=xxx.xxx.xxx.xxx --assetport=80


[TCP][1500227733.662017-07-16 17:55:33]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=2674946894ACK=0FLAGS=['SYN']WIN=1024DATA=ttl=52DATA_BINARY=LEN=0

[TCP][1500227733.952017-07-16 17:55:33]xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c) ----->10.0.0.7:56684(98:01:a7:9e:dd:c1)SEQ=355536423ACK=2674946895FLAGS=['ACK', 'SYN']WIN=14600DATA=ttl=49DATA_BINARY=LEN=0

[TCP][1500227733.952017-07-16 17:55:33]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=2674946895ACK=0FLAGS=['RST']WIN=0DATA=ttl=64DATA_BINARY=LEN=0


Closed port example

python print_pcap.py --pcapfile=data/pcap_private/portscan/tcpsyn.pcap --assetip=xxx.xxx.xxx.xxx --assetport=21


[TCP][1500227732.972017-07-16 17:55:32]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c)SEQ=2674946894ACK=0FLAGS=['SYN']WIN=1024DATA=ttl=48DATA_BINARY=LEN=0

[TCP][1500227733.642017-07-16 17:55:33]xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c) ----->10.0.0.7:56684(98:01:a7:9e:dd:c1)SEQ=0ACK=2674946895FLAGS=['ACK', 'RST']WIN=0DATA=ttl=49DATA_BINARY=LEN=0


Principle: the only difference from the connect scan is that when the target answers SYN+ACK, the scanner replies with a bare RST instead of completing the handshake, which is why this is called a half-open scan. As before, an open port answers SYN+ACK and a closed port answers RST+ACK. Because nmap builds the SYN itself on a raw socket, the RST is not sent by nmap but by the scanner's kernel, which receives a SYN+ACK for which no socket exists. The capture shows this: the SYN probes carry ttl=52 and ttl=48 (nmap randomises the TTL of its raw probes), while the RST carries the kernel's default ttl=64. The same reasoning explains why the SYN scan, unlike the connect scan, never shows up as an accepted connection on the target service.

A SYN scan also lets you choose the source port and add decoy sources. Note what the command below actually does: --source-port 80 sets the source port of the real probes, and -D 1.2.3.4 does not replace the scanner's address but sends a parallel decoy scan that appears to come from 1.2.3.4 alongside the real one (nmap places the real address at a random position among the decoys unless ME is given). Genuinely spoofing the source address is the -S option (usually together with -e to name the interface), but then the SYN+ACK and RST replies are sent to the spoofed host and the scanner never sees them, so it is only useful when another vantage point observes the replies, as the idle scan (-sI) does.

sudo nmap --source-port 80 -D 1.2.3.4 -sS -P0 xxx.xxx.xxx.xxx
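To make the two decision rules above mechanical, here is an added example (my code, not code from the original post or from print_pcap.py) that parses the print_pcap.py output lines shown in the listings, groups them into conversations and reports each probed port as open, closed or unanswered, and tells a connect scan from a SYN scan by whether the scanner sent a bare ACK before its RST. It assumes the line format stays as in the listings above; the port-22 line in the SYN sample is constructed to show a probe that gets no reply.

```python
"""Classify TCP port-scan conversations from print_pcap.py-style lines.

Added example; not part of the original post or of print_pcap.py. The line
format is taken from the listings above and the regex assumes it is stable.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"\[TCP\]\[[^\]]*\]"                                   # [TCP][timestamp]
    r"(?P<src>[\w.]+):(?P<sport>\d+)\([0-9a-f:]+\)\s*-+>"  # src:port(mac) ----->
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\([0-9a-f:]+\)"        # dst:port(mac)
    r"SEQ=\d+ACK=\d+FLAGS=\[(?P<flags>[^\]]*)\]"           # FLAGS=['ACK', 'SYN']
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    flags = frozenset(re.findall(r"[A-Z]+", m.group("flags")))
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), flags)


def classify(lines, scanner_ip):
    """Map (target_ip, target_port) -> (state, technique).

    state:     'open' (target sent SYN+ACK), 'closed' (target sent RST),
               'no-response' (our SYN was never answered; nmap reports this
               as filtered once its retransmissions are exhausted)
    technique: 'connect' if the scanner completed the handshake with a bare
               ACK before tearing down, 'syn' if it answered SYN+ACK with an
               RST only, None when there was no SYN+ACK to react to
    """
    convs = defaultdict(list)   # (scanner, sport, target, dport) -> [(dir, flags)]
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        if src == scanner_ip:
            convs[(src, sport, dst, dport)].append(("out", flags))
        else:
            convs[(dst, dport, src, sport)].append(("in", flags))

    results = {}
    for (_, _, target, port), pkts in convs.items():
        if not any(d == "out" and f == {"SYN"} for d, f in pkts):
            continue            # not a probe we originated
        state, technique = "no-response", None
        for i, (d, f) in enumerate(pkts):
            if d != "in":
                continue
            if {"SYN", "ACK"} <= f:
                state = "open"
                after = [g for dd, g in pkts[i + 1:] if dd == "out"]
                technique = "connect" if {"ACK"} in after else "syn"
                break
            if "RST" in f:
                state = "closed"
                break
        results[(target, port)] = (state, technique)
    return results


# Sample input copied from the connect-scan listings above.
CONNECT_SCAN = [
    "[TCP][1500226472.882017-07-16 17:34:32]10.0.0.7:50335(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=3955688181ACK=0FLAGS=['SYN']WIN=65535DATA=ttl=255DATA_BINARY=LEN=0",
    "[TCP][1500226473.162017-07-16 17:34:33]xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c) ----->10.0.0.7:50335(98:01:a7:9e:dd:c1)SEQ=2321344633ACK=3955688182FLAGS=['ACK', 'SYN']WIN=14480DATA=ttl=49DATA_BINARY=LEN=0",
    "[TCP][1500226473.162017-07-16 17:34:33]10.0.0.7:50335(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=3955688182ACK=2321344634FLAGS=['ACK']WIN=4120DATA=ttl=255DATA_BINARY=LEN=0",
    "[TCP][1500226473.162017-07-16 17:34:33]10.0.0.7:50335(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=3955688182ACK=2321344634FLAGS=['ACK', 'RST']WIN=4120DATA=ttl=255DATA_BINARY=LEN=0",
    "[TCP][1500226472.892017-07-16 17:34:32]10.0.0.7:50342(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c)SEQ=1007191068ACK=0FLAGS=['SYN']WIN=65535DATA=ttl=255DATA_BINARY=LEN=0",
    "[TCP][1500226473.172017-07-16 17:34:33]xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c) ----->10.0.0.7:50342(98:01:a7:9e:dd:c1)SEQ=0ACK=1007191069FLAGS=['ACK', 'RST']WIN=0DATA=ttl=49DATA_BINARY=LEN=0",
]

# Sample input copied from the SYN-scan listings above; the port-22 probe is
# constructed to show a SYN that never gets an answer.
SYN_SCAN = [
    "[TCP][1500227733.662017-07-16 17:55:33]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=2674946894ACK=0FLAGS=['SYN']WIN=1024DATA=ttl=52DATA_BINARY=LEN=0",
    "[TCP][1500227733.952017-07-16 17:55:33]xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c) ----->10.0.0.7:56684(98:01:a7:9e:dd:c1)SEQ=355536423ACK=2674946895FLAGS=['ACK', 'SYN']WIN=14600DATA=ttl=49DATA_BINARY=LEN=0",
    "[TCP][1500227733.952017-07-16 17:55:33]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:80(e0:46:9a:62:69:7c)SEQ=2674946895ACK=0FLAGS=['RST']WIN=0DATA=ttl=64DATA_BINARY=LEN=0",
    "[TCP][1500227732.972017-07-16 17:55:32]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c)SEQ=2674946894ACK=0FLAGS=['SYN']WIN=1024DATA=ttl=48DATA_BINARY=LEN=0",
    "[TCP][1500227733.642017-07-16 17:55:33]xxx.xxx.xxx.xxx:21(e0:46:9a:62:69:7c) ----->10.0.0.7:56684(98:01:a7:9e:dd:c1)SEQ=0ACK=2674946895FLAGS=['ACK', 'RST']WIN=0DATA=ttl=49DATA_BINARY=LEN=0",
    "[TCP][1500227733.662017-07-16 17:55:33]10.0.0.7:56684(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:22(e0:46:9a:62:69:7c)SEQ=2674946894ACK=0FLAGS=['SYN']WIN=1024DATA=ttl=50DATA_BINARY=LEN=0",
]

if __name__ == "__main__":
    for name, sample in (("connect", CONNECT_SCAN), ("syn", SYN_SCAN)):
        for (ip, port), (state, tech) in sorted(classify(sample, "10.0.0.7").items()):
            print(f"{name:8s} {ip}:{port:<5d} {state:12s} {tech}")
```

The same grouping works on a live capture: feed it every TCP line of a print_pcap.py run and the scanner's address, and the "technique" column tells you from the packets alone whether the scanner completed handshakes (connect, visible to the service) or only half-opened them (SYN).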


3. UDP scan

sudo nmap -sU -P0 209.141.37.81

Open port example

python print_pcap.py --pcapfile=data/pcap_private/portscan/udp.pcap --assetport=500


[UDP]   [1500285744.54  2017-07-17 10:02:24]    172.18.24.97:63816(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:500(58:f3:9c:51:83:c7)        ttl=53  DATA_BINARY=00 11 22 33 44 55 66 77 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 c0 00 00 00 a4 00 00 00 01 00 00 00 01 00 00 00 98 01 01 00 04 03 00 00 24 01 01 00 00 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 03 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 03 00 00 24 03 01 00 00 80 01 00 01 80 02 00 02 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01 00 00 00 24 04 01 00 00 80 01 00 01 80 02 00 01 80 03 00 01 80 04 00 02 80 0b 00 01 00 0c 00 04 00 00 00 01     LEN=192

[UDP]   [1500285744.7   2017-07-17 10:02:24]    xxx.xxx.xxx.xxx:500(58:f3:9c:51:83:c7) ----->172.18.24.97:63816(98:01:a7:9e:dd:c1)        ttl=43  DATA_BINARY=00 11 22 33 44 55 66 77 71 db bb 63 e8 d1 a9 86 01 10 02 00 00 00 00 00 00 00 00 70 0d 00 00 34 00 00 00 01 00 00 00 01 00 00 00 28 01 01 00 01 00 00 00 20 01 01 00 00 80 01 00 05 80 02 00 02 80 04 00 02 80 03 00 01 80 0b 00 01 80 0c 00 01 0d 00 00 0c 09 00 26 89 df d6 b7 12 00 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00     LEN=112


Closed port example (only the outgoing probe is listed)

python print_pcap.py --pcapfile=data/pcap_private/portscan/udp.pcap --assetport=53

[UDP]   [1500286158.82  2017-07-17 10:09:18]    172.18.24.97:63816(98:01:a7:9e:dd:c1) ----->xxx.xxx.xxx.xxx:53(58:f3:9c:51:83:c7) ttl=49  DATA_BINARY=00 00 10 00 00 00 00 00 00 00 00 00 LEN=12


Principle: the scanner sends a UDP datagram whose payload is chosen by destination port (an ISAKMP header to udp/500, a DNS status request to udp/53 above) and judges the port by what comes back. Any UDP reply means open; an ICMP port unreachable (type 3, code 3) means closed; another ICMP unreachable (type 3, code 1, 2, 9, 10 or 13) means filtered; no reply at all means open|filtered, which is why nmap retransmits UDP probes and why UDP scans are slow (most hosts rate-limit ICMP errors). The closed-port listing above shows only the outgoing probe: an ICMP error carries no UDP port of its own, so a listing filtered on port 53 need not show it. To confirm that a port is really closed rather than open|filtered, look in the capture for the ICMP unreachable that quotes the original datagram.


During a UDP scan nmap takes the per-port payloads from its nmap-payloads file (nmap-service-probes is the separate probe table used by version detection, -sV), which is why the DATA_BINARY bytes above match those payloads byte for byte: the ISAKMP payload for udp/500 starts with the fixed initiator SPI 00 11 22 33 44 55 66 77, and the udp/53 payload is the 12-byte DNS status request 00 00 10 00 00 00 00 00 00 00 00 00.
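As an added example (my code, not from the original post, print_pcap.py or nmap), the following decodes the headers of the two UDP probes in the listing above and of the udp/500 reply, checks that the reply actually belongs to the probe (it echoes nmap's initiator SPI 0011223344556677 and fills in a responder SPI, and its length field agrees with the 112-byte datagram), and implements nmap's UDP state table including the cases the listing cannot show: an ICMP port unreachable for closed and silence for open|filtered. The hex constants are copied from the listing above; the header layouts follow RFC 2408 (ISAKMP) and RFC 1035 (DNS).

```python
"""Decode the UDP scan probes from the listing above and map replies to
nmap's UDP port states.

Added example; not part of the original post, of print_pcap.py or of nmap.
"""
import struct

# Copied from the listing above: ISAKMP probe to udp/500 (first 28 of 192
# bytes), its reply (first 28 of 112 bytes) and the 12-byte DNS probe to udp/53.
ISAKMP_PROBE_HDR = bytes.fromhex(
    "00 11 22 33 44 55 66 77 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 c0")
ISAKMP_PROBE_LEN = 192
ISAKMP_REPLY_HDR = bytes.fromhex(
    "00 11 22 33 44 55 66 77 71 db bb 63 e8 d1 a9 86 01 10 02 00 00 00 00 00 00 00 00 70")
ISAKMP_REPLY_LEN = 112
DNS_PROBE = bytes.fromhex("00 00 10 00 00 00 00 00 00 00 00 00")

ISAKMP_EXCHANGE = {1: "Base", 2: "Identity Protection (main mode)",
                   3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
DNS_OPCODE = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}


def parse_isakmp_header(data):
    """Parse the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    if len(data) < 28:
        raise ValueError("ISAKMP header needs 28 bytes")
    i_spi, r_spi, next_pl, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "next_payload": next_pl,                     # 1 = Security Association
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange_type": exch,
        "exchange_name": ISAKMP_EXCHANGE.get(exch, "unknown"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,                            # total ISAKMP message length
    }


def isakmp_reply_matches(probe_hdr, reply_hdr, reply_len):
    """True if reply_hdr is a plausible answer to probe_hdr: same initiator
    SPI, a responder SPI filled in, same version and a length field that
    agrees with the datagram actually received."""
    p, r = parse_isakmp_header(probe_hdr), parse_isakmp_header(reply_hdr)
    return (r["initiator_spi"] == p["initiator_spi"]
            and r["responder_spi"] != "00" * 8
            and r["version"] == p["version"]
            and r["length"] == reply_len)


def parse_dns_header(data):
    """Parse the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(data) < 12:
        raise ValueError("DNS header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    opcode = (flags >> 11) & 0xF
    return {"id": ident, "qr": flags >> 15, "opcode": opcode,
            "opcode_name": DNS_OPCODE.get(opcode, "reserved"),
            "rd": (flags >> 8) & 1, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def udp_port_state(udp_reply=None, icmp=None):
    """nmap's -sU decision table. icmp is the (type, code) of an ICMP error
    that quotes our probe, or None when nothing came back."""
    if udp_reply is not None:
        return "open"
    if icmp is not None:
        typ, code = icmp
        if typ == 3 and code == 3:
            return "closed"             # port unreachable
        if typ == 3 and code in (1, 2, 9, 10, 13):
            return "filtered"           # other unreachable / admin prohibited
    return "open|filtered"              # silence proves nothing


if __name__ == "__main__":
    print(parse_isakmp_header(ISAKMP_PROBE_HDR))
    print(parse_isakmp_header(ISAKMP_REPLY_HDR))
    print("reply matches probe:",
          isakmp_reply_matches(ISAKMP_PROBE_HDR, ISAKMP_REPLY_HDR, ISAKMP_REPLY_LEN))
    print(parse_dns_header(DNS_PROBE))
    print(udp_port_state(udp_reply=ISAKMP_REPLY_HDR), udp_port_state(icmp=(3, 3)),
          udp_port_state(icmp=(3, 13)), udp_port_state())
```

Decoding the probe also explains why nmap chose these bytes: the DNS payload has opcode 2 (STATUS) and no questions, so any resolver will answer it without needing a name, and the ISAKMP payload is a main-mode SA proposal (exchange type 2) that any IKE responder will answer with its own SPI, as the reply above does.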

Coming next: III. TCP/IP Protocol Analysis: MySQL Authentication Protocol


https://github.com/tanjiti/packet_analysis/blob/master/print_pcap.py

Source: 碳基体
