李大同 (https://www.lidatong.com.cn/)

Penetration testing with the Bash shell

Published: 2020-12-15 23:01:53    Category: Security    Source: compiled from the web

1. Network Reconnaissance

First, gather registration information about the target with whois. Besides a plain lookup of a domain or IP address, the RIPE database supports inverse queries, which list every object that carries a given attribute value:

      e.g. whois -i mnt-by YAHOO-MNT

This returns all RIPE objects (address ranges, routes, contacts) maintained by the YAHOO-MNT maintainer, which is a quick way to map an organisation's address space.

2. dig to gather DNS information

dig is essentially the Swiss Army knife of DNS lookups.

A companion tool for brute-forcing subdomains is dnsmap, e.g. dnsmap baidu.com. Its commonly used options are: dnsmap domain -w <wordlist> (use your own wordlist instead of the built-in one), dnsmap domain -r <file> (save the results to a plain-text file), dnsmap domain -c <file> (save the results in CSV format), and dnsmap domain -i <ips> (comma-separated IP addresses to ignore, which filters out the false positives produced by wildcard DNS records).

3. Enumerating targets on the local network

We can use nmap to discover which hosts in a range are up:

      nmap -sn <target range>

The -sn switch disables port scanning and performs host discovery only: Nmap probes each address in the range (by default an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, or simply ARP requests when the targets share a local Ethernet segment with a privileged scanner) and reports the ones that answer.

Another tool that can do this is Metasploit.

4. Stealth scanning with Scapy

First, to demonstrate how a SYN scan is performed, we craft a SYN request with Scapy and identify the responses associated with an open port, a closed port and a non-responding host. To send a TCP SYN to a given port we first need to build the layers of the request; the first layer we construct is the IP layer.

    >>> i=IP()
    >>> i.display()
    ###[ IP ]###
      version= 4
      ihl= None
      tos= 0x0
      len= None
      id= 1
      flags= 
      frag= 0
      ttl= 64
      proto= hopopt
      chksum= None
      src= 127.0.0.1
      dst= 127.0.0.1
      options= []
    >>> i.dst="192.168.142.170"
    >>> i.display()
    ###[ IP ]###
      version= 4
      ihl= None
      tos= 0x0
      len= None
      id= 1
      flags= 
      frag= 0
      ttl= 64
      proto= hopopt
      chksum= None
      src= 192.168.142.181
      dst= 192.168.142.170
      options= []
    >>> t=TCP()
    >>> t.display()
    ###[ TCP ]###
      sport= ftp_data
      dport= http
      seq= 0
      ack= 0
      dataofs= None
      reserved= 0
      flags= S
      window= 8192
      chksum= None
      urgptr= 0
      options= []
    >>> request=(i/t)
    >>> request.display()
    ###[ IP ]###
      version= 4
      ihl= None
      tos= 0x0
      len= None
      id= 1
      flags= 
      frag= 0
      ttl= 64
      proto= tcp
      chksum= None
      src= 192.168.142.181
      dst= 192.168.142.170
      options= []
    ###[ TCP ]###
         sport= ftp_data
         dport= http
         seq= 0
         ack= 0
         dataofs= None
         reserved= 0
         flags= S
         window= 8192
         chksum= None
         urgptr= 0
         options= []
    >>> response=sr1(request)
    Begin emission:
    .Finished sending 1 packets.
    *
    Received 2 packets, got 1 answers, remaining 0 packets
    >>> response.display()
    ###[ IP ]###
      version= 4
      ihl= 5
      tos= 0x0
      len= 44
      id= 0
      flags= DF
      frag= 0
      ttl= 64
      proto= tcp
      chksum= 0x9c1b
      src= 192.168.142.170
      dst= 192.168.142.181
      options= []
    ###[ TCP ]###
         sport= http
         dport= ftp_data
         seq= 383470489
         ack= 1
         dataofs= 6
         reserved= 0
         flags= SA
         window= 5840
         chksum= 0x7fbc
         urgptr= 0
         options= [('MSS', 1460)]
    ###[ Padding ]###
            load= '\x00\x00'
    >>> sr1(IP(dst="192.168.142.170")/TCP(dport=80))
    Begin emission:
    Finished sending 1 packets.
    *
    Received 1 packets, got 1 answers, remaining 0 packets
    <IP  version=4 ihl=5 tos=0x0 len=44 id=0 flags=DF frag=0 ttl=64 proto=tcp chksum=0x9c1b src=192.168.142.170 dst=192.168.142.181 options=[] |<TCP  sport=http dport=ftp_data seq=1571343895 ack=1 dataofs=6 reserved=0 flags=SA window=5840 chksum=0xb670 urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00' |>>>
    >>> response=sr1(IP(dst="192.168.142.170")/TCP(dport=4444))
    Begin emission:
    .Finished sending 1 packets.
    *
    Received 2 packets, got 1 answers, remaining 0 packets
    >>> response.display()
    ###[ IP ]###
      version= 4
      ihl= 5
      tos= 0x0
      len= 40
      id= 0
      flags= DF
      frag= 0
      ttl= 64
      proto= tcp
      chksum= 0x9c1f
      src= 192.168.142.170
      dst= 192.168.142.181
      options= []
    ###[ TCP ]###
         sport= 4444
         dport= ftp_data
         seq= 0
         ack= 1
         dataofs= 5
         reserved= 0
         flags= RA
         window= 0
         chksum= 0xffae
         urgptr= 0
         options= []
    ###[ Padding ]###
            load= '\x00\x00\x00\x00\x00\x00'

Reading the replies: the probe to port 80 came back with flags= SA (SYN/ACK) and ack= 1, i.e. our seq= 0 plus one, so the port is open; the probe to port 4444 came back with flags= RA (RST/ACK), so the port is closed. A port that answers nothing within the timeout is either filtered by a firewall or on a host that is down, so give sr1() a timeout argument in real use, otherwise it waits indefinitely for a reply that never comes. Because we never send the third packet of the handshake, our own kernel, which knows nothing about this connection, answers the SYN/ACK with a RST; that is what keeps the scan half-open and is the reason it is called a stealth scan.
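As an added example (not code from the page or from the book it summarises), the following Python builds the same SYN probe by hand, without Scapy: it packs the IPv4 and TCP headers, computes both checksums (including the TCP pseudo-header), and classifies the reply the way the session above does (SYN/ACK is open, RST/ACK is closed, no reply is filtered or down). It assumes the page's lab addresses 192.168.142.181 and 192.168.142.170, uses source port 20 to mirror Scapy's ftp_data default, and its function names are the example's own. Sending the probe needs a raw socket, hence root; the builders and the classifier run without any network.

```python
"""Hand-built TCP SYN probe and reply classifier (added example, not the page's code).

Does by hand what Scapy's IP()/TCP() layering does: builds the IPv4 and TCP
headers, fills in the checksums, and interprets the reply like a SYN scan.
Assumed lab addresses: 192.168.142.181 (scanner) -> 192.168.142.170 (target).
"""
import socket
import struct
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_header(src: str, dst: str, payload_len: int, ident: int = 1, ttl: int = 64) -> bytes:
    """20-byte IPv4 header carrying TCP, checksum filled in (what Scapy's IP() does)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_header(src: str, dst: str, sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 8192) -> bytes:
    """20-byte TCP header; the checksum also covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IP/TCP SYN probe, the equivalent of Scapy's IP(dst=...)/TCP(dport=...)."""
    tcp = build_tcp_header(src, dst, sport, dport, SYN)
    return build_ip_header(src, dst, len(tcp)) + tcp


def parse_tcp_ip(pkt: bytes) -> dict:
    """Extract the fields a scanner needs from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True when the TCP checksum of a raw IPv4/TCP packet verifies."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


def classify(reply: Optional[bytes], probe_seq: int = 0) -> str:
    """Interpret a reply (or its absence) exactly as a SYN scan does."""
    if reply is None:
        return "filtered-or-down"       # no answer: dropped by a firewall or host down
    hdr = parse_tcp_ip(reply)
    if hdr["flags"] & RST:
        return "closed"                 # RST (normally RST/ACK, flags= RA in Scapy)
    if hdr["flags"] & SYN and hdr["flags"] & ACK and hdr["ack"] == probe_seq + 1:
        return "open"                   # SYN/ACK (flags= SA) acknowledging our SYN
    return "unexpected"


def syn_probe(src: str, dst: str, dport: int, sport: int = 20, timeout: float = 2.0) -> Optional[bytes]:
    """Send the hand-built SYN on a raw socket (root required) and wait for the reply.

    We never send the third handshake packet; the kernel, which knows nothing about
    this connection, answers the SYN/ACK with its own RST, so the scan stays half-open.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # we supply the IP header
    s.settimeout(timeout)
    try:
        s.sendto(build_syn(src, dst, sport, dport), (dst, 0))
        while True:
            data, _ = s.recvfrom(65535)
            hdr = parse_tcp_ip(data)
            if hdr["src"] == dst and hdr["sport"] == dport and hdr["dport"] == sport:
                return data
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    for port in (80, 4444):
        print(port, classify(syn_probe("192.168.142.181", "192.168.142.170", port)))
```

The classifier checks the acknowledgement number as well as the flags: a genuine SYN/ACK must acknowledge our initial sequence number plus one, which is the cheapest way to tell a real answer from stray traffic arriving on the raw socket.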

(Editor: 李大同)

