Penettation testing with the bush Shell

1、  Network Reconnaissance

first we can use the command to gather the site information by whois

eg : whois -i mnt-by YAHOO-MNT

2 、dig to gather the DNS informstion

Dig is the essentially a DNS lookup Swiss Army

Using the wiget such as      dnsmap    for example   :  dns baidu.com      besides it ,   we often use other arguments  such as  :  dnsmap doman  -w  （指定参数列表）、  dnsmap doman -r（指定保存的结果文件）、dnsmap domain -c （指定保存的文件类型使用CSV格式）、  dnsmap domian -i （指定要遍历的IP范围）

3  、Enumerating targets on the local network

we can use the namp  to gathering the system information

namp  -sn   (the   switch   -sn tell the Nmap to use the ICMP protocol to determine whether the hosts in the mentioned range reachable )

another wiget is metasploit

4、 Stealth scanning with Scapy

fisrt   to demonstrate has SYN scan is performed .we craft  a SYN request using Scapy ,and identify the response associated with open port , closed port ,and noresponse system ,to scan a TCP SYN request to any given port ,we first need to build the layer of this  request  ,the first layer that we can construct is the IP layer

>>> i=IP()
>>> i.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None
  src= 127.0.0.1
  dst= 127.0.0.1
  \options\

>>> i.dst="192.168.142.170"
>>> i.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= hopopt
  chksum= None
  src= 192.168.142.181
  dst= 192.168.142.170
  \options\

>>> t=TCP()
>>> t.display()
###[ TCP ]###
  sport= ftp_data
  dport= http
  seq= 0
  ack= 0
  dataofs= None
  reserved= 0
  flags= S
  window= 8192
  chksum= None
  urgptr= 0
  options= []

>>> request=(i/t)
>>> request.display()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags=
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 192.168.142.181
  dst= 192.168.142.170
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= []

>>> response=sr1(request)
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> response.display()
###[ IP ]###
  version= 4
  ihl= 5
  tos= 0x0
  len= 44
  id= 0
  flags= DF
  frag= 0
  ttl= 64
  proto= tcp
  chksum= 0x9c1b
  src= 192.168.142.170
  dst= 192.168.142.181
  \options\
###[ TCP ]###
     sport= http
     dport= ftp_data
     seq= 383470489
     ack= 1
     dataofs= 6
     reserved= 0
     flags= SA
     window= 5840
     chksum= 0x7fbc
     urgptr= 0
     options= [('MSS', 1460)]
###[ Padding ]###
        load= '\x00\x00'

>>> sr1(IP(dst="192.168.142.170")/TCP(dport=80))
Begin emission:
Finished sending 1 packets.
*
Received 1 packets, got 1 answers, remaining 0 packets
<IP  version=4 ihl=5 tos=0x0 len=44 id=0 flags=DF frag=0 ttl=64 proto=tcp chksum=0x9c1b src=192.168.142.170 dst=192.168.142.181 options=[] |<TCP  sport=http dport=ftp_data seq=1571343895 ack=1 dataofs=6 reserved=0 flags=SA window=5840 chksum=0xb670 urgptr=0 options=[('MSS', 1460)] |<Padding  load='\x00\x00' |>>>
>>> response=sr1(IP(dst="192.168.142.170")/TCP(dport=4444))
Begin emission:
.Finished sending 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> response.display()
###[ IP ]###
  version= 4
  ihl= 5
  tos= 0x0
  len= 40
  id= 0
  flags= DF
  frag= 0
  ttl= 64
  proto= tcp
  chksum= 0x9c1f
  src= 192.168.142.170
  dst= 192.168.142.181
  \options\
###[ TCP ]###
     sport= 4444
     dport= ftp_data
     seq= 0
     ack= 1
     dataofs= 5
     reserved= 0
     flags= RA
     window= 0
     chksum= 0xffae
     urgptr= 0
     options= []
###[ Padding ]###
        load= '\x00\x00\x00\x00\x00\x00'

>>>