kali学习-主动信息收集

一. 简介

 

  • 直接与目标系统交互通信
  • 无法避免留下访问的痕迹
  • 使用受控的第三方电脑进行探测
    • 使用代理或已经被控制的主机
    • 做好被封杀的准备
    • 使用噪声迷惑目标,淹没真实的探测流量
  • 扫描
    • 发送不同的探测,根据返回结果判断目标状态
  • 识别或者的主机
    • 潜在的被攻击目标
  • 输出一个IP地址列表
  • 2、3、4层发现
  • 优点
    • 扫描速度快、可靠
  • 缺点
    • 不可路由
  • ARP协议 
    • 抓包分析

二. 主机发现

 1. 简介

2. 二层发现

2.1. arping

  1. 简介
    root@kali:~# arping
    Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
      -f : quit on first reply
      -q : be quiet
      -b : keep broadcasting, don't go unicast
      -D : duplicate address detection mode
      -U : Unsolicited ARP mode, update your neighbours
      -A : ARP answer mode, update your neighbours
      -V : print version and exit
      -c count : how many packets to send
      -w timeout : how long to wait for a reply
      -I device : which ethernet device to use
      -s source : source ip address
      destination : ask for what ip address
  2. # 发送包数量
    root@kali:~# arping 10.10.10.132 -c 1
    ARPING 10.10.10.132 from 10.10.10.131 eth0
    Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C]  1.130ms
    Sent 1 probes (1 broadcast(s))
    Received 1 response(s)

    # 重复地址检测模式
    root@kali:~# arping 10.10.10.132 -D
    ARPING 10.10.10.132 from 0.0.0.0 eth0
    Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C]  0.812ms
    Sent 1 probes (1 broadcast(s))
    Received 1 response(s)

    # 输出 MAC 地址
    root@kali:~# arping -c 1 10.10.10.132 | grep "reply from" | cut -d " " -f 5 | cut -d "[" -f 2 | cut -d "]" -f 1
    00:0C:29:D0:AB:2C

2.2. nmap

  1. 简介
    -sn: Ping扫描-禁用端口扫描
    -iL <inputfilename>: 来自主机/网络列表的输入
  2. 主机扫描
    # 指定 IP 地址范围
    root@kali:~# nmap 10.10.10.1-254 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00020s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00058s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00025s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00036s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.0032s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00014s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 2.01 seconds

    # 创建地址列表
    fo = open('/root/Desktop/ipaddr.txt','w')
    for i in range(1,255):
        fo.write('10.10.10.')
        fo.write(str(i))
        fo.write('\n')
    fo.close()

    # 扫描地址列表
    root@kali:~# nmap -iL ipaddr.txt -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:21 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00071s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.0021s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00047s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00089s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.00018s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00050s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 1.83 seconds

2.3. Netdiscover

  1. 简介
  • 专用于二层发现
  • 可用于无线和交换网络环境
  • 主动和被动探测
  • 使用帮助
    root@kali:~# netdiscover -h
    Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool]
    Written by: Jaime Penalba <jpenalbae@gmail.com>

    Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-c]
      -i device: 网络设备
      -r range: 指定 IP 扫描范围. 192.168.6.0/24,/16,/8
      -l file: 指定扫描 IP 地址文件
      -p passive mode: 不发送任何数据, 仅监听
      -m file: 扫描 MAC 地址列表
      -F filter: Customize pcap filter expression (default: "arp")
      -s time: time to sleep between each arp request (milliseconds)
      -n node: last ip octet used for scanning (from 2 to 253)
      -c count: number of times to send each arp reques (for nets with packet loss)
      -f enable fastmode scan, saves a lot of time, recommended for auto
      -d ignore home config files for autoscan and fast mode
      -S enable sleep time supression between each request (hardcore mode)
      -P print results in a format suitable for parsing by another program
      -N Do not print header. Only valid when -P is enabled.
      -L in parsable output mode (-P), continue listening after the active scan is completed
  1. 主机扫描
    -主动扫描
        # 指定地址扫描
        Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                                                                          
         6 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 360                                                                                     
         _____________________________________________________________________________
           IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
         -----------------------------------------------------------------------------
         10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.                                                                                     
         10.10.10.2      00:50:56:e1:24:a1      1      60  VMware, Inc.                                                                                     
         10.10.10.132    00:0c:29:d0:ab:2c      1      60  VMware, Inc.                                                                                     
         10.10.10.136    00:0c:29:35:6a:2d      1      60  VMware, Inc.                                                                                     
         10.10.10.137    00:50:56:21:d2:3a      1      60  VMware, Inc.                                                                                      
         10.10.10.254    00:50:56:e2:6b:78      1      60  VMware, Inc.

    # 指定地址列表扫描
        root@kali:~# netdiscover -l ipaddr.txt
        Currently scanning: 10.10.10.0/24   |   Screen View: Unique Hosts                                                                                   

    248 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 14880                                                                                
         _____________________________________________________________________________
           IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
         -----------------------------------------------------------------------------
         10.10.10.1      00:50:56:c0:00:08     42    2520  VMware, Inc.                                                                                     
         10.10.10.2      00:50:56:e1:24:a1     42    2520  VMware, Inc.                                                                                      
         10.10.10.132    00:0c:29:d0:ab:2c     41    2460  VMware, Inc.                                                                                     
         10.10.10.136    00:0c:29:35:6a:2d     41    2460  VMware, Inc.                                                                                      
         10.10.10.137    00:50:56:21:d2:3a     41    2460  VMware, Inc.                                                                                     
         10.10.10.254    00:50:56:e2:6b:78     41    2460  VMware, Inc.
  • 被动扫描
    # 主动 arp 容易触发警报
    root@kali:~# netdiscover -p
    Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                                      

    12 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 720                                                                                   
     _____________________________________________________________________________
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
     -----------------------------------------------------------------------------
     10.10.10.254    00:50:56:e2:6b:78      1      60  VMware, Inc.                                                                                     
     10.10.10.2      00:50:56:e1:24:a1      3     180  VMware, Inc.                                                                                     
     10.10.10.137    00:50:56:21:d2:3a      2     120  VMware, Inc.                                                                                      
     10.10.10.132    00:0c:29:d0:ab:2c      4     240  VMware, Inc.                                                                                     
     10.10.10.136    00:0c:29:35:6a:2d      2     120  VMware, Inc.

3. 三层发现

  • 优点 
    • 可路由
    • 速度比较快
  • 缺点
    • 速度比二层慢
    • 经常被便捷防火墙过滤
  • IP、ICMP 协议

3.1. ping

  1. 简介
    root@kali:~# ping -h
    Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
                [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
                [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
                [-w deadline] [-W timeout] [hop1 ...] destination
    Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
                 [-l preload] [-m mark] [-M pmtudisc_option]
                 [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
                 [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
                 [-W timeout] destination
  2. 主机扫描
    # 指定发包数量
    root@kali:~# ping 10.10.10.132 -c 2
    PING 10.10.10.132 (10.10.10.132) 56(84) bytes of data.
    64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=10.3 ms
    64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.214 ms

    --- 10.10.10.132 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 0.214/5.302/10.390/5.088 ms

    # 路由追踪
    root@kali:~# ping -R 10.10.10.132
    PING 10.10.10.132 (10.10.10.132) 56(124) bytes of data.
    64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=0.237 ms
    RR:     10.10.10.131
        10.10.10.132
        10.10.10.132
        10.10.10.131

    64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.376 ms (same route)
    64 bytes from 10.10.10.132: icmp_seq=3 ttl=64 time=0.233 ms (same route)
    64 bytes from 10.10.10.132: icmp_seq=4 ttl=64 time=0.227 ms (same route)

    root@kali:~# traceroute 10.10.10.132
    traceroute to 10.10.10.132 (10.10.10.132), 30 hops max, 60 byte packets
     1  10.10.10.132 (10.10.10.132)  0.311 ms  0.199 ms  0.140 ms

    ping -c 1 10.10.10.132 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1

3.2. fping

  1. 简介
    root@kali:~# fping -h
    Usage: fping [options] [targets...]

    Probing options:
       -4, --ipv4         only ping IPv4 addresses
       -6, --ipv6         only ping IPv6 addresses
       -b, --size=BYTES   amount of ping data to send, in bytes (default: 56)
       -B, --backoff=N    set exponential backoff factor to N (default: 1.5)
       -c, --count=N      count mode: send N pings to each target
       -f, --file=FILE    read list of targets from a file ( - means stdin)
       -g, --generate     generate target list (only if no -f specified)
                          (give start and end IP in the target list, or a CIDR address)
                          (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
       -H, --ttl=N        set the IP TTL value (Time To Live hops)
       -I, --iface=IFACE  bind to a particular interface
       -l, --loop         loop mode: send pings forever
       -m, --all          use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
       -M, --dontfrag     set the Don't Fragment flag
       -O, --tos=N        set the type of service (tos) flag on the ICMP packets
       -p, --period=MSEC  interval between ping packets to one target (in ms)
                          (in loop and count modes, default: 1000 ms)
       -r, --retry=N      number of retries (default: 3)
       -R, --random       random packet data (to foil link data compression)
       -S, --src=IP       set source address
       -t, --timeout=MSEC individual target initial timeout (default: 500 ms,
                          except with -l/-c/-C, where it's the -p period up to 2000 ms)

    Output options:
       -a, --alive        show targets that are alive
       -A, --addr         show targets by address
       -C, --vcount=N     same as -c, report results in verbose format
       -D, --timestamp    print timestamp before each output line
       -e, --elapsed      show elapsed time on return packets
       -i, --interval=MSEC  interval between sending ping packets (default: 10 ms)
       -n, --name         show targets by name (-d is equivalent)
       -N, --netdata      output compatible for netdata (-l -Q are required)
       -o, --outage       show the accumulated outage time (lost packets * packet interval)
       -q, --quiet        quiet (don't show per-target/per-ping results)
       -Q, --squiet=SECS  same as -q, but show summary every n seconds
       -s, --stats        print final stats
       -u, --unreach      show targets that are unreachable
       -v, --version      show version
  2. 主机扫描
    # 指定发包数量
    root@kali:~# fping -c 1 10.10.10.132 | grep 0%
    10.10.10.132 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.29/0.29/0.29
    10.10.10.132 : [0], 84 bytes, 0.29 ms (0.29 avg, 0% loss)

    # 指定扫描范围
    root@kali:~# fping -g 10.10.10.132 10.10.10.136-137
    root@kali:~# fping -g 10.10.0/24
    root@kali:~# fping -f ipaddr.txt

3.3. hping3

  1. 简介
  • 能够发送几乎任意 TCP/IP 包
  • 功能强大但每次只能扫描一个目标
  1. 主机扫描
    # 指定 icmp 扫描
    root@kali:~# hping3 10.10.10.132 --icmp -c 2
    HPING 10.10.10.132 (eth0 10.10.10.132): icmp mode set, 28 headers + 0 data bytes
    len=46 ip=10.10.10.132 ttl=64 id=33497 icmp_seq=0 rtt=4.4 ms
    len=46 ip=10.10.10.132 ttl=64 id=33498 icmp_seq=1 rtt=8.0 ms

    --- 10.10.10.132 hping statistic ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 4.4/6.2/8.0 ms

3.4. scapy

  1. 简介
    OSI 多层堆叠手工生成 ICMP 包 --  IP/ICMP
  2. 主机扫描
    ip=IP()
    ip.dst=“1.1.1.1”
    ping=ICMP()
    a=sr1(ip/ping)
    a.display()
    a=sr1(ip/ping,timeout=1)    # Ping不存在的地址
    a = sr1(IP(dst=“1.1.1.1")/ICMP(),timeout=1)

4. 四层发现

  • 优点
    • 可路由且结果可靠
    • 不太可能被防火墙过滤
    • 甚至可以发现所有端口都被过滤的主机
    • 甚至可以发现所有端口都被过滤的主机
  • 缺点
    • 基于状态过滤的防火墙可能过滤扫描
    • 全端口扫描速度慢
  • TCP
    • 未经请求 ACK – RST
    • SYN – SYN/ACK、RET
  • UDP
    • ICMP 端口不可达、一去不复返
  • ACK – TCP port – RST
    i = IP()
    i.dst="1.1.1.1"
    t = TCP()
    t.flags='A'
    r = (i/t)
    a = sr1(r)
    a.display()
    a = sr1(IP(dst="1.1.1.1")/TCP(dport=80,flags='A') ,timeout=1))
  • UDP——UDP Port——ICMP(不可靠)
    u = UDP()
    u.dport= 33333
    r = (i/u)
    a = sr1(r,timeout=1,verbose=1)

4.1. nmap

  1. 简介
    -A: 启用操作系统检测、版本检测、脚本扫描和traceroute
    -sn: Ping Scan - disable port scan
    -PU: 还有一个主机发现的选项是UDP ping
    -PS [portlist] (TCP SYN Ping)
    -PA [portlist] (TCP ACK Ping)
    -PE; -PP; -PM (ICMP Ping Types)
    -PR (ARP Ping)
  2. 主机扫描
    # UDP ping
    root@kali:~# nmap 10.10.10.1-254 -PU 53 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:13 EDT
    setup_target: failed to determine route to 53 (0.0.0.53)
    Nmap scan report for 10.10.10.1
    Host is up (0.00080s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00045s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00045s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00039s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.00038s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00092s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 2.07 seconds

    # ACK ping
    root@kali:~# nmap 10.10.10.1-254 -PA 80 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:15 EDT
    setup_target: failed to determine route to 80 (0.0.0.80)
    Nmap scan report for 10.10.10.1
    Host is up (0.00066s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.0033s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00064s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00052s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.0013s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00040s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 1.81 seconds

    # 指定IP地址列表
    root@kali:~# nmap -iL ipaddr.txt 10.10.10.1-254 -PA 80 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:16 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00089s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00058s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00050s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00049s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.00043s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00031s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 2.14 seconds

4.2. hping3

  1. 简介
    -c --count count
    -2 --udp
  2. 主机扫描
    root@kali:~# hping3 --udp 10.10.10.132 -c 1
    HPING 10.10.10.132 (eth0 10.10.10.132): udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip=10.10.10.132 name=UNKNOWN  
    status=0 port=2770 seq=0

    --- 10.10.10.132 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 55.1/55.1/55.1 ms

3. 端口扫描

  • 端口对应网路都访问及应用端程序
  • 服务端程序的漏洞通过端口攻入
  • 发现开放的端口
  • 更具体的攻击面

3.1. UDP 端口扫描

  • UDP 端口扫描
    • 假设 ICMP port-ubreachable 响应代表端口关闭
    • 目标系统不响应 port-ubreachable 时,坑你产生误判
  • 完整的 UDP 应用层请求
    • 准确性高
    • 耗时巨大
  • Scapy UDP Scan 
    • 端口关闭:ICMP port-ubreachable
    • 端口开放:没有回包
    • 了解每一种基于 UDP 的应用层包结构很有帮助
    • 与三层相同的技术
    • 误判

3.1.1. nmap

  1. 简介
    -sU: UDP Scan
    -p <port ranges>: Only scan specified ports
  2. 端口扫描
    # (默认的1000个参数)
    root@kali:~# nmap -sU 10.10.10.132

    # 指定端口
    root@kali:~# nmap -sU 10.10.10.132 -p 53
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:48 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00034s latency).
    PORT   STATE SERVICE
    53/udp open  domain
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

    # 指定 IP 地址列表
    root@kali:~# nmap -iL ipaddr.txt -sU -p 1-200

3.2. TCP 端口扫描

  • 基于连接的协议
  • 三次握手
  • 隐蔽扫描
  • 僵尸扫描
  • 全连接扫描
  • 所有的 TCP 扫描方式都是基于三次握手的变化来判断目标端口状态
  • 隐蔽扫描
    • 不建立完整的连接
    • 应用日志不记录扫描行为–隐蔽
  • 僵尸扫描
    • 极度隐蔽
    • 实施条件苛刻(基于IPID)
    • 可伪造源地址
    • 选择僵尸机 
      • 闲置系统
      • 系统使用递增的IPID 
        • 0
        • 随机

 

3.2.1. 隐蔽端口扫描

1. scapy

- syn -- syn/ack -- rst

sr1(IP(dst="192.168.60.3")/TCP(dport=80),timeout=1,verbose=1)

2. nmap

  1. 简介
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  2. 端口扫描
    # 指定扫描端口范围
    root@kali:~# nmap -sS 10.10.10.132 -p 80,21,25,110,443
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00034s latency).
    PORT    STATE  SERVICE
    21/tcp  open   ftp
    25/tcp  open   smtp
    80/tcp  open   http
    110/tcp closed pop3
    443/tcp closed https
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

    # 指定扫描端口范围
    root@kali:~# nmap -sS 10.10.10.132 -p 1-65535 --open
     Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00010s latency).
    Not shown: 65505 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    23/tcp    open  telnet
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    512/tcp   open  exec
    513/tcp   open  login
    514/tcp   open  shell
    1099/tcp  open  rmiregistry
    1524/tcp  open  ingreslock
    2049/tcp  open  nfs
    2121/tcp  open  ccproxy-ftp
    3306/tcp  open  mysql
    3632/tcp  open  distccd
    5432/tcp  open  postgresql
    5900/tcp  open  vnc
    6000/tcp  open  X11
    6667/tcp  open  irc
    6697/tcp  open  ircs-u
    8009/tcp  open  ajp13
    8180/tcp  open  unknown
    8787/tcp  open  msgsrvr
    37499/tcp open  unknown
    41241/tcp open  unknown
    44616/tcp open  unknown
    56072/tcp open  unknown
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds

    # 指定扫描端口范围
    root@kali:~# nmap -sS 10.10.10.132 -p- --open
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:58 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00027s latency).
    Not shown: 65505 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    23/tcp    open  telnet
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    512/tcp   open  exec
    513/tcp   open  login
    514/tcp   open  shell
    1099/tcp  open  rmiregistry
    1524/tcp  open  ingreslock
    2049/tcp  open  nfs
    2121/tcp  open  ccproxy-ftp
    3306/tcp  open  mysql
    3632/tcp  open  distccd
    5432/tcp  open  postgresql
    5900/tcp  open  vnc
    6000/tcp  open  X11
    6667/tcp  open  irc
    6697/tcp  open  ircs-u
    8009/tcp  open  ajp13
    8180/tcp  open  unknown
    8787/tcp  open  msgsrvr
    37499/tcp open  unknown
    41241/tcp open  unknown
    44616/tcp open  unknown
    56072/tcp open  unknown
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds

    # 指定 IP 地址列表
    root@kali:~# nmap -sS -iL ipaddr.txt -p 80,21,22,23
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:59 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.0011s latency).

    PORT   STATE  SERVICE
    21/tcp closed ftp
    22/tcp closed ssh
    23/tcp closed telnet
    80/tcp closed http
    MAC Address: 00:50:56:C0:00:08 (VMware)

    Nmap scan report for 10.10.10.254
    Host is up (0.00085s latency).

    PORT   STATE    SERVICE
    21/tcp filtered ftp
    22/tcp filtered ssh
    23/tcp filtered telnet
    80/tcp filtered http
    MAC Address: 00:50:56:E2:6B:78 (VMware)

    Nmap done: 254 IP addresses (7 hosts up) scanned in 3.48 seconds

3. hping3

  1. 简介
    -8  --scan       指定扫描端口范围
    -c  --count      packet count
    -a  --spoof      欺骗源地址
    -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
    -M  --setseq     set TCP sequence number
    -L  --setack     set TCP ack
    -F  --fin        set FIN flag
    -S  --syn        set SYN flag
    -R  --rst        set RST flag
    -P  --push       set PUSH flag
    -A  --ack        set ACK flag
    -U  --urg        set URG flag
    -X  --xmas       set X unused flag (0x40)
    -Y  --ymas       set Y unused flag (0x80)
  2. 端口扫描
    # SYN 扫描
    root@kali:~# hping3 10.10.10.132 --scan 80 -S
    Scanning 10.10.10.132 (10.10.10.132), port 80
    1 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
       80 http       : .S..A...  64     0  5840    46
    All replies received. Done.
    Not responding ports:

    # 指定端口 SYN 扫描
    root@kali:~# hping3 10.10.10.132 --scan 801,21,25,443 -S
    Scanning 10.10.10.132 (10.10.10.132), port 801,21,25,443
    4 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
       21 ftp        : .S..A...  64     0  5840    46
       25 smtp       : .S..A...  64     0  5840    46
    All replies received. Done.
    Not responding ports:

    # 指定端口范围
    root@kali:~# hping3 10.10.10.132 --scan 0-65535 -S
    Scanning 10.10.10.132 (10.10.10.132), port 0-65535
    65536 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
       21 ftp        : .S..A...  64     0  5840    46
       22 ssh        : .S..A...  64     0  5840    46
       23 telnet     : .S..A...  64     0  5840    46
       25 smtp       : .S..A...  64     0  5840    46
       53 domain     : .S..A...  64     0  5840    46
       80 http       : .S..A...  64     0  5840    46
      111 sunrpc     : .S..A...  64     0  5840    46
      139 netbios-ssn: .S..A...  64     0  5840    46
      445 microsoft-d: .S..A...  64     0  5840    46
      512 exec       : .S..A...  64     0  5840    46
      513 login      : .S..A...  64     0  5840    46
      514 shell      : .S..A...  64     0  5840    46
     1099 rmiregistry: .S..A...  64     0  5840    46
     1524 ingreslock : .S..A...  64     0  5840    46
     3306 mysql      : .S..A...  64     0  5840    46
     5432 postgresql : .S..A...  64     0  5840    46
     5900            : .S..A...  64     0  5840    46
     6000 x11        : .S..A...  64     0  5840    46
     8009            : .S..A...  64     0  5840    46
     8180            : .S..A...  64     0  5840    46
     8787            : .S..A...  64     0  5840    46
    37499            : .S..A...  64     0  5840    46
    44616            : .S..A...  64     0  5840    46
    56072            : .S..A...  64     0  5840    46
     2049 nfs        : .S..A...  64     0  5840    46
     2121 iprop      : .S..A...  64     0  5840    46
     3632 distcc     : .S..A...  64     0  5840    46
     6667 ircd       : .S..A...  64     0  5840    46
     6697 ircs-u     : .S..A...  64     0  5840    46
    41241            : .S..A...  64     0  5840    46
    All replies received. Done.
    Not responding ports:

    # 源地址欺骗
    root@kali:~# hping3 -c 10 -S --spoof 10.10.10.136 -p ++1 10.10.10.132

3.2.2. 全连接端口扫描

1. scapy

  1. 简介
  • syn 扫描不需要 raw packets
  • 内核认为 syn/ack 是非法包,直接发 rst 中断连接
  • 全连接扫描对 scapy 比较困难
    sr1(IP(dst="192.168.20.2")/TCP(dport=22,flags='S'))

2. nmap

  1. 简介
    -sT (TCP connect()扫描)
    -sU (UDP扫描)
    -sS (TCP SYN扫描)
    -sN; -sF; -sX (TCP Null,FIN,and Xmas扫描)
  2. 端口扫描
    # 指定端口(默认1000个端口)
    root@kali:~# nmap -sT 10.10.10.132 -p 80
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:14 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00049s latency).
    PORT   STATE SERVICE
    80/tcp open  http
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

    # 指定端口范围
    root@kali:~# nmap -sT 10.10.10.132 -p 80,21,25,443
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00038s latency).
    PORT    STATE  SERVICE
    21/tcp  open   ftp
    25/tcp  open   smtp
    80/tcp  open   http
    443/tcp closed https
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

    # 指定端口范围
    root@kali:~# nmap -sT 10.10.10.132 -p 80-2000
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00029s latency).
    Not shown: 1912 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

    # 指定 IP 地址列表
    root@kali:~# nmap -sT -iL ipaddr.txt  -p 80
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:16 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.0012s latency).
    PORT   STATE  SERVICE
    80/tcp closed http
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00037s latency).
    PORT   STATE  SERVICE
    80/tcp closed http
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00029s latency).

3. dmity

  1. 简介
  • 功能简单,使用简单
  • 默认 150 个最常用的端口
    root@kali:~# dmitry
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"

    Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
      -o     Save output to %host.txt or to file specified by -o file
      -i     Perform a whois lookup on the IP address of a host
      -w     Perform a whois lookup on the domain name of a host
      -n     Retrieve Netcraft.com information on a host
      -s     Perform a search for possible subdomains
      -e     Perform a search for possible email addresses
      -p     Perform a TCP port scan on a host
    * -f     Perform a TCP port scan on a host showing output reporting filtered ports
    * -b     Read in the banner received from the scanned port
    * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
    *Requires the -p flagged to be passed
  1. 端口扫描
    # 指定扫描 IP
    root@kali:~# dmitry -p 10.10.10.132
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    22/tcp      open
    23/tcp      open
    25/tcp      open
    53/tcp      open
    80/tcp      open
    111/tcp     open
    139/tcp     open
    Portscan Finished: Scanned 150 ports, 141 ports were in state closed
    All scans completed, exiting

    # 指定输出文件
    root@kali:~# dmitry -p 10.10.10.132 -o output.txt
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    Writing output to 'output.txt.txt'
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    22/tcp      open
    23/tcp      open
    25/tcp      open
    53/tcp      open
    80/tcp      open
    111/tcp     open
    139/tcp     open
    Portscan Finished: Scanned 150 ports, 141 ports were in state closed

4. nc

  1. 简介
    root@kali:~# nc -h
    [v1.10-41.1]
    connect to somewhere:   nc [-options] hostname port[s] [ports] ...
    listen for inbound: nc -l -p port [-options] [hostname] [port]
    options:
        -c shell commands   as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename     program to exec after connect [dangerous!!]
        -b          allow broadcasts
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h          this cruft
        -i secs         delay interval for lines sent, ports scanned
            -k                      set keepalive option on socket
        -l          listen mode, for inbound connects
        -n          numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r          randomize local and remote ports
        -q secs         quit after EOF on stdin and delay of secs
        -s addr         local source address
        -T tos          set Type Of Service
        -t          answer TELNET negotiation
        -u          UDP mode
        -v          verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -C          Send CRLF as line-ending
        -z          zero-I/O mode [used for scanning]
    port numbers can be individual or ranges: lo-hi [inclusive];
    hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
  2. 端口扫描
    root@kali:~# nc -nv -w 1 -z 10.10.10.132 1-100
    (UNKNOWN) [10.10.10.132] 80 (http) open
    (UNKNOWN) [10.10.10.132] 53 (domain) open
    (UNKNOWN) [10.10.10.132] 25 (smtp) open
    (UNKNOWN) [10.10.10.132] 23 (telnet) open
    (UNKNOWN) [10.10.10.132] 22 (ssh) open
    (UNKNOWN) [10.10.10.132] 21 (ftp) open

3.2.3. 僵尸扫描

  • 利用 IPID 递增来判断主机端口是否开启

1. scapy

• i=IP()
• t=TCP()
• rz=(i/t)
• rt=(i/t)
• rz[IP].dst=IPz
• rz[TCP].dport=445
• rt[IP].src=IPz
• rt[IP].dst=IPt
• rt[TCP].dport=22
• az1=sr1(rz) / at=sr1(rt) / az2=sr1(rz)
• az1.display() / az2.display()

2. nmap

  1. 简介
    使用脚本扫描适合做僵尸机的主机
    -sI <zombie host[:probeport]>: Idle scan
    -Pn: Treat all hosts as online -- skip host discovery
  • # 发现脚本
    root@kali:~# ls /usr/share/nmap/scripts | grep ipid

    # ipidseq: All zeros
    root@kali:~# nmap -p 445 10.10.10.132 --script=ipidseq.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00043s latency).

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Host script results:
    |_ipidseq: All zeros

    Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

    # ipidseq: Incremental!
    root@kali:~# nmap -p 445 10.10.10.136 --script=ipidseq.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
    Nmap scan report for 10.10.10.136
    Host is up (0.00042s latency).

    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:0C:29:35:6A:2D (VMware)

    Host script results:
    |_ipidseq: Incremental!

    Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
  1. 扫描目标
    root@kali:~# nmap 10.10.10.132 -sI 10.10.10.136 -Pn -p 0-200
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:29 EDT
    Idle scan using zombie 10.10.10.136 (10.10.10.136:80); Class: Incremental
    Nmap scan report for 10.10.10.132
    Host is up (0.047s latency).
    Not shown: 193 closed|filtered ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    23/tcp  open  telnet
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    111/tcp open  rpcbind
    139/tcp open  netbios-ssn
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds

4. 服务扫描

  • 识别开放端口上进行的应用
  • 是被目标操作系统
  • 提高攻击效率
    • Banner捕获
    • 服务识别
    • 操作系统识别
    • SNMP分析
    • 防火墙识别
  • Banner
    • 软件开发商
    • 软件名称
    • 服务类型
    • 版本号 
      • 直接发现一致的漏洞和弱点
  • 连接建立后直接获取banner
  • 另类服务识别方法
    • 特征行为和响应字段
    • 不同的响应可用于识别底层操作系统
  • SNMP
    • 简单网络管理协议
    • Community strings
    • 信息查询或重新配置
  • 识别和绕过防火墙筛选

4.1. banner

  • banner 信息抓取能力有限
  • nmap 响应特征分析识别访问 
    • 发送系列复杂的探测
    • 依据响应特征 signature

1. nc

root@kali:~# nc -nv 10.10.10.132 80
(UNKNOWN) [10.10.10.132] 80 (http) open
GET /
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>

_                  _       _ _        _     _      ____ 
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                         

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>

2. socket

    • import socket
    • bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    • bangrab.connect((“1.1.1.1", 21))
    • bangrab.recv(4096)

3. dmity

  1. 简介
    root@kali:~# dmitry
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"

    Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
      -o     Save output to %host.txt or to file specified by -o file
      -i     Perform a whois lookup on the IP address of a host
      -w     Perform a whois lookup on the domain name of a host
      -n     Retrieve Netcraft.com information on a host
      -s     Perform a search for possible subdomains
      -e     Perform a search for possible email addresses
      -p     Perform a TCP port scan on a host
    * -f     Perform a TCP port scan on a host showing output reporting filtered ports
    * -b     Read in the banner received from the scanned port
    * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
    *Requires the -p flagged to be passed
  2. 服务扫描
    # 指定 tcp 端口
    root@kali:~# dmitry -p 10.10.10.132
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    22/tcp      open
    23/tcp      open
    25/tcp      open
    53/tcp      open
    80/tcp      open
    111/tcp     open
    139/tcp     open
    Portscan Finished: Scanned 150 ports, 141 ports were in state closed
    All scans completed, exiting

    # 读取 banner 信息
    root@kali:~# dmitry -pb 10.10.10.132
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"

    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    >> 220 (vsFTPd 2.3.4)
    22/tcp      open
    >> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    23/tcp      open
    >>
    25/tcp      open
    >> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    53/tcp      open
    Portscan Finished: Scanned 150 ports, 144 ports were in state closed
    All scans completed, exiting

4. nmap

  1. 简介
    root@kali:~# cat /usr/share/nmap/scripts/banner.nse
    -sV: Probe open ports to determine service/version info
  2. 服务扫描
    # 指定脚本
    root@kali:~# nmap -sT 10.10.10.132 -p 1-100 --script=banner.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:23 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.0015s latency).
    Not shown: 94 closed ports
    PORT   STATE SERVICE
    21/tcp open  ftp
    |_banner: 220 (vsFTPd 2.3.4)
    22/tcp open  ssh
    |_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    23/tcp open  telnet
    |_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
    25/tcp open  smtp
    |_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    53/tcp open  domain
    80/tcp open  http
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 15.53 seconds

    # 探测打开端口以确定服务/版本信息
    root@kali:~# nmap 10.10.10.132 -p 80 -sV
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:28 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00032s latency).
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds

5. amap

  1. 简介
    root@kali:~# amap
    amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap
    Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
    Modes:
      -A         Map applications: send triggers and analyse responses (default)
      -B         Just grab banners, do not send triggers
      -P         No banner or application stuff - be a (full connect) port scanner
    Options:
      -1         Only send triggers to a port until 1st identification. Speeeeed!
      -6         Use IPv6 instead of IPv4
      -b         Print ascii banner of responses
      -i FILE    Nmap machine readable outputfile to read ports from
      -u         Ports specified on commandline are UDP (default is TCP)
      -R         Do NOT identify RPC service
      -H         Do NOT send application triggers marked as potentially harmful
      -U         Do NOT dump unrecognised responses (better for scripting)
      -d         Dump all responses
      -v         Verbose mode, use twice (or more!) for debug (not recommended :-)
      -q         Do not report closed ports, and do not print them as unidentified
      -o FILE [-m] Write output to file FILE, -m creates machine readable output
      -c CONS    Amount of parallel connections to make (default 32, max 256)
      -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
      -T SEC     Connect timeout on connection attempts in seconds (default 5)
      -t SEC     Response wait timeout in seconds (default 5)
      -p PROTO   Only send triggers for this protocol (e.g. ftp)
      TARGET PORT   The target address and port(s) to scan (additional to -i)
    amap is a tool to identify application protocols on target ports.
    Note: this version was NOT compiled with SSL support!
    Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
  2. 服务扫描
    # 指定端口扫描
    root@kali:~# amap -B 10.10.10.132 21
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:24:39 - BANNER mode
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    amap v5.4 finished at 2018-03-31 07:24:39

    # 指定端口范围扫描
    root@kali:~# amap -B 10.10.10.132 1-65535
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:25:15 - BANNER mode
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:23/tcp :  #'
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    Banner on 10.10.10.132:512/tcp : Where are you?\n
    Banner on 10.10.10.132:1524/tcp : root@metasploitable/#
    Banner on 10.10.10.132:2121/tcp : 220 ProFTPD 1.3.1 Server (Debian) [ffff10.10.10.132]\r\n
    Banner on 10.10.10.132:3306/tcp : >\n5.0.51a-3ubuntu5yG5q^`G!,n+'#vOd-P*!c
    Banner on 10.10.10.132:5900/tcp : RFB 003.003\n
    Banner on 10.10.10.132:6667/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...\r\n
    Banner on 10.10.10.132:6697/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...\r\n
    amap v5.4 finished at 2018-03-31 07:25:21

    # 指定端口范围扫描
    root@kali:~# amap -B 10.10.10.132 20-32
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:26:55 - BANNER mode
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:23/tcp :  #'
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n

    # 不显示关闭的端口
    root@kali:~# amap -B 10.10.10.132 20-32 -q
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:27:31 - BANNER mode
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:23/tcp :  #'
    amap v5.4 finished at 2018-03-31 07:27:31

    # 显示二进制响应
    root@kali:~# amap -B 10.10.10.132 20-32 -qb
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:28:27 - BANNER mode
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:23/tcp :  #'
    amap v5.4 finished at 2018-03-31 07:28:27

5. 操作系统识别

  • 操作系统是被技术
    • 种类繁多
    • 好产品采用多种技术结合
  • TTL 起始值
    • windows:128(65–128)
    • linux/unix:64(1-64)
    • 某些 unix:255

5.1. python

  1. 简介
    from scapy.all import *
    win="10.10.10.136"
    linu="10.10.10.132"
    aw=sr1(IP(dst=win)/ICMP())
    al=sr1(IP(dst=linu)/ICMP())
    if al[IP].ttl<=64:
        print "host is linux"
    else:
        print "host is windows"

5.2. nmap

  1. 简介
    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively
  2. 操作系统识别
    root@kali:~# nmap 10.10.10.132 -O
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:42 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00034s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

5.3. xprobe2

  1. 简介
    # 结果有误差
    root@kali:~# xprobe2
    Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
    usage: xprobe2 [options] target
    Options:
              -v                       Be verbose
              -r                       Show route to target(traceroute)
              -p <proto:portnum:state> Specify portnumber, protocol and state.
                                       Example: tcp:23:open, UDP:53:CLOSED
              -c <configfile>          Specify config file to use.
              -h                       Print this help.
              -o <fname>               Use logfile to log everything.
              -t <time_sec>            Set initial receive timeout or roundtrip time.
              -s <send_delay>          Set packsending delay (milseconds).
              -d <debuglv>             Specify debugging level.
              -D <modnum>              Disable module number <modnum>.
              -M <modnum>              Enable module number <modnum>.
              -L                       Display modules.
              -m <numofmatches>        Specify number of matches to print.
              -T <portspec>            Enable TCP portscan for specified port(s).
                                       Example: -T21-23,53,110
              -U <portspec>            Enable UDP portscan for specified port(s).
              -f                       force fixed round-trip time (-t opt).
              -F                       Generate signature (use -o to save to a file).
              -X                       Generate XML output and save it to logfile specified with -o.
              -B                       Options forces TCP handshake module to try to guess open TCP port
              -A                       Perform analysis of sample packets gathered during portscan in
                                       order to detect suspicious traffic (i.e. transparent proxies,
                                       firewalls/NIDSs resetting connections). Use with -T.
  2. 操作系统识别
    root@kali:~# xprobe2 10.10.10.132

    Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

    [+] Target is 10.10.10.132
    [+] Loading modules.
    [+] Following modules are loaded:
    [x] [1] ping:icmp_ping  -  ICMP echo discovery module
    [x] [2] ping:tcp_ping  -  TCP-based ping discovery module
    [x] [3] ping:udp_ping  -  UDP-based ping discovery module
    [x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
    [x] [5] infogather:portscan  -  TCP and UDP PortScanner
    [x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
    [x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
    [x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
    [x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
    [x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
    [x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
    [x] [12] fingerprint:smb  -  SMB fingerprinting module
    [x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
    [+] 13 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    [-] ping:tcp_ping module: no closed/open TCP ports known on 10.10.10.132. Module test failed
    [-] ping:udp_ping module: no closed/open UDP ports known on 10.10.10.132. Module test failed
    [-] No distance calculation. 10.10.10.132 appears to be dead or no ports known
    [+] Host: 10.10.10.132 is up (Guess probability: 50%)
    [+] Target: 10.10.10.132 is alive. Round-Trip Time: 0.48084 sec
    [+] Selected safe Round-Trip Time value is: 0.96167 sec
    [-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
    [-] fingerprint:smb need either TCP port 139 or 445 to run
    [-] fingerprint:snmp: need UDP port 161 open
    [+] Cleaning up scan engine
    [+] Modules deinitialized
    [+] Execution completed.

5.4. p0f

  1. 简介
    结合ARP 地址欺骗识别全网 OS
  2. 被动识别

6. SNMP 扫描

  • snmp
    • 信息的金矿
    • 经常被错误配置
    • public / private / manager
  • MIB Tree.
    • SNMP Management Information Base (MIB)
    • 树形的网络设备管理功能数据库
    • 1.3.6.1.4.1.77.1.2.25

6.1. onesixone

  1. 简介
    root@kali:~# onesixtyone
    onesixtyone 0.3.2 [options] <host> <community>
      -c <communityfile> file with community names to try
      -i <inputfile>     file with target hosts
      -o <outputfile>    output log
      -d                 debug mode, use twice for more information

    -w n               wait n milliseconds (1/1000 of a second) between sending packets (default 10)
      -q                 quiet mode, do not print log to stdout, use with -l
    examples: ./s -c dict.txt 192.168.4.1 public
              ./s -c dict.txt -i hosts -o my.log -w 100
  2. SNMP 扫描
    root@kali:~# dpkg -L onesixtyone
    /usr/share/doc/onesixtyone/dict.txt
    root@kali:~# onesixtyone -c dict.txt -i ipaddr.txt -o 161output.log -w 100

6.2. snmpwalk

  1. 简介
    -v 1|2c|3       specifies SNMP version to use
    -c COMMUNITY        set the community string
  2. SNMP 扫描
    root@kali:~# snmpwalk 10.10.10.132 -c public -v 2c

6.3. snmpcheck

  1. 简介
    root@kali:~# snmpcheck -h
    Usage:  snmpcheck [-x] [-n|y] [-h] [-H] [-V NUM] [-L] [-f] [[-a] HOSTS]
      -h    Display this message.
      -a    check error log file AND hosts specified on command line.
      -p    Don't try and ping-echo the host first
      -f    Only check for things I can fix
      HOSTS check these hosts for problems.
    X Options:
      -x    forces ascii base if $DISPLAY set (instead of tk).
      -H    start in hidden mode.  (hides user interface)
      -V NUM    sets the initial verbosity level of the command log (def: 1)
      -L    Show the log window at startup
      -d    Don't start by checking anything.  Just bring up the interface.
    Ascii Options:
      -n    Don't ever try and fix the problems found.  Just list.
      -y    Always fix problems found.
  2. SNMP 扫描
    snmpcheck -t 192.168.20.199
    snmpcheck -t 192.168.20.199 -c private -v 2
    snmpcheck -t 192.168.20.199 -w

7 SMB 扫描

  • server message block 协议
  • 微软历史上出现安全问题最多的协议
  • 实现复杂
  • 默认开放
  • 文件共享
  • 空会话未身份验证 
    • 密码策略
    • 用户名
    • 组名
    • 机器名
    • 用户、组SID

7.1. nmap

  1. 简介
    -v: Increase verbosity level (use -vv or more for greater effect)
    root@kali:~# ll /usr/share/nmap/scripts/smb*
  2. SMB 扫描
    # 扫描主机开放端口
    root@kali:~# nmap -v 10.10.10.132-140 --open
    Nmap scan report for 10.10.10.136
    Host is up (0.00068s latency).
    Not shown: 994 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    2869/tcp open  icslap
    3389/tcp open  ms-wbt-server
    MAC Address: 00:0C:29:35:6A:2D (VMware)

    Nmap scan report for 10.10.10.137
    Host is up (0.0051s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    3389/tcp open  ms-wbt-server
    MAC Address: 00:50:56:21:D2:3A (VMware)

    Read data files from: /usr/bin/../share/nmap
    Nmap done: 9 IP addresses (3 hosts up) scanned in 1.77 seconds
       Raw packets sent: 3027 (132.948KB) | Rcvd: 3003 (120.220KB)

    # 使用脚本
    root@kali:~# nmap 10.10.132 -p 139,445 --script=smb-os-discovery.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:07 EDT
    Nmap scan report for 10.10.132 (10.10.0.132)
    Host is up (0.00039s latency).

    PORT    STATE    SERVICE
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds

    Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

7.2. nbtscan

  1. 简介
    root@kali:~# nbtscan
    NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
    This is a free software and it comes with absolutely no warranty.
    You can use, distribute and modify it under terms of GNU GPL.
    Usage:
    nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
        -v      verbose output. Print all names received
                from each host
        -d      dump packets. Print whole packet contents.
        -e      Format output in /etc/hosts format.
        -l      Format output in lmhosts format.
                Cannot be used with -v, -s or -h options.
        -t timeout  wait timeout milliseconds for response.
                Default 1000.
        -b bandwidth    Output throttling. Slow down output
                so that it uses no more that bandwidth bps.
                Useful on slow links, so that ougoing queries
                don't get dropped.
        -r      use local port 137 for scans. Win95 boxes
                respond to this only.
                You need to be root to use this option on Unix.
        -q      Suppress banners and error messages,
        -s separator    Script-friendly output. Don't print
                column and record headers, separate fields with separator.
        -h      Print human-readable names for services.
                Can only be used with -v option.
        -m retransmits  Number of retransmits. Default 0.
        -f filename Take IP addresses to scan from file filename.
                -f - makes nbtscan take IP addresses from stdin.
        <scan_range>    what to scan. Can either be single IP
                like 192.168.1.1 or
                range of addresses in one of two forms:
                xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
  2. SMB 扫描
    root@kali:~# nbtscan -r 10.10.10.0/24
    Doing NBT name scan for addresses from 10.10.10.0/24
    IP address       NetBIOS Name     Server    User             MAC address     
    ------------------------------------------------------------------------------
    10.10.10.0  Sendto failed: Permission denied
    10.10.10.131     <unknown>                  <unknown>       
    10.10.10.132     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
    10.10.10.1       ASUS-WIN7        <server>  <unknown>        00:50:56:c0:00:08
    10.10.10.255    Sendto failed: Permission denied

7.3. enum4linux

  1. 简介
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
          This opion is enabled if you don't provide any other options.
  2. SMB 扫描
    root@kali:~# enum4linux -a 10.10.10.132

8. SMTP 扫描

8.1. nc

  1. 简介
    VRFY root
  2. 扫描
    root@kali:~# nc -nv 10.10.10.132 25
        (UNKNOWN) [10.10.10.132] 25 (smtp) open
        220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    VRFY root

8.2. nmap

  1. 脚本
    root@kali:~# ll /usr/share/nmap/scripts/smtp*
    -rw-r--r-- 1 root root  4309 3月  26 08:18 /usr/share/nmap/scripts/smtp-brute.nse
    -rw-r--r-- 1 root root  4771 3月  26 08:18 /usr/share/nmap/scripts/smtp-commands.nse
    -rw-r--r-- 1 root root 12006 3月  26 08:18 /usr/share/nmap/scripts/smtp-enum-users.nse
    -rw-r--r-- 1 root root  5873 3月  26 08:18 /usr/share/nmap/scripts/smtp-ntlm-info.nse
    -rw-r--r-- 1 root root 10150 3月  26 08:18 /usr/share/nmap/scripts/smtp-open-relay.nse
    -rw-r--r-- 1 root root   716 3月  26 08:18 /usr/share/nmap/scripts/smtp-strangeport.nse
    -rw-r--r-- 1 root root 14740 3月  26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2010-4344.nse
    -rw-r--r-- 1 root root  7661 3月  26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1720.nse
    -rw-r--r-- 1 root root  7584 3月  26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1764.nse
  2. SMTP 扫描
    # smtp-enum-users.nse
    root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-enum-users.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:19 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00028s latency).

    PORT   STATE SERVICE
    25/tcp open  smtp
    | smtp-enum-users:
    |_  Method RCPT returned a unhandled status code.
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

    # smtp-open-relay.nse
    root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-open-relay.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:20 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00022s latency).

    PORT   STATE SERVICE
    25/tcp open  smtp
    |_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds

8.3. smtp-user-enum

  1. 简介
    root@kali:~# smtp-user-enum
    smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

    Usage: smtp-user-enum [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )

    options are:
            -m n     Maximum number of processes (default: 5)
        -M mode  Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
        -u user  Check if user exists on remote system
        -f addr  MAIL FROM email address.  Used only in "RCPT TO" mode (default: user@example.com)
            -D dom   Domain to append to supplied user list to make email addresses (Default: none)
                     Use this option when you want to guess valid email addresses instead of just usernames
                     e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc.  Instead of
                          simply the usernames foo and bar.
        -U file  File of usernames to check via smtp service
        -t host  Server host running smtp service
        -T file  File of hostnames running the smtp service
        -p port  TCP port on which smtp service runs (default: 25)
        -d       Debugging output
        -t n     Wait a maximum of n seconds for reply (default: 5)
        -v       Verbose
        -h       This help message

    Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.

    Examples:

    $ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
    $ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
    $ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
    $ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
  2. SMTP 扫描
    smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1

9 防火墙识别

  • 通过检查回包,可能识别端口是否经过防火墙过滤
  • 设备多种多样,结果存在一定误差

 

9.1. nmap

  1. 简介
    -sA (TCP ACK扫描)
       这种扫描与目前为止讨论的其它扫描的不同之处在于 它不能确定open(开放的)或者 open|filtered(开放或者过滤的))端口。 它用于发现防火墙规则,确
       定它们是有状态的还是无状态的,哪些端口是被过滤的。
  2. 防火墙识别
    root@kali:~# nmap -sA 10.10.10.132 -p 22
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:30 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00032s latency).

    PORT   STATE      SERVICE
    22/tcp unfiltered ssh
    MAC Address: 00:0C:29:D0:AB:2C (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
    1. 简介
      root@kali:~# lbd
      lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
      Written by Stefan Behte (http://ge.mine.nu
      Proof-of-concept! Might give false positives. 
      usage: /usr/bin/lbd domain [port] {https}
    2. 识别
      识别百度
      root@kali:~# lbd www.baidu.com
      lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
      Written by Stefan Behte (http://ge.mine.nu
      Proof-of-concept! Might give false positives.
      Checking for DNS-Loadbalancing: FOUND 
      www.a.shifen.com has address 61.135.169.121 
      www.a.shifen.com has address 61.135.169.125
      Checking for HTTP-Loadbalancing [Server]: 
      bfe/1.0.8.18 
      NOT FOUND
      Checking for HTTP-Loadbalancing [Date]: 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, NOT FOUND
      Checking for HTTP-Loadbalancing [Diff]: FOUND 
      < Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
      Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT 
      < ETag: “575e1f5d-115” 
      ETag: “575e1f5c-115”
      www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
      识别163邮箱
      root@kali:~# lbd mail.163.com
      lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
      Written by Stefan Behte (http://ge.mine.nu
      Proof-of-concept! Might give false positives.
      Checking for DNS-Loadbalancing: FOUND 
      mail163.ntes53.netease.com has address 123.125.50.26 
      mail163.ntes53.netease.com has address 123.125.50.7 
      mail163.ntes53.netease.com has address 123.125.50.28
      Checking for HTTP-Loadbalancing [Server]: 
      nginx 
      NOT FOUND
      Checking for HTTP-Loadbalancing [Date]: 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:30, 12:32:30, 12:32:30, 12:32:30, 12:32:30, NOT FOUND
      Checking for HTTP-Loadbalancing [Diff]: NOT FOUND
      mail.163.com does Load-balancing. Found via Methods: DNS

10. 负载均衡识别

    1. 简介
      root@kali:~# lbd
      lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
      Written by Stefan Behte (http://ge.mine.nu
      Proof-of-concept! Might give false positives. 
      usage: /usr/bin/lbd domain [port] {https}
    2. 识别
      识别百度
      root@kali:~# lbd www.baidu.com
      lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
      Written by Stefan Behte (http://ge.mine.nu
      Proof-of-concept! Might give false positives.
      Checking for DNS-Loadbalancing: FOUND 
      www.a.shifen.com has address 61.135.169.121 
      www.a.shifen.com has address 61.135.169.125
      Checking for HTTP-Loadbalancing [Server]: 
      bfe/1.0.8.18 
      NOT FOUND
      Checking for HTTP-Loadbalancing [Date]: 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, NOT FOUND
      Checking for HTTP-Loadbalancing [Diff]: FOUND 
      < Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
      Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT 
      < ETag: “575e1f5d-115” 
      ETag: “575e1f5c-115”
      www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
      识别163邮箱
      root@kali:~# lbd mail.163.com
      lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
      Written by Stefan Behte (http://ge.mine.nu
      Proof-of-concept! Might give false positives.
      Checking for DNS-Loadbalancing: FOUND 
      mail163.ntes53.netease.com has address 123.125.50.26 
      mail163.ntes53.netease.com has address 123.125.50.7 
      mail163.ntes53.netease.com has address 123.125.50.28
      Checking for HTTP-Loadbalancing [Server]: 
      nginx 
      NOT FOUND
      Checking for HTTP-Loadbalancing [Date]: 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:30, 12:32:30, 12:32:30, 12:32:30, 12:32:30, NOT FOUND
      Checking for HTTP-Loadbalancing [Diff]: NOT FOUND
      mail.163.com does Load-balancing. Found via Methods: DNS

11. WAF 识别

11.1. wafw00f

  1. 简介
    root@kali:~# wafw00f -h
    Usage: wafw00f url1 [url2 [url3 ... ]]
    example: wafw00f http://www.victim.org/

    Options:
      -h, --help            show this help message and exit
      -v, --verbose         enable verbosity - multiple -v options increase
                            verbosity
      -a, --findall         Find all WAFs, do not stop testing on the first one
      -r, --disableredirect
                            Do not follow redirections given by 3xx responses
      -t TEST, --test=TEST  Test for one specific WAF
      -l, --list            List all WAFs that we are able to detect
      -p PROXY, --proxy=PROXY
                            Use an HTTP proxy to perform requests, example:
                            http://hostname:8080, socks5://hostname:1080
      -V, --version         Print out the version
      -H HEADERSFILE, --headersfile=HEADERSFILE
                            Pass custom headers, for example to overwrite the
                            default User-Agent string
  2. 识别
    root@kali:~# wafw00f -l
    Can test for these WAFs:
    Profense
    NetContinuum
    Incapsula WAF
    CloudFlare
    NSFocus
    Safedog
    Mission Control Application Shield
    USP Secure Entry Server
    Cisco ACE XML Gateway
    Barracuda Application Firewall
    Art of Defence HyperGuard
    BinarySec
    Teros WAF
    F5 BIG-IP LTM
    F5 BIG-IP APM
    F5 BIG-IP ASM
    F5 FirePass
    F5 Trafficshield
    InfoGuard Airlock
    Citrix NetScaler
    Trustwave ModSecurity
    IBM Web Application Security
    IBM DataPower
    DenyALL WAF
    Applicure dotDefender
    Juniper WebApp Secure
    Microsoft URLScan
    Aqtronix WebKnight
    eEye Digital Security SecureIIS
    Imperva SecureSphere
    Microsoft ISA Server

11.2. nmap

  1. 简介
    root@kali:~# ll /usr/share/nmap/scripts/http-waf*
    -rw-r--r-- 1 root root  5422 3月  26 08:18 /usr/share/nmap/scripts/http-waf-detect.nse
    -rw-r--r-- 1 root root 19339 3月  26 08:18 /usr/share/nmap/scripts/http-waf-fingerprint.nse
  2. 识别
    root@kali:~# nmap www.microsoft.com --script=http-waf-detect.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:35 EDT
    Nmap scan report for www.microsoft.com (222.163.207.76)
    Host is up (0.0050s latency).
    rDNS record for 222.163.207.76: 76.207.163.222.adsl-pool.jlccptt.net.cn
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds

3. nmap 查看脚本用法

    root@kali:~# nmap --script-help=http-vuln-cve2013-0156.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:36 EDT

http-vuln-cve2013-0156
    Categories: exploit vuln
    https://nmap.org/nsedoc/scripts/http-vuln-cve2013-0156.html
      Detects Ruby on Rails servers vulnerable to object injection, remote command
      executions and denial of service attacks. (CVE-2013-0156)

All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
      3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless
      YAML payloads to detect vulnerable installations. If the malformed object
      receives a status 500 response, the server is processing YAML objects and
      therefore is likely vulnerable.

References:
      * https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
      * https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
      * http://cvedetails.com/cve/2013-0156/

 

源文档 <https://blog.csdn.net/kevinhanser/article/details/79772965>

 

posted on 2018-08-05 18:37  a阿军  阅读(666)  评论(0编辑  收藏  举报

导航