8. Scanning and Packet Capture Analysis
Gathering information about a given host or subnet (nmap scanning)
nmap [scan type] [options] <target ...>
-sS, TCP SYN scan (half-open: only the first two steps of the handshake are completed, so it is faster and leaves fewer connection logs on the target; use with care on company networks)
-sT, TCP connect scan (full open: completes the three-way handshake and then closes the connection; this is what nmap falls back to when not run as root)
-sU, UDP scan
-sP, ping scan, i.e. host discovery only (newer nmap versions call this -sn and still accept -sP; despite the "ICMP" label it also sends TCP probes, and on a directly attached Ethernet segment it uses ARP)
-A, aggressive scan: OS detection, service version detection, NSE script scanning and traceroute in one run
[root@proxy ~]# yum -y install nmap //install the nmap package
[root@proxy ~]# nmap 192.168.4.100 //list the TCP services open on the target host (the default scan covers the 1000 most common TCP ports; the SERVICE column is a lookup by port number, add -sV to probe what is really listening)
[root@proxy ~]# nmap -p 21-22 192.168.4.0/24 //find which hosts on 192.168.4.0/24 have FTP (21) or SSH (22) open
Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-17 18:00 CST
Nmap scan report for 192.168.4.1
Host is up (0.000025s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.88 seconds
[root@proxy ~]# nmap -sU 192.168.4.100 //list the UDP services open on the target; -sU selects a UDP scan (much slower than a TCP scan, and ports often show as open|filtered because an open UDP service may not answer at all)
53/udp open domain
111/udp open rpcbind
[root@proxy ~]# nmap -n -sP 192.168.4.0/24 //find which hosts on 192.168.4.0/24 are up (host discovery only, no port scan); -n skips reverse DNS lookups
[root@proxy ~]# nmap -A 192.168.4.100,5 //full analysis of 192.168.4.100 and 192.168.4.5 (OS detection, service versions, NSE scripts, traceroute); "100,5" is nmap's shorthand for two values of the last octet
Starting Nmap 5.51 ( http://nmap.org ) at 2017-05-17 18:03 CST
Nmap scan report for 192.168.4.100 //scan report for the host mail
Host is up (0.0016s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 1719 Aug 17 13:33 UserB.pub
| -rw-r--r-- 1 0 0 122 Aug 13 05:27 dl.txt
| drwxr-xr-x 2 14 0 4096 Aug 13 09:07 pub
| -rw-rw-r-- 1 505 505 170 Aug 17 13:18 tools-1.2.3.tar.gz
|_-rw-rw-r-- 1 505 505 287 Aug 17 13:22 tools-1.2.3.tar.gz.sig
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 86:be:d6:89:c1:2d:d9:1f:57:2f:66:d1:af:a8:d3:c6 (DSA)
|_2048 16:0a:15:01:fa:bb:91:1d:cc:ab:68:17:58:f9:49:4f (RSA)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.15 ((Red Hat))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: 302 Found
|_Did not follow redirect to https://192.168.4.100//
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: USER CAPA UIDL TOP OK(K) RESP-CODES PIPELINING STLS SASL(PLAIN)
111/tcp open rpcbind
MAC Address: 00:0C:29:74:BE:21 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=8/19%OT=21%CT=1%CU=34804%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM=52
OS:11ED90%P=x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O
OS:5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6
OS:=3890)ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Network Distance: 1 hop
Service Info: Host: mail.tarena.com; OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 1.55 ms 192.168.4.100
Analyzing the cleartext exchanged during an FTP login (tcpdump)
tcpdump:
Capture options:
-i, interface to listen on (default: the first configured non-loopback interface, eth0 on this host)
-A, print each packet's payload as ASCII, which makes text protocols such as FTP and HTTP readable
-w, write the raw packets to a file
-r, read packets back from a file
-nn, do not resolve addresses or port numbers to names (without it a client port is printed as a service name such as "novation", as in the output below)
tcpdump filter expressions:
Type: host, net, port, portrange
Direction: src, dst (either direction matches when omitted)
Protocol: tcp, udp, ip (IP packets), wlan, arp (ARP, which maps IP addresses to MAC addresses), ...
Combining conditions: and, or, not
[root@proxy ~]# tcpdump -A host 192.168.4.100 and tcp port 21 //capture packets to or from 192.168.4.100 on TCP port 21 and print them as ASCII
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
.. .. //tcpdump is now waiting for matching packets (Ctrl-C stops it)
[root@proxy ~]# tcpdump -w ftp.cap host 192.168.4.100 and tcp port 21 //capture and save to a file; eth0 is used by default, add -i to pick another interface (-w stores raw packets, so -A has no effect here: decode when reading the file back)
[root@proxy ~]# tcpdump -A -r ftp.cap | egrep '(USER|PASS)' //read the saved capture and pull out the FTP login commands: the username and password cross the network in cleartext
.. ..
18:47:27.960530 IP 192.168.4.5.novation > 192.168.4.100.ftp: Flags [P.], seq 1:14, ack 21, win 65515, length 13
E..5..@.@......x...d.*..G.\c.1BvP.......USER mickey
… …
18:47:29.657364 IP 192.168.4.5.novation > 192.168.4.100.ftp: Flags [P.], seq 14:27, ack 55, win 65481, length 13
E..5..@.@......x...d.*..G.\p.1B.P.......PASS pwd123
… …
nginx:
Authorization: Basic aGg6MTIzNDU2 //the HTTP Basic authentication header from a captured nginx request; the value is base64("user:password"), encoded but not encrypted, so anyone who can sniff the traffic recovers the login
echo -n "123" | base64 //base64-encode the string 123 (-n keeps echo from appending a newline, which would otherwise become part of the encoded data)
echo aGg6MTIzNDU2 | base64 -d //decode back to the original data: hh:123456, i.e. user hh with password 123456
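The tcpdump -A | egrep pipeline and the nginx Authorization header both rely on the same fact: FTP and HTTP Basic send the credential in cleartext, so a saved capture is enough to recover it. The following Python script is an added example, not code from the original notes, tcpdump or nginx. It builds a small pcap in the format tcpdump -w produces (constructed frames carrying the FTP login from the notes and one nginx request with the Authorization header above), parses the Ethernet/IPv4/TCP headers with the standard library only, and decodes the FTP USER/PASS commands and the base64 Basic-auth value. The MAC addresses, client ports, timestamps and the file name sample.cap are assumptions.

```python
"""Pull cleartext credentials (FTP USER/PASS, HTTP Basic) out of a pcap file of the kind
tcpdump -w writes, using only the standard library.

Added example, not part of the original notes. The capture below is constructed in this
script (the FTP login from the notes plus one nginx Basic-auth request); the reader
assumes an Ethernet (EN10MB) capture carrying IPv4/TCP, which is what an eth0 capture is.
"""
import base64
import re
import struct


def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; enough for parsing).
    MAC addresses are assumed values, not taken from a real capture."""
    eth = bytes.fromhex("000c2974be21") + bytes.fromhex("000c29000005") + b"\x08\x00"
    # data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames, first_ts=1495018047):
    """Serialize frames as a classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each IPv4/TCP frame in the pcap."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"      # pcap records use the writer's byte order
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:                                     # not TCP
            continue
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_off:14 + ip_total_len]      # stop before Ethernet padding
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield src, sport, dst, dport, payload


FTP_RE = re.compile(rb"^(USER|PASS) (\S+)", re.M)
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I)


def extract_credentials(pcap_bytes, ftp_ports=(21,), http_ports=(80, 8080)):
    """Return (protocol, src_ip, dst_ip, secret) for every cleartext credential found."""
    found = []
    for src, sport, dst, dport, payload in read_pcap(pcap_bytes):
        if dport in ftp_ports:
            for cmd, arg in FTP_RE.findall(payload):
                found.append(("ftp", src, dst, (cmd + b" " + arg).decode("ascii", "replace")))
        if dport in http_ports:
            for token in BASIC_RE.findall(payload):
                # Basic auth is base64("user:password"): reversible encoding, not a hash
                found.append(("http-basic", src, dst,
                              base64.b64decode(token).decode("utf-8", "replace")))
    return found


# Constructed traffic (not a real capture): the FTP login from the notes plus one nginx request.
SAMPLE_PCAP = build_pcap([
    _ipv4_tcp_frame("192.168.4.5", "192.168.4.100", 49512, 21, b"USER mickey\r\n"),
    _ipv4_tcp_frame("192.168.4.100", "192.168.4.5", 21, 49512, b"331 Please specify the password.\r\n"),
    _ipv4_tcp_frame("192.168.4.5", "192.168.4.100", 49512, 21, b"PASS pwd123\r\n"),
    _ipv4_tcp_frame("192.168.4.5", "192.168.4.100", 49513, 80,
                    b"GET / HTTP/1.1\r\nHost: 192.168.4.100\r\nAuthorization: Basic aGg6MTIzNDU2\r\n\r\n"),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # a real file saved with tcpdump -w
        with open(sys.argv[1], "rb") as fh:
            capture = fh.read()
    else:                                      # write the sample so tcpdump -A -r can read it too
        capture = SAMPLE_PCAP
        with open("sample.cap", "wb") as fh:
            fh.write(capture)
    for proto, src, dst, secret in extract_credentials(capture):
        print(f"{proto:10s} {src} -> {dst}: {secret}")
```

Run it without arguments to use the constructed capture (it also writes sample.cap, which `tcpdump -A -r sample.cap` decodes just like the notes' ftp.cap), or pass the path of a capture saved with tcpdump -w. The parser keys on the destination port, so a site running FTP or HTTP on other ports would pass them in via ftp_ports and http_ports.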
Audit monitoring (audit); security for nginx, mysql, tomcat; patches