Active information gathering: service scanning
I. Service scanning
Identify open ports and the applications running on them
- Use the identified application to look up the corresponding known vulnerabilities (especially for older versions)
Identify the target operating system type, version, etc.
- Based on the result, test whether the relevant patches are missing
Methods
- Banner grabbing; note that the result is not necessarily accurate (an administrator can forge the banner to mislead scanners)
- Service identification (fingerprinting)
- Operating-system identification
- SNMP analysis, e.g. configuration problems
- Firewall identification
Banner
- Software vendor
- Software name
- Service type
- Version number
- Directly reveals known vulnerabilities and weaknesses
- Completing a full TCP connection to the target port is enough to obtain the banner
Alternative service-identification methods
- Characteristic behaviour and response fields
- Different responses can identify the underlying operating system (e.g. Linux and Windows answer ping differently: the default TTL of the echo reply is 64 on Linux and 128 on Windows)
SNMP
To be added...
II. Grabbing banners with a service scan
1. nc
Example:
```console
┌──(root💀kali)-[/home/kali]
└─# nc -nv 10.10.10.129 21
(UNKNOWN) [10.10.10.129] 21 (ftp) open
220 (vsFTPd 2.2.2)                        # vsFTPd, version included
^C
┌──(root💀kali)-[/home/kali]
└─# nc -nv 10.10.10.129 22
(UNKNOWN) [10.10.10.129] 22 (ssh) open
SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4     # operating system + service
^C
┌──(root💀kali)-[/home/kali]
└─# nc -nv 10.10.10.129 23
(UNKNOWN) [10.10.10.129] 23 (telnet) : Connection refused
```
2. Python script
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> an=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>> an.connect(("10.10.10.129",21))
>>> an.recv(4096)
b'220 (vsFTPd 2.2.2)\r\n'
>>> an.close()
>>> exit()
```
ban_grab.py
```python
#!/usr/bin/env python3
import socket
import select
import sys

if len(sys.argv) != 4:
    print("Usage - ./ban_grab.py [Target-IP] [First Port] [Last Port]")
    print("Example - ./ban_grab.py 10.10.10.1 1 100")
    print("Example will grab banners for TCP ports 1 through 100 on 10.10.10.1")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):  # inclusive, so "1 100" really covers port 100
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as bangrab:  # plain TCP socket
            bangrab.settimeout(2)          # do not hang on filtered ports that never answer
            bangrab.connect((ip, port))    # full connect; a closed port raises ConnectionRefusedError
            ready = select.select([bangrab], [], [], 1)  # wait up to 1 s for the service to speak first
            if ready[0]:                   # data arrived: the service announces itself, read the banner
                print("TCP Port " + str(port) + " - " + str(bangrab.recv(4096)))
    except OSError:                        # refused, timed out or reset: nothing to grab, move on
        pass
```
Example:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# python3 ./ban_grab.py 10.10.10.129 1 100
TCP Port 21 - b'220 (vsFTPd 2.2.2)\r\n'
TCP Port 22 - b'SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n'
```
3. dmitry
`-p` runs a TCP port scan and `-b` reads the banner from each open port. In this run dmitry crashed with a segmentation fault right after reaching port 80, so only the FTP and SSH banners were collected.
Example:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# dmitry -pb 10.10.10.129
Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host Name for 10.10.10.129
Continuing with limited modules
HostIP:10.10.10.129
HostName:

Gathered TCP Port information for 10.10.10.129
---------------------------------

 Port		State

21/tcp		open
>> 220 (vsFTPd 2.2.2)

22/tcp		open
>> SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4

80/tcp		open
zsh: segmentation fault  dmitry -pb 10.10.10.129
```
4. nmap
The banner NSE script (`--script=banner`, or equivalently `--script=banner.nse`) connects to each open port and records whatever the service sends unprompted. Port 80 is reported open but without a banner because an HTTP server says nothing until it receives a request; closing that gap is what service detection (`-sV`, section III) is for.
Example:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap -sT 10.10.10.129 -p 21 --script=banner
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 09:08 EST
Nmap scan report for 10.10.10.129
Host is up (0.00046s latency).

PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 (vsFTPd 2.2.2)
MAC Address: 00:0C:29:DE:5D:BA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap -sT 10.10.10.129 -p 1-100 --script=banner.nse
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 09:09 EST
Nmap scan report for 10.10.10.129
Host is up (0.00082s latency).
Not shown: 97 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 (vsFTPd 2.2.2)
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
80/tcp open  http
MAC Address: 00:0C:29:DE:5D:BA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.35 seconds
```
5. amap
amap is built specifically to identify the service running on a given port. `-B` only grabs banners; the default mode (application mapping, section III) also sends protocol triggers. Note the line in the help text below: this Kali build is not compiled with SSL support, so services wrapped in TLS cannot be mapped through the encryption.
Installation
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# apt-get install amap
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  amap
0 upgraded, 1 newly installed, 0 to remove and 135 not upgraded.
Need to get 68.2 kB of archives.
After this operation, 181 kB of additional disk space will be used.
Get:1 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 amap amd64 5.4-4kali2 [68.2 kB]
Fetched 68.2 kB in 3s (24.5 kB/s)
Selecting previously unselected package amap.
(Reading database ... 271263 files and directories currently installed.)
Preparing to unpack .../amap_5.4-4kali2_amd64.deb ...
Unpacking amap (5.4-4kali2) ...
Setting up amap (5.4-4kali2) ...
Processing triggers for kali-menu (2021.3.3) ...
Processing triggers for man-db (2.9.4-2) ...
```
Help:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap -h
amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

Modes:
  -A         Map applications: send triggers and analyse responses (default)
  -B         Just grab banners, do not send triggers
  -P         No banner or application stuff - be a (full connect) port scanner
Options:
  -1         Only send triggers to a port until 1st identification. Speeeeed!
  -6         Use IPv6 instead of IPv4
  -b         Print ascii banner of responses
  -i FILE    Nmap machine readable outputfile to read ports from
  -u         Ports specified on commandline are UDP (default is TCP)
  -R         Do NOT identify RPC service
  -H         Do NOT send application triggers marked as potentially harmful
  -U         Do NOT dump unrecognised responses (better for scripting)
  -d         Dump all responses
  -v         Verbose mode, use twice (or more!) for debug (not recommended :-)
  -q         Do not report closed ports, and do not print them as unidentified
  -o FILE [-m] Write output to file FILE, -m creates machine readable output
  -c CONS    Amount of parallel connections to make (default 32, max 256)
  -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
  -T SEC     Connect timeout on connection attempts in seconds (default 5)
  -t SEC     Response wait timeout in seconds (default 5)
  -p PROTO   Only send triggers for this protocol (e.g. ftp)
  TARGET PORT   The target address and port(s) to scan (additional to -i)

amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
```
Example:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap -B 10.10.10.129 22
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:13:00 - BANNER mode
Banner on 10.10.10.129:22/tcp : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n

amap v5.4 finished at 2021-11-30 09:13:01

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap -B 10.10.10.129 21
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:13:07 - BANNER mode
Banner on 10.10.10.129:21/tcp : 220 (vsFTPd 2.2.2)\r\n

amap v5.4 finished at 2021-11-30 09:13:07

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap -B 10.10.10.129 1-200
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:13:30 - BANNER mode
Banner on 10.10.10.129:143/tcp : * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc.  See COPYING for distribution information.\r\n
Banner on 10.10.10.129:21/tcp : 220 (vsFTPd 2.2.2)\r\n
Banner on 10.10.10.129:22/tcp : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n

amap v5.4 finished at 2021-11-30 09:13:42
```
III. Service identification
Banner grabbing has limited reach: a service that does not greet on connect (HTTP on port 80 above) yields nothing, and a banner is only text that an administrator can edit. nmap instead identifies services by analysing response characteristics:
- it sends a series of elaborate, protocol-specific probes
- and matches the responses against a signature database (nmap-service-probes)
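The probe-and-signature loop just described, together with the vendor/name/version fields listed in the Banner section, as an added worked example in Python. This is not code from this post, from nmap or from amap: the probe list, the signatures and the two fake services on 127.0.0.1 (a vsFTPd-style greeter and a silent HTTP server that answers only a `GET`) are constructed here for illustration so that the script runs offline; a real tool ships thousands of signatures.

```python
"""Probe-and-signature service identification (the idea behind nmap -sV and amap). Added example, not the post's code."""
import re
import socket
import socketserver
import threading

# Probes, tried in order. The NULL probe sends nothing: FTP, SSH, SMTP and IMAP greet first, so
# for them this is plain banner grabbing. HTTP stays silent until the client speaks, so a
# protocol trigger follows. (Some triggers upset fragile services; amap's -H exists for that.)
PROBES = [
    ("NULL", b""),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n"),
]

# Signatures (constructed for this example), tried in order against the raw response. A named
# "version" group extracts product/version, turning a bare "ftp" into "vsFTPd 2.2.2".
# Specific patterns must come before generic ones (SMTP and FTP both greet with "220").
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-[\d.]+-(?P<version>\S+)")),
    ("smtp", re.compile(rb"^220[ -].*\b(?:SMTP|ESMTP)\b", re.I)),
    ("ftp",  re.compile(rb"^220[ -].*?\((?P<version>vsFTPd [\d.]+)\)")),
    ("ftp",  re.compile(rb"^220[ -]")),
    ("imap", re.compile(rb"^\* OK\b(?:.*?(?P<version>Courier-IMAP|Dovecot))?", re.S)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}(?:.*?\r\nServer: (?P<version>[^\r\n]+))?", re.S)),
]

def match_signature(response):
    """(service, version_or_None) for the first matching signature, else None.
    Keep unmatched responses: that is how new signatures get written."""
    for service, pattern in SIGNATURES:
        m = pattern.search(response)
        if m:
            version = m.groupdict().get("version")
            return service, (version.decode(errors="replace") if version else None)
    return None

def probe(host, port, payload, timeout=1.0):
    """Full TCP connect, send `payload` (maybe empty) and return what comes back within
    `timeout`; b"" on silence, refusal or unreachability."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
            try:
                chunks = [s.recv(4096)]   # wait up to `timeout` for the first bytes
            except socket.timeout:
                return b""                # silent: needs a trigger, or nothing to say
            s.settimeout(0.2)             # then drain whatever is already queued
            while chunks[-1]:
                try:
                    chunks.append(s.recv(4096))
                except socket.timeout:
                    break
            return b"".join(chunks)
    except OSError:
        return b""

def identify(host, port, timeout=1.0):
    """Run the probes in order and stop at the first response a signature explains.
    Returns (service, version, raw); service is "unknown" if something answered but no
    signature matched, "no-response" if nothing ever came back."""
    last = b""
    for _name, payload in PROBES:
        response = probe(host, port, payload, timeout)
        if not response:
            continue
        last = response
        hit = match_signature(response)
        if hit:
            return hit[0], hit[1], response
    return ("unknown" if last else "no-response"), None, last

# Constructed test doubles so the example runs offline against 127.0.0.1.
class FakeVsftpd(socketserver.BaseRequestHandler):
    """Greets on connect with the banner from the post, then waits for USER."""
    def handle(self):
        self.request.sendall(b"220 (vsFTPd 2.2.2)\r\n")
        self.request.settimeout(3)
        try:
            self.request.recv(1024)
        except OSError:
            pass

class FakeApache(socketserver.BaseRequestHandler):
    """Says nothing until it sees a request line, like a real HTTP server."""
    def handle(self):
        self.request.settimeout(3)
        try:
            request = self.request.recv(1024)
        except OSError:
            return
        if request.startswith(b"GET "):
            self.request.sendall(b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n"
                                 b"Content-Length: 0\r\n\r\n")

def start_fake(handler):
    """Serve `handler` on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    for handler in (FakeVsftpd, FakeApache):
        server, port = start_fake(handler)
        service, version, raw = identify("127.0.0.1", port)
        print(f"127.0.0.1:{port}/tcp -> {service} {version or ''}  raw={raw[:40]!r}")
        server.shutdown()
        server.server_close()
```

Run it directly to watch both fakes get identified, or call `identify()` against a lab host and port. The `GET` trigger is only sent when the NULL probe came back empty, which is exactly why `nmap -sV` below names Apache on port 80 while `--script=banner` above showed nothing there.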
1. nc
Omitted, same as II.1.
2. nmap
`-sV` runs version detection. Compare with the banner-only scan above: port 80 now resolves to Apache httpd 2.2.14 with its module list, and nmap also reports Samba on 139 and Courier IMAP on 143, none of which a passive banner read would give.
Example:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap 10.10.10.129 -p 1-200 -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 09:19 EST
Nmap scan report for 10.10.10.129
Host is up (0.00011s latency).
Not shown: 195 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.2.2
22/tcp  open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Courier Imapd (released 2008)
MAC Address: 00:0C:29:DE:5D:BA (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds
```
3. amap
Without `-B`, amap runs in application-mapping mode and sends its triggers. Closed ports are listed as "Unidentified" unless `-q` is given; `-b` appends the banner to each match.
Example:
```console
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap 10.10.10.129 80
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:19:58 - APPLICATION MAPPING mode

Protocol on 10.10.10.129:80/tcp matches http
Protocol on 10.10.10.129:80/tcp matches http-apache-2

Unidentified ports: none.

amap v5.4 finished at 2021-11-30 09:20:04

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap 10.10.10.129 20-30
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:20:20 - APPLICATION MAPPING mode

Protocol on 10.10.10.129:22/tcp matches ssh
Protocol on 10.10.10.129:22/tcp matches ssh-openssh
Protocol on 10.10.10.129:21/tcp matches ftp

Unidentified ports: 10.10.10.129:20/tcp 10.10.10.129:23/tcp 10.10.10.129:24/tcp 10.10.10.129:25/tcp 10.10.10.129:26/tcp 10.10.10.129:27/tcp 10.10.10.129:28/tcp 10.10.10.129:29/tcp 10.10.10.129:30/tcp (total 9).

amap v5.4 finished at 2021-11-30 09:20:23

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap 10.10.10.129 20-30 -q
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:20:44 - APPLICATION MAPPING mode

Protocol on 10.10.10.129:22/tcp matches ssh
Protocol on 10.10.10.129:22/tcp matches ssh-openssh
Protocol on 10.10.10.129:21/tcp matches ftp

amap v5.4 finished at 2021-11-30 09:20:50

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# amap 10.10.10.129 20-30 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2021-11-30 09:20:54 - APPLICATION MAPPING mode

Protocol on 10.10.10.129:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n
Protocol on 10.10.10.129:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4\r\n
Protocol on 10.10.10.129:21/tcp matches ftp - banner: 220 (vsFTPd 2.2.2)\r\n

amap v5.4 finished at 2021-11-30 09:21:01
```
Stay true to your original aspiration and you will reach the end.
Category:
kali penetration testing study notes