小白日记13:kali渗透测试之服务扫描(三)-SMTB扫描、防火墙识别、负载均衡识别、WAF识别

SMTP扫描

SMTP(Simple Mail Transfer Protocol)即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则,由它来控制信件的中转方式。SMTP协议属于TCP/IP协议簇,它帮助每台计算机在发送或中转信件时找到下一个目的地。通过SMTP协议所指定的服务器,就可以把E-mail寄到收信人的服务器上了,整个过程只要几分钟。SMTP服务器则是遵循SMTP协议的发送邮件服务器,用来发送或中转发出的电子邮件。
SMB扫描针对机器去发现其漏洞,SMTP扫描为主动发现目标系统的邮件账号(被动信息收集也能收集到一些)。用途:社会工程学
初级方法
root@kali:~# nc -nv 192.168.1.107 25            #连接25端口
(UNKNOWN) [192.168.1.107] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root                                     #输入:尝试确认是否有root账号
252 2.0.0 root<strong>
</strong>
Nmap 前提:做了端口扫描知道目标主机开启25端口
扫描用户账号
root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
                               #尝试枚举账号     #指定使用什么方式,默认用root账号,也可加别的参数(指定字典)
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:06 CST
Nmap scan report for smtp.163.com (220.181.12.16)
Host is up (0.044s latency).
Other addresses for smtp.163.com (not scanned): 220.181.12.17 220.181.12.18 220.181.12.11 220.181.12.12 220.181.12.13 220.181.12.14 220.181.12.15
rDNS record for 220.181.12.16: m12-16.163.com
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users: 
|_  Couldn't find any accounts

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
指定字典扫描邮箱账号:smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
扫描邮件开放中继:【如果开放了邮件中继,所有人都可以使用该邮件服务器】
root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:11 CST
Nmap scan report for smtp.163.com (220.181.12.15)
Host is up (0.043s latency).
Other addresses for smtp.163.com (not scanned): 220.181.12.14 220.181.12.13 220.181.12.12 220.181.12.11 220.181.12.18 220.181.12.17 220.181.12.16
rDNS record for 220.181.12.15: m12-15.163.com
PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 3.62 seconds
注:都可以用python脚本实现
 

防火墙识别

 
尽量隐蔽的情况下,扫描出防火墙上开放的端口,通过检查回包,可能识别端口是否被防火墙过滤。【被过滤的端口,不是防火墙上的端口,而是内部主机向外发起请求的临时端口】但设备多种多样,结果存在一定误差
 
 
python脚本扫描
#!/usr/bin/python

from scapy.all import*
import logging
logging.getLogger( "scapy.runtime" ).setLevel(logging.ERROR)
import sys

if len( sys.argv ) !=3:
   print "Usage - ./Firewalk_scan.py [Target.IP] [Target Port]"
   print "Example - ./Firewalk_scan.py 1.1.1.1 443"
   print "Example will determine if filtering exists on port 443 of Host 1.1.1.1"
   sys.exit()

ip = sys.argv[1]
port = int(sys.argv[2])

ACK_response = sr1(IP(dst=ip)/TCP(dport=port,flags="A"),timeout=1,verbose=0)
SYN_response = sr1(IP(dst=ip)/TCP(dport=port,flags="S"),timeout=1,verbose=0)

if ((ACK_response == None) or (SYN_response == None)):
   print "Port is either unstatefully filtered or host is down"
<strong>elif ((ACK_response == None) or (SYN_response == None)) and not ((ACK_response == None) and (SYN_response == None)):
   print "Stateful filtering in place"    #防火墙在线#此句有逻辑问题,尚未修改</strong>
elif int(SYN_response[TCP].flags) == 18:
   print "Port is unfiltered and open"
elif int(SYN_response[TCP].flags) == 20:
   print "Port is unfiltered and closed"
else:
   print "Unable to determine if the port is filtered"<strong>
</strong>

Nmap对防火墙的识别
root@kali:~# nmap -p22 192.168.1.141 -sA

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:18 CST
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00021s latency).
PORT   STATE      SERVICE
22/tcp unfiltered ssh
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
根据其对SYN和ACK包的应答,去匹配上图类型
 


负载均衡识别

 
负载均衡从其应用的地理结构上分为本地负载均衡(Local Load Balance)和全局负载均衡(Global Load Balance,也叫地域负载均衡),本地负载均衡是指对本地的服务器群做负载均衡,全局负载均衡是指对分别放置在不同的地理位置、有不同网络结构的服务器群间作负载均衡。它提供了一种廉价有效透明的方法扩展网络设备和服务器的带宽、增加吞吐量、加强网络数据处理能力、提高网络的灵活性和可用性。
简单来说是DNS,即同一个域名对应不同IP。
基于web的服务负载均衡经常使用Nginx、Apache应用层负载均衡
 
Lbd(直接加域名,或者加IP)
root@kali:~# lbd www.baidu.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

<strong>Checking for DNS-Loadbalancing: FOUND
www.a.shifen.com has address 14.215.177.38
www.a.shifen.com has address 14.215.177.37

Checking for HTTP-Loadbalancing [Server]:           #应用层负载均衡
 bfe/1.0.8.18
 NOT FOUND</strong>

Checking for HTTP-Loadbalancing [Date]: 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: FOUND
< Last-Modified: Mon, 13 Jun 2016 02:50:17 GMT
> Last-Modified: Mon, 13 Jun 2016 02:50:12 GMT
< ETag: "575e1f69-115"
> ETag: "575e1f64-115"

www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]<strong>
</strong>
 

WAF识别

WAF(Web Application Firewall)的中文名称叫做“Web应用防火墙”,利用国际上公认的一种说法,WAF的定义是这样的:Web应用防火墙是通过执行一系列针对HTTP/HTTPS的安全策略来专门为Web应用提供保护的一款产品。通过从上面对WAF的定义中,我们可以很清晰的了解到,WAF是一种工作在应用层的、通过特定的安全策略来专门为Web应用提供安全防护的产品。
基于规则WAF过滤【可绕过】,基于机器学习结合语法词法分析的WAF将成为主流,几乎可防止所有的SQL注入
 
wafw00f 
<strong>root@kali:~# wafw00f -l                         #列出其可检测的WAF
</strong>
                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Profense
NetContinuum
Barracuda
HyperGuard
BinarySec
Teros
F5 Trafficshield
F5 ASM
Airlock
Citrix NetScaler
ModSecurity
IBM Web Application Security
IBM DataPower
DenyALL
dotDefender
webApp.secure
BIG-IP
URLScan
WebKnight
SecureIIS
Imperva
ISA Server


<strong>root@kali:~# wafw00f http://www.microsoft.com</strong>

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Checking http://www.microsoft.com
Generic Detection results:
The site http://www.microsoft.com seems to be behind a WAF 
Reason: The server returned a different response code when a string trigged the blacklist.
Normal response code is "400", while the response code to an attack is "403"
Number of requests: 16
nmap检测WAF
root@kali:~# nmap www.microsoft.com <strong>--script=http-waf-detect.nse</strong>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:51 CST


 
 
 
 
 
 

小白日记,未完待续……

posted on 2016-10-22 23:09  子轩非鱼  阅读(1083)  评论(0编辑  收藏  举报

导航