
Kali Linux Penetration Testing 021: Active Information Gathering

This article records, in detail, the process of learning Kali Linux 2018.1 and using it for penetration testing, following the "Kali Linux 滲透測試" course from the 安全牛 classroom.

1. Introduction

  • Communicates directly with the target system
  • Leaving traces of the access is unavoidable
  • Probe from a controlled third-party machine

    • Use a proxy or a host you already control
    • Be prepared to be blocked
    • Use noise to confuse the target and drown the real probe traffic
  • Scanning

    • Send different probes and judge the target's state from what comes back

2. Host discovery

1. Introduction

  • Identify live hosts

    • Potential attack targets
  • Output: a list of IP addresses

  • Discovery at layers 2, 3 and 4

2. Layer 2 discovery

  • Advantages

    • Fast and reliable
  • Disadvantages

    • Not routable: only hosts in the same broadcast domain answer
  • ARP protocol
    • Packet capture analysis
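The following is an added example (not code from the article or from the course) showing what the layer-2 tools below actually put on the wire: it builds the Ethernet/ARP who-has frame, decodes ARP frames such as those you would see in a capture, and, on Linux with CAP_NET_RAW, sweeps a list of targets from a raw AF_PACKET socket. The interface name, source MAC and addresses are assumed lab values.

```python
"""Layer-2 discovery primitives: build an ARP who-has frame, parse replies.
Added example (not from the original article); standard library only.
The MACs/IPs used below are assumed lab values."""
import select
import socket
import struct
import time

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II header + ARP who-has (opcode 1), broadcast to ff:ff:ff:ff:ff:ff.
    This is the frame arping / netdiscover / nmap -PR put on the wire."""
    eth = BROADCAST_MAC + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # target MAC is what we are asking for
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame (e.g. one read from a capture).
    Returns None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def arp_sweep(iface: str, src_mac: str, src_ip: str, targets, timeout: float = 1.0) -> dict:
    """Send one who-has per target and collect replies as {ip: mac}.
    Needs Linux and CAP_NET_RAW (root); only hosts on the same broadcast domain answer."""
    targets = set(targets)
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    s.setblocking(False)
    for ip in targets:
        s.send(build_arp_request(src_mac, src_ip, ip))
    alive = {}
    deadline = time.monotonic() + timeout
    while (remaining := deadline - time.monotonic()) > 0:
        ready, _, _ = select.select([s], [], [], remaining)
        if not ready:
            break
        p = parse_arp(s.recv(65535))
        if p and p["op"] == "reply" and p["sender_ip"] in targets:
            alive[p["sender_ip"]] = p["sender_mac"]
    s.close()
    return alive


if __name__ == "__main__":
    # Assumed lab values (not from the original page): attacker 10.10.10.131 on eth0
    print(arp_sweep("eth0", "00:0c:29:aa:bb:cc", "10.10.10.131",
                    ["10.10.10.%d" % i for i in range(1, 255)]))
```

Only hosts in the same broadcast domain answer, which is the "not routable" limitation listed above. The same parser run over a passive capture gives you the netdiscover -p view: a sender MAC that differs from what the ARP cache already holds for that IP is also how ARP spoofing shows up.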

1. arping

  1. Introduction

    root@kali:~# arping 
    Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
      -f : quit on first reply
      -q : be quiet
      -b : keep broadcasting, don't go unicast
      -D : duplicate address detection mode
      -U : Unsolicited ARP mode, update your neighbours
      -A : ARP answer mode, update your neighbours
      -V : print version and exit
      -c count : how many packets to send
      -w timeout : how long to wait for a reply
      -I device : which ethernet device to use
      -s source : source ip address
      destination : ask for what ip address
    
  2. Host scan

    # Number of packets to send
    root@kali:~# arping 10.10.10.132 -c 1
    ARPING 10.10.10.132 from 10.10.10.131 eth0
    Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C]  1.130ms
    Sent 1 probes (1 broadcast(s))
    Received 1 response(s)
    
    # Duplicate address detection mode: the probe is sent from 0.0.0.0, and a reply means the address is already in use
    root@kali:~# arping 10.10.10.132 -D
    ARPING 10.10.10.132 from 0.0.0.0 eth0
    Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C]  0.812ms
    Sent 1 probes (1 broadcast(s))
    Received 1 response(s)
    
    # Extract only the MAC address
    root@kali:~# arping -c 1 10.10.10.132 | grep "reply from" | cut -d " " -f 5 | cut -d "[" -f 2 | cut -d "]" -f 1
    00:0C:29:D0:AB:2C

2. nmap

  1. Introduction

    -sn: Ping scan - disable port scan
    -iL <inputfilename>: input from a list of hosts/networks
    
  2. Host scan

    # Specify an IP address range (on a local Ethernet, a privileged nmap -sn uses ARP requests, hence the MAC addresses below)
    root@kali:~# nmap 10.10.10.1-254 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00020s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00058s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00025s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00036s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.0032s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00014s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 2.01 seconds
    
    # Build the address list (Python): one address per line, which is what nmap -iL expects
    with open('/root/Desktop/ipaddr.txt', 'w') as fo:
        for i in range(1, 255):
            fo.write('10.10.10.%d\n' % i)
    
    # Scan the address list
    root@kali:~# nmap -iL ipaddr.txt -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:21 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00071s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.0021s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00047s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00089s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.00018s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00050s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 1.83 seconds
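An added example, not from the article: the stated output of this phase is a list of live addresses for the next stage, so this parses the `nmap -sn` normal output shown above into host records and writes the file that `-iL` (or `netdiscover -l`) consumes. SAMPLE is constructed from the page's output format, with one hostname-form report line added so the parser handles both forms nmap prints.

```python
"""Parse `nmap -sn` normal output into host records and a target list.
Added example, not from the original article. SAMPLE is constructed."""
import re

REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>[^\s(]+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s*$"
)
UP_RE = re.compile(r"^Host is up(?: \((?P<latency>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$"
)

# Constructed sample in the format shown above (hostname form included for generality).
SAMPLE = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for gateway.lab (10.10.10.254)
Host is up (0.00014s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.01 seconds
"""


def parse_ping_sweep(text: str) -> list:
    """Return [{ip, name, up, latency, mac, vendor}] for every 'scan report' block.
    The scanning host itself prints 'Host is up.' with no latency and no MAC."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = {"ip": m["ip"], "name": m["name"], "up": False,
                   "latency": None, "mac": None, "vendor": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = UP_RE.match(line)
        if m:
            cur["up"] = True
            cur["latency"] = float(m["latency"]) if m["latency"] else None
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"] = m["mac"].upper()
            cur["vendor"] = m["vendor"]
    return hosts


def live_ips(text: str) -> list:
    return [h["ip"] for h in parse_ping_sweep(text) if h["up"]]


def write_target_list(text: str, path: str) -> int:
    """Write one live IP per line, ready for `nmap -iL path`; returns the count."""
    ips = live_ips(text)
    with open(path, "w") as f:
        f.write("\n".join(ips) + "\n")
    return len(ips)


if __name__ == "__main__":
    print(live_ips(SAMPLE))
```

For anything beyond a quick pipeline, nmap's grepable (`-oG -`) or XML (`-oX`) output is the stable format to script against; normal output is meant for humans and can change between versions.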
    

3. Netdiscover

  1. Introduction

    • Dedicated to layer-2 discovery
    • Usable on wireless and switched networks
    • Active and passive probing
    • Help

      root@kali:~# netdiscover -h
      Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool]
      Written by: Jaime Penalba <[email protected]>
      
      Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-c]
        -i device: network device to use
        -r range: IP range to scan, e.g. 192.168.6.0/24,/16,/8
        -l file: file containing the IP ranges to scan
        -p passive mode: do not send anything, only sniff
        -m file: scan a list of known MAC addresses
        -F filter: Customize pcap filter expression (default: "arp")
        -s time: time to sleep between each arp request (milliseconds)
        -n node: last ip octet used for scanning (from 2 to 253)
        -c count: number of times to send each arp reques (for nets with packet loss)
        -f enable fastmode scan, saves a lot of time, recommended for auto
        -d ignore home config files for autoscan and fast mode
        -S enable sleep time supression between each request (hardcore mode)
        -P print results in a format suitable for parsing by another program
        -N Do not print header. Only valid when -P is enabled.
        -L in parsable output mode (-P), continue listening after the active scan is completed
      
  2. Host scan

    • Active scan

        # Scan a specified range (-r)
        Currently scanning: Finished!   |   Screen View: Unique Hosts
         6 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 360
         _____________________________________________________________________________
           IP            At MAC Address     Count     Len  MAC Vendor / Hostname
         -----------------------------------------------------------------------------
         10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.
         10.10.10.2      00:50:56:e1:24:a1      1      60  VMware, Inc.
         10.10.10.132    00:0c:29:d0:ab:2c      1      60  VMware, Inc.
         10.10.10.136    00:0c:29:35:6a:2d      1      60  VMware, Inc.
         10.10.10.137    00:50:56:21:d2:3a      1      60  VMware, Inc.
         10.10.10.254    00:50:56:e2:6b:78      1      60  VMware, Inc.
    
        # Scan an address list
        root@kali:~# netdiscover -l ipaddr.txt 
        Currently scanning: 10.10.10.0/24   |   Screen View: Unique Hosts
    
         248 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 14880
         _____________________________________________________________________________
           IP            At MAC Address     Count     Len  MAC Vendor / Hostname
         -----------------------------------------------------------------------------
         10.10.10.1      00:50:56:c0:00:08     42    2520  VMware, Inc.
         10.10.10.2      00:50:56:e1:24:a1     42    2520  VMware, Inc.
         10.10.10.132    00:0c:29:d0:ab:2c     41    2460  VMware, Inc.
         10.10.10.136    00:0c:29:35:6a:2d     41    2460  VMware, Inc.
         10.10.10.137    00:50:56:21:d2:3a     41    2460  VMware, Inc.
         10.10.10.254    00:50:56:e2:6b:78     41    2460  VMware, Inc.
    
    • Passive scan

      # Active ARP sweeps are easy to alert on; passive mode sends nothing and only listens
      root@kali:~# netdiscover -p
      Currently scanning: (passive)   |   Screen View: Unique Hosts
      
       12 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 720
       _____________________________________________________________________________
         IP            At MAC Address     Count     Len  MAC Vendor / Hostname
       -----------------------------------------------------------------------------
       10.10.10.254    00:50:56:e2:6b:78      1      60  VMware, Inc.
       10.10.10.2      00:50:56:e1:24:a1      3     180  VMware, Inc.
       10.10.10.137    00:50:56:21:d2:3a      2     120  VMware, Inc.
       10.10.10.132    00:0c:29:d0:ab:2c      4     240  VMware, Inc.
       10.10.10.136    00:0c:29:35:6a:2d      2     120  VMware, Inc.
      

3. Layer 3 discovery

  • Advantages
    • Routable
    • Reasonably fast
  • Disadvantages

    • Slower than layer 2
    • Often filtered by perimeter firewalls
  • IP and ICMP protocols

1. ping

  1. Introduction

    root@kali:~# ping -h
    Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
                [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
                [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
                [-w deadline] [-W timeout] [hop1 ...] destination
    Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
                 [-l preload] [-m mark] [-M pmtudisc_option]
                 [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
                 [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
                 [-W timeout] destination
    
  2. Host scan

    # Specify the number of packets
    root@kali:~# ping 10.10.10.132 -c 2
    PING 10.10.10.132 (10.10.10.132) 56(84) bytes of data.
    64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=10.3 ms
    64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.214 ms
    
    --- 10.10.10.132 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 0.214/5.302/10.390/5.088 ms
    
    
    # Record route: -R sets the IP record-route option (many routers ignore it, so traceroute is the usual tool)
    root@kali:~# ping -R 10.10.10.132
    PING 10.10.10.132 (10.10.10.132) 56(124) bytes of data.
    64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=0.237 ms
    RR:     10.10.10.131
        10.10.10.132
        10.10.10.132
        10.10.10.131
    
    64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.376 ms (same route)
    64 bytes from 10.10.10.132: icmp_seq=3 ttl=64 time=0.233 ms (same route)
    64 bytes from 10.10.10.132: icmp_seq=4 ttl=64 time=0.227 ms (same route)
    
    root@kali:~# traceroute 10.10.10.132
    traceroute to 10.10.10.132 (10.10.10.132), 30 hops max, 60 byte packets
     1  10.10.10.132 (10.10.10.132)  0.311 ms  0.199 ms  0.140 ms
    
    # Extract only the responding address
    ping -c 1 10.10.10.132 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
    

2. fping

  1. Introduction

    root@kali:~# fping -h
    Usage: fping [options] [targets...]
    
    Probing options:
       -4, --ipv4         only ping IPv4 addresses
       -6, --ipv6         only ping IPv6 addresses
       -b, --size=BYTES   amount of ping data to send, in bytes (default: 56)
       -B, --backoff=N    set exponential backoff factor to N (default: 1.5)
       -c, --count=N      count mode: send N pings to each target
       -f, --file=FILE    read list of targets from a file ( - means stdin)
       -g, --generate     generate target list (only if no -f specified)
                          (give start and end IP in the target list, or a CIDR address)
                          (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
       -H, --ttl=N        set the IP TTL value (Time To Live hops)
       -I, --iface=IFACE  bind to a particular interface
       -l, --loop         loop mode: send pings forever
       -m, --all          use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
       -M, --dontfrag     set the Don't Fragment flag
       -O, --tos=N        set the type of service (tos) flag on the ICMP packets
       -p, --period=MSEC  interval between ping packets to one target (in ms)
                          (in loop and count modes, default: 1000 ms)
       -r, --retry=N      number of retries (default: 3)
       -R, --random       random packet data (to foil link data compression)
       -S, --src=IP       set source address
       -t, --timeout=MSEC individual target initial timeout (default: 500 ms,
                          except with -l/-c/-C, where it's the -p period up to 2000 ms)
    
    Output options:
       -a, --alive        show targets that are alive
       -A, --addr         show targets by address
       -C, --vcount=N     same as -c, report results in verbose format
       -D, --timestamp    print timestamp before each output line
       -e, --elapsed      show elapsed time on return packets
       -i, --interval=MSEC  interval between sending ping packets (default: 10 ms)
       -n, --name         show targets by name (-d is equivalent)
       -N, --netdata      output compatible for netdata (-l -Q are required)
       -o, --outage       show the accumulated outage time (lost packets * packet interval)
       -q, --quiet        quiet (don't show per-target/per-ping results)
       -Q, --squiet=SECS  same as -q, but show summary every n seconds
       -s, --stats        print final stats
       -u, --unreach      show targets that are unreachable
       -v, --version      show version
    
  2. Host scan

    # Specify the number of packets
    root@kali:~# fping -c 1 10.10.10.132 | grep 0%
    10.10.10.132 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.29/0.29/0.29
    10.10.10.132 : [0], 84 bytes, 0.29 ms (0.29 avg, 0% loss)
    
    # Specify a range: -g takes a start and an end address, or a CIDR block
    root@kali:~# fping -g 10.10.10.132 10.10.10.137
    root@kali:~# fping -g 10.10.10.0/24
    # Read targets from a file
    root@kali:~# fping -f ipaddr.txt

3. hping3

  1. Introduction

    • Can send almost any TCP/IP packet
    • Powerful, but scans only one target at a time
  2. Host scan

    # ICMP probe
    root@kali:~# hping3 10.10.10.132 --icmp -c 2
    HPING 10.10.10.132 (eth0 10.10.10.132): icmp mode set, 28 headers + 0 data bytes
    len=46 ip=10.10.10.132 ttl=64 id=33497 icmp_seq=0 rtt=4.4 ms
    len=46 ip=10.10.10.132 ttl=64 id=33498 icmp_seq=1 rtt=8.0 ms
    
    --- 10.10.10.132 hping statistic ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 4.4/6.2/8.0 ms
    

4. scapy

  1. Introduction

    Hand-craft an ICMP packet by stacking layers of the OSI model: IP/ICMP
    
  2. Host scan

    from scapy.all import IP, ICMP, sr1

    ip = IP()
    ip.dst = "1.1.1.1"
    ping = ICMP()
    a = sr1(ip/ping)                    # send one packet, return the first reply
    a.display()
    a = sr1(ip/ping, timeout=1)         # ping a nonexistent address: returns None after the timeout
    a = sr1(IP(dst="1.1.1.1")/ICMP(), timeout=1)   # the same probe in one line
    

4. Layer 4 discovery

  • Advantages

    • Routable, and the results are reliable
    • Less likely to be filtered by firewalls
    • Can even find hosts on which every port is filtered
  • Disadvantages

    • Stateful firewalls may filter the probes
    • Scanning all ports is slow
  • TCP

    • Unsolicited ACK -> RST
    • SYN -> SYN/ACK or RST
  • UDP

    • ICMP port unreachable, or no reply at all
  • ACK -> TCP port -> RST

    from scapy.all import IP, TCP, UDP, sr1

    i = IP()
    i.dst = "1.1.1.1"
    t = TCP()
    t.flags = 'A'                 # unsolicited ACK: any live host answers with RST
    r = (i/t)
    a = sr1(r)
    a.display()
    a = sr1(IP(dst="1.1.1.1")/TCP(dport=80, flags='A'), timeout=1)
    
  • UDP -> UDP port -> ICMP port unreachable (unreliable)

    u = UDP()
    u.dport = 33333               # an unlikely port: a closed port answers with ICMP port unreachable
    r = (i/u)                     # reuses the IP layer i built above
    a = sr1(r,timeout=1,verbose=1)
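An added example (not from the article) that does in the standard library what the scapy snippets in the layer-3 and layer-4 sections do: it builds IP/ICMP echo and IP/TCP probes with correct checksums, decodes the flags of a TCP reply, and applies the rules above (RST to an unsolicited ACK proves the host is up; SYN/ACK to a SYN proves the port is open too). Sending needs Linux and CAP_NET_RAW and a separate sniffer for the replies; addresses and ports are assumed lab values.

```python
"""Hand-crafted IPv4/ICMP and IPv4/TCP probes with correct checksums, and the
layer-4 discovery rules applied to replies. Added example, not from the article.
Addresses and ports are assumed lab values."""
import socket
import struct

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header, no options; the header checksum is filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo(ident: int = 1, seq: int = 1, payload: bytes = b"scan") -> bytes:
    """ICMP type 8 (echo request); a type 0 reply means the host is up at layer 3."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, flags: str = "S",
                seq: int = 0, window: int = 1024) -> bytes:
    """TCP header with the given flags; the checksum covers the IPv4 pseudo-header."""
    bits = sum(TCP_FLAG_BITS[f] for f in flags)
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, bits, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, PROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """A segment with a correct checksum sums to zero together with its pseudo-header."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, PROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def tcp_flags(seg: bytes) -> str:
    """Flags of a TCP header as a string, e.g. 'SA' for SYN/ACK."""
    return "".join(f for f, bit in TCP_FLAG_BITS.items() if seg[13] & bit)


def classify_tcp_reply(probe_flags: str, reply_flags: str) -> str:
    """Layer-4 discovery logic from the text: any RST proves a live host;
    SYN/ACK to a SYN proves the port is open as well."""
    if "R" in reply_flags:
        return "host up, port closed" if probe_flags == "S" else "host up"
    if probe_flags == "S" and "S" in reply_flags and "A" in reply_flags:
        return "host up, port open"
    return "no conclusion (filtered or dropped)"


def send_raw(packet: bytes, dst: str) -> None:
    """Put a complete IPv4 packet on the wire (Linux, CAP_NET_RAW). Replies must be sniffed separately."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(packet, (dst, 0))
    s.close()


if __name__ == "__main__":
    src, dst = "10.10.10.131", "10.10.10.132"          # assumed lab addresses
    echo = icmp_echo()
    send_raw(ipv4_header(src, dst, PROTO_ICMP, len(echo)) + echo, dst)
    ack = tcp_segment(src, dst, 40000, 80, flags="A")  # unsolicited ACK: live hosts answer RST
    send_raw(ipv4_header(src, dst, PROTO_TCP, len(ack)) + ack, dst)
```

The kernel never sees these as connections, so, exactly as with scapy, it will answer any SYN/ACK that comes back with its own RST; that is harmless for discovery, since the reply has already told you what you needed.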
    

1. nmap

  1. Introduction

    -A: enable OS detection, version detection, script scanning, and traceroute
    -sn: Ping Scan - disable port scan
    -PU[portlist]: UDP ping (another host-discovery option)
    -PS[portlist] (TCP SYN Ping)
    -PA[portlist] (TCP ACK Ping)
    -PE; -PP; -PM (ICMP Ping Types)
    -PR (ARP Ping)
    
  2. Host scan

    # UDP ping. Note: the port list must be attached to the flag (-PU53). With a space, nmap
    # treats "53" as an extra target, which is what the setup_target error below is about. The
    # sweep still works because a privileged nmap on a local Ethernet uses ARP for host discovery
    # regardless of -PU/-PA (see the MAC addresses); add --send-ip to force the IP-level probe.
    root@kali:~# nmap 10.10.10.1-254 -PU 53 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:13 EDT
    setup_target: failed to determine route to 53 (0.0.0.53)
    Nmap scan report for 10.10.10.1
    Host is up (0.00080s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00045s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00045s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00039s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.00038s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00092s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 2.07 seconds
    
    
    # ACK ping (same caveat: write -PA80, and use --send-ip to get a real ACK probe on the local LAN)
    root@kali:~# nmap 10.10.10.1-254 -PA 80 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:15 EDT
    setup_target: failed to determine route to 80 (0.0.0.80)
    Nmap scan report for 10.10.10.1
    Host is up (0.00066s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.0033s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00064s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00052s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.0013s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00040s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 1.81 seconds
    
    # Specify an IP address list (here the same range is given twice, via -iL and on the command line)
    root@kali:~# nmap -iL ipaddr.txt 10.10.10.1-254 -PA 80 -sn
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:16 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.00089s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00058s latency).
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00050s latency).
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap scan report for 10.10.10.136
    Host is up (0.00049s latency).
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    Nmap scan report for 10.10.10.137
    Host is up (0.00043s latency).
    MAC Address: 00:50:56:21:D2:3A (VMware)
    Nmap scan report for 10.10.10.254
    Host is up (0.00031s latency).
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    Nmap scan report for 10.10.10.131
    Host is up.
    Nmap done: 254 IP addresses (7 hosts up) scanned in 2.14 seconds
    

2. hping3

  1. Introduction

    -c --count count    number of packets to send
    -2 --udp            UDP mode
    
  2. Host scan

    # One UDP datagram (default destination port 0): the ICMP port-unreachable reply proves the host is up
    root@kali:~# hping3 --udp 10.10.10.132 -c 1
    HPING 10.10.10.132 (eth0 10.10.10.132): udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip=10.10.10.132 name=UNKNOWN   
    status=0 port=2770 seq=0
    
    --- 10.10.10.132 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 55.1/55.1/55.1 ms
    

3. Port scanning

  • Ports correspond to network services and the server-side programs behind them
  • Vulnerabilities in server programs are attacked through the ports they listen on
  • Find the open ports
  • A more specific attack surface

1. UDP port scanning

  • UDP port scanning

    • Assumes an ICMP port-unreachable response means the port is closed
    • When the target does not send port-unreachable, this produces false judgements
  • Full UDP application-layer requests

    • High accuracy
    • Very time-consuming
  • Scapy UDP scan
    • Port closed: ICMP port unreachable
    • Port open: no reply
    • Knowing the packet structure of each UDP-based application protocol helps a lot
    • Same technique as layer-3 discovery
    • Prone to misjudgement
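An added example, not from the article, of the UDP rule above using an ordinary UDP socket rather than scapy: on Linux a connected UDP socket surfaces the ICMP port-unreachable as ECONNREFUSED, so closed ports are visible without a sniffer, while silence stays ambiguous (open|filtered) and only an application-layer answer proves "open". The loopback responder, the silent service and the DNS payload are constructed so the example runs offline.

```python
"""UDP port probing with the ICMP port-unreachable rule, standard library only.
Added example, not from the original article; runs against loopback stand-ins."""
import socket
import threading

# Constructed application-layer payloads: an empty datagram is often ignored by a
# live service, so send something the protocol will at least parse.
PAYLOADS = {
    53: bytes.fromhex("1234 0100 0001 0000 0000 0000 00 0002 0001"),  # DNS NS query for "." (constructed)
}
DEFAULT_PAYLOAD = b"\x00"


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Returns 'open', 'closed' or 'open|filtered'.
    Linux delivers the ICMP port-unreachable for a *connected* UDP socket as
    ECONNREFUSED on the next send/recv, which is how a closed port becomes visible."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(PAYLOADS.get(port, DEFAULT_PAYLOAD))
        s.recv(4096)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"   # no ICMP and no reply: a service that ignored us, or a filter
    finally:
        s.close()


def udp_scan(host: str, ports, timeout: float = 1.0) -> dict:
    return {p: udp_probe(host, p, timeout) for p in ports}


# Loopback stand-ins so the example (and its checks) run offline.
def start_udp_responder(reply: bytes = b"pong"):
    """A UDP service that answers every datagram: the probe reports 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        try:
            while True:
                _, peer = s.recvfrom(4096)
                s.sendto(reply, peer)
        except OSError:
            pass  # socket closed by the caller

    threading.Thread(target=serve, daemon=True).start()
    return s, s.getsockname()[1]


def start_silent_udp_service():
    """Bound but never answers: the probe reports 'open|filtered', the false-negative trap."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def unused_udp_port() -> int:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_udp_responder()
    silent, quiet_port = start_silent_udp_service()
    print(udp_scan("127.0.0.1", [open_port, quiet_port, unused_udp_port()], timeout=0.5))
```

Against a real target the "closed" verdict also depends on the target rate-limiting its ICMP errors (Linux does by default), which is why nmap -sU retries and why a full sweep is slow.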

1. nmap

  1. Introduction

    -sU: UDP Scan
    -p <port ranges>: Only scan specified ports
    
  2. Port scan

    # Default: the 1000 most common ports
    root@kali:~# nmap -sU 10.10.10.132
    
    # Specify a port
    root@kali:~# nmap -sU 10.10.10.132 -p 53
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:48 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00034s latency).
    PORT   STATE SERVICE
    53/udp open  domain
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
    
    # Specify an IP address list
    root@kali:~# nmap -iL ipaddr.txt -sU -p 1-200
    

2. TCP port scanning

  • Connection-oriented protocol
  • Three-way handshake
  • Stealth scan
  • Zombie (idle) scan
  • Full-connect scan
  • Every TCP scan technique judges the port state from some variation on the three-way handshake
  • Stealth scan

    • Does not complete the connection
    • Application logs do not record the scan, hence "stealthy"
  • Zombie scan

    • Extremely stealthy
    • Hard conditions to meet (relies on the IP ID)
    • The source address can be spoofed
    • Choosing the zombie
      • An idle system
      • One whose IP ID increments with every packet (a host that always sends IP ID 0, or random IP IDs, is unusable)

1. Stealth port scanning

1. scapy

- SYN -> SYN/ACK -> RST: send a SYN; SYN/ACK means open, RST means closed. The kernel knows nothing about this connection and answers the SYN/ACK with its own RST, so it never completes

        from scapy.all import IP, TCP, sr1
        sr1(IP(dst="192.168.60.3")/TCP(dport=80),timeout=1,verbose=1)   # TCP() defaults to flags='S'

2. nmap

  1. Introduction

    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    
  2. Port scan

    # Specify individual ports
    root@kali:~# nmap -sS 10.10.10.132 -p 80,21,25,110,443
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00034s latency).
    PORT    STATE  SERVICE
    21/tcp  open   ftp
    25/tcp  open   smtp
    80/tcp  open   http
    110/tcp closed pop3
    443/tcp closed https
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
    
    # Full port range, showing only open ports
    root@kali:~# nmap -sS 10.10.10.132 -p 1-65535 --open
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00010s latency).
    Not shown: 65505 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    23/tcp    open  telnet
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    512/tcp   open  exec
    513/tcp   open  login
    514/tcp   open  shell
    1099/tcp  open  rmiregistry
    1524/tcp  open  ingreslock
    2049/tcp  open  nfs
    2121/tcp  open  ccproxy-ftp
    3306/tcp  open  mysql
    3632/tcp  open  distccd
    5432/tcp  open  postgresql
    5900/tcp  open  vnc
    6000/tcp  open  X11
    6667/tcp  open  irc
    6697/tcp  open  ircs-u
    8009/tcp  open  ajp13
    8180/tcp  open  unknown
    8787/tcp  open  msgsrvr
    37499/tcp open  unknown
    41241/tcp open  unknown
    44616/tcp open  unknown
    56072/tcp open  unknown
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds
    
    # -p- is shorthand for 1-65535
    root@kali:~# nmap -sS 10.10.10.132 -p- --open
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:58 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00027s latency).
    Not shown: 65505 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    23/tcp    open  telnet
    25/tcp    open  smtp
    53/tcp    open  domain
    80/tcp    open  http
    111/tcp   open  rpcbind
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    512/tcp   open  exec
    513/tcp   open  login
    514/tcp   open  shell
    1099/tcp  open  rmiregistry
    1524/tcp  open  ingreslock
    2049/tcp  open  nfs
    2121/tcp  open  ccproxy-ftp
    3306/tcp  open  mysql
    3632/tcp  open  distccd
    5432/tcp  open  postgresql
    5900/tcp  open  vnc
    6000/tcp  open  X11
    6667/tcp  open  irc
    6697/tcp  open  ircs-u
    8009/tcp  open  ajp13
    8180/tcp  open  unknown
    8787/tcp  open  msgsrvr
    37499/tcp open  unknown
    41241/tcp open  unknown
    44616/tcp open  unknown
    56072/tcp open  unknown
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
    
    # Specify an IP address list (output truncated below)
    root@kali:~# nmap -sS -iL ipaddr.txt -p 80,21,22,23
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:59 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.0011s latency).
    
    PORT   STATE  SERVICE
    21/tcp closed ftp
    22/tcp closed ssh
    23/tcp closed telnet
    80/tcp closed http
    MAC Address: 00:50:56:C0:00:08 (VMware)
    
    Nmap scan report for 10.10.10.254
    Host is up (0.00085s latency).
    
    PORT   STATE    SERVICE
    21/tcp filtered ftp
    22/tcp filtered ssh
    23/tcp filtered telnet
    80/tcp filtered http
    MAC Address: 00:50:56:E2:6B:78 (VMware)
    
    Nmap done: 254 IP addresses (7 hosts up) scanned in 3.48 seconds
    

3. hping3

  1. Introduction

    -8  --scan       scan mode: port range to scan
    -c  --count      packet count
    -a  --spoof      spoof source address
    -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
    -M  --setseq     set TCP sequence number
    -L  --setack     set TCP ack
    -F  --fin        set FIN flag
    -S  --syn        set SYN flag
    -R  --rst        set RST flag
    -P  --push       set PUSH flag
    -A  --ack        set ACK flag
    -U  --urg        set URG flag
    -X  --xmas       set X unused flag (0x40)
    -Y  --ymas       set Y unused flag (0x80)
    
  2. Port scan

    # SYN scan of one port; ".S..A..." in the flags column is SYN/ACK, i.e. open
    root@kali:~# hping3 10.10.10.132 --scan 80 -S
    Scanning 10.10.10.132 (10.10.10.132), port 80
    1 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
       80 http       : .S..A...  64     0  5840    46
    All replies received. Done.
    Not responding ports: 
    
    # SYN scan of a list of ports; only ports that answered SYN/ACK are listed
    root@kali:~# hping3 10.10.10.132 --scan 801,21,25,443 -S
    Scanning 10.10.10.132 (10.10.10.132), port 801,21,25,443
    4 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
       21 ftp        : .S..A...  64     0  5840    46
       25 smtp       : .S..A...  64     0  5840    46
    All replies received. Done.
    Not responding ports:
    
    # Full port range
    root@kali:~# hping3 10.10.10.132 --scan 0-65535 -S
    Scanning 10.10.10.132 (10.10.10.132), port 0-65535
    65536 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+-----+
    |port| serv name |  flags  |ttl| id  | win | len |
    +----+-----------+---------+---+-----+-----+-----+
       21 ftp        : .S..A...  64     0  5840    46
       22 ssh        : .S..A...  64     0  5840    46
       23 telnet     : .S..A...  64     0  5840    46
       25 smtp       : .S..A...  64     0  5840    46
       53 domain     : .S..A...  64     0  5840    46
       80 http       : .S..A...  64     0  5840    46
      111 sunrpc     : .S..A...  64     0  5840    46
      139 netbios-ssn: .S..A...  64     0  5840    46
      445 microsoft-d: .S..A...  64     0  5840    46
      512 exec       : .S..A...  64     0  5840    46
      513 login      : .S..A...  64     0  5840    46
      514 shell      : .S..A...  64     0  5840    46
     1099 rmiregistry: .S..A...  64     0  5840    46
     1524 ingreslock : .S..A...  64     0  5840    46
     3306 mysql      : .S..A...  64     0  5840    46
     5432 postgresql : .S..A...  64     0  5840    46
     5900            : .S..A...  64     0  5840    46
     6000 x11        : .S..A...  64     0  5840    46
     8009            : .S..A...  64     0  5840    46
     8180            : .S..A...  64     0  5840    46
     8787            : .S..A...  64     0  5840    46
    37499            : .S..A...  64     0  5840    46
    44616            : .S..A...  64     0  5840    46
    56072            : .S..A...  64     0  5840    46
     2049 nfs        : .S..A...  64     0  5840    46
     2121 iprop      : .S..A...  64     0  5840    46
     3632 distcc     : .S..A...  64     0  5840    46
     6667 ircd       : .S..A...  64     0  5840    46
     6697 ircs-u     : .S..A...  64     0  5840    46
    41241            : .S..A...  64     0  5840    46
    All replies received. Done.
    Not responding ports: 
    
    # Source address spoofing: replies go to 10.10.10.136, not to us, so this is only useful with
    # a sniffer or as the probe half of an idle scan; -p ++1 starts at port 1 and increments per packet
    root@kali:~# hping3 -c 10 -S --spoof 10.10.10.136 -p ++1 10.10.10.132
    

2. Full-connect port scanning

1. scapy

  1. Introduction

    • A full-connect scan does not need raw packets: an ordinary connect() socket performs the handshake
    • With scapy the kernel has no record of the connection, treats the incoming SYN/ACK as illegitimate and answers it with RST, tearing the connection down
    • A full-connect scan is therefore awkward with scapy; the SYN probe below is as far as it comfortably goes

      from scapy.all import IP, TCP, sr1
      sr1(IP(dst="192.168.20.2")/TCP(dport=22,flags='S'))
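Since the full handshake is something the kernel does for free, here is an added example (not from the article) of a connect() scanner in the standard library, with loopback stand-ins so it runs without the lab network. Its states map onto nmap -sT: open (handshake completed), closed (RST, seen as ECONNREFUSED), filtered (nothing came back before the timeout).

```python
"""Full-connect (connect()) port scan: the kernel completes the three-way handshake,
which is why this is easy with sockets and hard with scapy, and also why the
service's accept() queue and logs see the connection.
Added example, not from the original article; runs against loopback stand-ins."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """'open' = SYN/ACK and handshake completed; 'closed' = RST (ECONNREFUSED);
    'filtered' = nothing came back before the timeout, or the path is unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def tcp_connect_scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Probe ports concurrently; returns {port: state} in ascending port order."""
    ports = sorted(set(ports))
    with ThreadPoolExecutor(max_workers=min(workers, max(1, len(ports)))) as pool:
        states = list(pool.map(lambda p: tcp_connect_probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host: str, ports, timeout: float = 1.0) -> list:
    return [p for p, st in tcp_connect_scan(host, ports, timeout).items() if st == "open"]


# Loopback stand-ins so the example runs without a lab network.
def start_tcp_listener():
    """A listening socket that never accept()s: the kernel still completes the handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(16)
    return s, s.getsockname()[1]


def unused_tcp_port() -> int:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, listening = start_tcp_listener()
    print(tcp_connect_scan("127.0.0.1", [listening, unused_tcp_port()], timeout=0.5))
```

Because every probe completes the handshake, the target's service sees a connection and then an immediate close; that is the "not stealthy" property the text contrasts with the SYN scan, and it is also what makes this the only TCP scan available without raw-socket privileges.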
      

2. nmap

  1. Introduction

    -sT (TCP connect() scan)
    -sU (UDP scan)
    -sS (TCP SYN scan)
    -sN; -sF; -sX (TCP Null, FIN, and Xmas scans)
    
  2. Port scan

    # Specify a port (without -p, the default is the top 1000 ports)
    root@kali:~# nmap -sT 10.10.10.132 -p 80
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:14 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00049s latency).
    PORT   STATE SERVICE
    80/tcp open  http
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
    
    # Specify individual ports
    root@kali:~# nmap -sT 10.10.10.132 -p 80,21,25,443
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00038s latency).
    PORT    STATE  SERVICE
    21/tcp  open   ftp
    25/tcp  open   smtp
    80/tcp  open   http
    443/tcp closed https
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
    
    # Specify a port range
    root@kali:~# nmap -sT 10.10.10.132 -p 80-2000
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00029s latency).
    Not shown: 1912 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
    
    # Specify an IP address list (output truncated below)
    root@kali:~# nmap -sT -iL ipaddr.txt  -p 80
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:16 EDT
    Nmap scan report for 10.10.10.1
    Host is up (0.0012s latency).
    PORT   STATE  SERVICE
    80/tcp closed http
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.10.10.2
    Host is up (0.00037s latency).
    PORT   STATE  SERVICE
    80/tcp closed http
    MAC Address: 00:50:56:E1:24:A1 (VMware)
    Nmap scan report for 10.10.10.132
    Host is up (0.00029s latency).
    

3. dmitry

  1. Introduction

    • Simple features, simple to use
    • Scans the 150 most common ports by default

      root@kali:~# dmitry
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"
      
      Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
        -o     Save output to %host.txt or to file specified by -o file
        -i     Perform a whois lookup on the IP address of a host
        -w     Perform a whois lookup on the domain name of a host
        -n     Retrieve Netcraft.com information on a host
        -s     Perform a search for possible subdomains
        -e     Perform a search for possible email addresses
        -p     Perform a TCP port scan on a host
      * -f     Perform a TCP port scan on a host showing output reporting filtered ports
      * -b     Read in the banner received from the scanned port
      * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
      *Requires the -p flagged to be passed
      
  2. Port scan

    # Specify the target IP
    root@kali:~# dmitry -p 10.10.10.132
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    22/tcp      open
    23/tcp      open
    25/tcp      open
    53/tcp      open
    80/tcp      open
    111/tcp     open
    139/tcp     open
    Portscan Finished: Scanned 150 ports, 141 ports were in state closed
    All scans completed, exiting
    
    # Specify the output file
    [email protected]:~# dmitry -p 10.10.10.132 -o output.txt
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    Writing output to 'output.txt.txt'
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    22/tcp      open
    23/tcp      open
    25/tcp      open
    53/tcp      open
    80/tcp      open
    111/tcp     open
    139/tcp     open
    Portscan Finished: Scanned 150 ports, 141 ports were in state closed
    

4. nc

  1. Introduction

    [email protected]:~# nc -h
    [v1.10-41.1]
    connect to somewhere:   nc [-options] hostname port[s] [ports] ... 
    listen for inbound: nc -l -p port [-options] [hostname] [port]
    options:
        -c shell commands   as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename     program to exec after connect [dangerous!!]
        -b          allow broadcasts
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h          this cruft
        -i secs         delay interval for lines sent, ports scanned
            -k                      set keepalive option on socket
        -l          listen mode, for inbound connects
        -n          numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r          randomize local and remote ports
        -q secs         quit after EOF on stdin and delay of secs
        -s addr         local source address
        -T tos          set Type Of Service
        -t          answer TELNET negotiation
        -u          UDP mode
        -v          verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -C          Send CRLF as line-ending
        -z          zero-I/O mode [used for scanning]
    port numbers can be individual or ranges: lo-hi [inclusive];
    hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
    
  2. Port scan

    [email protected]:~# nc -nv -w 1 -z 10.10.10.132 1-100
    (UNKNOWN) [10.10.10.132] 80 (http) open
    (UNKNOWN) [10.10.10.132] 53 (domain) open
    (UNKNOWN) [10.10.10.132] 25 (smtp) open
    (UNKNOWN) [10.10.10.132] 23 (telnet) open
    (UNKNOWN) [10.10.10.132] 22 (ssh) open
    (UNKNOWN) [10.10.10.132] 21 (ftp) open
    

3. Zombie scan (idle scan)

  • Uses the increment of the zombie's IPID to determine whether a port on the target host is open

1. scapy

    from scapy.all import *
    IPz = "10.10.10.136"        # zombie: a host whose IPID is Incremental (values taken from the nmap idle scan below)
    IPt = "10.10.10.132"        # target
    i = IP()
    t = TCP()
    rz = (i/t)                  # probe sent to the zombie
    rt = (i/t)                  # probe sent to the target with the zombie's address as source
    rz[IP].dst = IPz
    rz[TCP].dport = 445
    rt[IP].src = IPz
    rt[IP].dst = IPt
    rt[TCP].dport = 22
    az1 = sr1(rz, timeout=2)    # first zombie reply: note az1[IP].id
    send(rt)                    # the reply to rt goes to the zombie, not to us, so send() rather than sr1()
    az2 = sr1(rz, timeout=2)    # second zombie reply
    az1.display()
    az2.display()               # az2[IP].id - az1[IP].id == 2 means port 22 on IPt is open, 1 means closed/filtered
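An added offline model (not the course's code) of the IPID side channel the scapy steps above rely on: the zombie and the target are simulated objects, nothing is sent on the wire, and the same three-step exchange is replayed so the reasoning can be checked. It also shows why a host that ipidseq reports as "All zeros" cannot serve as a zombie, and handles the 16-bit IPID wrap-around.

```python
# Constructed simulation of the idle-scan IPID logic; no packets are sent.
from dataclasses import dataclass


@dataclass
class Zombie:
    """A host whose IP ID counter goes up by one for every packet it sends."""
    ipid: int
    incremental: bool = True   # False models a host whose IPID never changes ("All zeros")

    def send(self) -> int:
        """Emit one packet and return the IP ID it carried (16-bit field wraps)."""
        if self.incremental:
            self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid


@dataclass
class Target:
    open_ports: set

    def receive_syn(self, spoofed_src: Zombie, port: int) -> None:
        # Open port: the target answers SYN/ACK to the spoofed source, and the
        # zombie answers that with a RST, costing it one IP ID.
        # Closed port: the target sends a RST, which the zombie ignores.
        # Filtered port: nothing comes back at all; indistinguishable from closed.
        if port in self.open_ports:
            spoofed_src.send()


def probe_zombie(zombie: Zombie) -> int:
    """Our SYN/ACK to the zombie; it replies with a RST carrying its current IP ID."""
    return zombie.send()


def ipid_delta(before: int, after: int) -> int:
    """Difference between two observed IP IDs, modulo the 16-bit field."""
    return (after - before) & 0xFFFF


def idle_scan_port(zombie: Zombie, target: Target, port: int) -> str:
    """Classify one target port using only what the zombie tells us."""
    az1 = probe_zombie(zombie)            # step 1: learn the zombie's IP ID
    target.receive_syn(zombie, port)      # step 2: spoofed SYN to the target
    az2 = probe_zombie(zombie)            # step 3: probe the zombie again
    # delta 1: only our second probe was answered; delta 2: the zombie also RST'd a SYN/ACK
    return "open" if ipid_delta(az1, az2) == 2 else "closed|filtered"


def check_zombie(zombie: Zombie) -> str:
    """Mirror of the ipidseq classes that matter for choosing a zombie."""
    ids = [probe_zombie(zombie) for _ in range(4)]
    if all(i == 0 for i in ids):
        return "All zeros"
    if all(ipid_delta(a, b) == 1 for a, b in zip(ids, ids[1:])):
        return "Incremental"
    return "Unusable"
```

A host with an "All zeros" or unpredictable IPID yields no usable delta, which is the property that protects a host from being used as a zombie.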

2. nmap

  1. Introduction

    Use a script to find hosts suitable for use as zombies
    -sI <zombie host[:probeport]>: Idle scan
    -Pn: Treat all hosts as online -- skip host discovery
    
  2. Find a zombie host

    # Find the script
    [email protected]:~# ls /usr/share/nmap/scripts | grep ipid
    
    # ipidseq: All zeros
    [email protected]:~# nmap -p 445 10.10.10.132 --script=ipidseq.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00043s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    
    Host script results:
    |_ipidseq: All zeros
    
    Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
    
    # ipidseq: Incremental!
    [email protected]:~# nmap -p 445 10.10.10.136 --script=ipidseq.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
    Nmap scan report for 10.10.10.136
    Host is up (0.00042s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    MAC Address: 00:0C:29:35:6A:2D (VMware)
    
    Host script results:
    |_ipidseq: Incremental!
    
    Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
    
  3. Scan the target

    [email protected]:~# nmap 10.10.10.132 -sI 10.10.10.136 -Pn -p 0-200
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:29 EDT
    Idle scan using zombie 10.10.10.136 (10.10.10.136:80); Class: Incremental
    Nmap scan report for 10.10.10.132
    Host is up (0.047s latency).
    Not shown: 193 closed|filtered ports
    PORT    STATE SERVICE
    21/tcp  open  ftp
    22/tcp  open  ssh
    23/tcp  open  telnet
    25/tcp  open  smtp
    53/tcp  open  domain
    80/tcp  open  http
    111/tcp open  rpcbind
    139/tcp open  netbios-ssn
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
    

4. Service scan

  • Identify the applications running on open ports
  • Identify the target operating system
  • Improve attack efficiency

    • Banner grabbing
    • Service identification
    • Operating system identification
    • SNMP analysis
    • Firewall identification
  • Banner

    • Software vendor
    • Software name
    • Service type
    • Version number
      • Directly find the corresponding vulnerabilities and weaknesses
  • Grab the banner directly after the connection is established

  • Alternative service identification methods

    • Characteristic behaviours and response fields
    • Different responses can be used to identify the underlying operating system
  • SNMP

    • Simple Network Management Protocol
    • Community strings
    • Information queries or reconfiguration
  • Identify and bypass firewall filtering

1. banner

  • Banner grabbing alone has limited capability
  • nmap identifies services by analysing response characteristics
    • Sends a series of complex probes
    • Matches the responses against signatures

1. nc

[email protected]:~# nc -nv 10.10.10.132 80
(UNKNOWN) [10.10.10.132] 80 (http) open
GET /
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>

                _                  _       _ _        _     _      ____  
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ 
| '_ ` _ \ / _ \ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ 
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                          


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>

2. socket

    import socket
    # Connect to the service, send nothing, and read whatever banner it volunteers
    bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bangrab.connect(("1.1.1.1", 21))
    print(bangrab.recv(4096))
    bangrab.close()
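An added example, not from the course notes or any tool on this page, covering both the Banner field list in section 4 and the socket snippet just shown: it turns raw banners like the ones nc, dmitry -pb, nmap banner.nse and amap -B return on this page into service type, software name, version and OS/vendor hint, and handles the telnet negotiation bytes nmap printed for port 23. grab_banner is a hypothetical helper; the banners in the test are constructed from the outputs shown above.

```python
import re
import socket

# (service, regex over the raw bytes, product name when the banner does not state one)
# First matching rule wins, so the loose ones go last.
BANNER_RULES = [
    ("ssh",   re.compile(rb"^SSH-[\d.]+-(?P<name>[A-Za-z]+)_(?P<ver>[\w.]+)(?: (?P<os>.+))?$"), None),
    ("ftp",   re.compile(rb"^220[ -].*?\(?(?P<name>vsFTPd|ProFTPD) (?P<ver>[\d.]+)"
                         rb"(?:.*?\((?P<os>[^)]+)\))?"), None),
    ("smtp",  re.compile(rb"^220 \S+ ESMTP (?P<name>\w+)(?: \((?P<os>[^)]+)\))?"), None),
    ("vnc",   re.compile(rb"^RFB (?P<ver>[\d.]+)"), "RFB"),
    ("irc",   re.compile(rb"^\S+ NOTICE AUTH"), None),
    # MySQL handshake: 4-byte packet header, protocol byte 0x0a, NUL-terminated server version
    ("mysql", re.compile(rb"^.{4}\x0a(?P<ver>[\d.]+[\w-]*)\x00", re.DOTALL), "MySQL"),
]


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC DO/DONT/WILL/WONT <option>): the
    \\xFF\\xFD... bytes nmap showed for port 23 above."""
    return re.sub(rb"\xff[\xfb-\xfe].", b"", data, flags=re.DOTALL)


def parse_banner(raw: bytes) -> dict:
    """Split one banner into service type, software name, version and OS/vendor hint."""
    banner = strip_telnet_iac(raw).strip(b"\r\n ")
    info = {"service": "unknown", "name": None, "version": None, "os": None,
            "banner": banner.decode("latin-1")}
    if not banner:
        # Only negotiation bytes came back: a telnet server that has not shown its prompt yet
        if raw.startswith(b"\xff"):
            info["service"] = "telnet"
        return info
    for service, rule, default_name in BANNER_RULES:
        m = rule.search(banner)
        if m is None:
            continue
        g = {k: v.decode("latin-1") for k, v in m.groupdict().items() if v is not None}
        info.update(service=service, name=g.get("name", default_name),
                    version=g.get("ver"), os=g.get("os"))
        return info
    return info


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Hypothetical helper with the same idea as the socket snippet above: connect,
    send nothing, read what the service volunteers. Returns b"" when the service
    waits for the client to speak first (HTTP, for example)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""
```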

3. dmitry

  1. Introduction

    [email protected]:~# dmitry 
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    
    Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
      -o     Save output to %host.txt or to file specified by -o file
      -i     Perform a whois lookup on the IP address of a host
      -w     Perform a whois lookup on the domain name of a host
      -n     Retrieve Netcraft.com information on a host
      -s     Perform a search for possible subdomains
      -e     Perform a search for possible email addresses
      -p     Perform a TCP port scan on a host
    * -f     Perform a TCP port scan on a host showing output reporting filtered ports
    * -b     Read in the banner received from the scanned port
    * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
    *Requires the -p flagged to be passed
    
  2. Service scan

    # TCP port scan
    [email protected]:~# dmitry -p 10.10.10.132
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    22/tcp      open
    23/tcp      open
    25/tcp      open
    53/tcp      open
    80/tcp      open
    111/tcp     open
    139/tcp     open
    Portscan Finished: Scanned 150 ports, 141 ports were in state closed
    All scans completed, exiting
    
    # Read the banner information
    [email protected]:~# dmitry -pb 10.10.10.132
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    
    ERROR: Unable to locate Host Name for 10.10.10.132
    Continuing with limited modules
    HostIP:10.10.10.132
    HostName:
    Gathered TCP Port information for 10.10.10.132
    ---------------------------------
     Port       State
    21/tcp      open
    >> 220 (vsFTPd 2.3.4)
    22/tcp      open
    >> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    23/tcp      open
    >> 
    25/tcp      open
    >> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    53/tcp      open
    Portscan Finished: Scanned 150 ports, 144 ports were in state closed
    All scans completed, exiting
    

4. nmap

  1. Introduction

    [email protected]:~# cat /usr/share/nmap/scripts/banner.nse 
    -sV: Probe open ports to determine service/version info
    
  2. Service scan

    # Specify the script
    [email protected]:~# nmap -sT 10.10.10.132 -p 1-100 --script=banner.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:23 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.0015s latency).
    Not shown: 94 closed ports
    PORT   STATE SERVICE
    21/tcp open  ftp
    |_banner: 220 (vsFTPd 2.3.4)
    22/tcp open  ssh
    |_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    23/tcp open  telnet
    |_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
    25/tcp open  smtp
    |_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    53/tcp open  domain
    80/tcp open  http
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 15.53 seconds
    
    # Probe open ports to determine service/version info
    [email protected]:~# nmap 10.10.10.132 -p 80 -sV
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:28 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00032s latency).
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
    

5. amap

  1. Introduction

    [email protected]:~# amap
    amap v5.4 (c) 2011 by van Hauser <[email protected]> www.thc.org/thc-amap
    Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
    Modes:
      -A         Map applications: send triggers and analyse responses (default)
      -B         Just grab banners, do not send triggers
      -P         No banner or application stuff - be a (full connect) port scanner
    Options:
      -1         Only send triggers to a port until 1st identification. Speeeeed!
      -6         Use IPv6 instead of IPv4
      -b         Print ascii banner of responses
      -i FILE    Nmap machine readable outputfile to read ports from
      -u         Ports specified on commandline are UDP (default is TCP)
      -R         Do NOT identify RPC service
      -H         Do NOT send application triggers marked as potentially harmful
      -U         Do NOT dump unrecognised responses (better for scripting)
      -d         Dump all responses
      -v         Verbose mode, use twice (or more!) for debug (not recommended :-)
      -q         Do not report closed ports, and do not print them as unidentified
      -o FILE [-m] Write output to file FILE, -m creates machine readable output
      -c CONS    Amount of parallel connections to make (default 32, max 256)
      -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
      -T SEC     Connect timeout on connection attempts in seconds (default 5)
      -t SEC     Response wait timeout in seconds (default 5)
      -p PROTO   Only send triggers for this protocol (e.g. ftp)
      TARGET PORT   The target address and port(s) to scan (additional to -i)
    amap is a tool to identify application protocols on target ports.
    Note: this version was NOT compiled with SSL support!
    Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
    
  2. Service scan

    # Scan a specified port
    [email protected]:~# amap -B 10.10.10.132 21
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:24:39 - BANNER mode
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    amap v5.4 finished at 2018-03-31 07:24:39
    
    # Scan a port range
    [email protected]:~# amap -B 10.10.10.132 1-65535
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:25:15 - BANNER mode
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:23/tcp :  #'
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    Banner on 10.10.10.132:512/tcp : Where are you?\n
    Banner on 10.10.10.132:1524/tcp : [email protected]/# 
    Banner on 10.10.10.132:2121/tcp : 220 ProFTPD 1.3.1 Server (Debian) [ffff10.10.10.132]\r\n
    Banner on 10.10.10.132:3306/tcp : >\n5.0.51a-3ubuntu5yG5q^`G!,n+'#vOd-P*!c
    Banner on 10.10.10.132:5900/tcp : RFB 003.003\n
    Banner on 10.10.10.132:6667/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...\r\n
    Banner on 10.10.10.132:6697/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...\r\n
    amap v5.4 finished at 2018-03-31 07:25:21
    
    # Scan a port range
    [email protected]:~# amap -B 10.10.10.132 20-32
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:26:55 - BANNER mode
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:23/tcp :  #'
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    
    
    # Do not show closed ports
    [email protected]:~# amap -B 10.10.10.132 20-32 -q
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:27:31 - BANNER mode
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:23/tcp :  #'
    amap v5.4 finished at 2018-03-31 07:27:31
    
    # Show raw (binary) responses
    [email protected]:~# amap -B 10.10.10.132 20-32 -qb
    amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:28:27 - BANNER mode
    Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
    Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
    Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
    Banner on 10.10.10.132:23/tcp :  #'
    amap v5.4 finished at 2018-03-31 07:28:27
    

5. Operating system identification

  • OS identification techniques

    • Many kinds exist
    • Good products combine several techniques
  • Initial TTL value

    • windows: 128 (65-128)
    • linux/unix: 64 (1-64)
    • some unix: 255

1. python

  1. Introduction

    from scapy.all import *
    win = "10.10.10.136"
    linu = "10.10.10.132"
    aw = sr1(IP(dst=win)/ICMP(), timeout=2)    # ICMP echo to the Windows host
    al = sr1(IP(dst=linu)/ICMP(), timeout=2)   # ICMP echo to the Linux host
    # Guess from the initial TTL table above: <= 64 suggests Linux/Unix, 65-128 Windows
    if al is None:
        print("no reply from host")
    elif al[IP].ttl <= 64:
        print("host is linux")
    else:
        print("host is windows")
    

2. nmap

  1. Introduction

    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively
    
  2. Operating system identification

    [email protected]:~# nmap 10.10.10.132 -O
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:42 EDT
    Nmap scan report for 10.10.10.132
    Host is up (0.00034s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 00:0C:29:D0:AB:2C (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Network Distance: 1 hop
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
    

3. xprobe2

  1. Introduction

    # Results may be inaccurate
    [email protected]:~# xprobe2
    Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]
    usage: xprobe2 [options] target
    Options:
              -v                       Be verbose
              -r                       Show route to target(traceroute)
              -p <proto:portnum:state> Specify portnumber, protocol and state.
                                       Example: tcp:23:open, UDP:53:CLOSED
              -c <configfile>          Specify config file to use.
              -h                       Print this help.
              -o <fname>               Use logfile to log everything.
              -t <time_sec>            Set initial receive timeout or roundtrip time.
              -s <send_delay>          Set packsending delay (milseconds).
              -d <debuglv>             Specify debugging level.
              -D <modnum>              Disable module number <modnum>.
              -M <modnum>              Enable module number <modnum>.
              -L                       Display modules.
              -m <numofmatches>        Specify number of matches to print.
              -T <portspec>            Enable TCP portscan for specified port(s).
                                       Example: -T21-23,53,110
              -U <portspec>            Enable UDP portscan for specified port(s).
              -f                       force fixed round-trip time (-t opt).
              -F                       Generate signature (use -o to save to a file).
              -X                       Generate XML output and save it to logfile specified with -o.
              -B                       Options forces TCP handshake module to try to guess open TCP port
              -A                       Perform analysis of sample packets gathered during portscan in
                                       order to detect suspicious traffic (i.e. transparent proxies,
                                       firewalls/NIDSs resetting connections). Use with -T.
    
  2. Operating system identification

    [email protected]:~# xprobe2 10.10.10.132
    
    Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]
    
    [+] Target is 10.10.10.132
    [+] Loading modules.
    [+] Following modules are loaded:
    [x] [1] ping:icmp_ping  -  ICMP echo discovery module
    [x] [2] ping:tcp_ping  -  TCP-based ping discovery module
    [x] [3] ping:udp_ping  -  UDP-based ping discovery module
    [x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
    [x] [5] infogather:portscan  -  TCP and UDP PortScanner
    [x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
    [x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
    [x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
    [x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
    [x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
    [x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
    [x] [12] fingerprint:smb  -  SMB fingerprinting module
    [x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
    [+] 13 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    [-] ping:tcp_ping module: no closed/open TCP ports known on 10.10.10.132. Module test failed
    [-] ping:udp_ping module: no closed/open UDP ports known on 10.10.10.132. Module test failed
    [-] No distance calculation. 10.10.10.132 appears to be dead or no ports known
    [+] Host: 10.10.10.132 is up (Guess probability: 50%)
    [+] Target: 10.10.10.132 is alive. Round-Trip Time: 0.48084 sec
    [+] Selected safe Round-Trip Time value is: 0.96167 sec
    [-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
    [-] fingerprint:smb need either TCP port 139 or 445 to run
    [-] fingerprint:snmp: need UDP port 161 open
    [+] Cleaning up scan engine
    [+] Modules deinitialized
    [+] Execution completed.
    

4. p0f

  1. Introduction

    Combined with ARP spoofing, it can identify the OS of every host on the network
    
  2. Passive identification

5. SNMP scan

  • snmp

    • A gold mine of information
    • Frequently misconfigured
    • public / private / manager
  • MIB Tree

    • SNMP Management Information Base (MIB)
    • Tree-structured database of network device management data
    • 1.3.6.1.4.1.77.1.2.25

1. onesixtyone

  1. Introduction

    [email protected]:~# onesixtyone 
    onesixtyone 0.3.2 [options] <host> <community>
      -c <communityfile> file with community names to try
      -i <inputfile>     file with target hosts
      -o <outputfile>    output log
      -d                 debug mode, use twice for more information
    
      -w n               wait n milliseconds (1/1000 of a second) between sending packets (default 10)
      -q                 quiet mode, do not print log to stdout, use with -l
    examples: ./s -c dict.txt 192.168.4.1 public
              ./s -c dict.txt -i hosts -o my.log -w 100
    
  2. SNMP scan

    [email protected]:~# dpkg -L onesixtyone 
    /usr/share/doc/onesixtyone/dict.txt
    [email protected]:~# onesixtyone -c dict.txt -i ipaddr.txt -o 161output.log -w 100
    

2. snmpwalk

  1. Introduction

    -v 1|2c|3       specifies SNMP version to use
    -c COMMUNITY        set the community string
    
  2. SNMP scan

    [email protected]:~# snmpwalk 1