  Kali study notes: active information gathering

    I. Introduction

    • Interacts directly with the target system
    • Leaving traces of the access cannot be avoided
    • Probe from a controlled third-party machine
      • Use a proxy or a host that is already under control
      • Be prepared to get blocked
      • Use noise to confuse the target and drown the real probe traffic
    • Scanning
      • Send different probes and judge the target's state from what comes back
    • Identify live hosts
      • Potential attack targets
    • Output a list of IP addresses
    • Discovery at layers 2, 3 and 4
    • Advantages (layer 2 discovery)
      • Fast and reliable scanning
    • Disadvantages (layer 2 discovery)
      • Not routable
    • ARP protocol
      • Capture and analyse the packets

    II. Host discovery

    1. Introduction

    2. Layer 2 discovery

    2.1. arping

    1. Overview
      root@kali:~# arping
      Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
        -f : quit on first reply
        -q : be quiet
        -b : keep broadcasting, don't go unicast
        -D : duplicate address detection mode
        -U : Unsolicited ARP mode, update your neighbours
        -A : ARP answer mode, update your neighbours
        -V : print version and exit
        -c count : how many packets to send
        -w timeout : how long to wait for a reply
        -I device : which ethernet device to use
        -s source : source ip address
        destination : ask for what ip address
    2. Host scan
      # specify the number of packets to send
      root@kali:~# arping 10.10.10.132 -c 1
      ARPING 10.10.10.132 from 10.10.10.131 eth0
      Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C]  1.130ms
      Sent 1 probes (1 broadcast(s))
      Received 1 response(s)

      # duplicate address detection mode
      root@kali:~# arping 10.10.10.132 -D
      ARPING 10.10.10.132 from 0.0.0.0 eth0
      Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C]  0.812ms
      Sent 1 probes (1 broadcast(s))
      Received 1 response(s)

      # extract only the MAC address
      root@kali:~# arping -c 1 10.10.10.132 | grep "reply from" | cut -d " " -f 5 | cut -d "[" -f 2 | cut -d "]" -f 1
      00:0C:29:D0:AB:2C

    2.2. nmap

    1. Overview
      -sn: Ping scan, disable port scan
      -iL <inputfilename>: Input from list of hosts/networks
    2. Host scan
      # specify an IP address range
      root@kali:~# nmap 10.10.10.1-254 -sn
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
      Nmap scan report for 10.10.10.1
      Host is up (0.00020s latency).
      MAC Address: 00:50:56:C0:00:08 (VMware)
      Nmap scan report for 10.10.10.2
      Host is up (0.00058s latency).
      MAC Address: 00:50:56:E1:24:A1 (VMware)
      Nmap scan report for 10.10.10.132
      Host is up (0.00025s latency).
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap scan report for 10.10.10.136
      Host is up (0.00036s latency).
      MAC Address: 00:0C:29:35:6A:2D (VMware)
      Nmap scan report for 10.10.10.137
      Host is up (0.0032s latency).
      MAC Address: 00:50:56:21:D2:3A (VMware)
      Nmap scan report for 10.10.10.254
      Host is up (0.00014s latency).
      MAC Address: 00:50:56:E2:6B:78 (VMware)
      Nmap scan report for 10.10.10.131
      Host is up.
      Nmap done: 254 IP addresses (7 hosts up) scanned in 2.01 seconds

      # create the address list (Python); nmap -iL accepts whitespace-separated targets
      with open('/root/Desktop/ipaddr.txt', 'w') as fo:
          for i in range(1, 255):
              fo.write('10.10.10.%d ' % i)
      # the commands below read ipaddr.txt from the current directory, so run them
      # from /root/Desktop or give -iL the full path

      # scan the address list
      root@kali:~# nmap -iL ipaddr.txt -sn
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:21 EDT
      Nmap scan report for 10.10.10.1
      Host is up (0.00071s latency).
      MAC Address: 00:50:56:C0:00:08 (VMware)
      Nmap scan report for 10.10.10.2
      Host is up (0.0021s latency).
      MAC Address: 00:50:56:E1:24:A1 (VMware)
      Nmap scan report for 10.10.10.132
      Host is up (0.00047s latency).
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap scan report for 10.10.10.136
      Host is up (0.00089s latency).
      MAC Address: 00:0C:29:35:6A:2D (VMware)
      Nmap scan report for 10.10.10.137
      Host is up (0.00018s latency).
      MAC Address: 00:50:56:21:D2:3A (VMware)
      Nmap scan report for 10.10.10.254
      Host is up (0.00050s latency).
      MAC Address: 00:50:56:E2:6B:78 (VMware)
      Nmap scan report for 10.10.10.131
      Host is up.
      Nmap done: 254 IP addresses (7 hosts up) scanned in 1.83 seconds

    2.3. Netdiscover

    1. Overview
    • Dedicated to layer 2 discovery
    • Works in wireless and switched network environments
    • Active and passive probing
    • Usage help
      root@kali:~# netdiscover -h
      Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool]
      Written by: Jaime Penalba <jpenalbae@gmail.com>

      Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-c]
        -i device: network interface
        -r range: IP range to scan, e.g. 192.168.6.0/24, /16, /8
        -l file: file containing the IP ranges to scan
        -p passive mode: do not send anything, only listen
        -m file: scan a list of MAC addresses
        -F filter: Customize pcap filter expression (default: "arp")
        -s time: time to sleep between each arp request (milliseconds)
        -n node: last ip octet used for scanning (from 2 to 253)
        -c count: number of times to send each arp reques (for nets with packet loss)
        -f enable fastmode scan, saves a lot of time, recommended for auto
        -d ignore home config files for autoscan and fast mode
        -S enable sleep time supression between each request (hardcore mode)
        -P print results in a format suitable for parsing by another program
        -N Do not print header. Only valid when -P is enabled.
        -L in parsable output mode (-P), continue listening after the active scan is completed
    2. Host scan
      • Active scan
          # scan a specified range
          Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                                                                                          
           6 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 360                                                                                     
           _____________________________________________________________________________
             IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
           -----------------------------------------------------------------------------
           10.10.10.1      00:50:56:c0:00:08      1      60  VMware, Inc.                                                                                     
           10.10.10.2      00:50:56:e1:24:a1      1      60  VMware, Inc.                                                                                     
           10.10.10.132    00:0c:29:d0:ab:2c      1      60  VMware, Inc.                                                                                     
           10.10.10.136    00:0c:29:35:6a:2d      1      60  VMware, Inc.                                                                                     
           10.10.10.137    00:50:56:21:d2:3a      1      60  VMware, Inc.                                                                                      
           10.10.10.254    00:50:56:e2:6b:78      1      60  VMware, Inc.

          # scan the ranges listed in a file
          root@kali:~# netdiscover -l ipaddr.txt
          Currently scanning: 10.10.10.0/24   |   Screen View: Unique Hosts

           248 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 14880
           _____________________________________________________________________________
             IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
           -----------------------------------------------------------------------------
           10.10.10.1      00:50:56:c0:00:08     42    2520  VMware, Inc.                                                                                     
           10.10.10.2      00:50:56:e1:24:a1     42    2520  VMware, Inc.                                                                                      
           10.10.10.132    00:0c:29:d0:ab:2c     41    2460  VMware, Inc.                                                                                     
           10.10.10.136    00:0c:29:35:6a:2d     41    2460  VMware, Inc.                                                                                      
           10.10.10.137    00:50:56:21:d2:3a     41    2460  VMware, Inc.                                                                                     
           10.10.10.254    00:50:56:e2:6b:78     41    2460  VMware, Inc.
      • Passive scan
      # active ARP probing easily triggers alerts; passive mode only listens
      root@kali:~# netdiscover -p
      Currently scanning: (passive)   |   Screen View: Unique Hosts                                                                                      

      12 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 720                                                                                   
       _____________________________________________________________________________
         IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
       -----------------------------------------------------------------------------
       10.10.10.254    00:50:56:e2:6b:78      1      60  VMware, Inc.                                                                                     
       10.10.10.2      00:50:56:e1:24:a1      3     180  VMware, Inc.                                                                                     
       10.10.10.137    00:50:56:21:d2:3a      2     120  VMware, Inc.                                                                                      
       10.10.10.132    00:0c:29:d0:ab:2c      4     240  VMware, Inc.                                                                                     
       10.10.10.136    00:0c:29:35:6a:2d      2     120  VMware, Inc.

    3. Layer 3 discovery

    • Advantages
      • Routable
      • Reasonably fast
    • Disadvantages
      • Slower than layer 2
      • Often filtered by border firewalls
    • IP and ICMP protocols

    3.1. ping

    1. Overview
      root@kali:~# ping -h
      Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
                  [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
                  [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
                  [-w deadline] [-W timeout] [hop1 ...] destination
      Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
                   [-l preload] [-m mark] [-M pmtudisc_option]
                   [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
                   [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
                   [-W timeout] destination
    2. Host scan
      # specify the number of packets
      root@kali:~# ping 10.10.10.132 -c 2
      PING 10.10.10.132 (10.10.10.132) 56(84) bytes of data.
      64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=10.3 ms
      64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.214 ms

      --- 10.10.10.132 ping statistics ---
      2 packets transmitted, 2 received, 0% packet loss, time 1002ms
      rtt min/avg/max/mdev = 0.214/5.302/10.390/5.088 ms

      # record the route (IP record-route option), compared with traceroute
      root@kali:~# ping -R 10.10.10.132
      PING 10.10.10.132 (10.10.10.132) 56(124) bytes of data.
      64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=0.237 ms
      RR:     10.10.10.131
          10.10.10.132
          10.10.10.132
          10.10.10.131

      64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.376 ms (same route)
      64 bytes from 10.10.10.132: icmp_seq=3 ttl=64 time=0.233 ms (same route)
      64 bytes from 10.10.10.132: icmp_seq=4 ttl=64 time=0.227 ms (same route)

      root@kali:~# traceroute 10.10.10.132
      traceroute to 10.10.10.132 (10.10.10.132), 30 hops max, 60 byte packets
       1  10.10.10.132 (10.10.10.132)  0.311 ms  0.199 ms  0.140 ms

      # extract only the responding IP address
      ping -c 1 10.10.10.132 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1

    3.2. fping

    1. Overview
      root@kali:~# fping -h
      Usage: fping [options] [targets...]

      Probing options:
         -4, --ipv4         only ping IPv4 addresses
         -6, --ipv6         only ping IPv6 addresses
         -b, --size=BYTES   amount of ping data to send, in bytes (default: 56)
         -B, --backoff=N    set exponential backoff factor to N (default: 1.5)
         -c, --count=N      count mode: send N pings to each target
         -f, --file=FILE    read list of targets from a file ( - means stdin)
         -g, --generate     generate target list (only if no -f specified)
                            (give start and end IP in the target list, or a CIDR address)
                            (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
         -H, --ttl=N        set the IP TTL value (Time To Live hops)
         -I, --iface=IFACE  bind to a particular interface
         -l, --loop         loop mode: send pings forever
         -m, --all          use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
         -M, --dontfrag     set the Don't Fragment flag
         -O, --tos=N        set the type of service (tos) flag on the ICMP packets
         -p, --period=MSEC  interval between ping packets to one target (in ms)
                            (in loop and count modes, default: 1000 ms)
         -r, --retry=N      number of retries (default: 3)
         -R, --random       random packet data (to foil link data compression)
         -S, --src=IP       set source address
         -t, --timeout=MSEC individual target initial timeout (default: 500 ms,
                            except with -l/-c/-C, where it's the -p period up to 2000 ms)

      Output options:
         -a, --alive        show targets that are alive
         -A, --addr         show targets by address
         -C, --vcount=N     same as -c, report results in verbose format
         -D, --timestamp    print timestamp before each output line
         -e, --elapsed      show elapsed time on return packets
         -i, --interval=MSEC  interval between sending ping packets (default: 10 ms)
         -n, --name         show targets by name (-d is equivalent)
         -N, --netdata      output compatible for netdata (-l -Q are required)
         -o, --outage       show the accumulated outage time (lost packets * packet interval)
         -q, --quiet        quiet (don't show per-target/per-ping results)
         -Q, --squiet=SECS  same as -q, but show summary every n seconds
         -s, --stats        print final stats
         -u, --unreach      show targets that are unreachable
         -v, --version      show version
    2. Host scan
      # specify the number of packets
      root@kali:~# fping -c 1 10.10.10.132 | grep 0%
      10.10.10.132 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.29/0.29/0.29
      10.10.10.132 : [0], 84 bytes, 0.29 ms (0.29 avg, 0% loss)

      # specify the scan range (-g takes a start and an end address, or a CIDR block)
      root@kali:~# fping -g 10.10.10.132 10.10.10.137
      root@kali:~# fping -g 10.10.10.0/24
      root@kali:~# fping -f ipaddr.txt

    3.3. hping3

    1. Overview
    • Can send almost any TCP/IP packet
    • Powerful, but scans only one target at a time
    2. Host scan
      # ICMP scan
      root@kali:~# hping3 10.10.10.132 --icmp -c 2
      HPING 10.10.10.132 (eth0 10.10.10.132): icmp mode set, 28 headers + 0 data bytes
      len=46 ip=10.10.10.132 ttl=64 id=33497 icmp_seq=0 rtt=4.4 ms
      len=46 ip=10.10.10.132 ttl=64 id=33498 icmp_seq=1 rtt=8.0 ms

      --- 10.10.10.132 hping statistic ---
      2 packets transmitted, 2 packets received, 0% packet loss
      round-trip min/avg/max = 4.4/6.2/8.0 ms

    3.4. scapy

    1. Overview
      Build an ICMP packet by stacking the OSI layers by hand: IP/ICMP
    2. Host scan
      from scapy.all import *        # run inside the scapy shell or a Python script
      ip = IP()
      ip.dst = "1.1.1.1"
      ping = ICMP()
      a = sr1(ip/ping)               # send one packet and wait for the first reply
      a.display()
      a = sr1(ip/ping, timeout=1)    # ping a non-existent address: a is None after the timeout
      a = sr1(IP(dst="1.1.1.1")/ICMP(), timeout=1)   # the same, written in one line

    4. Layer 4 discovery

    • Advantages
      • Routable and the results are reliable
      • Unlikely to be filtered by firewalls
      • Can even discover hosts whose ports are all filtered
    • Disadvantages
      • Stateful firewalls may filter the scan
      • A full port scan is slow
    • TCP
      • Unsolicited ACK -> RST
      • SYN -> SYN/ACK or RST
    • UDP
      • ICMP port unreachable, or no reply at all
    • ACK -> TCP port -> RST
      from scapy.all import *
      i = IP()
      i.dst = "1.1.1.1"
      t = TCP()
      t.flags = 'A'                  # bare ACK: a live host answers RST whether the port is open or closed
      r = (i/t)
      a = sr1(r)
      a.display()
      a = sr1(IP(dst="1.1.1.1")/TCP(dport=80, flags='A'), timeout=1)
    • UDP -> UDP port -> ICMP (unreliable)
      u = UDP()
      u.dport = 33333                # an unlikely port: a closed port makes a live host send ICMP port unreachable
      r = (i/u)                      # reuses the IP() object i from the ACK example above
      a = sr1(r, timeout=1, verbose=1)

    4.1. nmap

    1. Overview
      -A: enable OS detection, version detection, script scanning and traceroute
      -sn: Ping Scan - disable port scan
      -PU [portlist]: another host-discovery option, UDP ping
      -PS [portlist] (TCP SYN Ping)
      -PA [portlist] (TCP ACK Ping)
      -PE; -PP; -PM (ICMP Ping Types)
      -PR (ARP Ping)
    2. Host scan
      # UDP ping. The port list must be attached to the option (-PU53): with a space,
      # nmap reads 53 as an extra target, hence the setup_target error below
      root@kali:~# nmap 10.10.10.1-254 -PU 53 -sn
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:13 EDT
      setup_target: failed to determine route to 53 (0.0.0.53)
      Nmap scan report for 10.10.10.1
      Host is up (0.00080s latency).
      MAC Address: 00:50:56:C0:00:08 (VMware)
      Nmap scan report for 10.10.10.2
      Host is up (0.00045s latency).
      MAC Address: 00:50:56:E1:24:A1 (VMware)
      Nmap scan report for 10.10.10.132
      Host is up (0.00045s latency).
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap scan report for 10.10.10.136
      Host is up (0.00039s latency).
      MAC Address: 00:0C:29:35:6A:2D (VMware)
      Nmap scan report for 10.10.10.137
      Host is up (0.00038s latency).
      MAC Address: 00:50:56:21:D2:3A (VMware)
      Nmap scan report for 10.10.10.254
      Host is up (0.00092s latency).
      MAC Address: 00:50:56:E2:6B:78 (VMware)
      Nmap scan report for 10.10.10.131
      Host is up.
      Nmap done: 254 IP addresses (7 hosts up) scanned in 2.07 seconds

      # ACK ping (same caveat: write -PA80 to probe port 80)
      root@kali:~# nmap 10.10.10.1-254 -PA 80 -sn
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:15 EDT
      setup_target: failed to determine route to 80 (0.0.0.80)
      Nmap scan report for 10.10.10.1
      Host is up (0.00066s latency).
      MAC Address: 00:50:56:C0:00:08 (VMware)
      Nmap scan report for 10.10.10.2
      Host is up (0.0033s latency).
      MAC Address: 00:50:56:E1:24:A1 (VMware)
      Nmap scan report for 10.10.10.132
      Host is up (0.00064s latency).
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap scan report for 10.10.10.136
      Host is up (0.00052s latency).
      MAC Address: 00:0C:29:35:6A:2D (VMware)
      Nmap scan report for 10.10.10.137
      Host is up (0.0013s latency).
      MAC Address: 00:50:56:21:D2:3A (VMware)
      Nmap scan report for 10.10.10.254
      Host is up (0.00040s latency).
      MAC Address: 00:50:56:E2:6B:78 (VMware)
      Nmap scan report for 10.10.10.131
      Host is up.
      Nmap done: 254 IP addresses (7 hosts up) scanned in 1.81 seconds

      # specify an IP address list (here combined with a range)
      root@kali:~# nmap -iL ipaddr.txt 10.10.10.1-254 -PA 80 -sn
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:16 EDT
      Nmap scan report for 10.10.10.1
      Host is up (0.00089s latency).
      MAC Address: 00:50:56:C0:00:08 (VMware)
      Nmap scan report for 10.10.10.2
      Host is up (0.00058s latency).
      MAC Address: 00:50:56:E1:24:A1 (VMware)
      Nmap scan report for 10.10.10.132
      Host is up (0.00050s latency).
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap scan report for 10.10.10.136
      Host is up (0.00049s latency).
      MAC Address: 00:0C:29:35:6A:2D (VMware)
      Nmap scan report for 10.10.10.137
      Host is up (0.00043s latency).
      MAC Address: 00:50:56:21:D2:3A (VMware)
      Nmap scan report for 10.10.10.254
      Host is up (0.00031s latency).
      MAC Address: 00:50:56:E2:6B:78 (VMware)
      Nmap scan report for 10.10.10.131
      Host is up.
      Nmap done: 254 IP addresses (7 hosts up) scanned in 2.14 seconds

    4.2. hping3

    1. Overview
      -c --count count
      -2 --udp
    2. Host scan
      # UDP probe: an ICMP port unreachable reply shows the host is up even though the port is closed
      root@kali:~# hping3 --udp 10.10.10.132 -c 1
      HPING 10.10.10.132 (eth0 10.10.10.132): udp mode set, 28 headers + 0 data bytes
      ICMP Port Unreachable from ip=10.10.10.132 name=UNKNOWN  
      status=0 port=2770 seq=0

      --- 10.10.10.132 hping statistic ---
      1 packets transmitted, 1 packets received, 0% packet loss
      round-trip min/avg/max = 55.1/55.1/55.1 ms

    3. Port scanning

    • Ports are how network services and the server-side programs behind them are reached
    • Vulnerabilities in server-side programs are attacked through their ports
    • Find the open ports
    • A more concrete attack surface

    3.1. UDP port scanning

    • UDP port scanning
      • Assumes an ICMP port-unreachable response means the port is closed
      • When the target does not send port-unreachable, this produces false results
    • Full UDP application-layer requests
      • High accuracy
      • Very time-consuming
    • Scapy UDP scan
      • Port closed: ICMP port-unreachable
      • Port open: no reply
      • Knowing the packet structure of each UDP-based application protocol helps
      • Same technique as at layer 3
      • Prone to misjudgement

    3.1.1. nmap

    1. Overview
      -sU: UDP Scan
      -p <port ranges>: Only scan specified ports
    2. Port scan
      # (the default 1000 ports)
      root@kali:~# nmap -sU 10.10.10.132

      # specify a port
      root@kali:~# nmap -sU 10.10.10.132 -p 53
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:48 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00034s latency).
      PORT   STATE SERVICE
      53/udp open  domain
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

      # specify an IP address list
      root@kali:~# nmap -iL ipaddr.txt -sU -p 1-200

    3.2. TCP port scanning

    • Connection-oriented protocol
    • Three-way handshake
    • Stealth scan
    • Zombie (idle) scan
    • Full-connect scan
    • Every TCP scan technique judges the target port's state from a variation on the three-way handshake
    • Stealth scan
      • Does not establish a complete connection
      • Application logs do not record the scan: stealthy
    • Zombie scan
      • Extremely stealthy
      • Demanding preconditions (relies on the IPID)
      • The source address can be forged
      • Choosing the zombie
        • An idle system
        • A system that uses incrementing IPIDs (an IPID that is always 0, or random, is unusable)
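A stealth scan leaves nothing in application logs, so it has to be caught on the wire. The following is an added example, not part of the original notes: a small Python detector run over constructed packet records (the packet list, the thresholds and the function names are all assumptions made here) that flags a source sending a burst of half-open SYNs, or the unsolicited ACK probes used for layer 4 discovery above.

```python
from collections import defaultdict

# Constructed packet records (not a real capture): (time_s, src, sport, dst, dport, flags).
# flags uses tcpdump's letters: S=SYN, A=ACK, R=RST, P=PSH.
SAMPLE_PACKETS = [
    # 10.10.10.131 SYN-probes eight ports of 10.10.10.132 within 70 ms and never
    # completes a handshake; its kernel answers each SYN/ACK with a RST.
    (0.00, "10.10.10.131", 40001, "10.10.10.132", 21, "S"),
    (0.00, "10.10.10.132", 21, "10.10.10.131", 40001, "SA"),   # open
    (0.00, "10.10.10.131", 40001, "10.10.10.132", 21, "R"),
    (0.01, "10.10.10.131", 40002, "10.10.10.132", 22, "S"),
    (0.01, "10.10.10.132", 22, "10.10.10.131", 40002, "SA"),
    (0.01, "10.10.10.131", 40002, "10.10.10.132", 22, "R"),
    (0.02, "10.10.10.131", 40003, "10.10.10.132", 23, "S"),    # no answer: filtered
    (0.03, "10.10.10.131", 40004, "10.10.10.132", 25, "S"),
    (0.03, "10.10.10.132", 25, "10.10.10.131", 40004, "SA"),
    (0.04, "10.10.10.131", 40005, "10.10.10.132", 53, "S"),
    (0.05, "10.10.10.131", 40006, "10.10.10.132", 80, "S"),
    (0.05, "10.10.10.132", 80, "10.10.10.131", 40006, "SA"),
    (0.06, "10.10.10.131", 40007, "10.10.10.132", 110, "S"),
    (0.06, "10.10.10.132", 110, "10.10.10.131", 40007, "RA"),  # closed
    (0.07, "10.10.10.131", 40008, "10.10.10.132", 443, "S"),
    (0.07, "10.10.10.132", 443, "10.10.10.131", 40008, "RA"),
    # The same host sends a bare ACK to 10.10.10.1:80 (an ACK ping) and gets RST back.
    (1.00, "10.10.10.131", 40009, "10.10.10.1", 80, "A"),
    (1.00, "10.10.10.1", 80, "10.10.10.131", 40009, "RA"),
    # An ordinary client completes the handshake with 10.10.10.132:80 and sends data.
    (5.00, "10.10.10.2", 51000, "10.10.10.132", 80, "S"),
    (5.00, "10.10.10.132", 80, "10.10.10.2", 51000, "SA"),
    (5.01, "10.10.10.2", 51000, "10.10.10.132", 80, "A"),
    (5.02, "10.10.10.2", 51000, "10.10.10.132", 80, "PA"),
]


def summarize_flows(packets):
    """Group packets into client->server flows keyed by (client, server, server_port).
    SYN/ACK and RST/ACK are taken as server replies and folded into the client's flow."""
    flows = {}
    for ts, src, sport, dst, dport, flags in packets:
        if flags in ("SA", "RA"):
            key = (dst, src, sport)
        else:
            key = (src, dst, dport)
        f = flows.setdefault(key, {"syn": 0, "synack": 0, "ack": 0, "rst": 0,
                                   "first": ts, "last": ts})
        f["last"] = ts
        if flags == "S":
            f["syn"] += 1
        elif flags == "SA":
            f["synack"] += 1
        elif flags == "A":
            f["ack"] += 1
        elif "R" in flags:
            f["rst"] += 1
    return flows


def max_in_window(times, window_s):
    """Largest number of events that fall inside any window of window_s seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_probes(packets, window_s=2.0, min_targets=5):
    """Return {source_ip: finding} for sources that look like scanners.
    Half-open: the client sent SYN but never the final ACK, whatever the server
    answered. ACK probe: a flow that starts with a bare ACK and no SYN."""
    by_src = defaultdict(list)
    for (client, _server, _port), f in summarize_flows(packets).items():
        by_src[client].append(f)
    findings = {}
    for src, fl in by_src.items():
        half_open = [f for f in fl if f["syn"] and not f["ack"]]
        ack_probes = [f for f in fl if f["ack"] and not f["syn"] and not f["synack"]]
        burst = max_in_window([f["first"] for f in half_open], window_s)
        if burst >= min_targets or ack_probes:
            findings[src] = {"half_open_targets": len(half_open),
                             "burst": burst,
                             "ack_probes": len(ack_probes)}
    return findings


if __name__ == "__main__":
    for src, finding in detect_probes(SAMPLE_PACKETS).items():
        print(src, finding)
```

The thresholds are deliberately low for the constructed sample; on real traffic they are tuned per segment, and the same flow summary can be fed from a pcap or flow export instead of the embedded list.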

     

    3.2.1. Stealth port scanning

    1. scapy

    - SYN -> SYN/ACK -> RST

    sr1(IP(dst="192.168.60.3")/TCP(dport=80), timeout=1, verbose=1)   # TCP() defaults to flags='S'; the kernel answers the SYN/ACK with a RST

    2. nmap

    1. Overview
      -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    2. Port scan
      # specify the ports to scan
      root@kali:~# nmap -sS 10.10.10.132 -p 80,21,25,110,443
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00034s latency).
      PORT    STATE  SERVICE
      21/tcp  open   ftp
      25/tcp  open   smtp
      80/tcp  open   http
      110/tcp closed pop3
      443/tcp closed https
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

      # scan the whole port range, showing only open ports
      root@kali:~# nmap -sS 10.10.10.132 -p 1-65535 --open
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00010s latency).
      Not shown: 65505 closed ports
      PORT      STATE SERVICE
      21/tcp    open  ftp
      22/tcp    open  ssh
      23/tcp    open  telnet
      25/tcp    open  smtp
      53/tcp    open  domain
      80/tcp    open  http
      111/tcp   open  rpcbind
      139/tcp   open  netbios-ssn
      445/tcp   open  microsoft-ds
      512/tcp   open  exec
      513/tcp   open  login
      514/tcp   open  shell
      1099/tcp  open  rmiregistry
      1524/tcp  open  ingreslock
      2049/tcp  open  nfs
      2121/tcp  open  ccproxy-ftp
      3306/tcp  open  mysql
      3632/tcp  open  distccd
      5432/tcp  open  postgresql
      5900/tcp  open  vnc
      6000/tcp  open  X11
      6667/tcp  open  irc
      6697/tcp  open  ircs-u
      8009/tcp  open  ajp13
      8180/tcp  open  unknown
      8787/tcp  open  msgsrvr
      37499/tcp open  unknown
      41241/tcp open  unknown
      44616/tcp open  unknown
      56072/tcp open  unknown
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds

      # the same with -p- (shorthand for 1-65535)
      root@kali:~# nmap -sS 10.10.10.132 -p- --open
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:58 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00027s latency).
      Not shown: 65505 closed ports
      PORT      STATE SERVICE
      21/tcp    open  ftp
      22/tcp    open  ssh
      23/tcp    open  telnet
      25/tcp    open  smtp
      53/tcp    open  domain
      80/tcp    open  http
      111/tcp   open  rpcbind
      139/tcp   open  netbios-ssn
      445/tcp   open  microsoft-ds
      512/tcp   open  exec
      513/tcp   open  login
      514/tcp   open  shell
      1099/tcp  open  rmiregistry
      1524/tcp  open  ingreslock
      2049/tcp  open  nfs
      2121/tcp  open  ccproxy-ftp
      3306/tcp  open  mysql
      3632/tcp  open  distccd
      5432/tcp  open  postgresql
      5900/tcp  open  vnc
      6000/tcp  open  X11
      6667/tcp  open  irc
      6697/tcp  open  ircs-u
      8009/tcp  open  ajp13
      8180/tcp  open  unknown
      8787/tcp  open  msgsrvr
      37499/tcp open  unknown
      41241/tcp open  unknown
      44616/tcp open  unknown
      56072/tcp open  unknown
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds

      # specify an IP address list
      root@kali:~# nmap -sS -iL ipaddr.txt -p 80,21,22,23
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:59 EDT
      Nmap scan report for 10.10.10.1
      Host is up (0.0011s latency).

      PORT   STATE  SERVICE
      21/tcp closed ftp
      22/tcp closed ssh
      23/tcp closed telnet
      80/tcp closed http
      MAC Address: 00:50:56:C0:00:08 (VMware)

      Nmap scan report for 10.10.10.254
      Host is up (0.00085s latency).

      PORT   STATE    SERVICE
      21/tcp filtered ftp
      22/tcp filtered ssh
      23/tcp filtered telnet
      80/tcp filtered http
      MAC Address: 00:50:56:E2:6B:78 (VMware)

      Nmap done: 254 IP addresses (7 hosts up) scanned in 3.48 seconds
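The nmap host-discovery (-sn) reports in section 2.2 and the port-scan reports above share one text format. As an added example (not the page's own code, and not part of nmap), here is a Python parser for that format plus a comparison against an asset baseline, which is how a defender turns the same scan into an alert on unknown hosts, unexpected open ports or a changed MAC. The SAMPLE_SCAN text is constructed in the page's format, and the BASELINE, the regex names and the function names are assumptions made here.

```python
import re

# Constructed sample in the format of the nmap -sS/-sn reports on this page
# (addresses and MACs copied from the page; host count and blank lines are made up).
SAMPLE_SCAN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:59 EDT
Nmap scan report for 10.10.10.1
Host is up (0.0011s latency).

PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp closed ssh
80/tcp closed http
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
PORT    STATE  SERVICE
21/tcp  open   ftp
25/tcp  open   smtp
80/tcp  open   http
110/tcp closed pop3
443/tcp closed https
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00085s latency).
PORT   STATE    SERVICE
21/tcp filtered ftp
80/tcp filtered http
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap done: 254 IP addresses (3 hosts up) scanned in 3.48 seconds
"""

# Constructed baseline: hosts allowed on the segment, their expected MAC and the
# (port, proto) pairs allowed to be open. The MAC for 10.10.10.1 is deliberately wrong.
BASELINE = {
    "10.10.10.1":   {"mac": "00:50:56:AA:BB:CC", "open": set()},
    "10.10.10.132": {"mac": "00:0C:29:D0:AB:2C", "open": {(21, "tcp"), (80, "tcp")}},
}

HOST_RE = re.compile(r"^Nmap scan report for (?:.+ \()?([0-9.]+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)\b")


def parse_nmap(text):
    """Parse nmap's normal output into {ip: {"up": bool, "mac": str|None, "ports": {...}}}.
    ports maps (port, proto) -> state; "scan report for name (ip)" lines are keyed by ip."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {"up": False, "mac": None, "ports": {}})
            continue
        if current is None:          # header lines before the first host
            continue
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1).upper()
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"][(int(m.group(1)), m.group(2))] = m.group(3)
    return hosts


def compare_to_baseline(scan, baseline):
    """Flag live hosts missing from the baseline, open ports it does not allow,
    and hosts whose MAC differs from the recorded one."""
    report = {"new_hosts": [], "unexpected_open": [], "mac_changed": []}
    for ip in sorted(scan):
        info = scan[ip]
        if not info["up"]:
            continue
        if ip not in baseline:
            report["new_hosts"].append(ip)
            continue
        known = baseline[ip]
        if known.get("mac") and info["mac"] and known["mac"].upper() != info["mac"]:
            report["mac_changed"].append((ip, known["mac"], info["mac"]))
        for (port, proto), state in sorted(info["ports"].items()):
            if state == "open" and (port, proto) not in known["open"]:
                report["unexpected_open"].append((ip, port, proto))
    return report


if __name__ == "__main__":
    print(compare_to_baseline(parse_nmap(SAMPLE_SCAN), BASELINE))
```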

    3. hping3

    1. Overview
      -8  --scan       scan mode, takes a port range
      -c  --count      packet count
      -a  --spoof      spoof the source address
      -p  --destport   [+][+]<port> destination port (default 0), ctrl+z inc/dec
      -M  --setseq     set TCP sequence number
      -L  --setack     set TCP ack
      -F  --fin        set FIN flag
      -S  --syn        set SYN flag
      -R  --rst        set RST flag
      -P  --push       set PUSH flag
      -A  --ack        set ACK flag
      -U  --urg        set URG flag
      -X  --xmas       set X unused flag (0x40)
      -Y  --ymas       set Y unused flag (0x80)
    2. Port scan
      # SYN scan
      root@kali:~# hping3 10.10.10.132 --scan 80 -S
      Scanning 10.10.10.132 (10.10.10.132), port 80
      1 ports to scan, use -V to see all the replies
      +----+-----------+---------+---+-----+-----+-----+
      |port| serv name |  flags  |ttl| id  | win | len |
      +----+-----------+---------+---+-----+-----+-----+
         80 http       : .S..A...  64     0  5840    46
      All replies received. Done.
      Not responding ports:

      # SYN scan of specified ports
      root@kali:~# hping3 10.10.10.132 --scan 801,21,25,443 -S
      Scanning 10.10.10.132 (10.10.10.132), port 801,21,25,443
      4 ports to scan, use -V to see all the replies
      +----+-----------+---------+---+-----+-----+-----+
      |port| serv name |  flags  |ttl| id  | win | len |
      +----+-----------+---------+---+-----+-----+-----+
         21 ftp        : .S..A...  64     0  5840    46
         25 smtp       : .S..A...  64     0  5840    46
      All replies received. Done.
      Not responding ports:

      # specify a port range
      root@kali:~# hping3 10.10.10.132 --scan 0-65535 -S
      Scanning 10.10.10.132 (10.10.10.132), port 0-65535
      65536 ports to scan, use -V to see all the replies
      +----+-----------+---------+---+-----+-----+-----+
      |port| serv name |  flags  |ttl| id  | win | len |
      +----+-----------+---------+---+-----+-----+-----+
         21 ftp        : .S..A...  64     0  5840    46
         22 ssh        : .S..A...  64     0  5840    46
         23 telnet     : .S..A...  64     0  5840    46
         25 smtp       : .S..A...  64     0  5840    46
         53 domain     : .S..A...  64     0  5840    46
         80 http       : .S..A...  64     0  5840    46
        111 sunrpc     : .S..A...  64     0  5840    46
        139 netbios-ssn: .S..A...  64     0  5840    46
        445 microsoft-d: .S..A...  64     0  5840    46
        512 exec       : .S..A...  64     0  5840    46
        513 login      : .S..A...  64     0  5840    46
        514 shell      : .S..A...  64     0  5840    46
       1099 rmiregistry: .S..A...  64     0  5840    46
       1524 ingreslock : .S..A...  64     0  5840    46
       3306 mysql      : .S..A...  64     0  5840    46
       5432 postgresql : .S..A...  64     0  5840    46
       5900            : .S..A...  64     0  5840    46
       6000 x11        : .S..A...  64     0  5840    46
       8009            : .S..A...  64     0  5840    46
       8180            : .S..A...  64     0  5840    46
       8787            : .S..A...  64     0  5840    46
      37499            : .S..A...  64     0  5840    46
      44616            : .S..A...  64     0  5840    46
      56072            : .S..A...  64     0  5840    46
       2049 nfs        : .S..A...  64     0  5840    46
       2121 iprop      : .S..A...  64     0  5840    46
       3632 distcc     : .S..A...  64     0  5840    46
       6667 ircd       : .S..A...  64     0  5840    46
       6697 ircs-u     : .S..A...  64     0  5840    46
      41241            : .S..A...  64     0  5840    46
      All replies received. Done.
      Not responding ports:

      # source address spoofing
      root@kali:~# hping3 -c 10 -S --spoof 10.10.10.136 -p ++1 10.10.10.132

    3.2.2. Full-connect port scanning

    1. scapy

    1. Overview
    • A SYN scan does not need raw packets
    • The kernel regards the SYN/ACK as an illegal packet and sends a RST straight away, breaking the connection
    • A full-connect scan is therefore difficult with scapy
      sr1(IP(dst="192.168.20.2")/TCP(dport=22, flags='S'))

    2. nmap

    1. Overview
      -sT (TCP connect() scan)
      -sU (UDP scan)
      -sS (TCP SYN scan)
      -sN; -sF; -sX (TCP Null, FIN, and Xmas scans)
    2. Port scan
      # specify a port (the default is the top 1000 ports)
      root@kali:~# nmap -sT 10.10.10.132 -p 80
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:14 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00049s latency).
      PORT   STATE SERVICE
      80/tcp open  http
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

      # specify a port list
      root@kali:~# nmap -sT 10.10.10.132 -p 80,21,25,443
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00038s latency).
      PORT    STATE  SERVICE
      21/tcp  open   ftp
      25/tcp  open   smtp
      80/tcp  open   http
      443/tcp closed https
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

      # specify a port range
      root@kali:~# nmap -sT 10.10.10.132 -p 80-2000
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00029s latency).
      Not shown: 1912 closed ports
      PORT     STATE SERVICE
      80/tcp   open  http
      111/tcp  open  rpcbind
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      512/tcp  open  exec
      513/tcp  open  login
      514/tcp  open  shell
      1099/tcp open  rmiregistry
      1524/tcp open  ingreslock
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

      # specify an IP address list
      root@kali:~# nmap -sT -iL ipaddr.txt  -p 80
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:16 EDT
      Nmap scan report for 10.10.10.1
      Host is up (0.0012s latency).
      PORT   STATE  SERVICE
      80/tcp closed http
      MAC Address: 00:50:56:C0:00:08 (VMware)
      Nmap scan report for 10.10.10.2
      Host is up (0.00037s latency).
      PORT   STATE  SERVICE
      80/tcp closed http
      MAC Address: 00:50:56:E1:24:A1 (VMware)
      Nmap scan report for 10.10.10.132
      Host is up (0.00029s latency).

    3. dmitry

    1. Overview
    • Simple functionality, simple to use
    • Scans the 150 most common ports by default
      root@kali:~# dmitry
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"

      Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
        -o     Save output to %host.txt or to file specified by -o file
        -i     Perform a whois lookup on the IP address of a host
        -w     Perform a whois lookup on the domain name of a host
        -n     Retrieve Netcraft.com information on a host
        -s     Perform a search for possible subdomains
        -e     Perform a search for possible email addresses
        -p     Perform a TCP port scan on a host
      * -f     Perform a TCP port scan on a host showing output reporting filtered ports
      * -b     Read in the banner received from the scanned port
      * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
      *Requires the -p flagged to be passed
    2. Port scan
      # Scan a single target IP
      root@kali:~# dmitry -p 10.10.10.132
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"
      ERROR: Unable to locate Host Name for 10.10.10.132
      Continuing with limited modules
      HostIP:10.10.10.132
      HostName:
      Gathered TCP Port information for 10.10.10.132
      ---------------------------------
       Port       State
      21/tcp      open
      22/tcp      open
      23/tcp      open
      25/tcp      open
      53/tcp      open
      80/tcp      open
      111/tcp     open
      139/tcp     open
      Portscan Finished: Scanned 150 ports, 141 ports were in state closed
      All scans completed, exiting

      # Write the results to a file (-o); dmitry appends .txt to the name you give, hence 'output.txt.txt' below
      root@kali:~# dmitry -p 10.10.10.132 -o output.txt
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"
      Writing output to 'output.txt.txt'
      ERROR: Unable to locate Host Name for 10.10.10.132
      Continuing with limited modules
      HostIP:10.10.10.132
      HostName:
      Gathered TCP Port information for 10.10.10.132
      ---------------------------------
       Port       State
      21/tcp      open
      22/tcp      open
      23/tcp      open
      25/tcp      open
      53/tcp      open
      80/tcp      open
      111/tcp     open
      139/tcp     open
      Portscan Finished: Scanned 150 ports, 141 ports were in state closed

    4. nc

    1. Overview
      root@kali:~# nc -h
      [v1.10-41.1]
      connect to somewhere:   nc [-options] hostname port[s] [ports] ...
      listen for inbound: nc -l -p port [-options] [hostname] [port]
      options:
          -c shell commands   as `-e'; use /bin/sh to exec [dangerous!!]
          -e filename     program to exec after connect [dangerous!!]
          -b          allow broadcasts
          -g gateway      source-routing hop point[s], up to 8
          -G num          source-routing pointer: 4, 8, 12, ...
          -h          this cruft
          -i secs         delay interval for lines sent, ports scanned
              -k                      set keepalive option on socket
          -l          listen mode, for inbound connects
          -n          numeric-only IP addresses, no DNS
          -o file         hex dump of traffic
          -p port         local port number
          -r          randomize local and remote ports
          -q secs         quit after EOF on stdin and delay of secs
          -s addr         local source address
          -T tos          set Type Of Service
          -t          answer TELNET negotiation
          -u          UDP mode
          -v          verbose [use twice to be more verbose]
          -w secs         timeout for connects and final net reads
          -C          Send CRLF as line-ending
          -z          zero-I/O mode [used for scanning]
      port numbers can be individual or ranges: lo-hi [inclusive];
      hyphens in port names must be backslash escaped (e.g. 'ftp-data').
    2. Port scan (-z zero-I/O, -n no DNS, -w 1 one-second timeout; note that nc walks the range from the highest port down)
      root@kali:~# nc -nv -w 1 -z 10.10.10.132 1-100
      (UNKNOWN) [10.10.10.132] 80 (http) open
      (UNKNOWN) [10.10.10.132] 53 (domain) open
      (UNKNOWN) [10.10.10.132] 25 (smtp) open
      (UNKNOWN) [10.10.10.132] 23 (telnet) open
      (UNKNOWN) [10.10.10.132] 22 (ssh) open
      (UNKNOWN) [10.10.10.132] 21 (ftp) open

    3.2.3. Idle (zombie) scan

    • Uses a third host (the zombie) whose IP ID counter increases by one per packet it sends: reading the zombie's IP ID before and after a SYN spoofed from the zombie's address reaches the target tells whether the target port is open, without a single packet carrying the scanner's own address

    1. scapy

      # Idle scan with scapy (needs root). IPz is the zombie, IPt the target; values from this lab
      from scapy.all import IP, TCP, sr1, send
      IPz = "10.10.10.136"            # zombie: must have an incremental IP ID (see the ipidseq check below)
      IPt = "10.10.10.132"            # target
      i = IP()
      t = TCP()
      rz = (i/t)                      # probe to the zombie: a SYN that draws a SYN/ACK or RST carrying its IP ID
      rt = (i/t)                      # spoofed SYN: source is the zombie, destination is the target
      rz[IP].dst = IPz
      rz[TCP].dport = 445
      rt[IP].src = IPz
      rt[IP].dst = IPt
      rt[TCP].dport = 22
      az1 = sr1(rz, timeout=2)        # zombie IP ID before
      send(rt)                        # the reply goes to the zombie, not to us, so send() rather than sr1()
      az2 = sr1(rz, timeout=2)        # zombie IP ID after
      if az1 is None or az2 is None:
          raise SystemExit("zombie did not answer; pick another zombie or raise the timeout")
      az1.display(); az2.display()
      # IP ID advanced by 2: target port 22 is open (the zombie answered the target's SYN/ACK with a RST); by 1: closed or filtered

    2. nmap

    1. Overview
      The ipidseq NSE script tests whether a host's IP ID counter makes it usable as a zombie
      -sI <zombie host[:probeport]>: Idle scan
      -Pn: Treat all hosts as online -- skip host discovery
      # Locate the script
      root@kali:~# ls /usr/share/nmap/scripts | grep ipid

      # ipidseq: All zeros
      root@kali:~# nmap -p 445 10.10.10.132 --script=ipidseq.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00043s latency).

      PORT    STATE SERVICE
      445/tcp open  microsoft-ds
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Host script results:
      |_ipidseq: All zeros

      Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

      # ipidseq: Incremental!
      root@kali:~# nmap -p 445 10.10.10.136 --script=ipidseq.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
      Nmap scan report for 10.10.10.136
      Host is up (0.00042s latency).

      PORT    STATE SERVICE
      445/tcp open  microsoft-ds
      MAC Address: 00:0C:29:35:6A:2D (VMware)

      Host script results:
      |_ipidseq: Incremental!

      Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
    2. Scan the target through the zombie (-Pn, because host-discovery probes would otherwise leave from our own address)
      root@kali:~# nmap 10.10.10.132 -sI 10.10.10.136 -Pn -p 0-200
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:29 EDT
      Idle scan using zombie 10.10.10.136 (10.10.10.136:80); Class: Incremental
      Nmap scan report for 10.10.10.132
      Host is up (0.047s latency).
      Not shown: 193 closed|filtered ports
      PORT    STATE SERVICE
      21/tcp  open  ftp
      22/tcp  open  ssh
      23/tcp  open  telnet
      25/tcp  open  smtp
      53/tcp  open  domain
      80/tcp  open  http
      111/tcp open  rpcbind
      139/tcp open  netbios-ssn
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
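      The inference behind the two steps above (the ipidseq suitability check and the per-port verdict of the idle scan), as an added example that is not part of the original page, with the packet I/O left out so the logic can be checked offline. classify_ipid_sequence() is a simplified version of what the ipidseq script decides; the thresholds and the IP ID samples used below are constructed, not taken from nmap or from a capture.

```python
def _delta(a, b):
    """b - a on the 16-bit IP ID counter, tolerant of wraparound."""
    return (b - a) & 0xFFFF


def classify_ipid_sequence(ids):
    """Classify IP IDs read from consecutive replies (simplified ipidseq-style logic).

    Only an 'Incremental' host is a usable zombie: the scanner must be able to tell
    the one extra packet the zombie sends apart from its ordinary traffic.
    """
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "All zeros"                          # e.g. Linux with DF set, as 10.10.10.132 above
    deltas = [_delta(a, b) for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in deltas):
        return "Duplicated"                         # same ID on every packet
    if all(1 <= d <= 10 for d in deltas):           # small steps: background traffic between our probes
        return "Incremental"
    # some stacks count in little-endian byte order; swapping bytes exposes the counter
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if all(1 <= _delta(a, b) <= 10 for a, b in zip(swapped, swapped[1:])):
        return "Broken little-endian incremental"
    return "Randomized"


def idle_scan_verdict(id_before, id_after):
    """Port state from the zombie's IP ID around one spoofed SYN.

    open:            target sends SYN/ACK to the zombie, zombie answers RST (+1),
                     then answers our second probe (+1)           -> +2
    closed|filtered: target sends RST or nothing, zombie stays quiet,
                     only our second probe is answered             -> +1
    """
    step = _delta(id_before, id_after)
    if step == 2:
        return "open"
    if step == 1:
        return "closed|filtered"
    return "unknown"  # the zombie talked to someone else meanwhile; nmap re-probes in this case


def idle_scan(ports, zombie_ids):
    """Map ports to verdicts; zombie_ids is a list of (before, after) IP ID pairs, one per port."""
    return {p: idle_scan_verdict(b, a) for p, (b, a) in zip(ports, zombie_ids)}


if __name__ == "__main__":
    print(classify_ipid_sequence([31337, 31338, 31339, 31340]))   # constructed sample
    print(idle_scan([22, 23], [(100, 102), (102, 103)]))
```

      A verdict of "unknown" is the reason nmap probes each port several times and prefers an otherwise idle zombie: any traffic the zombie exchanges with third parties during the probe window shows up as extra increments.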

    4. Service scanning

    • Identify the application listening on each open port
    • Identify the target operating system
    • Makes the attack phase more efficient
      • Banner grabbing
      • Service identification
      • OS identification
      • SNMP analysis
      • Firewall identification
    • Banner
      • Software vendor
      • Software name
      • Service type
      • Version number
        • Points directly at the known vulnerabilities and weaknesses of that exact version
    • The banner is read as soon as the connection is established
    • Alternative service identification methods
      • Characteristic behaviour and response fields
      • Differences in responses also reveal the underlying operating system
    • SNMP
      • Simple Network Management Protocol
      • Community strings
      • Used to query information, or to reconfigure the device
    • Identifying and bypassing firewall filtering

    4.1. Banner

    • Banner grabbing alone has limited reach: a banner is only what the service chooses to announce
    • nmap instead identifies services by analysing response signatures
      • It sends a series of carefully chosen probes
      • and matches the responses against its signature database

    1. nc

    root@kali:~# nc -nv 10.10.10.132 80
    (UNKNOWN) [10.10.10.132] 80 (http) open
    GET /
    <html><head><title>Metasploitable2 - Linux</title></head><body>
    <pre>

    _                  _       _ _        _     _      ____ 
     _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___
    | '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ __) |
    | | | | | |  __/ || (_| \__ |_) | | (_) | | || (_| | |_) | |  __// __/
    |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                                |_|                                         

    Warning: Never expose this VM to an untrusted network!

    Contact: msfdev[at]metasploit.com

    Login with msfadmin/msfadmin to get started

    </pre>
    <ul>
    <li><a href="/twiki/">TWiki</a></li>
    <li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
    <li><a href="/mutillidae/">Mutillidae</a></li>
    <li><a href="/dvwa/">DVWA</a></li>
    <li><a href="/dav/">WebDAV</a></li>
    </ul>
    </body>
    </html>

    2. socket

      import socket
      bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      bangrab.settimeout(3)                  # do not hang on a service that sends nothing
      bangrab.connect(("10.10.10.132", 21))  # FTP on the lab target (the original used the placeholder 1.1.1.1)
      print(bangrab.recv(4096))              # FTP, SSH and SMTP greet the client first
      bangrab.close()
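      The nc and socket one-liners above turned into a small TCP connect scanner with banner grabbing, as an added example that is not from the original page. It reports open/closed/filtered the way nmap -sT does (handshake completed / connection refused / no answer) and returns whatever greeting the service volunteers. To run offline it starts local stand-in listeners whose banners are constructed to mirror the lab output; the host and ports in demo() are assumptions.

```python
import socket
import threading


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: a completed handshake is 'open', a refused connection 'closed',
    no answer within the timeout 'filtered'. Returns {port: (state, banner)}."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:       # RST from the host: the port is closed
            results[port] = ("closed", b"")
            s.close()
            continue
        except OSError:                      # timeout, unreachable: something dropped it
            results[port] = ("filtered", b"")
            s.close()
            continue
        try:
            banner = s.recv(4096)            # FTP, SSH, SMTP and telnet speak first
        except OSError:
            banner = b""                     # HTTP waits for a request, so nothing arrives
        finally:
            s.close()
        results[port] = ("open", banner)
    return results


def _fake_service(banner):
    """Local stand-in for a target service: sends `banner` and hangs up. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan two constructed services and one port that nothing listens on."""
    ftp_port = _fake_service(b"220 (vsFTPd 2.3.4)\r\n")                      # constructed, mirrors the lab banner
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n")   # constructed, mirrors the lab banner
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]      # a free port: connecting to it is refused
    probe.close()
    found = connect_scan("127.0.0.1", [ftp_port, ssh_port, closed_port])
    return {"ftp": found[ftp_port], "ssh": found[ssh_port], "closed": found[closed_port]}


if __name__ == "__main__":
    for name, (state, banner) in demo().items():
        print(name, state, banner)
```

      Against a real target, pass its address and the port list from the nmap output; the "filtered" state is the one to compare with the -sA results in the firewall section.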

    3. dmitry

    1. Overview
      root@kali:~# dmitry
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"

      Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
        -o     Save output to %host.txt or to file specified by -o file
        -i     Perform a whois lookup on the IP address of a host
        -w     Perform a whois lookup on the domain name of a host
        -n     Retrieve Netcraft.com information on a host
        -s     Perform a search for possible subdomains
        -e     Perform a search for possible email addresses
        -p     Perform a TCP port scan on a host
      * -f     Perform a TCP port scan on a host showing output reporting filtered ports
      * -b     Read in the banner received from the scanned port
      * -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
      *Requires the -p flagged to be passed
    2. Service scan
      # TCP port scan only (-p), no banners
      root@kali:~# dmitry -p 10.10.10.132
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"
      ERROR: Unable to locate Host Name for 10.10.10.132
      Continuing with limited modules
      HostIP:10.10.10.132
      HostName:
      Gathered TCP Port information for 10.10.10.132
      ---------------------------------
       Port       State
      21/tcp      open
      22/tcp      open
      23/tcp      open
      25/tcp      open
      53/tcp      open
      80/tcp      open
      111/tcp     open
      139/tcp     open
      Portscan Finished: Scanned 150 ports, 141 ports were in state closed
      All scans completed, exiting

      # Read the banner from each open port (-b); note that this run reported 6 open ports instead of the 9 seen without -b, so cross-check against the plain scan
      root@kali:~# dmitry -pb 10.10.10.132
      Deepmagic Information Gathering Tool
      "There be some deep magic going on"

      ERROR: Unable to locate Host Name for 10.10.10.132
      Continuing with limited modules
      HostIP:10.10.10.132
      HostName:
      Gathered TCP Port information for 10.10.10.132
      ---------------------------------
       Port       State
      21/tcp      open
      >> 220 (vsFTPd 2.3.4)
      22/tcp      open
      >> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
      23/tcp      open
      >>
      25/tcp      open
      >> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
      53/tcp      open
      Portscan Finished: Scanned 150 ports, 144 ports were in state closed
      All scans completed, exiting

    4. nmap

    1. Overview
      root@kali:~# cat /usr/share/nmap/scripts/banner.nse
      -sV: Probe open ports to determine service/version info
    2. Service scan
      # Run the banner NSE script against the first 100 ports
      root@kali:~# nmap -sT 10.10.10.132 -p 1-100 --script=banner.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:23 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.0015s latency).
      Not shown: 94 closed ports
      PORT   STATE SERVICE
      21/tcp open  ftp
      |_banner: 220 (vsFTPd 2.3.4)
      22/tcp open  ssh
      |_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
      23/tcp open  telnet
      |_banner: xFFxFDx18xFFxFD xFFxFD#xFFxFD'
      25/tcp open  smtp
      |_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
      53/tcp open  domain
      80/tcp open  http
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Nmap done: 1 IP address (1 host up) scanned in 15.53 seconds

      # Probe open ports to determine service/version info (-sV)
      root@kali:~# nmap 10.10.10.132 -p 80 -sV
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:28 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00032s latency).
      PORT   STATE SERVICE VERSION
      80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds

    5. amap

    1. Overview
      root@kali:~# amap
      amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap
      Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
      Modes:
        -A         Map applications: send triggers and analyse responses (default)
        -B         Just grab banners, do not send triggers
        -P         No banner or application stuff - be a (full connect) port scanner
      Options:
        -1         Only send triggers to a port until 1st identification. Speeeeed!
        -6         Use IPv6 instead of IPv4
        -b         Print ascii banner of responses
        -i FILE    Nmap machine readable outputfile to read ports from
        -u         Ports specified on commandline are UDP (default is TCP)
        -R         Do NOT identify RPC service
        -H         Do NOT send application triggers marked as potentially harmful
        -U         Do NOT dump unrecognised responses (better for scripting)
        -d         Dump all responses
        -v         Verbose mode, use twice (or more!) for debug (not recommended :-)
        -q         Do not report closed ports, and do not print them as unidentified
        -o FILE [-m] Write output to file FILE, -m creates machine readable output
        -c CONS    Amount of parallel connections to make (default 32, max 256)
        -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
        -T SEC     Connect timeout on connection attempts in seconds (default 5)
        -t SEC     Response wait timeout in seconds (default 5)
        -p PROTO   Only send triggers for this protocol (e.g. ftp)
        TARGET PORT   The target address and port(s) to scan (additional to -i)
      amap is a tool to identify application protocols on target ports.
      Note: this version was NOT compiled with SSL support!
      Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
    2. Service scan
      # Banner mode (-B) on a single port
      root@kali:~# amap -B 10.10.10.132 21
      amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:24:39 - BANNER mode
      Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
      amap v5.4 finished at 2018-03-31 07:24:39

      # Full TCP port range
      root@kali:~# amap -B 10.10.10.132 1-65535
      amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:25:15 - BANNER mode
      Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
      Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
      Banner on 10.10.10.132:23/tcp :  #'
      Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
      Banner on 10.10.10.132:512/tcp : Where are you?
      Banner on 10.10.10.132:1524/tcp : root@metasploitable/#
      Banner on 10.10.10.132:2121/tcp : 220 ProFTPD 1.3.1 Server (Debian) [ffff10.10.10.132]
      Banner on 10.10.10.132:3306/tcp : > 5.0.51a-3ubuntu5yG5q^`G!,n+'#vOd-P*!c
      Banner on 10.10.10.132:5900/tcp : RFB 003.003
      Banner on 10.10.10.132:6667/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...
      Banner on 10.10.10.132:6697/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...
      amap v5.4 finished at 2018-03-31 07:25:21

      # Narrow port range
      root@kali:~# amap -B 10.10.10.132 20-32
      amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:26:55 - BANNER mode
      Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
      Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
      Banner on 10.10.10.132:23/tcp :  #'
      Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

      # Do not report closed or unidentified ports (-q)
      root@kali:~# amap -B 10.10.10.132 20-32 -q
      amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:27:31 - BANNER mode
      Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
      Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
      Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
      Banner on 10.10.10.132:23/tcp :  #'
      amap v5.4 finished at 2018-03-31 07:27:31

      # -b prints the banner as printable ASCII; for these text banners the output does not change
      root@kali:~# amap -B 10.10.10.132 20-32 -qb
      amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:28:27 - BANNER mode
      Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
      Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
      Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
      Banner on 10.10.10.132:23/tcp :  #'
      amap v5.4 finished at 2018-03-31 07:28:27

    5. Operating system identification

    • OS fingerprinting techniques
      • Many different ones exist
      • Good products combine several
    • Initial TTL values (the observed value is lower by one per hop)
      • Windows: 128 (observed 65–128)
      • Linux/Unix: 64 (observed 1–64)
      • Some Unix systems: 255

    5.1. python

    1. TTL check with scapy
      from scapy.all import IP, ICMP, sr1
      win = "10.10.10.136"
      linu = "10.10.10.132"
      aw = sr1(IP(dst=win)/ICMP(), timeout=2)
      al = sr1(IP(dst=linu)/ICMP(), timeout=2)
      # The TTL seen here is the initial value minus the hops; on the same LAN it is the initial value itself
      for host, reply in ((win, aw), (linu, al)):
          if reply is None:
              print(host, "no reply")
          elif reply[IP].ttl <= 64:
              print(host, "host is linux")
          else:
              print(host, "host is windows")

    5.2. nmap

    1. Overview
      -O: Enable OS detection
      --osscan-limit: Limit OS detection to promising targets
      --osscan-guess: Guess OS more aggressively
    2. OS detection
      root@kali:~# nmap 10.10.10.132 -O
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:42 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00034s latency).
      Not shown: 977 closed ports
      PORT     STATE SERVICE
      21/tcp   open  ftp
      22/tcp   open  ssh
      23/tcp   open  telnet
      6667/tcp open  irc
      8009/tcp open  ajp13
      8180/tcp open  unknown
      MAC Address: 00:0C:29:D0:AB:2C (VMware)
      Device type: general purpose
      Running: Linux 2.6.X
      OS CPE: cpe:/o:linux:linux_kernel:2.6
      OS details: Linux 2.6.9 - 2.6.33
      Network Distance: 1 hop
      OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

    5.3. xprobe2

    1. Overview
      # Results can be inaccurate
      root@kali:~# xprobe2
      Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
      usage: xprobe2 [options] target
      Options:
                -v                       Be verbose
                -r                       Show route to target(traceroute)
                -p <proto:portnum:state> Specify portnumber, protocol and state.
                                         Example: tcp:23:open, UDP:53:CLOSED
                -c <configfile>          Specify config file to use.
                -h                       Print this help.
                -o <fname>               Use logfile to log everything.
                -t <time_sec>            Set initial receive timeout or roundtrip time.
                -s <send_delay>          Set packsending delay (milseconds).
                -d <debuglv>             Specify debugging level.
                -D <modnum>              Disable module number <modnum>.
                -M <modnum>              Enable module number <modnum>.
                -L                       Display modules.
                -m <numofmatches>        Specify number of matches to print.
                -T <portspec>            Enable TCP portscan for specified port(s).
                                         Example: -T21-23,53,110
                -U <portspec>            Enable UDP portscan for specified port(s).
                -f                       force fixed round-trip time (-t opt).
                -F                       Generate signature (use -o to save to a file).
                -X                       Generate XML output and save it to logfile specified with -o.
                -B                       Options forces TCP handshake module to try to guess open TCP port
                -A                       Perform analysis of sample packets gathered during portscan in
                                         order to detect suspicious traffic (i.e. transparent proxies,
                                         firewalls/NIDSs resetting connections). Use with -T.
    2. OS detection (no ports were supplied here, so the TCP handshake, SMB and SNMP modules were skipped; pass known ports with -p tcp:22:open or -T 21-25 from the usage above)
      root@kali:~# xprobe2 10.10.10.132

      Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

      [+] Target is 10.10.10.132
      [+] Loading modules.
      [+] Following modules are loaded:
      [x] [1] ping:icmp_ping  -  ICMP echo discovery module
      [x] [2] ping:tcp_ping  -  TCP-based ping discovery module
      [x] [3] ping:udp_ping  -  UDP-based ping discovery module
      [x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
      [x] [5] infogather:portscan  -  TCP and UDP PortScanner
      [x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
      [x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
      [x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
      [x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
      [x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
      [x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
      [x] [12] fingerprint:smb  -  SMB fingerprinting module
      [x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
      [+] 13 modules registered
      [+] Initializing scan engine
      [+] Running scan engine
      [-] ping:tcp_ping module: no closed/open TCP ports known on 10.10.10.132. Module test failed
      [-] ping:udp_ping module: no closed/open UDP ports known on 10.10.10.132. Module test failed
      [-] No distance calculation. 10.10.10.132 appears to be dead or no ports known
      [+] Host: 10.10.10.132 is up (Guess probability: 50%)
      [+] Target: 10.10.10.132 is alive. Round-Trip Time: 0.48084 sec
      [+] Selected safe Round-Trip Time value is: 0.96167 sec
      [-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
      [-] fingerprint:smb need either TCP port 139 or 445 to run
      [-] fingerprint:snmp: need UDP port 161 open
      [+] Cleaning up scan engine
      [+] Modules deinitialized
      [+] Execution completed.

    5.4. p0f

    1. Overview
      Passive fingerprinter; combined with ARP spoofing it can identify the OS of every host on the segment
    2. Passive identification

    6. SNMP scanning

    • SNMP
      • A gold mine of information
      • Frequently misconfigured
      • Default community strings: public / private / manager
    • MIB tree
      • SNMP Management Information Base (MIB)
      • A tree-structured database of the device's manageable objects
      • 1.3.6.1.4.1.77.1.2.25 (LanManager MIB: the table of Windows user accounts)
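    What onesixtyone and snmpwalk put on the wire, as an added example that is not from the original page: an SNMPv2c GetRequest for sysDescr.0 is BER-encoded by hand, and the matching GetResponse is decoded, so the place of the community string in the packet is visible. snmp_get() sends one request over UDP; the response bytes in demo() are constructed, not captured from a device, and the request-id 0x1234 is an arbitrary choice.

```python
import socket

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: the object community-string scanners ask for first


def _tlv(tag, body):
    """BER type-length-value; long-form length for bodies of 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(value):
    # BER INTEGER: two's complement, shortest form (a leading 0x00 keeps values >= 128 positive)
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def _oid(dotted):
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid, request_id):
    """SNMPv2c GetRequest for one OID (version field 1 means v2c, 0 would be v1)."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                  # OID + NULL placeholder value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_response(packet):
    """Decode a GetResponse into (request_id, error_status, [(oid, value), ...])."""
    tag, msg, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _read_tlv(msg)
    _, _community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("expected GetResponse (0xa2), got 0x%02x" % pdu_tag)
    _, rid, p = _read_tlv(pdu)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    bindings, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid, q = _read_tlv(vb)
        vtag, val, _ = _read_tlv(vb, q)
        # OCTET STRING (0x04) and INTEGER (0x02) are decoded; NULL, TimeTicks, noSuchObject etc. are left raw
        value = val.decode(errors="replace") if vtag == 0x04 else int.from_bytes(val, "big", signed=True) if vtag == 0x02 else val
        bindings.append((_decode_oid(oid), value))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), bindings


def snmp_get(host, community, oid=SYSDESCR_OID, timeout=2.0, port=161):
    """One GetRequest over UDP. Returns the bindings, or None when the agent stays silent:
    an SNMPv1/v2c agent drops a request with a wrong community string without any reply,
    which is the signal a dictionary run such as onesixtyone's relies on."""
    req = build_get_request(community, oid, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    rid, err, bindings = parse_response(data)
    return bindings if rid == 0x1234 and err == 0 else None


def demo():
    """Offline round trip: encode the request, decode a hand-built GetResponse (constructed bytes)."""
    request = build_get_request("public", SYSDESCR_OID, 1)
    response = bytes.fromhex(
        "302b" "020101" "04067075626c6963"                      # message: version 1 (v2c), community "public"
        "a21e" "020101" "020100" "020100"                       # GetResponse: request-id 1, error-status 0, index 0
        "3013" "3011" "06082b06010201010100" "04054c696e7578")  # sysDescr.0 = OCTET STRING "Linux"
    return request.hex(), parse_response(response)
```

    Walking the tree, as snmpwalk does, is the same exchange repeated with GetNextRequest (tag 0xa1) and the last returned OID as the new argument.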

    6.1. onesixtyone

    1. Overview
      root@kali:~# onesixtyone
      onesixtyone 0.3.2 [options] <host> <community>
        -c <communityfile> file with community names to try
        -i <inputfile>     file with target hosts
        -o <outputfile>    output log
        -d                 debug mode, use twice for more information
        -w n               wait n milliseconds (1/1000 of a second) between sending packets (default 10)
        -q                 quiet mode, do not print log to stdout, use with -l
      examples: ./s -c dict.txt 192.168.4.1 public
                ./s -c dict.txt -i hosts -o my.log -w 100
    2. SNMP scan
      root@kali:~# dpkg -L onesixtyone
      /usr/share/doc/onesixtyone/dict.txt
      # dict.txt ships with the package (path above); copy it into the working directory or give its full path
      root@kali:~# onesixtyone -c dict.txt -i ipaddr.txt -o 161output.log -w 100

    6.2. snmpwalk

    1. Overview
      -v 1|2c|3       specifies SNMP version to use
      -c COMMUNITY        set the community string
    2. Walk the MIB tree
      # Without an OID the walk starts at the top of the tree; append one (e.g. 1.3.6.1.4.1.77.1.2.25) to limit it
      root@kali:~# snmpwalk 10.10.10.132 -c public -v 2c

    6.3. snmpcheck

    1. Overview
      root@kali:~# snmpcheck -h
      Usage:  snmpcheck [-x] [-n|y] [-h] [-H] [-V NUM] [-L] [-f] [[-a] HOSTS]
        -h    Display this message.
        -a    check error log file AND hosts specified on command line.
        -p    Don't try and ping-echo the host first
        -f    Only check for things I can fix
        HOSTS check these hosts for problems.
      X Options:
        -x    forces ascii base if $DISPLAY set (instead of tk).
        -H    start in hidden mode.  (hides user interface)
        -V NUM    sets the initial verbosity level of the command log (def: 1)
        -L    Show the log window at startup
        -d    Don't start by checking anything.  Just bring up the interface.
      Ascii Options:
        -n    Don't ever try and fix the problems found.  Just list.
        -y    Always fix problems found.
    2. SNMP scan
      # The usage text above does not list the -t/-c/-v/-w flags used here, so check the tool's own -h on your install;
      # newer Kali releases ship it as snmp-check and take the target as a positional argument
      snmpcheck -t 192.168.20.199
      snmpcheck -t 192.168.20.199 -c private -v 2
      snmpcheck -t 192.168.20.199 -w

    7. SMB scanning

    • Server Message Block protocol
    • Historically the Microsoft protocol with the most security problems
    • Complex implementation
    • Enabled by default
    • File sharing
    • Null session (unauthenticated) enumeration can reveal
      • Password policy
      • User names
      • Group names
      • Machine names
      • User and group SIDs

    7.1. nmap

    1. Overview
      -v: Increase verbosity level (use -vv or more for greater effect)
      root@kali:~# ll /usr/share/nmap/scripts/smb*
    2. SMB scan
      # Find live hosts and their open ports first (--open lists only open ports; -v prints results as they arrive)
      root@kali:~# nmap -v 10.10.10.132-140 --open
      Nmap scan report for 10.10.10.136
      Host is up (0.00068s latency).
      Not shown: 994 closed ports
      PORT     STATE SERVICE
      21/tcp   open  ftp
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      2869/tcp open  icslap
      3389/tcp open  ms-wbt-server
      MAC Address: 00:0C:29:35:6A:2D (VMware)

      Nmap scan report for 10.10.10.137
      Host is up (0.0051s latency).
      Not shown: 995 closed ports
      PORT     STATE SERVICE
      21/tcp   open  ftp
      135/tcp  open  msrpc
      139/tcp  open  netbios-ssn
      445/tcp  open  microsoft-ds
      3389/tcp open  ms-wbt-server
      MAC Address: 00:50:56:21:D2:3A (VMware)

      Read data files from: /usr/bin/../share/nmap
      Nmap done: 9 IP addresses (3 hosts up) scanned in 1.77 seconds
         Raw packets sent: 3027 (132.948KB) | Rcvd: 3003 (120.220KB)

      # Use the smb-os-discovery script. Note the typo in the address: nmap expands 10.10.132 to 10.10.0.132 (see its
      # own report line), an unused address, which is why both ports show as filtered and the script printed nothing.
      # Rerun against 10.10.10.132, where 139/445 were open in the earlier scans.
      root@kali:~# nmap 10.10.132 -p 139,445 --script=smb-os-discovery.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:07 EDT
      Nmap scan report for 10.10.132 (10.10.0.132)
      Host is up (0.00039s latency).

      PORT    STATE    SERVICE
      139/tcp filtered netbios-ssn
      445/tcp filtered microsoft-ds

      Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

    7.2. nbtscan

    1. Overview
      root@kali:~# nbtscan
      NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
      This is a free software and it comes with absolutely no warranty.
      You can use, distribute and modify it under terms of GNU GPL.
      Usage:
      nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
          -v      verbose output. Print all names received
                  from each host
          -d      dump packets. Print whole packet contents.
          -e      Format output in /etc/hosts format.
          -l      Format output in lmhosts format.
                  Cannot be used with -v, -s or -h options.
          -t timeout  wait timeout milliseconds for response.
                  Default 1000.
          -b bandwidth    Output throttling. Slow down output
                  so that it uses no more that bandwidth bps.
                  Useful on slow links, so that ougoing queries
                  don't get dropped.
          -r      use local port 137 for scans. Win95 boxes
                  respond to this only.
                  You need to be root to use this option on Unix.
          -q      Suppress banners and error messages,
          -s separator    Script-friendly output. Don't print
                  column and record headers, separate fields with separator.
          -h      Print human-readable names for services.
                  Can only be used with -v option.
          -m retransmits  Number of retransmits. Default 0.
          -f filename Take IP addresses to scan from file filename.
                  -f - makes nbtscan take IP addresses from stdin.
          <scan_range>    what to scan. Can either be single IP
                  like 192.168.1.1 or
                  range of addresses in one of two forms:
                  xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
    2. NetBIOS name scan
      # -r queries from local port 137 (needs root). The errors on .0 and .255 are the network and broadcast addresses;
      # a Samba host such as METASPLOITABLE reports an all-zero MAC address.
      root@kali:~# nbtscan -r 10.10.10.0/24
      Doing NBT name scan for addresses from 10.10.10.0/24
      IP address       NetBIOS Name     Server    User             MAC address     
      ------------------------------------------------------------------------------
      10.10.10.0  Sendto failed: Permission denied
      10.10.10.131     <unknown>                  <unknown>       
      10.10.10.132     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
      10.10.10.1       ASUS-WIN7        <server>  <unknown>        00:50:56:c0:00:08
      10.10.10.255    Sendto failed: Permission denied

    7.3. enum4linux

    1. Overview
      -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
            This option is enabled if you don't provide any other options.
    2. SMB enumeration over a null session
      root@kali:~# enum4linux -a 10.10.10.132

    8. SMTP scanning

    8.1. nc

    1. Overview
      VRFY <user> asks the server whether a mailbox exists; the reply code tells valid users apart from invalid ones
    2. Scan
      root@kali:~# nc -nv 10.10.10.132 25
      (UNKNOWN) [10.10.10.132] 25 (smtp) open
      220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
      VRFY root
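      The VRFY dialogue above, automated and run against a constructed local SMTP stand-in so both sides of the exchange can be seen offline (added example, not from the original page). The reply codes are the standard SMTP ones: 250 confirms the mailbox, 550 denies it, 502 means VRFY is disabled, and 252 means the server accepts without verifying (the Postfix default, which is why VRFY and RCPT probes against the lab host return nothing useful). The account list of the stand-in, the user list and the HELO name are made up.

```python
import socket
import threading

KNOWN_USERS = {"root", "msfadmin", "postfix"}   # constructed accounts for the stand-in server


def _readline(f):
    return f.readline().decode(errors="replace").rstrip("\r\n")


def smtp_vrfy(host, port, users, timeout=5.0):
    """Return {user: status}: 'exists', 'unknown', 'accepts-all' (252, cannot verify),
    'vrfy-disabled' (502, stop trying) or 'other:<code>'."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        _readline(f)                                    # 220 greeting
        s.sendall(b"HELO scanner.example\r\n")          # placeholder client name
        _readline(f)                                    # 250
        for user in users:
            s.sendall(("VRFY %s\r\n" % user).encode())
            code = _readline(f)[:3]
            if code == "250":
                results[user] = "exists"
            elif code == "550":
                results[user] = "unknown"
            elif code == "252":
                results[user] = "accepts-all"           # server does not reveal mailbox existence
            elif code == "502":
                results[user] = "vrfy-disabled"
                break                                    # every further VRFY would fail the same way
            else:
                results[user] = "other:" + code
        s.sendall(b"QUIT\r\n")
    return results


def _fake_smtp_server():
    """Minimal SMTP stand-in answering VRFY from KNOWN_USERS. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle(conn):
        f = conn.makefile("rb")
        conn.sendall(b"220 mail.example ESMTP\r\n")
        while True:
            line = _readline(f)
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                conn.sendall(b"250 mail.example\r\n")
            elif verb == "VRFY":
                if arg in KNOWN_USERS:
                    conn.sendall(("250 %s <%s@mail.example>\r\n" % (arg, arg)).encode())
                else:
                    conn.sendall(b"550 5.1.1 <%s>: Recipient address rejected: User unknown\r\n" % arg.encode())
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Error: command not recognized\r\n")
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    port = _fake_smtp_server()
    return smtp_vrfy("127.0.0.1", port, ["root", "msfadmin", "nobody-here", "www-data"])


if __name__ == "__main__":
    print(demo())
```

      Against a real server replace the host and port with the target's and feed the wordlist; a run that returns "accepts-all" for the first name is the cue to switch to the EXPN or RCPT methods that smtp-user-enum offers, or to give up on enumeration through this server.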

    8.2. nmap

    1. Scripts
      root@kali:~# ll /usr/share/nmap/scripts/smtp*
      -rw-r--r-- 1 root root  4309 Mar 26 08:18 /usr/share/nmap/scripts/smtp-brute.nse
      -rw-r--r-- 1 root root  4771 Mar 26 08:18 /usr/share/nmap/scripts/smtp-commands.nse
      -rw-r--r-- 1 root root 12006 Mar 26 08:18 /usr/share/nmap/scripts/smtp-enum-users.nse
      -rw-r--r-- 1 root root  5873 Mar 26 08:18 /usr/share/nmap/scripts/smtp-ntlm-info.nse
      -rw-r--r-- 1 root root 10150 Mar 26 08:18 /usr/share/nmap/scripts/smtp-open-relay.nse
      -rw-r--r-- 1 root root   716 Mar 26 08:18 /usr/share/nmap/scripts/smtp-strangeport.nse
      -rw-r--r-- 1 root root 14740 Mar 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2010-4344.nse
      -rw-r--r-- 1 root root  7661 Mar 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1720.nse
      -rw-r--r-- 1 root root  7584 Mar 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1764.nse
    2. SMTP scan
      # smtp-enum-users.nse
      root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-enum-users.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:19 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00028s latency).

      PORT   STATE SERVICE
      25/tcp open  smtp
      | smtp-enum-users:
      |_  Method RCPT returned a unhandled status code.
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

      # smtp-open-relay.nse
      root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-open-relay.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:20 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00022s latency).

      PORT   STATE SERVICE
      25/tcp open  smtp
      |_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds

    8.3. smtp-user-enum

    1. Overview
      root@kali:~# smtp-user-enum
      smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

      Usage: smtp-user-enum [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )

      options are:
              -m n     Maximum number of processes (default: 5)
          -M mode  Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
          -u user  Check if user exists on remote system
          -f addr  MAIL FROM email address.  Used only in "RCPT TO" mode (default: user@example.com)
              -D dom   Domain to append to supplied user list to make email addresses (Default: none)
                       Use this option when you want to guess valid email addresses instead of just usernames
                       e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc.  Instead of
                            simply the usernames foo and bar.
          -U file  File of usernames to check via smtp service
          -t host  Server host running smtp service
          -T file  File of hostnames running the smtp service
          -p port  TCP port on which smtp service runs (default: 25)
          -d       Debugging output
          -t n     Wait a maximum of n seconds for reply (default: 5)
          -v       Verbose
          -h       This help message

      Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.

      Examples:

      $ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
      $ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
      $ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
      $ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
    2. SMTP scan
      smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
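      The mail-server side of the RCPT-mode enumeration above, as an added example that is not part of the original post: a wordlist run leaves a burst of "User unknown" rejects for many distinct recipients from one client, which is easy to pick out of Postfix logs. The log lines, host name, client addresses and the 5-in-60-seconds threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style rejects (not from the page): six probes from one client using
# the tool's default MAIL FROM of user@example.com, then one ordinary typo from elsewhere.
SAMPLE_LOG = """\
Mar 31 08:20:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.10.131]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<alice@example.com> proto=ESMTP helo=<kali>
Mar 31 08:20:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.10.131]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<bob@example.com> proto=ESMTP helo=<kali>
Mar 31 08:20:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.10.131]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<carol@example.com> proto=ESMTP helo=<kali>
Mar 31 08:20:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.10.131]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<dave@example.com> proto=ESMTP helo=<kali>
Mar 31 08:20:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.10.131]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<erin@example.com> proto=ESMTP helo=<kali>
Mar 31 08:20:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[10.10.10.131]: 550 5.1.1 <frank@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<frank@example.com> proto=ESMTP helo=<kali>
Mar 31 08:25:10 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mail.partner.test[192.0.2.10]: 550 5.1.1 <alise@example.com>: Recipient address rejected: User unknown in local recipient table; from=<pat@partner.test> to=<alise@example.com> proto=ESMTP helo=<mail.partner.test>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[0-9.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

def parse_rejects(log_text, year=2018):
    """Return (timestamp, client_ip, recipient) for every user-unknown RCPT reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return events

def find_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> distinct unknown recipients it probed inside one window.
    Only clients reaching the threshold are reported: a single mistyped address
    never trips this, a wordlist run does."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in events:
        by_ip[ip].append((ts, rcpt))
    alerts = {}
    for ip, probes in by_ip.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            distinct = {r for t, r in probes[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts[ip] = len(distinct)
                break
    return alerts

if __name__ == "__main__":
    print(find_enumeration(parse_rejects(SAMPLE_LOG)))  # {'10.10.10.131': 6}
```

      The same rule is worth pairing with the server-side fix the tool's help implies: disabling VRFY and EXPN so only the slower RCPT mode remains.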

    9. Firewall identification

    • By inspecting the replies to probes, it may be possible to tell whether a port is filtered by a firewall
    • Devices vary widely, so the results carry some degree of error

    9.1. nmap

    1. Overview
      -sA (TCP ACK scan)
         This scan differs from the others discussed so far in that it never determines open (or even
         open|filtered) ports. It is used to map out firewall rulesets, determining whether they are
         stateful or not and which ports are filtered. An unfiltered result means the ACK probe was
         answered with a RST, so nothing stateful dropped it on the way to that port.
    2. Firewall identification
      root@kali:~# nmap -sA 10.10.10.132 -p 22
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:30 EDT
      Nmap scan report for 10.10.10.132
      Host is up (0.00032s latency).

      PORT   STATE      SERVICE
      22/tcp unfiltered ssh
      MAC Address: 00:0C:29:D0:AB:2C (VMware)

      Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

    10. Load balancer identification

      1. Overview
        root@kali:~# lbd
        lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
        Written by Stefan Behte (http://ge.mine.nu
        Proof-of-concept! Might give false positives. 
        usage: /usr/bin/lbd domain [port] {https}
      2. Identification
        Identifying Baidu
        root@kali:~# lbd www.baidu.com
        lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
        Written by Stefan Behte (http://ge.mine.nu
        Proof-of-concept! Might give false positives.
        Checking for DNS-Loadbalancing: FOUND 
        www.a.shifen.com has address 61.135.169.121 
        www.a.shifen.com has address 61.135.169.125
        Checking for HTTP-Loadbalancing [Server]: 
        bfe/1.0.8.18 
        NOT FOUND
        Checking for HTTP-Loadbalancing [Date]: 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, NOT FOUND
        Checking for HTTP-Loadbalancing [Diff]: FOUND 
        < Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
        Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT 
        < ETag: “575e1f5d-115” 
        ETag: “575e1f5c-115”
        www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
        Identifying 163 Mail
        root@kali:~# lbd mail.163.com
        lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing. 
        Written by Stefan Behte (http://ge.mine.nu
        Proof-of-concept! Might give false positives.
        Checking for DNS-Loadbalancing: FOUND 
        mail163.ntes53.netease.com has address 123.125.50.26 
        mail163.ntes53.netease.com has address 123.125.50.7 
        mail163.ntes53.netease.com has address 123.125.50.28
        Checking for HTTP-Loadbalancing [Server]: 
        nginx 
        NOT FOUND
        Checking for HTTP-Loadbalancing [Date]: 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:30, 12:32:30, 12:32:30, 12:32:30, 12:32:30, NOT FOUND
        Checking for HTTP-Loadbalancing [Diff]: NOT FOUND
        mail.163.com does Load-balancing. Found via Methods: DNS
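        The four lbd checks seen in the two runs above (DNS, HTTP[Server], HTTP[Date], HTTP[Diff]), reimplemented offline in Python as an added example; this is not lbd's own code. The A records and response headers are constructed to mirror the captures (the Baidu set has differing ETag/Last-Modified, the 163 set does not), so the report reproduces the methods lbd printed.

```python
from datetime import datetime

# Constructed samples modelled on the lbd runs above; header values are illustrative only.
BAIDU_ADDRS = ["61.135.169.121", "61.135.169.125"]
BAIDU_RESPONSES = [
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:48 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT", "ETag": '"575e1f5d-115"'},
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:49 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:04 GMT", "ETag": '"575e1f5c-115"'},
]
NETEASE_ADDRS = ["123.125.50.26", "123.125.50.7", "123.125.50.28"]
NETEASE_RESPONSES = [
    {"Server": "nginx", "Date": "Sat, 31 Mar 2018 12:32:25 GMT", "Content-Type": "text/html"},
    {"Server": "nginx", "Date": "Sat, 31 Mar 2018 12:32:26 GMT", "Content-Type": "text/html"},
]

def dns_loadbalancing(addrs):
    """DNS method: the name resolves to more than one address."""
    return len(set(addrs)) > 1

def server_loadbalancing(responses):
    """HTTP[Server] method: the Server header is not identical in every response."""
    return len({r.get("Server", "") for r in responses}) > 1

def date_loadbalancing(responses):
    """HTTP[Date] method: a Date that goes backwards between consecutive replies
    points at back-ends with different clocks (both captures above were monotonic)."""
    fmt = "%a, %d %b %Y %H:%M:%S"
    times = [datetime.strptime(r["Date"].replace(" GMT", ""), fmt)
             for r in responses if "Date" in r]
    return any(later < earlier for earlier, later in zip(times, times[1:]))

def diff_loadbalancing(responses):
    """HTTP[Diff] method: names of headers (Date excluded, it changes anyway) whose
    value differs between responses, e.g. ETag / Last-Modified in the Baidu run."""
    names = {n for r in responses for n in r} - {"Date"}
    return sorted(n for n in names if len({r.get(n) for r in responses}) > 1)

def lbd_report(addrs, responses):
    """Return the methods that found balancing, in the order lbd prints them."""
    checks = [("DNS", dns_loadbalancing(addrs)),
              ("HTTP[Server]", server_loadbalancing(responses)),
              ("HTTP[Date]", date_loadbalancing(responses)),
              ("HTTP[Diff]", bool(diff_loadbalancing(responses)))]
    return [name for name, found in checks if found]

if __name__ == "__main__":
    print("www.baidu.com:", lbd_report(BAIDU_ADDRS, BAIDU_RESPONSES))    # ['DNS', 'HTTP[Diff]']
    print("mail.163.com:", lbd_report(NETEASE_ADDRS, NETEASE_RESPONSES))  # ['DNS']
```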

    11. WAF identification

    11.1. wafw00f

    1. Overview
      root@kali:~# wafw00f -h
      Usage: wafw00f url1 [url2 [url3 ... ]]
      example: wafw00f http://www.victim.org/

      Options:
        -h, --help            show this help message and exit
        -v, --verbose         enable verbosity - multiple -v options increase
                              verbosity
        -a, --findall         Find all WAFs, do not stop testing on the first one
        -r, --disableredirect
                              Do not follow redirections given by 3xx responses
        -t TEST, --test=TEST  Test for one specific WAF
        -l, --list            List all WAFs that we are able to detect
        -p PROXY, --proxy=PROXY
                              Use an HTTP proxy to perform requests, example:
                              http://hostname:8080, socks5://hostname:1080
        -V, --version         Print out the version
        -H HEADERSFILE, --headersfile=HEADERSFILE
                              Pass custom headers, for example to overwrite the
                              default User-Agent string
    2. Identification
      root@kali:~# wafw00f -l
      Can test for these WAFs:
      Profense
      NetContinuum
      Incapsula WAF
      CloudFlare
      NSFocus
      Safedog
      Mission Control Application Shield
      USP Secure Entry Server
      Cisco ACE XML Gateway
      Barracuda Application Firewall
      Art of Defence HyperGuard
      BinarySec
      Teros WAF
      F5 BIG-IP LTM
      F5 BIG-IP APM
      F5 BIG-IP ASM
      F5 FirePass
      F5 Trafficshield
      InfoGuard Airlock
      Citrix NetScaler
      Trustwave ModSecurity
      IBM Web Application Security
      IBM DataPower
      DenyALL WAF
      Applicure dotDefender
      Juniper WebApp Secure
      Microsoft URLScan
      Aqtronix WebKnight
      eEye Digital Security SecureIIS
      Imperva SecureSphere
      Microsoft ISA Server

    11.2. nmap

    1. Overview
      root@kali:~# ll /usr/share/nmap/scripts/http-waf*
      -rw-r--r-- 1 root root  5422 3月  26 08:18 /usr/share/nmap/scripts/http-waf-detect.nse
      -rw-r--r-- 1 root root 19339 3月  26 08:18 /usr/share/nmap/scripts/http-waf-fingerprint.nse
    2. Identification
      root@kali:~# nmap www.microsoft.com --script=http-waf-detect.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:35 EDT
      Nmap scan report for www.microsoft.com (222.163.207.76)
      Host is up (0.0050s latency).
      rDNS record for 222.163.207.76: 76.207.163.222.adsl-pool.jlccptt.net.cn
      Not shown: 998 filtered ports
      PORT    STATE SERVICE
      80/tcp  open  http
      443/tcp open  https

      Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds

    3. nmap: viewing a script's usage

      root@kali:~# nmap --script-help=http-vuln-cve2013-0156.nse
      Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:36 EDT

      http-vuln-cve2013-0156
      Categories: exploit vuln
      https://nmap.org/nsedoc/scripts/http-vuln-cve2013-0156.html
        Detects Ruby on Rails servers vulnerable to object injection, remote command
        executions and denial of service attacks. (CVE-2013-0156)

        All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
        3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless
        YAML payloads to detect vulnerable installations. If the malformed object
        receives a status 500 response, the server is processing YAML objects and
        therefore is likely vulnerable.

        References:
        * https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
        * https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
        * http://cvedetails.com/cve/2013-0156/

    Source document: <https://blog.csdn.net/kevinhanser/article/details/79772965>

  • Original URL: https://www.cnblogs.com/cx-ajun/p/9426707.html