I. Introduction
- Interacts directly with the target system
- Leaving traces of the access cannot be avoided
- Probe from a controlled third-party machine
- Use a proxy or an already compromised host
- Be prepared to be blocked
- Use noise to confuse the target and drown out the real probe traffic
- Scanning
- Send different probes and judge the target's state from what comes back
- Identify live hosts
- Potential attack targets
- Output: a list of IP addresses
- Layer 2, 3 and 4 discovery
- Advantages
- Fast and reliable scanning
- Disadvantages
- Not routable
- ARP protocol
- Packet capture analysis
II. Host discovery
1. Introduction
2. Layer 2 discovery
2.1. arping
- Overview
root@kali:~# arping
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don't go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use
-s source : source ip address
destination : ask for what ip address
- Host scanning
# Number of packets to send
root@kali:~# arping 10.10.10.132 -c 1
ARPING 10.10.10.132 from 10.10.10.131 eth0
Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C] 1.130ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
# Duplicate address detection mode
root@kali:~# arping 10.10.10.132 -D
ARPING 10.10.10.132 from 0.0.0.0 eth0
Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C] 0.812ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
# Print only the MAC address
root@kali:~# arping -c 1 10.10.10.132 | grep "reply from" | cut -d " " -f 5 | cut -d "[" -f 2 | cut -d "]" -f 1
00:0C:29:D0:AB:2C
2.2. nmap
- Overview
-sn: Ping scan - disable port scan
-iL <inputfilename>: Input from list of hosts/networks
- Host scanning
# Specify an IP address range
root@kali:~# nmap 10.10.10.1-254 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00058s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00025s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00036s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.0032s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 2.01 seconds
# Create the address list (Python; the resulting ipaddr.txt is used by the scans below)
with open('/root/Desktop/ipaddr.txt', 'w') as fo:
    for i in range(1, 255):
        # one address per line; nmap -iL accepts any whitespace-separated list
        fo.write('10.10.10.' + str(i) + '\n')
# Scan the address list
root@kali:~# nmap -iL ipaddr.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:21 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00071s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0021s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00047s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00089s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.00018s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00050s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 1.83 seconds
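As an added example (not part of the original notes), the Python below parses the normal output of `nmap -sn` shown above into a host inventory, so the result can be written to a target file for `-iL`, or compared against an earlier scan to spot newly appeared hosts and changed IP-to-MAC mappings. The embedded sample is a constructed, trimmed copy of the scan output above; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the `nmap -sn` normal output above.
SAMPLE_NMAP_SN = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00025s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.01 seconds
"""

# "Nmap scan report for 10.10.10.1" or "Nmap scan report for name (10.10.10.1)"
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[0-9.]+)s latency\))?\.$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$")


def parse_nmap_sn(text):
    """Return one dict per 'Nmap scan report' block: ip, name, mac, vendor, latency_s."""
    hosts = []
    cur = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = {"ip": m.group("ip"), "name": m.group("name"),
                   "mac": None, "vendor": None, "latency_s": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first report
        m = UP_RE.match(line)
        if m:
            # The scanning host itself is reported as "Host is up." with no latency and no MAC.
            cur["latency_s"] = float(m.group("lat")) if m.group("lat") else None
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"] = m.group("mac").upper()
            cur["vendor"] = m.group("vendor")
    return hosts


def ip_list(hosts):
    """Sorted IP strings; written one per line this is the input format for nmap -iL."""
    return sorted((h["ip"] for h in hosts), key=ipaddress.ip_address)


def write_target_list(hosts, path):
    with open(path, "w") as fo:
        fo.write("\n".join(ip_list(hosts)) + "\n")


def diff_inventory(previous, current):
    """Compare two parsed scans: new IPs, vanished IPs and IPs whose MAC changed.

    Hosts without a MAC (the scanner itself) are ignored for the MAC comparison."""
    prev = {h["ip"]: h["mac"] for h in previous}
    curr = {h["ip"]: h["mac"] for h in current}
    new_ips = sorted(set(curr) - set(prev), key=ipaddress.ip_address)
    gone_ips = sorted(set(prev) - set(curr), key=ipaddress.ip_address)
    changed_mac = sorted(
        (ip for ip in set(prev) & set(curr)
         if prev[ip] and curr[ip] and prev[ip] != curr[ip]),
        key=ipaddress.ip_address)
    return {"new": new_ips, "gone": gone_ips, "changed_mac": changed_mac}


if __name__ == "__main__":
    hosts = parse_nmap_sn(SAMPLE_NMAP_SN)
    for h in hosts:
        print(h)
    print(ip_list(hosts))
```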
2.3. Netdiscover
- Overview
- Dedicated to layer 2 discovery
- Works in wireless and switched network environments
- Active and passive probing
- Usage help
root@kali:~# netdiscover -h
Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>
Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-c]
-i device: your network device
-r range: scan a given IP range, e.g. 192.168.6.0/24, /16, /8
-l file: scan the list of IP ranges contained in the given file
-p passive mode: do not send anything, only sniff
-m file: scan a list of known MAC addresses
-F filter: Customize pcap filter expression (default: "arp")
-s time: time to sleep between each arp request (milliseconds)
-n node: last ip octet used for scanning (from 2 to 253)
-c count: number of times to send each arp reques (for nets with packet loss)
-f enable fastmode scan, saves a lot of time, recommended for auto
-d ignore home config files for autoscan and fast mode
-S enable sleep time supression between each request (hardcore mode)
-P print results in a format suitable for parsing by another program
-N Do not print header. Only valid when -P is enabled.
-L in parsable output mode (-P), continue listening after the active scan is completed
- Host scanning
- Active scan
# Scan a specified address range
Currently scanning: Finished! | Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 6 hosts. Total size: 360
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.10.10.1 00:50:56:c0:00:08 1 60 VMware, Inc.
10.10.10.2 00:50:56:e1:24:a1 1 60 VMware, Inc.
10.10.10.132 00:0c:29:d0:ab:2c 1 60 VMware, Inc.
10.10.10.136 00:0c:29:35:6a:2d 1 60 VMware, Inc.
10.10.10.137 00:50:56:21:d2:3a 1 60 VMware, Inc.
10.10.10.254 00:50:56:e2:6b:78 1 60 VMware, Inc.
# Scan a list of addresses
root@kali:~# netdiscover -l ipaddr.txt
Currently scanning: 10.10.10.0/24 | Screen View: Unique Hosts
248 Captured ARP Req/Rep packets, from 6 hosts. Total size: 14880
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.10.10.1 00:50:56:c0:00:08 42 2520 VMware, Inc.
10.10.10.2 00:50:56:e1:24:a1 42 2520 VMware, Inc.
10.10.10.132 00:0c:29:d0:ab:2c 41 2460 VMware, Inc.
10.10.10.136 00:0c:29:35:6a:2d 41 2460 VMware, Inc.
10.10.10.137 00:50:56:21:d2:3a 41 2460 VMware, Inc.
10.10.10.254 00:50:56:e2:6b:78 41 2460 VMware, Inc.
- Passive scan
# Active ARP probing easily triggers alerts
root@kali:~# netdiscover -p
Currently scanning: (passive) | Screen View: Unique Hosts
12 Captured ARP Req/Rep packets, from 5 hosts. Total size: 720
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.10.10.254 00:50:56:e2:6b:78 1 60 VMware, Inc.
10.10.10.2 00:50:56:e1:24:a1 3 180 VMware, Inc.
10.10.10.137 00:50:56:21:d2:3a 2 120 VMware, Inc.
10.10.10.132 00:0c:29:d0:ab:2c 4 240 VMware, Inc.
10.10.10.136 00:0c:29:35:6a:2d 2 120 VMware, Inc.
3. Layer 3 discovery
- Advantages
- Routable
- Fairly fast
- Disadvantages
- Slower than layer 2
- Often filtered by border firewalls
- IP and ICMP protocols
3.1. ping
- Overview
root@kali:~# ping -h
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
[-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
[-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
[-w deadline] [-W timeout] [hop1 ...] destination
Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
[-l preload] [-m mark] [-M pmtudisc_option]
[-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
[-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
[-W timeout] destination
- Host scanning
# Specify the number of packets to send
root@kali:~# ping 10.10.10.132 -c 2
PING 10.10.10.132 (10.10.10.132) 56(84) bytes of data.
64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=10.3 ms
64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.214 ms
--- 10.10.10.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.214/5.302/10.390/5.088 ms
# Route tracing
root@kali:~# ping -R 10.10.10.132
PING 10.10.10.132 (10.10.10.132) 56(124) bytes of data.
64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=0.237 ms
RR: 10.10.10.131
10.10.10.132
10.10.10.132
10.10.10.131
64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.376 ms (same route)
64 bytes from 10.10.10.132: icmp_seq=3 ttl=64 time=0.233 ms (same route)
64 bytes from 10.10.10.132: icmp_seq=4 ttl=64 time=0.227 ms (same route)
root@kali:~# traceroute 10.10.10.132
traceroute to 10.10.10.132 (10.10.10.132), 30 hops max, 60 byte packets
1 10.10.10.132 (10.10.10.132) 0.311 ms 0.199 ms 0.140 ms
# Extract only the responding IP address from the ping output
ping -c 1 10.10.10.132 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
3.2. fping
- Overview
root@kali:~# fping -h
Usage: fping [options] [targets...]
Probing options:
-4, --ipv4 only ping IPv4 addresses
-6, --ipv6 only ping IPv6 addresses
-b, --size=BYTES amount of ping data to send, in bytes (default: 56)
-B, --backoff=N set exponential backoff factor to N (default: 1.5)
-c, --count=N count mode: send N pings to each target
-f, --file=FILE read list of targets from a file ( - means stdin)
-g, --generate generate target list (only if no -f specified)
(give start and end IP in the target list, or a CIDR address)
(ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
-H, --ttl=N set the IP TTL value (Time To Live hops)
-I, --iface=IFACE bind to a particular interface
-l, --loop loop mode: send pings forever
-m, --all use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
-M, --dontfrag set the Don't Fragment flag
-O, --tos=N set the type of service (tos) flag on the ICMP packets
-p, --period=MSEC interval between ping packets to one target (in ms)
(in loop and count modes, default: 1000 ms)
-r, --retry=N number of retries (default: 3)
-R, --random random packet data (to foil link data compression)
-S, --src=IP set source address
-t, --timeout=MSEC individual target initial timeout (default: 500 ms,
except with -l/-c/-C, where it's the -p period up to 2000 ms)
Output options:
-a, --alive show targets that are alive
-A, --addr show targets by address
-C, --vcount=N same as -c, report results in verbose format
-D, --timestamp print timestamp before each output line
-e, --elapsed show elapsed time on return packets
-i, --interval=MSEC interval between sending ping packets (default: 10 ms)
-n, --name show targets by name (-d is equivalent)
-N, --netdata output compatible for netdata (-l -Q are required)
-o, --outage show the accumulated outage time (lost packets * packet interval)
-q, --quiet quiet (don't show per-target/per-ping results)
-Q, --squiet=SECS same as -q, but show summary every n seconds
-s, --stats print final stats
-u, --unreach show targets that are unreachable
-v, --version show version
- Host scanning
# Specify the number of packets to send
root@kali:~# fping -c 1 10.10.10.132 | grep 0%
10.10.10.132 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.29/0.29/0.29
10.10.10.132 : [0], 84 bytes, 0.29 ms (0.29 avg, 0% loss)
# Specify the scan range (-g takes a start and an end address, or a CIDR block)
root@kali:~# fping -g 10.10.10.132 10.10.10.137
root@kali:~# fping -g 10.10.10.0/24
root@kali:~# fping -f ipaddr.txt
3.3. hping3
- Overview
- Can send almost any TCP/IP packet
- Powerful, but scans only one target at a time
- Host scanning
# ICMP scan
root@kali:~# hping3 10.10.10.132 --icmp -c 2
HPING 10.10.10.132 (eth0 10.10.10.132): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.132 ttl=64 id=33497 icmp_seq=0 rtt=4.4 ms
len=46 ip=10.10.10.132 ttl=64 id=33498 icmp_seq=1 rtt=8.0 ms
--- 10.10.10.132 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.4/6.2/8.0 ms
3.4. scapy
- Overview
Hand-craft an ICMP packet by stacking the OSI layers -- IP/ICMP
- Host scanning
from scapy.all import IP, ICMP, sr1   # not needed inside the interactive scapy shell
ip = IP()
ip.dst = "1.1.1.1"
ping = ICMP()
a = sr1(ip/ping)
a.display()
a = sr1(ip/ping, timeout=1)   # ping a non-existent address: sr1 returns None once the timeout expires
a = sr1(IP(dst="1.1.1.1")/ICMP(), timeout=1)
4. Layer 4 discovery
- Advantages
- Routable and the results are reliable
- Unlikely to be filtered by firewalls
- Can even discover hosts whose ports are all filtered
- Disadvantages
- Stateful filtering firewalls may filter the scan
- Full port scans are slow
- TCP
- Unsolicited ACK -> RST
- SYN -> SYN/ACK or RST
- UDP
- ICMP port unreachable, or nothing comes back at all
- ACK -> TCP port -> RST
from scapy.all import IP, TCP, UDP, sr1   # not needed inside the interactive scapy shell
i = IP()
i.dst = "1.1.1.1"
t = TCP()
t.flags = 'A'
r = (i/t)
a = sr1(r)
a.display()
a = sr1(IP(dst="1.1.1.1")/TCP(dport=80, flags='A'), timeout=1)
- UDP -> UDP port -> ICMP (unreliable)
u = UDP()
u.dport = 33333
r = (i/u)
a = sr1(r, timeout=1, verbose=1)
4.1. nmap
- Overview
-A: Enable OS detection, version detection, script scanning and traceroute
-sn: Ping Scan - disable port scan
-PU: another host discovery option, UDP ping
-PS [portlist] (TCP SYN Ping)
-PA [portlist] (TCP ACK Ping)
-PE; -PP; -PM (ICMP Ping Types)
-PR (ARP Ping)
- Host scanning
# UDP ping (the port list must be attached to the option, -PU53; written with a space, nmap treats 53 as another target, which is what the "failed to determine route to 53" warning below is about)
root@kali:~# nmap 10.10.10.1-254 -PU 53 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:13 EDT
setup_target: failed to determine route to 53 (0.0.0.53)
Nmap scan report for 10.10.10.1
Host is up (0.00080s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00045s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00045s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00039s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.00038s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00092s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 2.07 seconds
# ACK ping (same issue: -PA80 attaches the port; here 80 is treated as a target, see the warning below)
root@kali:~# nmap 10.10.10.1-254 -PA 80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:15 EDT
setup_target: failed to determine route to 80 (0.0.0.80)
Nmap scan report for 10.10.10.1
Host is up (0.00066s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0033s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00064s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00052s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.0013s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00040s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 1.81 seconds
# Specify an IP address list
root@kali:~# nmap -iL ipaddr.txt 10.10.10.1-254 -PA 80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:16 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00089s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00058s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00050s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00049s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.00043s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00031s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 2.14 seconds
4.2. hping3
- Overview
-c --count packet count
-2 --udp UDP mode
- Host scanning
root@kali:~# hping3 --udp 10.10.10.132 -c 1
HPING 10.10.10.132 (eth0 10.10.10.132): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.10.10.132 name=UNKNOWN
status=0 port=2770 seq=0
--- 10.10.10.132 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 55.1/55.1/55.1 ms
3. Port scanning
- Ports correspond to network services and server-side application programs
- Vulnerabilities in server-side programs are attacked through their ports
- Discover open ports
- A more concrete attack surface
3.1. UDP port scanning
- UDP port scanning
- Assumes an ICMP port-unreachable response means the port is closed
- When the target system does not send port-unreachable, this produces false positives
- Complete UDP application-layer requests
- High accuracy
- Extremely time-consuming
- Scapy UDP scan
- Port closed: ICMP port-unreachable
- Port open: no reply
- Knowing the packet structure of each UDP-based application-layer protocol helps
- Same technique as at layer 3
- False positives
3.1.1. nmap
- Overview
-sU: UDP Scan
-p <port ranges>: Only scan specified ports
- Port scanning
# (default: the 1000 most common ports)
root@kali:~# nmap -sU 10.10.10.132
# Specify a port
root@kali:~# nmap -sU 10.10.10.132 -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:48 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
PORT STATE SERVICE
53/udp open domain
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
# Specify an IP address list
root@kali:~# nmap -iL ipaddr.txt -sU -p 1-200
3.2. TCP port scanning
- Connection-oriented protocol
- Three-way handshake
- Stealth scan
- Zombie scan
- Full-connect scan
- Every TCP scan method judges the target port's state from a variation of the three-way handshake
- Stealth scan
- Does not establish a complete connection
- Application logs do not record the scan -- stealthy
- Zombie scan
- Extremely stealthy
- Demanding preconditions (based on the IPID)
- The source address can be spoofed
- Choosing a zombie
- Idle system
- The system uses incrementing IPIDs
- 0
- Random
3.2.1. Stealth port scanning
1. scapy
- syn -- syn/ack -- rst
sr1(IP(dst="192.168.60.3")/TCP(dport=80),timeout=1,verbose=1)
2. nmap
- Overview
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
- Port scanning
# Specify the ports to scan
root@kali:~# nmap -sS 10.10.10.132 -p 80,21,25,110,443
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp closed pop3
443/tcp closed https
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
# Specify the port range to scan
root@kali:~# nmap -sS 10.10.10.132 -p 1-65535 --open
Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00010s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
6697/tcp open ircs-u
8009/tcp open ajp13
8180/tcp open unknown
8787/tcp open msgsrvr
37499/tcp open unknown
41241/tcp open unknown
44616/tcp open unknown
56072/tcp open unknown
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds
# Scan all ports (-p- is shorthand for 1-65535)
root@kali:~# nmap -sS 10.10.10.132 -p- --open
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:58 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00027s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
3632/tcp open distccd
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
6697/tcp open ircs-u
8009/tcp open ajp13
8180/tcp open unknown
8787/tcp open msgsrvr
37499/tcp open unknown
41241/tcp open unknown
44616/tcp open unknown
56072/tcp open unknown
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
# Specify an IP address list
root@kali:~# nmap -sS -iL ipaddr.txt -p 80,21,22,23
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:59 EDT
Nmap scan report for 10.10.10.1
Host is up (0.0011s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00085s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap done: 254 IP addresses (7 hosts up) scanned in 3.48 seconds
3. hping3
- Overview
-8 --scan specify the port range to scan
-c --count packet count
-a --spoof spoof the source address
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
- Port scanning
# SYN scan
root@kali:~# hping3 10.10.10.132 --scan 80 -S
Scanning 10.10.10.132 (10.10.10.132), port 80
1 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
80 http : .S..A... 64 0 5840 46
All replies received. Done.
Not responding ports:
# SYN scan of specified ports
root@kali:~# hping3 10.10.10.132 --scan 801,21,25,443 -S
Scanning 10.10.10.132 (10.10.10.132), port 801,21,25,443
4 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
21 ftp : .S..A... 64 0 5840 46
25 smtp : .S..A... 64 0 5840 46
All replies received. Done.
Not responding ports:
# Specify a port range
root@kali:~# hping3 10.10.10.132 --scan 0-65535 -S
Scanning 10.10.10.132 (10.10.10.132), port 0-65535
65536 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
21 ftp : .S..A... 64 0 5840 46
22 ssh : .S..A... 64 0 5840 46
23 telnet : .S..A... 64 0 5840 46
25 smtp : .S..A... 64 0 5840 46
53 domain : .S..A... 64 0 5840 46
80 http : .S..A... 64 0 5840 46
111 sunrpc : .S..A... 64 0 5840 46
139 netbios-ssn: .S..A... 64 0 5840 46
445 microsoft-d: .S..A... 64 0 5840 46
512 exec : .S..A... 64 0 5840 46
513 login : .S..A... 64 0 5840 46
514 shell : .S..A... 64 0 5840 46
1099 rmiregistry: .S..A... 64 0 5840 46
1524 ingreslock : .S..A... 64 0 5840 46
3306 mysql : .S..A... 64 0 5840 46
5432 postgresql : .S..A... 64 0 5840 46
5900 : .S..A... 64 0 5840 46
6000 x11 : .S..A... 64 0 5840 46
8009 : .S..A... 64 0 5840 46
8180 : .S..A... 64 0 5840 46
8787 : .S..A... 64 0 5840 46
37499 : .S..A... 64 0 5840 46
44616 : .S..A... 64 0 5840 46
56072 : .S..A... 64 0 5840 46
2049 nfs : .S..A... 64 0 5840 46
2121 iprop : .S..A... 64 0 5840 46
3632 distcc : .S..A... 64 0 5840 46
6667 ircd : .S..A... 64 0 5840 46
6697 ircs-u : .S..A... 64 0 5840 46
41241 : .S..A... 64 0 5840 46
All replies received. Done.
Not responding ports:
# Source address spoofing (the replies go to the spoofed address, so hping3 itself sees nothing)
root@kali:~# hping3 -c 10 -S --spoof 10.10.10.136 -p ++1 10.10.10.132
3.2.2. Full-connect port scanning
1. scapy
- Overview
- A SYN scan does not need raw packets
- The kernel regards the SYN/ACK as an illegitimate packet and sends a RST, breaking the connection
- Full-connect scans are hard to do with scapy
sr1(IP(dst="192.168.20.2")/TCP(dport=22,flags='S'))
2. nmap
- Overview
-sT (TCP connect() scan)
-sU (UDP scan)
-sS (TCP SYN scan)
-sN; -sF; -sX (TCP Null, FIN, and Xmas scans)
- Port scanning
# Specify a port (default: 1000 ports)
root@kali:~# nmap -sT 10.10.10.132 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:14 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00049s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
# Specify a port range
root@kali:~# nmap -sT 10.10.10.132 -p 80,21,25,443
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00038s latency).
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
443/tcp closed https
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
# Specify a port range
root@kali:~# nmap -sT 10.10.10.132 -p 80-2000
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00029s latency).
Not shown: 1912 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
# Specify an IP address list
root@kali:~# nmap -sT -iL ipaddr.txt -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:16 EDT
Nmap scan report for 10.10.10.1
Host is up (0.0012s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00037s latency).
PORT STATE SERVICE
80/tcp closed http
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00029s latency).
3. dmitry
- Overview
- Simple features, simple to use
- The 150 most common ports by default
root@kali:~# dmitry
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
- Port scanning
# Specify the IP to scan
root@kali:~# dmitry -p 10.10.10.132
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port State
21/tcp open
22/tcp open
23/tcp open
25/tcp open
53/tcp open
80/tcp open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
All scans completed, exiting
# Specify an output file (dmitry appends .txt itself, hence 'output.txt.txt' below)
root@kali:~# dmitry -p 10.10.10.132 -o output.txt
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Writing output to 'output.txt.txt'
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port State
21/tcp open
22/tcp open
23/tcp open
25/tcp open
53/tcp open
80/tcp open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
4. nc
- Overview
root@kali:~# nc -h
[v1.10-41.1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp-data').
- Port scanning
root@kali:~# nc -nv -w 1 -z 10.10.10.132 1-100
(UNKNOWN) [10.10.10.132] 80 (http) open
(UNKNOWN) [10.10.10.132] 53 (domain) open
(UNKNOWN) [10.10.10.132] 25 (smtp) open
(UNKNOWN) [10.10.10.132] 23 (telnet) open
(UNKNOWN) [10.10.10.132] 22 (ssh) open
(UNKNOWN) [10.10.10.132] 21 (ftp) open
3.2.3. Zombie scan
- Uses the increment of the zombie's IPID to determine whether a target port is open
1. scapy
from scapy.all import IP, TCP, sr1   # not needed inside the interactive scapy shell
IPz = "10.10.10.136"   # zombie (the host ipidseq reports as Incremental below)
IPt = "10.10.10.132"   # target
i = IP()
t = TCP()
rz = (i/t)   # probe sent to the zombie: read its current IPID
rt = (i/t)   # SYN sent to the target with the zombie's address as source
rz[IP].dst = IPz
rz[TCP].dport = 445
rt[IP].src = IPz
rt[IP].dst = IPt
rt[TCP].dport = 22
az1 = sr1(rz)
at = sr1(rt, timeout=1)   # the reply goes to the zombie, not to us, so this times out by design
az2 = sr1(rz)
az1.display()
az2.display()
2. nmap
- Overview
Use the script to scan for hosts suitable as zombies
-sI <zombie host[:probeport]>: Idle scan
-Pn: Treat all hosts as online -- skip host discovery
# Find the script
root@kali:~# ls /usr/share/nmap/scripts | grep ipid
# ipidseq: All zeros
root@kali:~# nmap -p 445 10.10.10.132 --script=ipidseq.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00043s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Host script results:
|_ipidseq: All zeros
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
# ipidseq: Incremental!
root@kali:~# nmap -p 445 10.10.10.136 --script=ipidseq.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
Nmap scan report for 10.10.10.136
Host is up (0.00042s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:35:6A:2D (VMware)
Host script results:
|_ipidseq: Incremental!
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
- Scan the target
root@kali:~# nmap 10.10.10.132 -sI 10.10.10.136 -Pn -p 0-200
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:29 EDT
Idle scan using zombie 10.10.10.136 (10.10.10.136:80); Class: Incremental
Nmap scan report for 10.10.10.132
Host is up (0.047s latency).
Not shown: 193 closed|filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
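As an added example that is not part of the original notes, the Python below models the IPID arithmetic behind the scapy sequence and the nmap idle scan above: a simplified version of the sequence classes that ipidseq.nse reports ("All zeros", "Incremental!"), and the three-step comparison of the zombie's IPID before and after the spoofed SYN. Nothing here touches the network; the zombie and target are simulated objects, and all names are this example's own.

```python
# IPID is a 16-bit counter, so every difference is taken modulo 65536.

def classify_ipid(ids):
    """Simplified version of the classes nmap's ipidseq.nse reports.
    Assumption: "Incremental" means every step is a small positive increment."""
    if len(ids) < 2:
        raise ValueError("need at least two IPID samples")
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= 10 for d in diffs):
        return "Incremental!"
    return "Randomized"


def infer_port_state(ipid_before, ipid_after):
    """The zombie spends one IPID for every packet it sends between the two probes."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 1:
        return "closed|filtered"   # only the zombie's reply to the second probe used an IPID
    if delta == 2:
        return "open"              # the zombie also answered the target's SYN/ACK with a RST
    return "unknown"               # zombie not idle (other traffic) or not incremental


class SimZombie:
    """An idle host whose IP ID counter increments by one for every packet it sends."""
    def __init__(self, start=1000):
        self.ipid = start

    def send(self):
        self.ipid = (self.ipid + 1) % 65536
        return self.ipid

    def on_synack(self):
        self.send()   # an unexpected SYN/ACK is answered with a RST, consuming one IPID

    def on_rst(self):
        pass          # a RST is dropped silently, no packet is sent


class SimTarget:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, apparent_source, port):
        # The spoofed SYN carries the zombie's address, so the reply goes to the zombie.
        if port in self.open_ports:
            apparent_source.on_synack()
        else:
            apparent_source.on_rst()


def idle_probe(zombie, target, port):
    before = zombie.send()        # az1 = sr1(rz): the zombie answers, we read its IPID
    target.on_syn(zombie, port)   # at = sr1(rt): SYN with the zombie as spoofed source
    after = zombie.send()         # az2 = sr1(rz): read the zombie's IPID again
    return infer_port_state(before, after)


def idle_scan(zombie, target, ports):
    return {p: idle_probe(zombie, target, p) for p in ports}


if __name__ == "__main__":
    z = SimZombie()
    t = SimTarget({21, 22, 80})
    print(idle_scan(z, t, [21, 22, 23, 80, 443]))
    print(classify_ipid([0, 0, 0]), classify_ipid([4431, 4432, 4433, 4434]))
```

A host whose sequence classifies as "Incremental!" is exactly the kind of zombie the scan needs, which is why a predictable IPID on an idle machine is worth fixing on the defending side.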
4. Service scanning
- Identify the application running on an open port
- Identify the target operating system
- Improve attack efficiency
- Banner grabbing
- Service identification
- Operating system identification
- SNMP analysis
- Firewall identification
- Banner
- Software vendor
- Software name
- Service type
- Version number
- Directly reveals the matching vulnerabilities and weaknesses
- Obtain the banner directly once the connection is established
- Alternative service identification methods
- Characteristic behaviour and response fields
- Different responses can be used to identify the underlying operating system
- SNMP
- Simple Network Management Protocol
- Community strings
- Information queries or reconfiguration
- Identifying and bypassing firewall filtering
4.1. banner
- Banner grabbing has limited reach
- nmap identifies services by analysing response signatures
- Sends a series of complex probes
- Based on response signatures
1. nc
root@kali:~# nc -nv 10.10.10.132 80
(UNKNOWN) [10.10.10.132] 80 (http) open
GET /
<html><head><title>Metasploitable2 -
Linux</title></head><body>
<pre>
_ _ _ _ _
_ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _|
|__ | | ___|___
| '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ __) |
| | | | | | __/ || (_| \__ |_) | | (_)
| | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a
href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a
href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
2. socket
import socket
bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
bangrab.settimeout(3)   # otherwise recv() blocks forever on a port that sends no banner
bangrab.connect(("1.1.1.1", 21))
print(bangrab.recv(4096))
bangrab.close()
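As an added example that is not part of the original notes: the socket snippet above returns raw bytes, and the Banner section lists what one wants out of them (vendor, software, service type, version). The Python below adds the timeout the snippet lacks and parses the banners that the dmitry -pb and nmap banner.nse runs later on this page return (vsFTPd, OpenSSH, Postfix, and the telnet option negotiation that shows up as \xFF\xFD... bytes). The sample banners are constructed copies of those; `grab_banner` and the other names are this example's own.

```python
import re
import socket
from dataclasses import dataclass, field

# Constructed samples: the banners shown by dmitry -pb and nmap banner.nse on this page.
SAMPLE_BANNERS = {
    21: b"220 (vsFTPd 2.3.4)\r\n",
    22: b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    23: b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",
    25: b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n",
}

TELNET_CMD = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TELNET_OPT = {0x18: "TERMINAL-TYPE", 0x20: "TSPEED",
              0x23: "X-DISPLAY-LOCATION", 0x27: "NEW-ENVIRON"}


@dataclass
class Banner:
    port: int
    service: str = "unknown"
    software: str = ""
    version: str = ""
    extra: dict = field(default_factory=dict)


def grab_banner(host, port, timeout=3.0):
    """The socket snippet above plus the two things it lacks: a timeout (a silent port
    such as 53/tcp would otherwise block recv() forever) and a guaranteed close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def decode_telnet_negotiation(data):
    """Turn IAC triples (0xFF cmd opt) into readable option names; [] if not telnet."""
    if len(data) < 3 or len(data) % 3 or data[0] != 0xFF:
        return []
    out = []
    for i in range(0, len(data), 3):
        iac, cmd, opt = data[i], data[i + 1], data[i + 2]
        if iac != 0xFF or cmd not in TELNET_CMD:
            return []
        out.append(f"{TELNET_CMD[cmd]} {TELNET_OPT.get(opt, 'option-%d' % opt)}")
    return out


def parse_banner(port, data):
    """Extract service, software and version from a raw banner; unknown banners keep the raw text."""
    b = Banner(port=port)
    neg = decode_telnet_negotiation(data)
    if neg:
        b.service, b.extra["negotiation"] = "telnet", neg   # no text banner, only negotiation
        return b
    text = data.decode("ascii", errors="replace").strip()
    m = re.match(r"^SSH-(?P<proto>[\d.]+)-(?P<soft>[A-Za-z]+)_(?P<ver>\S+)(?: (?P<comment>.*))?$", text)
    if m:
        b.service, b.software, b.version = "ssh", m.group("soft"), m.group("ver")
        b.extra = {"protocol": m.group("proto"), "comment": m.group("comment") or ""}
        return b
    m = re.match(r"^220[ -].*\(vsFTPd (?P<ver>[\d.]+)\)", text)
    if m:
        b.service, b.software, b.version = "ftp", "vsFTPd", m.group("ver")
        return b
    m = re.match(r"^220[ -](?P<host>\S+) ESMTP (?P<soft>\w+)(?: \((?P<os>[^)]*)\))?", text)
    if m:
        b.service, b.software = "smtp", m.group("soft")
        b.extra = {"hostname": m.group("host"), "os": m.group("os") or ""}
        return b
    b.extra["raw"] = text
    return b


if __name__ == "__main__":
    for port, raw in SAMPLE_BANNERS.items():
        print(parse_banner(port, raw))
```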
3. dmitry
- Overview
root@kali:~# dmitry
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
- Service scanning
# TCP port scan
root@kali:~# dmitry -p 10.10.10.132
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port State
21/tcp open
22/tcp open
23/tcp open
25/tcp open
53/tcp open
80/tcp open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
All scans completed, exiting
# Read the banner information (-b)
root@kali:~# dmitry -pb 10.10.10.132
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port State
21/tcp open
>> 220 (vsFTPd 2.3.4)
22/tcp open
>> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open
>>
25/tcp open
>> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp open
Portscan Finished: Scanned 150 ports, 144 ports were in state closed
All scans completed, exiting
4. nmap
- Overview
root@kali:~# cat /usr/share/nmap/scripts/banner.nse
-sV: Probe open ports to determine service/version info
- Service scanning
# Run the banner script
root@kali:~# nmap -sT 10.10.10.132 -p 1-100 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:23 EDT
Nmap scan report for 10.10.10.132
Host is up (0.0015s latency).
Not shown: 94 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open telnet
|_banner: xFFxFDx18xFFxFD xFFxFD#xFFxFD'
25/tcp open smtp
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp open domain
80/tcp open http
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 15.53 seconds
# Probe open ports to determine service/version info
root@kali:~# nmap 10.10.10.132 -p 80 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:28 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
5. amap
- Overview
root@kali:~# amap
amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
Modes:
-A Map applications: send triggers and analyse responses (default)
-B Just grab banners, do not send triggers
-P No banner or application stuff - be a (full connect) port scanner
Options:
-1 Only send triggers to a port until 1st identification. Speeeeed!
-6 Use IPv6 instead of IPv4
-b Print ascii banner of responses
-i FILE Nmap machine readable outputfile to read ports from
-u Ports specified on commandline are UDP (default is TCP)
-R Do NOT identify RPC service
-H Do NOT send application triggers marked as potentially harmful
-U Do NOT dump unrecognised responses (better for scripting)
-d Dump all responses
-v Verbose mode, use twice (or more!) for debug (not recommended :-)
-q Do not report closed ports, and do not print them as unidentified
-o FILE [-m] Write output to file FILE, -m creates machine readable output
-c CONS Amount of parallel connections to make (default 32, max 256)
-C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
-T SEC Connect timeout on connection attempts in seconds (default 5)
-t SEC Response wait timeout in seconds (default 5)
-p PROTO Only send triggers for this protocol (e.g. ftp)
TARGET PORT The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
- Service scanning
# Scan a specified port
root@kali:~# amap -B 10.10.10.132 21
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:24:39 - BANNER mode
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
amap v5.4 finished at 2018-03-31 07:24:39
# Scan a port range
root@kali:~# amap -B 10.10.10.132 1-65535
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:25:15 - BANNER mode
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
Banner on 10.10.10.132:23/tcp : #'
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
Banner on 10.10.10.132:512/tcp : Where are you?
Banner on 10.10.10.132:1524/tcp : root@metasploitable/#
Banner on 10.10.10.132:2121/tcp : 220 ProFTPD 1.3.1 Server (Debian) [ffff10.10.10.132]
Banner on 10.10.10.132:3306/tcp : > 5.0.51a-3ubuntu5yG5q^`G!,n+'#vOd-P*!c
Banner on 10.10.10.132:5900/tcp : RFB 003.003
Banner on 10.10.10.132:6667/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...
Banner on 10.10.10.132:6697/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...
amap v5.4 finished at 2018-03-31 07:25:21
# Scan a port range
root@kali:~# amap -B 10.10.10.132 20-32
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:26:55 - BANNER mode
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
Banner on 10.10.10.132:23/tcp : #'
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
# Do not show closed ports
root@kali:~# amap -B 10.10.10.132 20-32 -q
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:27:31 - BANNER mode
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
Banner on 10.10.10.132:23/tcp : #'
amap v5.4 finished at 2018-03-31 07:27:31
# Show binary responses
root@kali:~# amap -B 10.10.10.132 20-32 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:28:27 - BANNER mode
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
Banner on 10.10.10.132:23/tcp : #'
amap v5.4 finished at 2018-03-31 07:28:27
5. OS identification
- OS fingerprinting techniques
- Many kinds exist
- Good products combine several techniques
- Initial TTL values
- Windows: 128 (65-128)
- Linux/Unix: 64 (1-64)
- Some Unix: 255
5.1. python
- Overview
from scapy.all import IP, ICMP, sr1

win = "10.10.10.136"
linu = "10.10.10.132"

# Send one ICMP echo request to each host and keep the first reply
# (None if nothing comes back within the timeout)
aw = sr1(IP(dst=win)/ICMP(), timeout=2, verbose=0)
al = sr1(IP(dst=linu)/ICMP(), timeout=2, verbose=0)

# Guess the OS from the reply TTL: Linux starts at 64, Windows at 128
for reply in (aw, al):
    if reply is None:
        print("no reply")
    elif reply[IP].ttl <= 64:
        print("host is linux")
    else:
        print("host is windows")
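As an added example that is not part of the original post, the TTL rule above applied passively to captured packets: the tcpdump-style lines, hosts and TTLs are constructed, and the code also estimates hop distance and flags hosts whose TTLs disagree with each other.

```python
# Added example (not from the original post): TTL-based OS guessing that also
# estimates hop distance, applied passively to constructed tcpdump-style lines.
# Initial TTL values follow the post's table: Linux/Unix 64, Windows 128,
# some Unix 255. Hosts, TTLs and capture lines below are constructed sample data.
import re
from collections import defaultdict

# Initial TTL value -> OS family; the smallest value at or above the observed TTL wins
INITIAL_TTLS = [(64, "linux/unix"), (128, "windows"), (255, "unix (255)")]

# Matches the ttl field and the source address in tcpdump -v style IP headers
LINE_RE = re.compile(r"ttl (\d+),.*?\)\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>")


def guess_os(ttl):
    """Return (os_guess, estimated_hops) for an observed TTL.

    The observed TTL is the sender's initial value minus one per router
    crossed, so the nearest initial value at or above it is the best guess.
    """
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial, name in INITIAL_TTLS:
        if ttl <= initial:
            return name, initial - ttl
    return "unknown", 0  # unreachable: 255 is the largest initial value


def fingerprint_capture(lines):
    """Group observed TTLs per source host and guess each host's OS.

    Returns {ip: {"os": guess, "hops": n, "ttls": sorted list}}. A host seen
    with TTLs that map to different OS families is marked "inconsistent",
    which on a real network often means NAT or a load balancer in front of it.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group(2)].add(int(m.group(1)))
    result = {}
    for ip, ttls in seen.items():
        guesses = {guess_os(t) for t in ttls}
        families = {g[0] for g in guesses}
        if len(families) == 1:
            os_name, hops = min(guesses, key=lambda g: g[1])
        else:
            os_name, hops = "inconsistent", None
        result[ip] = {"os": os_name, "hops": hops, "ttls": sorted(ttls)}
    return result


# Constructed sample capture in tcpdump -v format (not real traffic)
SAMPLE_CAPTURE = [
    "12:00:01.000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84) 10.10.10.132 > 10.10.10.131: ICMP echo reply, id 1, seq 1, length 64",
    "12:00:01.001 IP (tos 0x0, ttl 128, id 2, offset 0, flags [none], proto ICMP (1), length 84) 10.10.10.136 > 10.10.10.131: ICMP echo reply, id 2, seq 1, length 64",
    "12:00:01.002 IP (tos 0x0, ttl 61, id 3, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.7.443 > 10.10.10.131.51000: Flags [S.], seq 1, ack 1, win 64240",
    "12:00:01.003 IP (tos 0x0, ttl 250, id 4, offset 0, flags [none], proto TCP (6), length 60) 203.0.113.9.22 > 10.10.10.131.51001: Flags [S.], seq 1, ack 1, win 65535",
    "12:00:01.004 IP (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.5.80 > 10.10.10.131.51002: Flags [S.], seq 1, ack 1, win 29200",
    "12:00:01.005 IP (tos 0x0, ttl 126, id 6, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.5.80 > 10.10.10.131.51003: Flags [S.], seq 1, ack 1, win 8192",
]

if __name__ == "__main__":
    for ip, info in sorted(fingerprint_capture(SAMPLE_CAPTURE).items()):
        print(f"{ip:<15} {info['os']:<13} hops={info['hops']} ttls={info['ttls']}")
```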
5.2. nmap
- Overview
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
- OS identification
root@kali:~# nmap 10.10.10.132 -O
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:42 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
5.3. xprobe2
- Overview
# Results are not fully accurate
root@kali:~# xprobe2
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
usage: xprobe2 [options] target
Options:
-v Be verbose
-r Show route to target(traceroute)
-p <proto:portnum:state> Specify portnumber, protocol and state.
Example: tcp:23:open, UDP:53:CLOSED
-c <configfile> Specify config file to use.
-h Print this help.
-o <fname> Use logfile to log everything.
-t <time_sec> Set initial receive timeout or roundtrip time.
-s <send_delay> Set packsending delay (milseconds).
-d <debuglv> Specify debugging level.
-D <modnum> Disable module number <modnum>.
-M <modnum> Enable module number <modnum>.
-L Display modules.
-m <numofmatches> Specify number of matches to print.
-T <portspec> Enable TCP portscan for specified port(s).
Example: -T21-23,53,110
-U <portspec> Enable UDP portscan for specified port(s).
-f force fixed round-trip time (-t opt).
-F Generate signature (use -o to save to a file).
-X Generate XML output and save it to logfile specified with -o.
-B Options forces TCP handshake module to try to guess open TCP port
-A Perform analysis of sample packets gathered during portscan in
order to detect suspicious traffic (i.e. transparent proxies,
firewalls/NIDSs resetting connections). Use with -T.
- OS identification
root@kali:~# xprobe2 10.10.10.132
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is 10.10.10.132
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.10.10.132. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.10.10.132. Module test failed
[-] No distance calculation. 10.10.10.132 appears to be dead or no ports known
[+] Host: 10.10.10.132 is up (Guess probability: 50%)
[+] Target: 10.10.10.132 is alive. Round-Trip Time: 0.48084 sec
[+] Selected safe Round-Trip Time value is: 0.96167 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
5.4. p0f
- Overview
Combined with ARP spoofing it can identify the OS of every host on the network
- Passive identification
6. SNMP scanning
- SNMP
- A gold mine of information
- Frequently misconfigured
- public / private / manager
- MIB tree
- SNMP Management Information Base (MIB)
- A tree-structured database of network device management data
- 1.3.6.1.4.1.77.1.2.25
6.1. onesixtyone
- Overview
root@kali:~# onesixtyone
onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information
-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100
- SNMP scanning
root@kali:~# dpkg -L onesixtyone
/usr/share/doc/onesixtyone/dict.txt
root@kali:~# onesixtyone -c dict.txt -i ipaddr.txt -o 161output.log -w 100
6.2. snmpwalk
- Overview
-v 1|2c|3 specifies SNMP version to use
-c COMMUNITY set the community string
- SNMP scanning
root@kali:~# snmpwalk 10.10.10.132 -c public -v 2c
6.3. snmpcheck
- Overview
root@kali:~# snmpcheck -h
Usage: snmpcheck [-x] [-n|y] [-h] [-H] [-V NUM] [-L] [-f] [[-a] HOSTS]
-h Display this message.
-a check error log file AND hosts specified on command line.
-p Don't try and ping-echo the host first
-f Only check for things I can fix
HOSTS check these hosts for problems.
X Options:
-x forces ascii base if $DISPLAY set (instead of tk).
-H start in hidden mode. (hides user interface)
-V NUM sets the initial verbosity level of the command log (def: 1)
-L Show the log window at startup
-d Don't start by checking anything. Just bring up the interface.
Ascii Options:
-n Don't ever try and fix the problems found. Just list.
-y Always fix problems found.
- SNMP scanning
snmpcheck -t 192.168.20.199
snmpcheck -t 192.168.20.199 -c private -v 2
snmpcheck -t 192.168.20.199 -w
7. SMB scanning
- Server Message Block protocol
- The protocol with the most security problems in Microsoft's history
- Complex to implement
- Enabled by default
- File sharing
- Null sessions without authentication
- Password policy
- Usernames
- Group names
- Machine names
- User and group SIDs
7.1. nmap
- Overview
-v: Increase verbosity level (use -vv or more for greater effect)
root@kali:~# ll /usr/share/nmap/scripts/smb*
- SMB scanning
# Scan hosts for open ports
root@kali:~# nmap -v 10.10.10.132-140 --open
Nmap scan report for 10.10.10.136
Host is up (0.00068s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp open icslap
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.0051s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
MAC Address: 00:50:56:21:D2:3A (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 9 IP addresses (3 hosts up) scanned in 1.77 seconds
Raw packets sent: 3027 (132.948KB) | Rcvd: 3003 (120.220KB)
# Use a script (the target below is mistyped as 10.10.132, which nmap expands to 10.10.0.132, hence the filtered result)
root@kali:~# nmap 10.10.132 -p 139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:07 EDT
Nmap scan report for 10.10.132 (10.10.0.132)
Host is up (0.00039s latency).
PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds
7.2. nbtscan
- Overview
root@kali:~# nbtscan
NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.
Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
-v verbose output. Print all names received
from each host
-d dump packets. Print whole packet contents.
-e Format output in /etc/hosts format.
-l Format output in lmhosts format.
Cannot be used with -v, -s or -h options.
-t timeout wait timeout milliseconds for response.
Default 1000.
-b bandwidth Output throttling. Slow down output
so that it uses no more that bandwidth bps.
Useful on slow links, so that ougoing queries
don't get dropped.
-r use local port 137 for scans. Win95 boxes
respond to this only.
You need to be root to use this option on Unix.
-q Suppress banners and error messages,
-s separator Script-friendly output. Don't print
column and record headers, separate fields with separator.
-h Print human-readable names for services.
Can only be used with -v option.
-m retransmits Number of retransmits. Default 0.
-f filename Take IP addresses to scan from file filename.
-f - makes nbtscan take IP addresses from stdin.
<scan_range> what to scan. Can either be single IP
like 192.168.1.1 or
range of addresses in one of two forms:
xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
- SMB scanning
root@kali:~# nbtscan -r 10.10.10.0/24
Doing NBT name scan for addresses from 10.10.10.0/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
10.10.10.0 Sendto failed: Permission denied
10.10.10.131 <unknown> <unknown>
10.10.10.132 METASPLOITABLE <server> METASPLOITABLE 00:00:00:00:00:00
10.10.10.1 ASUS-WIN7 <server> <unknown> 00:50:56:c0:00:08
10.10.10.255 Sendto failed: Permission denied
7.3. enum4linux
- Overview
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
This opion is enabled if you don't provide any other options.
- SMB scanning
root@kali:~# enum4linux -a 10.10.10.132
8. SMTP scanning
8.1. nc
- Overview
VRFY root
- Scanning
root@kali:~# nc -nv 10.10.10.132 25
(UNKNOWN) [10.10.10.132] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root
8.2. nmap
- Scripts
root@kali:~# ll /usr/share/nmap/scripts/smtp*
-rw-r--r-- 1 root root 4309 3月 26 08:18 /usr/share/nmap/scripts/smtp-brute.nse
-rw-r--r-- 1 root root 4771 3月 26 08:18 /usr/share/nmap/scripts/smtp-commands.nse
-rw-r--r-- 1 root root 12006 3月 26 08:18 /usr/share/nmap/scripts/smtp-enum-users.nse
-rw-r--r-- 1 root root 5873 3月 26 08:18 /usr/share/nmap/scripts/smtp-ntlm-info.nse
-rw-r--r-- 1 root root 10150 3月 26 08:18 /usr/share/nmap/scripts/smtp-open-relay.nse
-rw-r--r-- 1 root root 716 3月 26 08:18 /usr/share/nmap/scripts/smtp-strangeport.nse
-rw-r--r-- 1 root root 14740 3月 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2010-4344.nse
-rw-r--r-- 1 root root 7661 3月 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1720.nse
-rw-r--r-- 1 root root 7584 3月 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1764.nse
- SMTP scanning
# smtp-enum-users.nse
root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-enum-users.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:19 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00028s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
|_ Method RCPT returned a unhandled status code.
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
# smtp-open-relay.nse
root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-open-relay.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:20 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00022s latency).
PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds
8.3. smtp-user-enum
- Overview
root@kali:~# smtp-user-enum
smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
Usage: smtp-user-enum [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )
options are:
-m n Maximum number of processes (default: 5)
-M mode Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
-u user Check if user exists on remote system
-f addr MAIL FROM email address. Used only in "RCPT TO" mode (default: user@example.com)
-D dom Domain to append to supplied user list to make email addresses (Default: none)
Use this option when you want to guess valid email addresses instead of just usernames
e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc. Instead of
simply the usernames foo and bar.
-U file File of usernames to check via smtp service
-t host Server host running smtp service
-T file File of hostnames running the smtp service
-p port TCP port on which smtp service runs (default: 25)
-d Debugging output
-t n Wait a maximum of n seconds for reply (default: 5)
-v Verbose
-h This help message
Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.
Examples:
$ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
$ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
$ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
- SMTP scanning
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
9. Firewall identification
- By inspecting the replies, it may be possible to tell whether a port is filtered by a firewall
- Devices vary widely, so the results carry some margin of error
9.1. nmap
- Overview
-sA (TCP ACK scan)
This scan differs from the others discussed so far in that it cannot determine open or open|filtered ports. It is used to map firewall rulesets, determining whether they are stateful and which ports are filtered.
- Firewall identification
root@kali:~# nmap -sA 10.10.10.132 -p 22
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:30 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00032s latency).
PORT STATE SERVICE
22/tcp unfiltered ssh
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
10. Load balancer identification
- Overview
root@kali:~# lbd
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
usage: /usr/bin/lbd domain [port] {https}
- Identification
Identifying Baidu
root@kali:~# lbd www.baidu.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
www.a.shifen.com has address 61.135.169.121
www.a.shifen.com has address 61.135.169.125
Checking for HTTP-Loadbalancing [Server]:
bfe/1.0.8.18
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: FOUND
< Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT
< ETag: "575e1f5d-115"
ETag: "575e1f5c-115"
www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
Identifying 163 Mail
root@kali:~# lbd mail.163.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
mail163.ntes53.netease.com has address 123.125.50.26
mail163.ntes53.netease.com has address 123.125.50.7
mail163.ntes53.netease.com has address 123.125.50.28
Checking for HTTP-Loadbalancing [Server]:
nginx
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:30, 12:32:30, 12:32:30, 12:32:30, 12:32:30, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: NOT FOUND
mail.163.com does Load-balancing. Found via Methods: DNS
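The four indicators lbd reports (DNS, HTTP[Server], HTTP[Date], HTTP[Diff]), reimplemented as an added example that is not lbd's own code, over constructed data modelled on the www.baidu.com run above. The resolved addresses and response headers are passed in as lists rather than fetched, and the Date heuristic (timestamps going backwards between consecutive responses) is this example's approximation of lbd's check.

```python
# Added example (not lbd's own code): the four load-balancing indicators lbd
# reports, reimplemented over constructed data so it runs offline. DNS answers
# and response headers are passed in as already-collected lists; lbd itself
# performs the lookups and requests. The Date rule is an assumption of this
# example, not a copy of lbd's logic.
from datetime import datetime

# Headers that legitimately change between requests and are ignored by the
# Diff check; the remaining headers should be identical from a single origin.
VOLATILE_HEADERS = {"date", "set-cookie", "expires", "age", "content-length"}


def parse_http_date(value):
    """Parse an RFC 1123 Date header such as 'Mon, 13 Jun 2016 02:50:05 GMT'."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S GMT")


def dns_check(addresses):
    """DNS load balancing: the name resolves to more than one address."""
    return len(set(addresses)) > 1


def server_header_check(responses):
    """HTTP[Server]: differing Server header values across responses."""
    return len({r.get("Server", "") for r in responses}) > 1


def date_header_check(responses):
    """HTTP[Date]: Date header moving backwards between consecutive responses,
    which suggests answers coming from machines with unsynchronised clocks."""
    dates = [parse_http_date(r["Date"]) for r in responses if "Date" in r]
    return any(later < earlier for earlier, later in zip(dates, dates[1:]))


def diff_check(responses):
    """HTTP[Diff]: any non-volatile header (ETag, Last-Modified, ...) differs,
    which happens when backends serve slightly different copies of a file."""
    def stable(r):
        return tuple(sorted((k.lower(), v) for k, v in r.items()
                            if k.lower() not in VOLATILE_HEADERS))
    return len({stable(r) for r in responses}) > 1


def detect_load_balancing(addresses, responses):
    """Return the list of methods that found load balancing, in lbd's order."""
    found = []
    if dns_check(addresses):
        found.append("DNS")
    if server_header_check(responses):
        found.append("HTTP[Server]")
    if date_header_check(responses):
        found.append("HTTP[Date]")
    if diff_check(responses):
        found.append("HTTP[Diff]")
    return found


# Constructed sample modelled on the post's www.baidu.com result: two A records,
# identical Server headers, monotonic Date, but ETag/Last-Modified differ.
SAMPLE_ADDRESSES = ["61.135.169.121", "61.135.169.125"]
SAMPLE_RESPONSES = [
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:48 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT", "ETag": '"575e1f5d-115"'},
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:48 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:04 GMT", "ETag": '"575e1f5c-115"'},
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:49 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT", "ETag": '"575e1f5d-115"'},
]

if __name__ == "__main__":
    methods = detect_load_balancing(SAMPLE_ADDRESSES, SAMPLE_RESPONSES)
    print("Found via Methods:", " ".join(methods) if methods else "none")
```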
11. WAF identification
11.1. wafw00f
- Overview
root@kali:~# wafw00f -h
Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/
Options:
-h, --help show this help message and exit
-v, --verbose enable verbosity - multiple -v options increase
verbosity
-a, --findall Find all WAFs, do not stop testing on the first one
-r, --disableredirect
Do not follow redirections given by 3xx responses
-t TEST, --test=TEST Test for one specific WAF
-l, --list List all WAFs that we are able to detect
-p PROXY, --proxy=PROXY
Use an HTTP proxy to perform requests, example:
http://hostname:8080, socks5://hostname:1080
-V, --version Print out the version
-H HEADERSFILE, --headersfile=HEADERSFILE
Pass custom headers, for example to overwrite the
default User-Agent string
- Identification
root@kali:~# wafw00f -l
Can test for these WAFs:
Profense
NetContinuum
Incapsula WAF
CloudFlare
NSFocus
Safedog
Mission Control Application Shield
USP Secure Entry Server
Cisco ACE XML Gateway
Barracuda Application Firewall
Art of Defence HyperGuard
BinarySec
Teros WAF
F5 BIG-IP LTM
F5 BIG-IP APM
F5 BIG-IP ASM
F5 FirePass
F5 Trafficshield
InfoGuard Airlock
Citrix NetScaler
Trustwave ModSecurity
IBM Web Application Security
IBM DataPower
DenyALL WAF
Applicure dotDefender
Juniper WebApp Secure
Microsoft URLScan
Aqtronix WebKnight
eEye Digital Security SecureIIS
Imperva SecureSphere
Microsoft ISA Server
11.2. nmap
- Overview
root@kali:~# ll /usr/share/nmap/scripts/http-waf*
-rw-r--r-- 1 root root 5422 3月 26 08:18 /usr/share/nmap/scripts/http-waf-detect.nse
-rw-r--r-- 1 root root 19339 3月 26 08:18 /usr/share/nmap/scripts/http-waf-fingerprint.nse
- Identification
root@kali:~# nmap www.microsoft.com --script=http-waf-detect.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:35 EDT
Nmap scan report for www.microsoft.com (222.163.207.76)
Host is up (0.0050s latency).
rDNS record for 222.163.207.76: 76.207.163.222.adsl-pool.jlccptt.net.cn
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds
3. nmap: viewing a script's usage
root@kali:~# nmap --script-help=http-vuln-cve2013-0156.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:36 EDT
http-vuln-cve2013-0156
Categories: exploit vuln
https://nmap.org/nsedoc/scripts/http-vuln-cve2013-0156.html
Detects Ruby on Rails servers
vulnerable to object injection, remote command
executions and denial of service
attacks. (CVE-2013-0156)
All Ruby on Rails
versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
3.1.10, and 3.2.x before 3.2.11 are
vulnerable. This script sends 3 harmless
YAML payloads to detect vulnerable
installations. If the malformed object
receives a status 500 response, the
server is processing YAML objects and
therefore is likely vulnerable.
References:
* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
* http://cvedetails.com/cve/2013-0156/
Source document <https://blog.csdn.net/kevinhanser/article/details/79772965>