小白日记13：kali渗透测试之服务扫描（三）-SMTB扫描、防火墙识别、负载均衡识别、WAF识别

SMTP扫描

SMTP（Simple Mail Transfer Protocol）即简单邮件传输协议,它是一组用于由源地址到目的地址传送邮件的规则，由它来控制信件的中转方式。SMTP协议属于TCP/IP协议簇，它帮助每台计算机在发送或中转信件时找到下一个目的地。通过SMTP协议所指定的服务器,就可以把E-mail寄到收信人的服务器上了，整个过程只要几分钟。SMTP服务器则是遵循SMTP协议的发送邮件服务器，用来发送或中转发出的电子邮件。

SMB扫描针对机器去发现其漏洞，SMTP扫描为主动发现目标系统的邮件账号（被动信息收集也能收集到一些）。用途：社会工程学

初级方法

root@kali:~# nc -nv 192.168.1.107 25            #连接25端口
(UNKNOWN) [192.168.1.107] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root                                     #输入：尝试确认是否有root账号
252 2.0.0 root<strong>
</strong>

Nmap 前提：做了端口扫描知道目标主机开启25端口

扫描用户账号

root@kali:~# nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
                               #尝试枚举账号     #指定使用什么方式，默认用root账号，也可加别的参数（指定字典）
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:06 CST
Nmap scan report for smtp.163.com (220.181.12.16)
Host is up (0.044s latency).
Other addresses for smtp.163.com (not scanned): 220.181.12.17 220.181.12.18 220.181.12.11 220.181.12.12 220.181.12.13 220.181.12.14 220.181.12.15
rDNS record for 220.181.12.16: m12-16.163.com
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-enum-users: 
|_  Couldn't find any accounts

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds

指定字典扫描邮箱账号：smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
扫描邮件开放中继：【如果开放了邮件中继，所有人都可以使用该邮件服务器】

root@kali:~# nmap smtp.163.com -p25 --script=smtp-open-relay.nse

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 21:11 CST
Nmap scan report for smtp.163.com (220.181.12.15)
Host is up (0.043s latency).
Other addresses for smtp.163.com (not scanned): 220.181.12.14 220.181.12.13 220.181.12.12 220.181.12.11 220.181.12.18 220.181.12.17 220.181.12.16
rDNS record for 220.181.12.15: m12-15.163.com
PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 3.62 seconds

注：都可以用python脚本实现

 

防火墙识别

 

尽量隐蔽的情况下，扫描出防火墙上开放的端口，通过检查回包，可能识别端口是否被防火墙过滤。【被过滤的端口，不是防火墙上的端口，而是内部主机向外发起请求的临时端口】但设备多种多样，结果存在一定误差

 

如何判断四种情况：http://img.blog.csdn.net/20160912224355136?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast

 

python脚本扫描

#!/usr/bin/python

from scapy.all import*
import logging
logging.getLogger( "scapy.runtime" ).setLevel(logging.ERROR)
import sys

if len( sys.argv ) !=3:
   print "Usage - ./Firewalk_scan.py [Target.IP] [Target Port]"
   print "Example - ./Firewalk_scan.py 1.1.1.1 443"
   print "Example will determine if filtering exists on port 443 of Host 1.1.1.1"
   sys.exit()

ip = sys.argv[1]
port = int(sys.argv[2])

ACK_response = sr1(IP(dst=ip)/TCP(dport=port,flags="A"),timeout=1,verbose=0)
SYN_response = sr1(IP(dst=ip)/TCP(dport=port,flags="S"),timeout=1,verbose=0)

if ((ACK_response == None) or (SYN_response == None)):
   print "Port is either unstatefully filtered or host is down"
<strong>elif ((ACK_response == None) or (SYN_response == None)) and not ((ACK_response == None) and (SYN_response == None)):
   print "Stateful filtering in place"    #防火墙在线#此句有逻辑问题，尚未修改</strong>
elif int(SYN_response[TCP].flags) == 18:
   print "Port is unfiltered and open"
elif int(SYN_response[TCP].flags) == 20:
   print "Port is unfiltered and closed"
else:
   print "Unable to determine if the port is filtered"<strong>
</strong>

Nmap对防火墙的识别

root@kali:~# nmap -p22 192.168.1.141 -sA

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:18 CST
Nmap scan report for DESKTOP-TA5DCRJ (192.168.1.141)
Host is up (0.00021s latency).
PORT   STATE      SERVICE
22/tcp unfiltered ssh
MAC Address: 2C:6E:85:C4:0D:5B (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

根据其对SYN和ACK包的应答，去匹配上图类型

 

负载均衡识别

 

负载均衡从其应用的地理结构上分为本地负载均衡(Local Load Balance)和全局负载均衡(Global Load Balance，也叫地域负载均衡)，本地负载均衡是指对本地的服务器群做负载均衡，全局负载均衡是指对分别放置在不同的地理位置、有不同网络结构的服务器群间作负载均衡。它提供了一种廉价有效透明的方法扩展网络设备和服务器的带宽、增加吞吐量、加强网络数据处理能力、提高网络的灵活性和可用性。

简单来说是DNS，即同一个域名对应不同IP。

分类：http://lusongsong.com/reed/158.html

基于web的服务负载均衡经常使用Nginx、Apache应用层负载均衡

 

Lbd（直接加域名，或者加IP）

root@kali:~# lbd www.baidu.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

<strong>Checking for DNS-Loadbalancing: FOUND
www.a.shifen.com has address 14.215.177.38
www.a.shifen.com has address 14.215.177.37

Checking for HTTP-Loadbalancing [Server]:           #应用层负载均衡
 bfe/1.0.8.18
 NOT FOUND</strong>

Checking for HTTP-Loadbalancing [Date]: 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:24, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:25, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:26, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, 15:36:27, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: FOUND
< Last-Modified: Mon, 13 Jun 2016 02:50:17 GMT
> Last-Modified: Mon, 13 Jun 2016 02:50:12 GMT
< ETag: "575e1f69-115"
> ETag: "575e1f64-115"

www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]<strong>
</strong>

 

WAF识别

WAF（Web Application Firewall）的中文名称叫做“Web应用防火墙”，利用国际上公认的一种说法，WAF的定义是这样的：Web应用防火墙是通过执行一系列针对HTTP/HTTPS的安全策略来专门为Web应用提供保护的一款产品。通过从上面对WAF的定义中，我们可以很清晰的了解到，WAF是一种工作在应用层的、通过特定的安全策略来专门为Web应用提供安全防护的产品。

WAF攻防实战：http://secsky.sinaapp.com/216.html

基于规则WAF过滤【可绕过】，基于机器学习结合语法词法分析的WAF将成为主流，几乎可防止所有的SQL注入

 

wafw00f 

<strong>root@kali:~# wafw00f -l                         #列出其可检测的WAF
</strong>
                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.'  / __////7/ /,'  ,'  / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Can test for these WAFs:

Profense
NetContinuum
Barracuda
HyperGuard
BinarySec
Teros
F5 Trafficshield
F5 ASM
Airlock
Citrix NetScaler
ModSecurity
IBM Web Application Security
IBM DataPower
DenyALL
dotDefender
webApp.secure
BIG-IP
URLScan
WebKnight
SecureIIS
Imperva
ISA Server

<strong>root@kali:~# wafw00f http://www.microsoft.com</strong>

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.'  / __////7/ /,'  ,'  / __/
      | V V // o // _/ | V V // 0 // 0 // _/  
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/    
                                <   
                                 ...'
                                 
    WAFW00F - Web Application Firewall Detection Tool
    
    By Sandro Gauci && Wendel G. Henrique

Checking http://www.microsoft.com
Generic Detection results:
The site http://www.microsoft.com seems to be behind a WAF 
Reason: The server returned a different response code when a string trigged the blacklist.
Normal response code is "400", while the response code to an attack is "403"
Number of requests: 16

nmap检测WAF

root@kali:~# nmap www.microsoft.com <strong>--script=http-waf-detect.nse</strong>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-12 23:51 CST

 

 

 

 

 

 

小白日记，未完待续……