These notes record in detail the process of learning Kali Linux 2018.1 and using it for penetration testing; the material follows the "Kali Linux Penetration Testing" course from 安全牛课堂.
1. Introduction
- the scanner communicates directly with the target system
- leaving traces of the access cannot be avoided
Probe from a controlled third-party machine
- use a proxy or a host that is already under control
- be prepared to get blocked
- use noise to confuse the target and drown the real probe traffic
Scanning
- send different probes and judge the target's state from what comes back
2. Host discovery
1. Overview
Identify the hosts that are alive
- the potential attack targets
Output is a list of IP addresses
- discovery at layer 2, 3 or 4
2. Layer 2 discovery
Advantages
- fast and reliable scanning
Disadvantages
- not routable (only reaches the local segment)
Mechanism
- the ARP protocol
- confirmed by packet capture and analysis
1. arping
Overview
root@kali:~# arping
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don't go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use
-s source : source ip address
destination : ask for what ip address
Host scanning
# number of packets to send
root@kali:~# arping 10.10.10.132 -c 1
ARPING 10.10.10.132 from 10.10.10.131 eth0
Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C] 1.130ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
# duplicate address detection mode (probes are sent from source 0.0.0.0)
root@kali:~# arping 10.10.10.132 -D
ARPING 10.10.10.132 from 0.0.0.0 eth0
Unicast reply from 10.10.10.132 [00:0C:29:D0:AB:2C] 0.812ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
# print only the MAC address
root@kali:~# arping -c 1 10.10.10.132 | grep "reply from" | cut -d " " -f 5 | cut -d "[" -f 2 | cut -d "]" -f 1
00:0C:29:D0:AB:2C
2. nmap
Overview
-sn: Ping Scan - disable port scan
-iL <inputfilename>: Input from list of hosts/networks
Host scanning
# specify an IP address range
root@kali:~# nmap 10.10.10.1-254 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:06 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00058s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00025s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00036s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.0032s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00014s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 2.01 seconds
# create the address list (Python, one address per line)
with open('/root/Desktop/ipaddr.txt', 'w') as fo:
    for i in range(1, 255):
        fo.write('10.10.10.%d\n' % i)
# scan the addresses in the list
root@kali:~# nmap -iL ipaddr.txt -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 04:21 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00071s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0021s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00047s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00089s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.00018s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00050s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 1.83 seconds
3. Netdiscover
Overview
- dedicated to layer 2 discovery
- usable in wireless and switched network environments
- active and passive probing
Usage
root@kali:~# netdiscover -h
Netdiscover 0.3-pre-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>
Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-c]
-i device: network device
-r range: IP range to scan, e.g. 192.168.6.0/24, /16, /8
-l file: file listing the IP ranges to scan
-p passive mode: send nothing, only listen
-m file: scan a list of MAC addresses
-F filter: Customize pcap filter expression (default: "arp")
-s time: time to sleep between each arp request (milliseconds)
-n node: last ip octet used for scanning (from 2 to 253)
-c count: number of times to send each arp reques (for nets with packet loss)
-f enable fastmode scan, saves a lot of time, recommended for auto
-d ignore home config files for autoscan and fast mode
-S enable sleep time supression between each request (hardcore mode)
-P print results in a format suitable for parsing by another program
-N Do not print header. Only valid when -P is enabled.
-L in parsable output mode (-P), continue listening after the active scan is completed
Host scanning
- active scan
# scan a given address range
Currently scanning: Finished!   |   Screen View: Unique Hosts
6 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 360
IP             At MAC Address      Count  Len  MAC Vendor / Hostname
10.10.10.1     00:50:56:c0:00:08   1      60   VMware, Inc.
10.10.10.2     00:50:56:e1:24:a1   1      60   VMware, Inc.
10.10.10.132   00:0c:29:d0:ab:2c   1      60   VMware, Inc.
10.10.10.136   00:0c:29:35:6a:2d   1      60   VMware, Inc.
10.10.10.137   00:50:56:21:d2:3a   1      60   VMware, Inc.
10.10.10.254   00:50:56:e2:6b:78   1      60   VMware, Inc.
# scan the addresses in a list file
root@kali:~# netdiscover -l ipaddr.txt
Currently scanning: 10.10.10.0/24   |   Screen View: Unique Hosts
248 Captured ARP Req/Rep packets, from 6 hosts.   Total size: 14880
IP             At MAC Address      Count  Len   MAC Vendor / Hostname
10.10.10.1     00:50:56:c0:00:08   42     2520  VMware, Inc.
10.10.10.2     00:50:56:e1:24:a1   42     2520  VMware, Inc.
10.10.10.132   00:0c:29:d0:ab:2c   41     2460  VMware, Inc.
10.10.10.136   00:0c:29:35:6a:2d   41     2460  VMware, Inc.
10.10.10.137   00:50:56:21:d2:3a   41     2460  VMware, Inc.
10.10.10.254   00:50:56:e2:6b:78   41     2460  VMware, Inc.
Passive scan
# active ARP probing easily triggers alerts; passive mode only listens to ARP traffic already on the wire
root@kali:~# netdiscover -p
Currently scanning: (passive)   |   Screen View: Unique Hosts
12 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 720
IP             At MAC Address      Count  Len  MAC Vendor / Hostname
10.10.10.254   00:50:56:e2:6b:78   1      60   VMware, Inc.
10.10.10.2     00:50:56:e1:24:a1   3      180  VMware, Inc.
10.10.10.137   00:50:56:21:d2:3a   2      120  VMware, Inc.
10.10.10.132   00:0c:29:d0:ab:2c   4      240  VMware, Inc.
10.10.10.136   00:0c:29:35:6a:2d   2      120  VMware, Inc.
3. Layer 3 discovery
Advantages
- routable
- reasonably fast
Disadvantages
- slower than layer 2
- frequently filtered by border firewalls
Protocols: IP and ICMP
1. ping
Overview
root@kali:~# ping -h
Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface] [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos] [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline] [-W timeout] [hop1 ...] destination
Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface] [-l preload] [-m mark] [-M pmtudisc_option] [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline] [-W timeout] destination
Host scanning
# number of packets to send
root@kali:~# ping 10.10.10.132 -c 2
PING 10.10.10.132 (10.10.10.132) 56(84) bytes of data.
64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=10.3 ms
64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.214 ms
--- 10.10.10.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.214/5.302/10.390/5.088 ms
# route tracing: -R asks for the IP record-route option, traceroute uses TTL expiry
root@kali:~# ping -R 10.10.10.132
PING 10.10.10.132 (10.10.10.132) 56(124) bytes of data.
64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=0.237 ms
RR:     10.10.10.131
        10.10.10.132
        10.10.10.132
        10.10.10.131
64 bytes from 10.10.10.132: icmp_seq=2 ttl=64 time=0.376 ms (same route)
64 bytes from 10.10.10.132: icmp_seq=3 ttl=64 time=0.233 ms (same route)
64 bytes from 10.10.10.132: icmp_seq=4 ttl=64 time=0.227 ms (same route)
root@kali:~# traceroute 10.10.10.132
traceroute to 10.10.10.132 (10.10.10.132), 30 hops max, 60 byte packets
 1  10.10.10.132 (10.10.10.132)  0.311 ms  0.199 ms  0.140 ms
# extract only the responding address
root@kali:~# ping -c 1 10.10.10.132 | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1
2. fping
Overview
root@kali:~# fping -h
Usage: fping [options] [targets...]
Probing options:
-4, --ipv4 only ping IPv4 addresses
-6, --ipv6 only ping IPv6 addresses
-b, --size=BYTES amount of ping data to send, in bytes (default: 56)
-B, --backoff=N set exponential backoff factor to N (default: 1.5)
-c, --count=N count mode: send N pings to each target
-f, --file=FILE read list of targets from a file ( - means stdin)
-g, --generate generate target list (only if no -f specified) (give start and end IP in the target list, or a CIDR address) (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
-H, --ttl=N set the IP TTL value (Time To Live hops)
-I, --iface=IFACE bind to a particular interface
-l, --loop loop mode: send pings forever
-m, --all use all IPs of provided hostnames (e.g. IPv4 and IPv6), use with -A
-M, --dontfrag set the Don't Fragment flag
-O, --tos=N set the type of service (tos) flag on the ICMP packets
-p, --period=MSEC interval between ping packets to one target (in ms) (in loop and count modes, default: 1000 ms)
-r, --retry=N number of retries (default: 3)
-R, --random random packet data (to foil link data compression)
-S, --src=IP set source address
-t, --timeout=MSEC individual target initial timeout (default: 500 ms, except with -l/-c/-C, where it's the -p period up to 2000 ms)
Output options:
-a, --alive show targets that are alive
-A, --addr show targets by address
-C, --vcount=N same as -c, report results in verbose format
-D, --timestamp print timestamp before each output line
-e, --elapsed show elapsed time on return packets
-i, --interval=MSEC interval between sending ping packets (default: 10 ms)
-n, --name show targets by name (-d is equivalent)
-N, --netdata output compatible for netdata (-l -Q are required)
-o, --outage show the accumulated outage time (lost packets * packet interval)
-q, --quiet quiet (don't show per-target/per-ping results)
-Q, --squiet=SECS same as -q, but show summary every n seconds
-s, --stats print final stats
-u, --unreach show targets that are unreachable
-v, --version show version
Host scanning
# number of packets to send; grep keeps only the lines reporting 0% loss
root@kali:~# fping -c 1 10.10.10.132 | grep 0%
10.10.10.132 : xmt/rcv/%loss = 1/1/0%, min/avg/max = 0.29/0.29/0.29
10.10.10.132 : [0], 84 bytes, 0.29 ms (0.29 avg, 0% loss)
# generate the target list from a start/end pair or a CIDR block, or read it from a file
root@kali:~# fping -g 10.10.10.132 10.10.10.136-137
root@kali:~# fping -g 10.10.10.0/24
root@kali:~# fping -f ipaddr.txt
3. hping3
Overview
- can send almost any TCP/IP packet
- powerful, but scans only one target at a time
Host scanning
# ICMP probe with a packet count
root@kali:~# hping3 10.10.10.132 --icmp -c 2
HPING 10.10.10.132 (eth0 10.10.10.132): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.132 ttl=64 id=33497 icmp_seq=0 rtt=4.4 ms
len=46 ip=10.10.10.132 ttl=64 id=33498 icmp_seq=1 rtt=8.0 ms
--- 10.10.10.132 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.4/6.2/8.0 ms
4. scapy
Overview
Packets are built by hand by stacking OSI layers, e.g. IP/ICMP for an ICMP echo request
Host scanning
from scapy.all import *
ip = IP()
ip.dst = "1.1.1.1"
ping = ICMP()
a = sr1(ip/ping)          # send and wait for the first reply
a.display()
a = sr1(ip/ping, timeout=1)
# pinging an address that does not exist: sr1 returns None once the timeout expires
a = sr1(IP(dst="1.1.1.1")/ICMP(), timeout=1)
4. Layer 4 discovery
Advantages
- routable and the results are reliable
- unlikely to be filtered by firewalls
- can even discover hosts whose ports are all filtered
Disadvantages
- stateful firewalls may filter the scan
- a full port scan is slow
TCP
- an unsolicited ACK draws an RST
- a SYN draws SYN/ACK or RST
UDP
- ICMP port unreachable, or nothing comes back at all
ACK probe: TCP port → RST
from scapy.all import *
i = IP()
i.dst = "1.1.1.1"
t = TCP()
t.flags = 'A'
r = (i/t)
a = sr1(r, timeout=1)
if a:
    a.display()           # an RST from the target proves the host is up
a = sr1(IP(dst="1.1.1.1")/TCP(dport=80, flags='A'), timeout=1)
UDP probe: UDP port → ICMP (unreliable)
from scapy.all import *
i = IP(dst="1.1.1.1")
u = UDP()
u.dport = 33333
r = (i/u)
a = sr1(r, timeout=1, verbose=1)   # ICMP port unreachable: host is up; no reply: inconclusive
1. nmap
Overview
-A: enable OS detection, version detection, script scanning and traceroute
-sn: Ping Scan - disable port scan
-PU[portlist]: UDP ping, another host-discovery option
-PS[portlist] (TCP SYN Ping)
-PA[portlist] (TCP ACK Ping)
-PE; -PP; -PM (ICMP Ping Types)
-PR (ARP Ping)
Host scanning
# UDP ping (the port list must be attached to the option, e.g. -PU53; the separated "53" below is parsed as an extra target, hence the route error)
root@kali:~# nmap 10.10.10.1-254 -PU 53 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:13 EDT
setup_target: failed to determine route to 53 (0.0.0.53)
Nmap scan report for 10.10.10.1
Host is up (0.00080s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00045s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00045s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00039s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.00038s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00092s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 2.07 seconds
# ACK ping (same remark: -PA80 would be the intended form)
root@kali:~# nmap 10.10.10.1-254 -PA 80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:15 EDT
setup_target: failed to determine route to 80 (0.0.0.80)
Nmap scan report for 10.10.10.1
Host is up (0.00066s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.0033s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00064s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00052s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.0013s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00040s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 1.81 seconds
# addresses from a list file
root@kali:~# nmap -iL ipaddr.txt 10.10.10.1-254 -PA 80 -sn
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:16 EDT
Nmap scan report for 10.10.10.1
Host is up (0.00089s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00058s latency).
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00050s latency).
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap scan report for 10.10.10.136
Host is up (0.00049s latency).
MAC Address: 00:0C:29:35:6A:2D (VMware)
Nmap scan report for 10.10.10.137
Host is up (0.00043s latency).
MAC Address: 00:50:56:21:D2:3A (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00031s latency).
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap scan report for 10.10.10.131
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 2.14 seconds
2. hping3
Overview
-c --count packet count
-2 --udp UDP mode
Host scanning
root@kali:~# hping3 --udp 10.10.10.132 -c 1
HPING 10.10.10.132 (eth0 10.10.10.132): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.10.10.132 name=UNKNOWN
status=0 port=2770 seq=0
--- 10.10.10.132 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 55.1/55.1/55.1 ms
3. Port scanning
- ports correspond to the network-reachable server-side applications
- vulnerabilities in server programs are attacked through their ports
- discover the open ports
- a more concrete attack surface
1. UDP port scanning
UDP port scanning
- assumes that an ICMP port-unreachable response means the port is closed
- when the target does not send port-unreachable at all, this produces false positives
Full UDP application-layer requests
- high accuracy
- extremely time-consuming
- Scapy UDP scan
- closed port: ICMP port-unreachable
- open port: no reply
- knowing the packet structure of each UDP-based application protocol helps a lot
- same technique as layer 3 discovery
- prone to misjudgement
1. nmap
Overview
-sU: UDP Scan
-p <port ranges>: Only scan specified ports
Port scanning
# default: the 1000 most common UDP ports
root@kali:~# nmap -sU 10.10.10.132
# a specific port
root@kali:~# nmap -sU 10.10.10.132 -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:48 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
PORT   STATE SERVICE
53/udp open  domain
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
# addresses from a list file, ports 1-200
root@kali:~# nmap -iL ipaddr.txt -sU -p 1-200
2. TCP port scanning
- connection-oriented protocol
- three-way handshake
- stealth scan
- zombie (idle) scan
- full-connect scan
- every TCP scan type judges the port state from some variation of the three-way handshake
Stealth scan
- does not establish a complete connection
- the application log does not record the scan, hence "stealth"
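The flip side of "the application log does not record it" is that the network layer still sees every SYN. Added example, not code from the notes: a small classifier over constructed flow records (the Flow fields, addresses and thresholds are this example's own assumptions) that separates a SYN scan, a connect() scan and an ordinary client by how many distinct ports a source touches and whether it ever completes the handshake.

```python
"""Spot half-open (SYN) scans in network-level flow records.

Added example, not code from the notes. A SYN scan never completes the
handshake, so the application never logs it; the records below are
constructed to mimic what a sensor on the wire would still see.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    client_flags: str   # TCP flags the client sent over the flow's life, in order


# Constructed sample flows (assumed addresses, not captures from the lab above):
#  10.10.10.131 runs a SYN scan: SYN, then RST on open ports, nothing more
#  10.10.10.140 runs a connect() scan: full handshake, then FIN
#  10.10.10.50 is an ordinary client using two services
SAMPLE_FLOWS = [
    Flow("10.10.10.131", "10.10.10.132", 21, "SR"),
    Flow("10.10.10.131", "10.10.10.132", 22, "SR"),
    Flow("10.10.10.131", "10.10.10.132", 23, "SR"),
    Flow("10.10.10.131", "10.10.10.132", 25, "SR"),
    Flow("10.10.10.131", "10.10.10.132", 110, "S"),   # closed: target answered RST
    Flow("10.10.10.131", "10.10.10.132", 443, "S"),
    Flow("10.10.10.140", "10.10.10.132", 21, "SAF"),
    Flow("10.10.10.140", "10.10.10.132", 22, "SAF"),
    Flow("10.10.10.140", "10.10.10.132", 25, "SAF"),
    Flow("10.10.10.140", "10.10.10.132", 80, "SAF"),
    Flow("10.10.10.140", "10.10.10.132", 443, "S"),
    Flow("10.10.10.50", "10.10.10.132", 80, "SAF"),
    Flow("10.10.10.50", "10.10.10.132", 80, "SAF"),
    Flow("10.10.10.50", "10.10.10.132", 22, "SAF"),
]


def is_half_open(flow):
    """True when the client never sent the ACK that completes the handshake."""
    return "A" not in flow.client_flags


def summarize_sources(flows):
    """Per source: distinct (dst, port) pairs touched, flows seen, half-open flows."""
    per_src = defaultdict(lambda: {"targets": set(), "flows": 0, "half_open": 0})
    for f in flows:
        s = per_src[f.src]
        s["targets"].add((f.dst, f.dport))
        s["flows"] += 1
        if is_half_open(f):
            s["half_open"] += 1
    return per_src


def classify_sources(flows, min_targets=5, half_open_ratio=0.8):
    """Label each source 'benign', 'syn-scan' or 'connect-scan'.

    Thresholds are this example's assumptions: a source is only suspicious
    once it touches min_targets distinct ports; among suspicious sources,
    one that almost never completes the handshake is doing a SYN scan,
    one that does complete it is doing a connect() scan (and will also
    show up in the application logs).
    """
    verdicts = {}
    for src, s in summarize_sources(flows).items():
        if len(s["targets"]) < min_targets:
            verdicts[src] = "benign"
        elif s["half_open"] / s["flows"] >= half_open_ratio:
            verdicts[src] = "syn-scan"
        else:
            verdicts[src] = "connect-scan"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_FLOWS).items()):
        print(src, verdict)
```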
Zombie (idle) scan
- extremely stealthy
- demanding preconditions (relies on the IPID)
- the source address can be forged
- choosing a zombie
- an idle system
- a system whose IPID increments by one per packet (a host whose IPID is always 0 or random is unusable)
1. Stealth port scanning
1. scapy
- SYN → SYN/ACK → RST
from scapy.all import *
# TCP() defaults to the SYN flag: SYN/ACK back means open, RST means closed, no reply means filtered
a = sr1(IP(dst="192.168.60.3")/TCP(dport=80), timeout=1, verbose=1)
2. nmap
Overview
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
Port scanning
# specific ports
root@kali:~# nmap -sS 10.10.10.132 -p 80,21,25,110,443
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
PORT    STATE  SERVICE
21/tcp  open   ftp
25/tcp  open   smtp
80/tcp  open   http
110/tcp closed pop3
443/tcp closed https
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
# the whole port range, showing only open ports
root@kali:~# nmap -sS 10.10.10.132 -p 1-65535 --open
Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:57 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00010s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
37499/tcp open  unknown
41241/tcp open  unknown
44616/tcp open  unknown
56072/tcp open  unknown
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.27 seconds
# same scan with the -p- shorthand for all ports
root@kali:~# nmap -sS 10.10.10.132 -p- --open
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:58 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00027s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
37499/tcp open  unknown
41241/tcp open  unknown
44616/tcp open  unknown
56072/tcp open  unknown
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
# addresses from a list file
root@kali:~# nmap -sS -iL ipaddr.txt -p 80,21,22,23
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 05:59 EDT
Nmap scan report for 10.10.10.1
Host is up (0.0011s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00085s latency).
PORT   STATE    SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp filtered http
MAC Address: 00:50:56:E2:6B:78 (VMware)
Nmap done: 254 IP addresses (7 hosts up) scanned in 3.48 seconds
3. hping3
Overview
-8 --scan port range to scan
-c --count packet count
-a --spoof spoof the source address
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
Port scanning
# SYN scan of one port
root@kali:~# hping3 10.10.10.132 --scan 80 -S
Scanning 10.10.10.132 (10.10.10.132), port 80
1 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  80 http       : .S..A... 64     0  5840    46
All replies received. Done.
Not responding ports:
# SYN scan of a list of ports
root@kali:~# hping3 10.10.10.132 --scan 801,21,25,443 -S
Scanning 10.10.10.132 (10.10.10.132), port 801,21,25,443
4 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  21 ftp        : .S..A... 64     0  5840    46
  25 smtp       : .S..A... 64     0  5840    46
All replies received. Done.
Not responding ports:
# SYN scan of a port range
root@kali:~# hping3 10.10.10.132 --scan 0-65535 -S
Scanning 10.10.10.132 (10.10.10.132), port 0-65535
65536 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp        : .S..A... 64     0  5840    46
   22 ssh        : .S..A... 64     0  5840    46
   23 telnet     : .S..A... 64     0  5840    46
   25 smtp       : .S..A... 64     0  5840    46
   53 domain     : .S..A... 64     0  5840    46
   80 http       : .S..A... 64     0  5840    46
  111 sunrpc     : .S..A... 64     0  5840    46
  139 netbios-ssn: .S..A... 64     0  5840    46
  445 microsoft-d: .S..A... 64     0  5840    46
  512 exec       : .S..A... 64     0  5840    46
  513 login      : .S..A... 64     0  5840    46
  514 shell      : .S..A... 64     0  5840    46
 1099 rmiregistry: .S..A... 64     0  5840    46
 1524 ingreslock : .S..A... 64     0  5840    46
 3306 mysql      : .S..A... 64     0  5840    46
 5432 postgresql : .S..A... 64     0  5840    46
 5900            : .S..A... 64     0  5840    46
 6000 x11        : .S..A... 64     0  5840    46
 8009            : .S..A... 64     0  5840    46
 8180            : .S..A... 64     0  5840    46
 8787            : .S..A... 64     0  5840    46
37499            : .S..A... 64     0  5840    46
44616            : .S..A... 64     0  5840    46
56072            : .S..A... 64     0  5840    46
 2049 nfs        : .S..A... 64     0  5840    46
 2121 iprop      : .S..A... 64     0  5840    46
 3632 distcc     : .S..A... 64     0  5840    46
 6667 ircd       : .S..A... 64     0  5840    46
 6697 ircs-u     : .S..A... 64     0  5840    46
41241            : .S..A... 64     0  5840    46
All replies received. Done.
Not responding ports:
# source address spoofing: replies go to the spoofed address, so nothing is shown here
root@kali:~# hping3 -c 10 -S --spoof 10.10.10.136 -p ++1 10.10.10.132
2. Full-connect port scanning
1. scapy
Overview
- a SYN scan does not need raw packets
- the kernel, which knows nothing about the scapy-sent SYN, treats the SYN/ACK as an illegitimate packet and immediately answers RST, tearing the connection down
Full-connect scanning is therefore awkward with scapy
from scapy.all import *
sr1(IP(dst="192.168.20.2")/TCP(dport=22, flags='S'))
2. nmap
Overview
-sT (TCP connect() scan)
-sU (UDP scan)
-sS (TCP SYN scan)
-sN; -sF; -sX (TCP Null, FIN, and Xmas scans)
Port scanning
# a specific port (default is the 1000 most common ports)
root@kali:~# nmap -sT 10.10.10.132 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:14 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00049s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
# a list of ports
root@kali:~# nmap -sT 10.10.10.132 -p 80,21,25,443
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00038s latency).
PORT    STATE  SERVICE
21/tcp  open   ftp
25/tcp  open   smtp
80/tcp  open   http
443/tcp closed https
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
# a port range
root@kali:~# nmap -sT 10.10.10.132 -p 80-2000
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:15 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00029s latency).
Not shown: 1912 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
# addresses from a list file
root@kali:~# nmap -sT -iL ipaddr.txt -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:16 EDT
Nmap scan report for 10.10.10.1
Host is up (0.0012s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00037s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:50:56:E1:24:A1 (VMware)
Nmap scan report for 10.10.10.132
Host is up (0.00029s latency).
3. dmitry
Overview
- limited functionality, simple to use
Scans the 150 most common ports by default
root@kali:~# dmitry
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
Port scanning
# scan a given IP
root@kali:~# dmitry -p 10.10.10.132
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port    State
21/tcp  open
22/tcp  open
23/tcp  open
25/tcp  open
53/tcp  open
80/tcp  open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
All scans completed, exiting
# write the output to a file (dmitry appends .txt to the name given)
root@kali:~# dmitry -p 10.10.10.132 -o output.txt
Deepmagic Information Gathering Tool
"There be some deep magic going on"
Writing output to 'output.txt.txt'
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port    State
21/tcp  open
22/tcp  open
23/tcp  open
25/tcp  open
53/tcp  open
80/tcp  open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
4. nc
Overview
root@kali:~# nc -h
[v1.10-41.1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive]; hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
Port scanning
# -z: connect without sending data; -w 1: one-second timeout; -n: no DNS
root@kali:~# nc -nv -w 1 -z 10.10.10.132 1-100
(UNKNOWN) [10.10.10.132] 80 (http) open
(UNKNOWN) [10.10.10.132] 53 (domain) open
(UNKNOWN) [10.10.10.132] 25 (smtp) open
(UNKNOWN) [10.10.10.132] 23 (telnet) open
(UNKNOWN) [10.10.10.132] 22 (ssh) open
(UNKNOWN) [10.10.10.132] 21 (ftp) open
3. Zombie (idle) scan
- uses the zombie's incrementing IPID to tell whether a port on the target is open
1. scapy
from scapy.all import *
IPz = "ZOMBIE_IP"           # placeholder: address of the idle zombie host
IPt = "TARGET_IP"           # placeholder: address of the target
i = IP()
t = TCP()
rz = (i/t)                  # probe sent to the zombie to read its current IPID
rt = (i/t)                  # SYN sent to the target with the zombie's address as source
rz[IP].dst = IPz
rz[TCP].dport = 445
rt[IP].src = IPz
rt[IP].dst = IPt
rt[TCP].dport = 22
az1 = sr1(rz, timeout=1)    # first IPID reading from the zombie
at = sr1(rt, timeout=1)     # no reply reaches us: the target answers the zombie instead
az2 = sr1(rz, timeout=1)    # second IPID reading from the zombie
az1.display()
az2.display()               # compare the id fields: +2 means port 22 is open, +1 closed or filtered
2. nmap
Overview
Use the ipidseq script to find hosts suitable as zombies
-sI <zombie host[:probeport]>: Idle scan
-Pn: Treat all hosts as online -- skip host discovery
Finding a zombie
# locate the script
root@kali:~# ls /usr/share/nmap/scripts | grep ipid
# ipidseq: All zeros (unusable as a zombie)
root@kali:~# nmap -p 445 10.10.10.132 --script=ipidseq.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00043s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Host script results:
|_ipidseq: All zeros
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
# ipidseq: Incremental! (usable as a zombie)
root@kali:~# nmap -p 445 10.10.10.136 --script=ipidseq.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:26 EDT
Nmap scan report for 10.10.10.136
Host is up (0.00042s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:35:6A:2D (VMware)
Host script results:
|_ipidseq: Incremental!
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
Scanning the target
root@kali:~# nmap 10.10.10.132 -sI 10.10.10.136 -Pn -p 0-200
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 06:29 EDT
Idle scan using zombie 10.10.10.136 (10.10.10.136:80); Class: Incremental
Nmap scan report for 10.10.10.132
Host is up (0.047s latency).
Not shown: 193 closed|filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
111/tcp open  rpcbind
139/tcp open  netbios-ssn
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
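The ipidseq labels above and the az1/az2 comparison in the scapy sequence both reduce to one question: does the host's IP ID advance by exactly one per packet? Added example, not code from the notes or from nmap: a classifier over constructed IP ID sequences whose class names mirror the ipidseq output (thresholds and the "Constant" class are this example's own assumptions), plus the two-reading verdict an idle scan draws. Read from the other side, it shows why a host that randomizes its IP ID cannot serve as a zombie.

```python
"""Classify a host's IP ID sequence and interpret two zombie readings.

Added example; not code from the notes or from nmap. The class names
mirror the labels nmap's ipidseq script prints; the thresholds and the
"Constant" class are this example's own assumptions, and every sequence
below is constructed, not captured.
"""

ALL_ZEROS = "All zeros"
INCREMENTAL = "Incremental!"
BROKEN_LE = "Broken little-endian incremental!"
RANDOM_POS = "Random positive increments"
RANDOMIZED = "Randomized"
CONSTANT = "Constant"
UNKNOWN = "Unknown"

# Assumed thresholds: a lightly used host may step by a few IDs between our
# probes and still count as incremental; a step of 20000 or more (which is
# also what a backwards jump becomes modulo 2**16) is treated as random.
MAX_INCR_STEP = 5
RANDOM_STEP = 20000


def _steps(ids):
    """Successive differences modulo 2**16, so 65535 -> 0 still counts as +1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def _byteswap(value):
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid(ids):
    """Return the sequence class for a list of IP ID values, one per reply."""
    if len(ids) < 3:
        return UNKNOWN
    if all(v == 0 for v in ids):
        return ALL_ZEROS
    steps = _steps(ids)
    if all(s == 0 for s in steps):
        return CONSTANT
    if max(steps) >= RANDOM_STEP:
        return RANDOMIZED
    if all(1 <= s <= MAX_INCR_STEP for s in steps):
        return INCREMENTAL
    # Some stacks send the counter in host byte order; undo the swap and retry.
    if all(1 <= s <= MAX_INCR_STEP for s in _steps([_byteswap(v) for v in ids])):
        return BROKEN_LE
    return RANDOM_POS


def usable_as_zombie(ids):
    """Only a quiet, plainly incrementing host lets a scanner read the single
    extra increment caused by the target's reply; every other class is noise."""
    return classify_ipid(ids) in (INCREMENTAL, BROKEN_LE)


def idle_scan_verdict(ipid_before, ipid_after):
    """Interpret the two zombie readings (az1, az2) taken around one spoofed SYN."""
    step = (ipid_after - ipid_before) % 65536
    if step == 2:
        return "open"              # target sent SYN/ACK to the zombie, zombie answered RST
    if step == 1:
        return "closed|filtered"   # only our own second probe advanced the counter
    return "unknown (zombie not idle)"


if __name__ == "__main__":
    for seq in ([0, 0, 0, 0], [100, 101, 102, 103], [65534, 65535, 0, 1],
                [256, 512, 768, 1024], [100, 1500, 3000, 4100], [5, 40000, 12, 60000]):
        print(seq, classify_ipid(seq), usable_as_zombie(seq))
    print(idle_scan_verdict(1000, 1002), idle_scan_verdict(1000, 1001))
```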
4. Service scanning
- identify the application running on an open port
- identify the target operating system
Improves attack efficiency
- banner grabbing
- service identification
- operating system identification
- SNMP analysis
- firewall identification
Banner
- software vendor
- software name
- service type
- version number
- directly reveals known vulnerabilities and weaknesses
The banner is read directly once the connection is established
Alternative ways to identify a service
- characteristic behaviour and response fields
- differences in the responses can identify the underlying operating system
SNMP
- Simple Network Management Protocol
- community strings
- information queries or reconfiguration
Identifying and bypassing firewall filtering
1. banner
- banner grabbing is limited in what it can tell
- nmap identifies services by analysing response characteristics
- it sends a series of complex probes
- and matches the responses against signatures
1. nc
root@kali:~# nc -nv 10.10.10.132 80
(UNKNOWN) [10.10.10.132] 80 (http) open
GET /
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>
_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ | |/ _ | | __/ _` | '_ | |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
2. socket
import socket
bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
bangrab.connect(("1.1.1.1", 21))
print(bangrab.recv(4096))   # the server's greeting is the banner
bangrab.close()
3. dmitry
Overview
- same tool and usage text as in the port-scanning section above; -b reads the banner from each open port and requires -p
Service scanning
# TCP port scan
root@kali:~# dmitry -p 10.10.10.132
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port    State
21/tcp  open
22/tcp  open
23/tcp  open
25/tcp  open
53/tcp  open
80/tcp  open
111/tcp open
139/tcp open
Portscan Finished: Scanned 150 ports, 141 ports were in state closed
All scans completed, exiting
# read the banners as well
root@kali:~# dmitry -pb 10.10.10.132
Deepmagic Information Gathering Tool
"There be some deep magic going on"
ERROR: Unable to locate Host Name for 10.10.10.132
Continuing with limited modules
HostIP:10.10.10.132
HostName:
Gathered TCP Port information for 10.10.10.132
---------------------------------
Port    State
21/tcp  open
>> 220 (vsFTPd 2.3.4)
22/tcp  open
>> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp  open
>>
25/tcp  open
>> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp  open
Portscan Finished: Scanned 150 ports, 144 ports were in state closed
All scans completed, exiting
4. nmap
Overview
root@kali:~# cat /usr/share/nmap/scripts/banner.nse
-sV: Probe open ports to determine service/version info
Service scanning
# run the banner script against a port range
root@kali:~# nmap -sT 10.10.10.132 -p 1-100 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:23 EDT
Nmap scan report for 10.10.10.132
Host is up (0.0015s latency).
Not shown: 94 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open  telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp open  smtp
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp open  domain
80/tcp open  http
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 15.53 seconds
# probe the open port to determine service and version
root@kali:~# nmap 10.10.10.132 -p 80 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:28 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00032s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
5. amap
Overview
root@kali:~# amap
amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

Modes:
  -A          Map applications: send triggers and analyse responses (default)
  -B          Just grab banners, do not send triggers
  -P          No banner or application stuff - be a (full connect) port scanner
Options:
  -1          Only send triggers to a port until 1st identification. Speeeeed!
  -6          Use IPv6 instead of IPv4
  -b          Print ascii banner of responses
  -i FILE     Nmap machine readable outputfile to read ports from
  -u          Ports specified on commandline are UDP (default is TCP)
  -R          Do NOT identify RPC service
  -H          Do NOT send application triggers marked as potentially harmful
  -U          Do NOT dump unrecognised responses (better for scripting)
  -d          Dump all responses
  -v          Verbose mode, use twice (or more!) for debug (not recommended :-)
  -q          Do not report closed ports, and do not print them as unidentified
  -o FILE [-m] Write output to file FILE, -m creates machine readable output
  -c CONS     Amount of parallel connections to make (default 32, max 256)
  -C RETRIES  Number of reconnects on connect timeouts (see -T) (default 3)
  -T SEC      Connect timeout on connection attempts in seconds (default 5)
  -t SEC      Response wait timeout in seconds (default 5)
  -p PROTO    Only send triggers for this protocol (e.g. ftp)
  TARGET PORT The target address and port(s) to scan (additional to -i)

amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
Service scan
# Grab the banner of a single port
root@kali:~# amap -B 10.10.10.132 21
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:24:39 - BANNER mode
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
amap v5.4 finished at 2018-03-31 07:24:39

# Grab banners over the full port range
root@kali:~# amap -B 10.10.10.132 1-65535
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:25:15 - BANNER mode
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
Banner on 10.10.10.132:23/tcp : #'
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
Banner on 10.10.10.132:512/tcp : Where are you?\n
Banner on 10.10.10.132:1524/tcp : root@metasploitable/#
Banner on 10.10.10.132:2121/tcp : 220 ProFTPD 1.3.1 Server (Debian) [ffff10.10.10.132]\r\n
Banner on 10.10.10.132:3306/tcp : >\n5.0.51a-3ubuntu5yG5q^`G!,n+'#vOd-P*!c
Banner on 10.10.10.132:5900/tcp : RFB 003.003\n
Banner on 10.10.10.132:6667/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...\r\n
Banner on 10.10.10.132:6697/tcp : irc.Metasploitable.LAN NOTICE AUTH *** Looking up your hostname...\r\n
amap v5.4 finished at 2018-03-31 07:25:21

The 23/tcp banner "#'" is just the printable remainder of the telnet IAC negotiation that nmap's banner.nse showed in full above, and the 3306/tcp banner is the MySQL handshake: the server version string (5.0.51a-3ubuntu5) followed by the random bytes of the authentication salt.

# Scan a port range
root@kali:~# amap -B 10.10.10.132 20-32
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:26:55 - BANNER mode
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Banner on 10.10.10.132:23/tcp : #'
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n

# Do not report closed ports (-q)
root@kali:~# amap -B 10.10.10.132 20-32 -q
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:27:31 - BANNER mode
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Banner on 10.10.10.132:23/tcp : #'
amap v5.4 finished at 2018-03-31 07:27:31

# Print the responses as an ASCII banner (-b)
root@kali:~# amap -B 10.10.10.132 20-32 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2018-03-31 07:28:27 - BANNER mode
Banner on 10.10.10.132:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
Banner on 10.10.10.132:21/tcp : 220 (vsFTPd 2.3.4)\r\n
Banner on 10.10.10.132:22/tcp : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Banner on 10.10.10.132:23/tcp : #'
amap v5.4 finished at 2018-03-31 07:28:27
5. OS identification
OS fingerprinting techniques
- There are many of them
- Good products combine several techniques
Initial TTL values (the TTL a stack puts into outgoing packets; every router on the path decrements it by one, so the observed value is the initial value minus the hop count)
- Windows: 128 (observed 65-128)
- Linux/Unix: 64 (observed 1-64)
- Some Unix: 255
1. python
Overview
from scapy.all import IP, ICMP, sr1

win = "10.10.10.136"    # Windows host in the lab
linu = "10.10.10.132"   # Linux host (Metasploitable)

# sr1() sends one packet and returns the first reply, or None on timeout
aw = sr1(IP(dst=win)/ICMP(), timeout=2, verbose=0)
al = sr1(IP(dst=linu)/ICMP(), timeout=2, verbose=0)

for name, reply in (("win", aw), ("linu", al)):
    if reply is None:
        print(name, "no ICMP reply")
    elif reply[IP].ttl <= 64:
        print(name, "host is linux")
    else:
        print(name, "host is windows")
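The scapy snippet only compares one reply against 64. The rule of thumb in the TTL table above generalizes: pick the smallest standard initial TTL that is at least the observed value, and the difference is the number of routers the reply crossed. The following is an added example, not code from the original notes: it applies that rule to ordinary ping output (Linux and Windows formats) so it needs no raw sockets or scapy. The reply lines are constructed for the lab addresses used on this page.

```python
import re

# Initial TTLs of common stacks, as listed in the table above.
INITIAL_TTLS = {
    64: "Linux/Unix",
    128: "Windows",
    255: "some Unix",
}


def guess_os(observed_ttl):
    """Return (os_guess, hop_count) for an observed TTL.

    The initial TTL is assumed to be the smallest standard value >= the
    observed one.  Caveat: a NAT or proxy that rewrites TTL, or a Linux host
    more than 64 hops away, breaks this guess; treat it as a hint, not proof.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} out of range")


# Matches both "64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 ..." (Linux iputils)
# and "Reply from 10.0.0.1: bytes=32 time<1ms TTL=128" (Windows).
TTL_RE = re.compile(r"from (\S+?):.*\bttl=(\d+)", re.IGNORECASE)


def classify_ping_output(text):
    """Parse ping reply lines and return {ip: (os_guess, hops)}, first reply wins."""
    results = {}
    for line in text.splitlines():
        m = TTL_RE.search(line)
        if m:
            ip, ttl = m.group(1), int(m.group(2))
            results.setdefault(ip, guess_os(ttl))
    return results


# Constructed sample output (not a real capture): two lab hosts, one host a
# few hops away, and a TEST-NET address answering with a 255-based TTL.
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.10.10.132: icmp_seq=1 ttl=64 time=0.318 ms
Reply from 10.10.10.136: bytes=32 time<1ms TTL=128
64 bytes from 10.10.10.137: icmp_seq=1 ttl=121 time=1.22 ms
64 bytes from 203.0.113.10: icmp_seq=1 ttl=247 time=24.1 ms
"""

if __name__ == "__main__":
    for ip, (os_guess, hops) in classify_ping_output(SAMPLE_PING_OUTPUT).items():
        print(f"{ip:15} {os_guess:12} {hops} hop(s)")
```

Run `ping -c 1 <host> | python3 ttl_guess.py` style pipelines by reading stdin instead of SAMPLE_PING_OUTPUT; the hop count it reports should agree with nmap's "Network Distance" line.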
2. nmap
Overview
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
OS identification
root@kali:~# nmap 10.10.10.132 -O
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 07:42 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:D0:AB:2C (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

-O needs raw packets (run as root) and gives its best results when the port scan finds at least one open and one closed TCP port; --osscan-limit skips hosts that do not meet that condition instead of producing a weak guess.
3. xprobe2
Overview
# Results are approximate
root@kali:~# xprobe2
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

usage: xprobe2 [options] target
Options:
  -v               Be verbose
  -r               Show route to target(traceroute)
  -p <proto:portnum:state>  Specify portnumber, protocol and state.
                   Example: tcp:23:open, UDP:53:CLOSED
  -c <configfile>  Specify config file to use.
  -h               Print this help.
  -o <fname>       Use logfile to log everything.
  -t <time_sec>    Set initial receive timeout or roundtrip time.
  -s <send_delay>  Set packsending delay (milseconds).
  -d <debuglv>     Specify debugging level.
  -D <modnum>      Disable module number <modnum>.
  -M <modnum>      Enable module number <modnum>.
  -L               Display modules.
  -m <numofmatches> Specify number of matches to print.
  -T <portspec>    Enable TCP portscan for specified port(s).
                   Example: -T21-23,53,110
  -U <portspec>    Enable UDP portscan for specified port(s).
  -f               force fixed round-trip time (-t opt).
  -F               Generate signature (use -o to save to a file).
  -X               Generate XML output and save it to logfile specified with -o.
  -B               Options forces TCP handshake module to try to guess open TCP port
  -A               Perform analysis of sample packets gathered during portscan in order to detect suspicious traffic (i.e. transparent proxies, firewalls/NIDSs resetting connections). Use with -T.
OS identification
root@kali:~# xprobe2 10.10.10.132
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 10.10.10.132
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.10.10.132. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.10.10.132. Module test failed
[-] No distance calculation. 10.10.10.132 appears to be dead or no ports known
[+] Host: 10.10.10.132 is up (Guess probability: 50%)
[+] Target: 10.10.10.132 is alive. Round-Trip Time: 0.48084 sec
[+] Selected safe Round-Trip Time value is: 0.96167 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

Every TCP, SMB and SNMP module was skipped because xprobe2 was given no port information ("no open TCP ports known"), which is why the run above ends without a usable OS guess. Tell it about ports you already know from the service scan, e.g. xprobe2 -p tcp:22:open 10.10.10.132, or let it scan a few with -T 21-25, so the TCP handshake module can contribute.
4. p0f
Overview
- Passive identification: p0f sends nothing and fingerprints the TCP/IP traffic it can observe
- Combined with ARP spoofing (so the LAN's traffic passes through the attacking host) it can identify the OS of every host on the network
5. SNMP scan
snmp
- A goldmine of information
- Frequently misconfigured
- Default/common community strings: public / private / manager
MIB Tree
- SNMP Management Information Base (MIB)
- A tree-structured database of the managed device's data; each node is addressed by an OID
- e.g. 1.3.6.1.4.1.77.1.2.25 (the Windows LanMan user table, used to enumerate local accounts)
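What a community-string scanner such as onesixtyone (below) actually puts on the wire is a single SNMPv1 GetRequest; an agent that accepts the community answers it, an agent that does not stays silent. The following is an added example, not code from the original notes or from onesixtyone: a minimal BER encoder that turns a dotted OID from the MIB tree into its wire form and wraps it in a GetRequest. The `probe()` helper and its behaviour of treating any reply as "community accepted" are my own; the offline checks exercise only the encoding.

```python
import socket


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag-Length-Value wrapper used by every BER element below."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """Non-negative INTEGER; the extra bit keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: arcs 1 and 2 are packed as 40*a+b, every later arc
    is base-128 with the high bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(encoded):
    """Inverse of encode_oid (short-form length only, enough for MIB OIDs)."""
    if encoded[0] != 0x06 or encoded[1] >= 0x80:
        raise ValueError("not a short-form OID TLV")
    body = encoded[2:2 + encoded[1]]
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def snmp_get_request(community, oid, request_id=1):
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, VarBindList } }"""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")   # { OID, NULL }
    pdu_body = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(0xA0, pdu_body))


def probe(host, community, oid="1.3.6.1.2.1.1.1.0", timeout=2.0):
    """Send one GetRequest for sysDescr.0 to UDP/161.  Any reply means the agent
    accepted the community (a wrong community is silently dropped); returns the
    raw response bytes or None.  Needs a reachable agent, so not run offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(snmp_get_request(community, oid), (host, 161))
        return sock.recvfrom(4096)[0]
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    print(encode_oid("1.3.6.1.4.1.77.1.2.25").hex())
    print(snmp_get_request("public", "1.3.6.1.2.1.1.1.0").hex())
```

Feed `probe()` the community list from dict.txt and the host list from ipaddr.txt and you have the core of onesixtyone; keep the per-packet delay in mind, since a burst of UDP/161 traffic is easy to spot.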
1. onesixtyone
Overview
root@kali:~# onesixtyone
onesixtyone 0.3.2 [options] <host> <community>
  -c <communityfile> file with community names to try
  -i <inputfile>     file with target hosts
  -o <outputfile>    output log
  -d                 debug mode, use twice for more information
  -w n               wait n milliseconds (1/1000 of a second) between sending packets (default 10)
  -q                 quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
          ./s -c dict.txt -i hosts -o my.log -w 100
SNMP scan
# The bundled community-string wordlist (dpkg output trimmed to the file of interest)
root@kali:~# dpkg -L onesixtyone
/usr/share/doc/onesixtyone/dict.txt
# Try every community in dict.txt against every host in ipaddr.txt (the list generated in the host discovery section), 100 ms between packets; copy dict.txt to the working directory first or pass its full path
root@kali:~# onesixtyone -c dict.txt -i ipaddr.txt -o 161output.log -w 100
2. snmpwalk
Overview
-v 1|2c|3      specifies SNMP version to use
-c COMMUNITY   set the community string
SNMP scan
# Walk the whole MIB tree with a community string found by onesixtyone; fall back to -v 1 if the agent does not answer SNMPv2c
root@kali:~# snmpwalk 10.10.10.132 -c public -v 2c
3. snmpcheck
Overview
root@kali:~# snmpcheck -h
Usage: snmpcheck [-x] [-n|y] [-h] [-H] [-V NUM] [-L] [-f] [[-a] HOSTS]
    -h      Display this message.
    -a      check error log file AND hosts specified on command line.
    -p      Don't try and ping-echo the host first
    -f      Only check for things I can fix
    HOSTS   check these hosts for problems.
  X Options:
    -x      forces ascii base if $DISPLAY set (instead of tk).
    -H      start in hidden mode. (hides user interface)
    -V NUM  sets the initial verbosity level of the command log (def: 1)
    -L      Show the log window at startup
    -d      Don't start by checking anything. Just bring up the interface.
  Ascii Options:
    -n      Don't ever try and fix the problems found. Just list.
    -y      Always fix problems found.
SNMP scan
# Enumerate a host with the default community (public)
snmpcheck -t 192.168.20.199
# Specify community string and SNMP version
snmpcheck -t 192.168.20.199 -c private -v 2
# Test whether the community has write access
snmpcheck -t 192.168.20.199 -w

Note that the -h output above does not list -t, -c, -v or -w at all: those options belong to the Perl SNMP enumerator snmp-check (target, community, version, write-access test), which on Kali is invoked as snmp-check. Check which binary you are running before relying on the usage lines.
6. SMB scan
- Server Message Block protocol
- Historically the Microsoft protocol with the most security problems
- Complex to implement
- Enabled by default
- File sharing
- A null session (unauthenticated connection) can enumerate:
- password policy
- user names
- group names
- machine names
- user and group SIDs
1. nmap
Overview
-v: Increase verbosity level (use -vv or more for greater effect)
root@kali:~# ll /usr/share/nmap/scripts/smb*
SMB scan
# Show only open ports on the lab hosts (output trimmed to the two Windows hosts)
root@kali:~# nmap -v 10.10.10.132-140 --open
Nmap scan report for 10.10.10.136
Host is up (0.00068s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp open icslap
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:35:6A:2D (VMware)

Nmap scan report for 10.10.10.137
Host is up (0.0051s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
MAC Address: 00:50:56:21:D2:3A (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 9 IP addresses (3 hosts up) scanned in 1.77 seconds
           Raw packets sent: 3027 (132.948KB) | Rcvd: 3003 (120.220KB)

# Run the SMB OS-discovery script
root@kali:~# nmap 10.10.132 -p 139,445 --script=smb-os-discovery.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:07 EDT
Nmap scan report for 10.10.132 (10.10.0.132)
Host is up (0.00039s latency).

PORT STATE SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

The target 10.10.132 is a typo: nmap expanded it to 10.10.0.132, an address that does not exist in this lab, which is why both ports come back filtered and the script prints nothing. Run it against 10.10.10.136 or 10.10.10.137 (139/445 open above) and smb-os-discovery returns the OS, computer name, workgroup/domain and system time.
2. nbtscan
Overview
root@kali:~# nbtscan
NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
        -v              verbose output. Print all names received from each host
        -d              dump packets. Print whole packet contents.
        -e              Format output in /etc/hosts format.
        -l              Format output in lmhosts format. Cannot be used with -v, -s or -h options.
        -t timeout      wait timeout milliseconds for response. Default 1000.
        -b bandwidth    Output throttling. Slow down output so that it uses no more that bandwidth bps. Useful on slow links, so that ougoing queries don't get dropped.
        -r              use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.
        -q              Suppress banners and error messages,
        -s separator    Script-friendly output. Don't print column and record headers, separate fields with separator.
        -h              Print human-readable names for services. Can only be used with -v option.
        -m retransmits  Number of retransmits. Default 0.
        -f filename     Take IP addresses to scan from file filename. -f - makes nbtscan take IP addresses from stdin.
        <scan_range>    what to scan. Can either be single IP like 192.168.1.1 or range of addresses in one of two forms: xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
SMB scan
root@kali:~# nbtscan -r 10.10.10.0/24
Doing NBT name scan for addresses from 10.10.10.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.10.10.0       Sendto failed: Permission denied
10.10.10.131     <unknown>                  <unknown>
10.10.10.132     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
10.10.10.1       ASUS-WIN7        <server>  <unknown>        00:50:56:c0:00:08
10.10.10.255     Sendto failed: Permission denied

-r sends from local port 137 (root required). The two "Permission denied" lines are the network and broadcast addresses of the /24, not scan failures. The all-zero MAC for METASPLOITABLE is what Samba reports in its NetBIOS reply; compare the real address nmap saw via ARP (00:0C:29:D0:AB:2C).
3. enum4linux
简介
-a Do all simple enumeration (-U -S -G -P -r -o -n -i). This opion is enabled if you don't provide any other options.
SMB 扫描
root@kali:~# enum4linux -a 10.10.10.132
7. SMTP scan
1. nc
Overview
VRFY root
Scan
root@kali:~# nc -nv 10.10.10.132 25
(UNKNOWN) [10.10.10.132] 25 (smtp) open
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
VRFY root

VRFY asks the server whether a mailbox exists. A 250 reply confirms the user and 550 denies it, while 252 (RFC 5321: "cannot VRFY user, but will accept message and attempt delivery", the default Postfix behaviour) is returned for any name and tells you nothing.
2. nmap
Scripts
root@kali:~# ll /usr/share/nmap/scripts/smtp*
-rw-r--r-- 1 root root  4309 Mar 26 08:18 /usr/share/nmap/scripts/smtp-brute.nse
-rw-r--r-- 1 root root  4771 Mar 26 08:18 /usr/share/nmap/scripts/smtp-commands.nse
-rw-r--r-- 1 root root 12006 Mar 26 08:18 /usr/share/nmap/scripts/smtp-enum-users.nse
-rw-r--r-- 1 root root  5873 Mar 26 08:18 /usr/share/nmap/scripts/smtp-ntlm-info.nse
-rw-r--r-- 1 root root 10150 Mar 26 08:18 /usr/share/nmap/scripts/smtp-open-relay.nse
-rw-r--r-- 1 root root   716 Mar 26 08:18 /usr/share/nmap/scripts/smtp-strangeport.nse
-rw-r--r-- 1 root root 14740 Mar 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2010-4344.nse
-rw-r--r-- 1 root root  7661 Mar 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1720.nse
-rw-r--r-- 1 root root  7584 Mar 26 08:18 /usr/share/nmap/scripts/smtp-vuln-cve2011-1764.nse
SMTP scan
# smtp-enum-users.nse
root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-enum-users.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:19 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00028s latency).

PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
|_ Method RCPT returned a unhandled status code.
MAC Address: 00:0C:29:D0:AB:2C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

# smtp-open-relay.nse
root@kali:~# nmap 10.10.10.132 -p 25 --script=smtp-open-relay.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:20 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00022s latency).

PORT STATE SERVICE
25/tcp open smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed
MAC Address: 00:0C:29:D0:AB:2C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds
3. smtp-user-enum
Overview
root@kali:~# smtp-user-enum
smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

Usage: smtp-user-enum [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )

options are:

        -m n     Maximum number of processes (default: 5)
        -M mode  Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
        -u user  Check if user exists on remote system
        -f addr  MAIL FROM email address. Used only in "RCPT TO" mode (default: user@example.com)
        -D dom   Domain to append to supplied user list to make email addresses (Default: none)
                 Use this option when you want to guess valid email addresses instead of just usernames
                 e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc. Instead of
                 simply the usernames foo and bar.
        -U file  File of usernames to check via smtp service
        -t host  Server host running smtp service
        -T file  File of hostnames running the smtp service
        -p port  TCP port on which smtp service runs (default: 25)
        -d       Debugging output
        -t n     Wait a maximum of n seconds for reply (default: 5)
        -v       Verbose
        -h       This help message

Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.

Examples:

$ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
$ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
$ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
SMTP scan
# users.txt is a wordlist of candidate user names you supply; -M picks the probe (VRFY, EXPN or RCPT TO)
smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
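The VRFY loop that nc (by hand), smtp-enum-users.nse and smtp-user-enum all perform, as an added example that is not code from the original notes or from any of those tools. The client side is the real protocol exchange; the server side is a constructed fake so the example runs offline and can also be switched into the Postfix-style mode that answers 252 to everything, which is the case the enumeration tools cannot resolve. Host, port, the user list and the "ambiguous" switch are all assumptions of the example.

```python
import socket
import socketserver
import threading

# Constructed account list for the fake server; not real Metasploitable users.
KNOWN_USERS = {"root", "msfadmin", "postfix"}


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Answers VRFY like a mail server.  With server.ambiguous=True it mimics a
    Postfix default install and returns 252 for every name."""

    def handle(self):
        self.wfile.write(b"220 metasploitable.localdomain ESMTP (constructed)\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            if verb != "VRFY":
                reply = "502 5.5.2 Error: command not recognized"
            elif self.server.ambiguous:
                reply = f"252 2.0.0 {arg}"
            elif arg in KNOWN_USERS:
                reply = f"250 2.1.5 {arg} <{arg}@localdomain>"
            else:
                reply = f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown"
            self.wfile.write((reply + "\r\n").encode())


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, ambiguous=False):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)   # port 0: pick a free one
        self.ambiguous = ambiguous


def vrfy_users(host, port, users, timeout=5.0):
    """The enumeration itself: one connection, one VRFY per name, {user: code}."""
    codes = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        rfile.readline()                                   # 220 greeting
        for user in users:
            s.sendall(f"VRFY {user}\r\n".encode())
            codes[user] = int(rfile.readline()[:3])        # three-digit reply code
        s.sendall(b"QUIT\r\n")
    return codes


def interpret(code):
    """Map the reply code to what it proves about the account."""
    if code == 250:
        return "exists"
    if code in (550, 551):
        return "unknown"
    if code == 252:
        return "ambiguous (server refuses to verify)"
    return "unhandled"


def run_demo(ambiguous=False, users=("root", "msfadmin", "nosuchuser")):
    """Start the fake server on a random loopback port, enumerate, shut down."""
    srv = FakeSMTPServer(ambiguous)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        return vrfy_users(host, port, users)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for mode in (False, True):
        print("ambiguous" if mode else "strict", {u: interpret(c) for u, c in run_demo(mode).items()})
```

Against a real target call `vrfy_users("10.10.10.132", 25, users)` directly. If every name comes back 252 (as Postfix does by default), switch the method to RCPT TO, which is what smtp-user-enum's -M RCPT and the nmap script's fallback do; that is also why the nmap run above reports an "unhandled status code" rather than a user list.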
8. Firewall identification
- By inspecting the replies, you can often tell whether a port is filtered by a firewall
- Devices vary widely, so the result carries some uncertainty
1. nmap
Overview
-sA (TCP ACK scan): Unlike every other scan discussed so far, it never determines open or open|filtered ports. It is used to map firewall rulesets, determining whether they are stateful or not and which ports are filtered.
Firewall identification
root@kali:~# nmap -sA 10.10.10.132 -p 22
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:30 EDT
Nmap scan report for 10.10.10.132
Host is up (0.00032s latency).

PORT STATE SERVICE
22/tcp unfiltered ssh
MAC Address: 00:0C:29:D0:AB:2C (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

unfiltered means the unsolicited ACK was answered with a RST, so no stateful filter sits between the scanner and the port; filtered (no reply, or an ICMP unreachable) would indicate a firewall dropped the probe. The ACK scan says nothing about whether the port is open, so follow it with -sS on the ports you care about.
9. Load balancer identification
1. lbd
Overview
root@kali:~# lbd

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

usage: /usr/bin/lbd domain [port] {https}
Identification
Checking www.baidu.com
root@kali:~# lbd www.baidu.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: FOUND
www.a.shifen.com has address 61.135.169.121
www.a.shifen.com has address 61.135.169.125

Checking for HTTP-Loadbalancing [Server]:
 bfe/1.0.8.18
 NOT FOUND

Checking for HTTP-Loadbalancing [Date]: 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:48, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:49, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:50, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:51, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:52, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, 12:31:53, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: FOUND
< Last-Modified: Mon, 13 Jun 2016 02:50:05 GMT
> Last-Modified: Mon, 13 Jun 2016 02:50:04 GMT
< ETag: "575e1f5d-115"
> ETag: "575e1f5c-115"

www.baidu.com does Load-balancing. Found via Methods: DNS HTTP[Diff]
Checking mail.163.com
root@kali:~# lbd mail.163.com

lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (http://ge.mine.nu)
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: FOUND
mail163.ntes53.netease.com has address 123.125.50.26
mail163.ntes53.netease.com has address 123.125.50.7
mail163.ntes53.netease.com has address 123.125.50.28

Checking for HTTP-Loadbalancing [Server]:
 nginx
 NOT FOUND

Checking for HTTP-Loadbalancing [Date]: 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:25, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:26, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:27, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:28, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:29, 12:32:30, 12:32:30, 12:32:30, 12:32:30, 12:32:30, NOT FOUND

Checking for HTTP-Loadbalancing [Diff]: NOT FOUND

mail.163.com does Load-balancing. Found via Methods: DNS
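The four checks lbd runs, re-implemented as an added example (not lbd's own code and not part of the original notes) so you can see why the two runs above ended with "DNS HTTP[Diff]" and "DNS" respectively. The header samples are constructed from the baidu run (two backends whose ETag and Last-Modified differ by one second); the exact heuristic lbd uses for the Date check is my reading of its output, namely that a Date header going backwards between consecutive requests betrays a second backend with its own clock.

```python
from email.utils import parsedate_to_datetime

# Constructed samples modelled on the lbd run against www.baidu.com above; not real captures.
DNS_ANSWERS = ["61.135.169.121", "61.135.169.125"]
HTTP_SAMPLES = [
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:48 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT", "ETag": '"575e1f5d-115"'},
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:48 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:04 GMT", "ETag": '"575e1f5c-115"'},
    {"Server": "bfe/1.0.8.18", "Date": "Sat, 31 Mar 2018 12:31:49 GMT",
     "Last-Modified": "Mon, 13 Jun 2016 02:50:05 GMT", "ETag": '"575e1f5d-115"'},
]

# Headers that legitimately change between requests to a single server.
VOLATILE = {"Date", "Set-Cookie", "Expires", "Age", "Connection", "Keep-Alive"}


def dns_lb(addresses):
    """DNS round-robin: the name resolves to more than one address."""
    return len(set(addresses)) > 1


def server_lb(samples):
    """Different Server banners can only come from different backends."""
    return len({s.get("Server") for s in samples}) > 1


def date_lb(samples):
    """A single clock never runs backwards between consecutive replies;
    a decrease points to another backend with its own clock (assumed heuristic)."""
    stamps = [parsedate_to_datetime(s["Date"]) for s in samples if "Date" in s]
    return any(later < earlier for earlier, later in zip(stamps, stamps[1:]))


def diff_lb(samples):
    """Stable headers (ETag, Last-Modified, ...) that differ from the first reply."""
    base = {k: v for k, v in samples[0].items() if k not in VOLATILE}
    diffs = {}
    for sample in samples[1:]:
        for key, value in sample.items():
            if key not in VOLATILE and base.get(key) != value:
                diffs.setdefault(key, set()).update({base.get(key), value})
    return diffs


def detect(dns_answers, samples):
    """Return the detection methods that fired, in lbd's reporting order."""
    methods = []
    if dns_lb(dns_answers):
        methods.append("DNS")
    if server_lb(samples):
        methods.append("HTTP[Server]")
    if date_lb(samples):
        methods.append("HTTP[Date]")
    if diff_lb(samples):
        methods.append("HTTP[Diff]")
    return methods


if __name__ == "__main__":
    print("found via:", detect(DNS_ANSWERS, HTTP_SAMPLES))
    print("differing headers:", diff_lb(HTTP_SAMPLES))
```

To use it live, collect `HTTP_SAMPLES` from fifty or so HEAD requests to the same URL (a new TCP connection each time, otherwise a keep-alive session pins you to one backend) and `DNS_ANSWERS` from repeated lookups of the name. Like lbd, it is only a heuristic: a single server behind a CDN can still produce differing ETags, and identical ETags across backends are common when content is deployed from the same image.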
10. WAF identification
1. wafw00f
Overview
root@kali:~# wafw00f -h
Usage: wafw00f url1 [url2 [url3 ... ]]
example: wafw00f http://www.victim.org/

Options:
  -h, --help            show this help message and exit
  -v, --verbose         enable verbosity - multiple -v options increase verbosity
  -a, --findall         Find all WAFs, do not stop testing on the first one
  -r, --disableredirect Do not follow redirections given by 3xx responses
  -t TEST, --test=TEST  Test for one specific WAF
  -l, --list            List all WAFs that we are able to detect
  -p PROXY, --proxy=PROXY
                        Use an HTTP proxy to perform requests, example: http://hostname:8080, socks5://hostname:1080
  -V, --version         Print out the version
  -H HEADERSFILE, --headersfile=HEADERSFILE
                        Pass custom headers, for example to overwrite the default User-Agent string
Identification
root@kali:~# wafw00f -l
Can test for these WAFs:
  Profense
  NetContinuum
  Incapsula WAF
  CloudFlare
  NSFocus
  Safedog
  Mission Control Application Shield
  USP Secure Entry Server
  Cisco ACE XML Gateway
  Barracuda Application Firewall
  Art of Defence HyperGuard
  BinarySec
  Teros WAF
  F5 BIG-IP LTM
  F5 BIG-IP APM
  F5 BIG-IP ASM
  F5 FirePass
  F5 Trafficshield
  InfoGuard Airlock
  Citrix NetScaler
  Trustwave ModSecurity
  IBM Web Application Security
  IBM DataPower
  DenyALL WAF
  Applicure dotDefender
  Juniper WebApp Secure
  Microsoft URLScan
  Aqtronix WebKnight
  eEye Digital Security SecureIIS
  Imperva SecureSphere
  Microsoft ISA Server
2. nmap
Overview
root@kali:~# ll /usr/share/nmap/scripts/http-waf*
-rw-r--r-- 1 root root  5422 Mar 26 08:18 /usr/share/nmap/scripts/http-waf-detect.nse
-rw-r--r-- 1 root root 19339 Mar 26 08:18 /usr/share/nmap/scripts/http-waf-fingerprint.nse
Identification
root@kali:~# nmap www.microsoft.com --script=http-waf-detect.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:35 EDT
Nmap scan report for www.microsoft.com (222.163.207.76)
Host is up (0.0050s latency).
rDNS record for 222.163.207.76: 76.207.163.222.adsl-pool.jlccptt.net.cn
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 52.88 seconds

Two things to check before trusting this result. First, http-waf-detect sends requests carrying attack-like payloads and reports a WAF only when the responses to those differ from a clean baseline; no script output, as here, means nothing was detected, not that the script failed. Second, look at what was actually scanned: the lab resolver returned 222.163.207.76 for www.microsoft.com, whose reverse record is an ADSL-pool host at a Chinese ISP, so the scan never reached Microsoft's site. Verify the resolved address (or use --resolve-all / a trusted resolver) before drawing conclusions about a target's WAF.
3. nmap: viewing a script's documentation (--script-help)
root@kali:~# nmap --script-help=http-vuln-cve2013-0156.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-31 08:36 EDT
http-vuln-cve2013-0156
Categories: exploit vuln
https://nmap.org/nsedoc/scripts/http-vuln-cve2013-0156.html
Detects Ruby on Rails servers vulnerable to object injection, remote command
executions and denial of service attacks. (CVE-2013-0156)
All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before
3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script sends 3 harmless
YAML payloads to detect vulnerable installations. If the malformed object
receives a status 500 response, the server is processing YAML objects and
therefore is likely vulnerable.
References:
* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
* http://cvedetails.com/cve/2013-0156/