Network Exploitation Basic
Contents
- Network Exploitation Basic
- Introductory Networking
- Nmap
- task1 Deploy
- task2 Introduction
- task3 Nmap Switches
- task4 **Scan Types** Overview
- task5 **Scan Types** TCP Connect Scans
- task6 **Scan Types** SYN Scans
- task7 **Scan Types** UDP Scans
- task8 **Scan Types** NULL, FIN and Xmas
- task9 **Scan Types** ICMP Network Scanning
- task10 **NSE Scripts** Overview
- task11 **NSE Scripts** Working with the NSE
- task12 **NSE Scripts** Searching for Scripts
- task13 Firewall Evasion
- task14 Practical
- task15 Conclusion
Introductory Networking
task1 Introduction
No answer needed
task2 The OSI Model: An Overview
1.Which layer would choose to send data over TCP or UDP?
4
The transport layer decides whether data is sent over TCP or UDP.
2.Which layer checks received packets to make sure that they haven’t been corrupted?
2
The data link layer checks received packets to make sure they are not corrupted.
3.In which layer would data be formatted in preparation for transmission?
2
Data is formatted at the data link layer in preparation for transmission.
4.Which layer transmits and receives data?
1
All data has to be converted into electrical or optical signals at the physical layer before it can be transmitted.
5.Which layer encrypts, compresses, or otherwise transforms the initial data to give it a standardised format?
6
The presentation layer hands data to the application in a standardised format.
6.Which layer tracks communications between the host and receiving computers?
5
The session layer keeps track of the communication between the computers.
7.Which layer accepts communication requests from applications?
7
The application layer interfaces directly with applications.
8.Which layer handles logical addressing?
3
The network layer handles logical addressing.
9.When sending data over TCP, what would you call the “bite-sized” pieces of data?
segments
The pieces of data are called segments in TCP and datagrams in UDP.
10.Which layer would the FTP protocol communicate with?
7
FTP is a protocol for transferring files between computers; it is usually accessed through a dedicated program called an FTP client.
11.Which transport layer protocol would be best suited to transmit a live video?
UDP
Use TCP when data accuracy matters; use UDP when it matters less.
task3 Encapsulation
1.How would you refer to data at layer 2 of the encapsulation process (with the OSI model)?
Frames
At the data link layer the units of data are called frames.
2.How would you refer to data at layer 4 of the encapsulation process (with the OSI model), if the UDP protocol has been selected?
datagram
In TCP the units are called segments; in UDP they are called datagrams.
3.What process would a computer perform on a received message?
de-encapsulation
Sending a message involves encapsulation; receiving one involves de-encapsulation.
4.Which is the only layer of the OSI model to add a trailer during encapsulation?
data link
During encapsulation the data link layer adds not only a header but also a trailer, which is used for integrity checking.
5.Does encapsulation provide an extra layer of security (Aye/Nay)?
Aye
The trailer added by the data link layer is used to verify the data.
task4 The TCP/IP Model
1.Which model was introduced first, OSI or TCP/IP?
TCP/IP
The TCP/IP model was proposed in 1982; the International Organization for Standardization (ISO) introduced the OSI model later.
2.Which layer of the TCP/IP model covers the functionality of the Transport layer of the OSI model (Full Name)?
Transport
3.Which layer of the TCP/IP model covers the functionality of the Session layer of the OSI model (Full Name)?
Application
4.The Network Interface layer of the TCP/IP model covers the functionality of two layers in the OSI model. These layers are Data Link, and?.. (Full Name)?
Physical
5.Which layer of the TCP/IP model handles the functionality of the OSI network layer?
Internet
6.What kind of protocol is TCP?
connection-based
TCP is a connection-oriented protocol.
7.What is SYN short for?
synchronise
8.What is the second step of the three way handshake?
syn/ack
9.What is the short name for the “Acknowledgement” segment in the three-way handshake?
task5 Networking Tools Ping
1.What command would you use to ping the bbc.co.uk website?
ping bbc.co.uk
2.Ping muirlandoracle.co.uk. What is the IPv4 address?
217.160.0.152
3.What switch lets you change the interval of sent ping requests?
-u
-i interval sets the number of seconds between ping requests; the default is one request per second.
4.What switch would allow you to restrict requests to IPv4?
-4
-4 uses IPv4, -6 uses IPv6.
5.What switch would give you a more verbose output?
-v
Puts ping in verbose mode: besides the ECHO-RESPONSE packets, it also prints every other ICMP packet received.
task6 Networking Tools Traceroute
1.Use traceroute on tryhackme.com
Can you see the path your request has taken?
No answer needed
2.What switch would you use to specify an interface when using Traceroute?
-i
-i sends the packets out through the specified network interface.
3.What switch would you use if you wanted to use TCP SYN requests when tracing the route?
-T
-T uses TCP SYN probes.
4.[Lateral Thinking] Which layer of the TCP/IP model will traceroute run on by default (Windows)?
Internet
task7 Networking Tools WHOIS
1.What is the registrant postal code for facebook.com?
94025
Registrant Postal Code: 94025
2.When was the facebook.com domain first registered?
29/03/1997
Creation Date: 1997-03-29T05:00:00Z
3.Perform a whois search on microsoft.com
No answer needed
4.Which city is the registrant based in?
Redmond
5.[OSINT] What is the name of the golf course that is near the registrant address for microsoft.com?
Bellevue Golf Course
6.What is the registered Tech Email for microsoft.com?
msnhst@microsoft.com
task8 Networking Tools Dig
1.What is DNS short for?
Domain Name System
DNS is short for Domain Name System.
2.What is the first type of DNS server your computer would query when you search for a domain?
recursive
The recursive DNS server is queried first.
3.What type of DNS server contains records specific to domain extensions (i.e. .com, .co.uk, etc)? Use the long version of the name.
Top-Level Domain
4.Where is the very first place your computer would look to find the IP address of a domain?
local cache
The local cache is checked first for the IP address that corresponds to the domain.
5.[Research] Google runs two public DNS servers. One of them can be queried with the IP 8.8.8.8, what is the IP address of the other one?
8.8.4.4
6.If a DNS query has a TTL of 24 hours, what number would the dig query show?
86400
24 * 60 * 60 = 86400
task9 Further Reading
No answer needed
Nmap
task1 Deploy
Deploy the attached VM
task2 Introduction
1.What networking constructs are used to direct traffic to the right application on a server?
ports
2.How many of these are available on any network-enabled computer?
65535
3.[Research] How many of these are considered “well-known”? (These are the “standard” numbers mentioned in the task)
1024
Port numbers below 1024 are the reserved (well-known) ports.
task3 Nmap Switches
1.What is the first switch listed in the help menu for a ‘Syn Scan’ (more on this later!)?
-sS
-sS – scan using TCP SYN packets
2.Which switch would you use for a “UDP scan”?
-sU
-sU – UDP scan
3.If you wanted to detect which operating system the target is running on, which switch would you use?
-O
-O – detect the operating system version
4.Nmap provides a switch to detect the version of the services running on the target. What is this switch?
-sV
-sV – detect the versions of the running services
5.The default output provided by nmap often does not provide enough information for a pentester. How would you increase the verbosity?
-v
-v – print more verbose output
6.Verbosity level one is good, but verbosity level two is better! How would you set the verbosity level to two?
(Note: it’s highly advisable to always use at least this option)
-vv
-vv – verbosity level 2; -vvv is level 3
7.We should always save the output of our scans – this means that we only need to run the scan once (reducing network traffic and thus chance of detection), and gives us a reference to use when writing reports for clients.
-oA
-oA – save the nmap results in all three main formats: .nmap, .xml and .gnmap
8.What switch would you use to save the nmap results in a “normal” format?
-oN
-oN – save the nmap results in the .nmap (normal) format
9.A very useful output format: how would you save results in a “grepable” format?
-oG
-oG – save the nmap results in the .gnmap (grepable) format
10.Sometimes the results we’re getting just aren’t enough. If we don’t care about how loud we are, we can enable “aggressive” mode. This is a shorthand switch that activates service detection, operating system detection, a traceroute and common script scanning.
How would you activate this setting?
-A
-A – aggressive scan: operating system detection, service version detection, script scanning and traceroute
11.Nmap offers five levels of “timing” template. These are essentially used to increase the speed your scan runs at. Be careful though: higher speeds are noisier, and can incur errors!
How would you set the timing template to level 5?
-T5
-T5 – scan at timing level 5; the selectable levels are 1-5, and the higher the number the faster the scan
12.We can also choose which port(s) to scan.
How would you tell nmap to only scan port 80?
-p 80
-p – specify the port range to scan
13.How would you tell nmap to scan ports 1000-1500?
-p 1000-1500
14.A very useful option that should not be ignored:
How would you tell nmap to scan all ports?
-p-
-p- – scan all ports
15.How would you activate a script from the nmap scripting library (lots more on this later!)?
--script
--script – run scripts from the NSE library during the scan
16.How would you activate all of the scripts in the “vuln” category?
--script=vuln
--script=vuln – run all scripts in the vuln category
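The grepable (-oG) format mentioned above is the one a practitioner most often post-processes. As an added example that is not part of the original write-up, this small parser pulls per-host port states out of a .gnmap file; the sample scan output is constructed for the example, not a real scan.

```python
# Parse nmap grepable (-oG / .gnmap) output into {host: [(port, state, proto, service, version)]}.
# Each entry in the "Ports:" field has the form
#   port/state/protocol/owner/service/rpc-info/version/
# which is why splitting on "/" gives eight fields (the last one empty).

# Constructed sample of -oG output for the example; not from a real scan.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sS -p 1-1000 -oG scan.gnmap 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///, 3306/closed/tcp//mysql///\tIgnored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned in 1.23 seconds
"""


def parse_gnmap(text):
    """Return a dict mapping each scanned host to its list of port tuples."""
    results = {}
    for line in text.splitlines():
        # Only "Host:" lines that carry a "Ports:" field describe port states.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        entries = []
        for raw in ports_field.split(","):
            fields = raw.strip().split("/")
            if len(fields) < 7 or not fields[0].isdigit():
                continue  # skip anything that is not a well-formed port entry
            port, state, proto, service, version = (
                int(fields[0]), fields[1], fields[2], fields[4], fields[6])
            entries.append((port, state, proto, service, version))
        results[host] = entries
    return results


def ports_in_state(text, state="open"):
    """Return {host: sorted port numbers} restricted to one nmap port state."""
    return {host: sorted(p for p, s, *_ in entries if s == state)
            for host, entries in parse_gnmap(text).items()}


if __name__ == "__main__":
    print(ports_in_state(SAMPLE_GNMAP))             # {'10.0.0.5': [22, 80]}
    print(ports_in_state(SAMPLE_GNMAP, "filtered")) # {'10.0.0.5': [443]}
```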
task4 Scan Types Overview
1.Read the Scan Types Introduction.
task5 Scan Types TCP Connect Scans
1.Which RFC defines the appropriate behaviour for the TCP protocol?
RFC 793
2.If a port is closed, which flag should the server send back to indicate this?
RST
A normal TCP connect scan sends a SYN and completes the three-way handshake to confirm that a port is open; if the port is closed, the target replies with an RST (reset) packet.
task6 Scan Types SYN Scans
1.There are two other names for a SYN scan, what are they?
Half-open, Stealth
-sS is also known as a half-open scan or a stealth scan.
2.Can Nmap use a SYN scan without Sudo permissions (Y/N)?
n
Using -sS requires root privileges.
task7 Scan Types UDP Scans
1.If a UDP port doesn’t respond to an Nmap scan, what will it be marked as?
open|filtered
2.When a UDP port is closed, by convention the target should send back a “port unreachable” message. Which protocol would it use to do so?
ICMP
task8 Scan Types NULL, FIN and Xmas
1.Which of the three shown scan types uses the URG flag?
Xmas
2.Why are NULL, FIN and Xmas scans generally used?
firewall evasion
-sN, -sF and -sX are mainly used for firewall evasion.
3.Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?
Microsoft Windows
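Tasks 5 to 8 each describe how nmap turns a probe response into a port state (RST means closed for a connect or SYN scan, ICMP port unreachable means closed for UDP, silence means open|filtered for UDP and for the inverse NULL/FIN/Xmas scans). The following is an added example, not part of the original write-up or of nmap itself: it models those documented rules as a lookup so the differences between scan types can be compared side by side, including the Windows behaviour above where every port answers an inverse scan with RST and therefore looks closed.

```python
from collections import Counter

# nmap's documented port-state rules for the scan types discussed in tasks 5-8.
# Responses are modelled as short strings, or ("icmp", type, code) for ICMP errors.
TCP_STATEFUL = {"syn-ack": "open", "rst": "closed", "none": "filtered"}   # -sT / -sS
INVERSE = {"rst": "closed", "none": "open|filtered"}                        # -sN / -sF / -sX
UDP = {"udp-data": "open", "none": "open|filtered"}                         # -sU
SCAN_TABLES = {"connect": TCP_STATEFUL, "syn": TCP_STATEFUL, "udp": UDP,
               "null": INVERSE, "fin": INVERSE, "xmas": INVERSE}
# ICMP type 3 codes that nmap treats as "filtered" (1, 2, 9, 10, 13) plus port unreachable (3).
UNREACHABLE_CODES = (1, 2, 3, 9, 10, 13)


def classify(scan, response):
    """Return the nmap port state for one probe response under the given scan type."""
    if scan not in SCAN_TABLES:
        raise ValueError(f"unknown scan type: {scan}")
    if isinstance(response, tuple):
        kind, icmp_type, code = response
        if kind != "icmp" or icmp_type != 3 or code not in UNREACHABLE_CODES:
            raise ValueError(f"unmodelled ICMP response: {response}")
        # Port unreachable (3/3) proves a UDP port is closed; for every other
        # scan type any destination-unreachable error just means "filtered".
        if scan == "udp" and code == 3:
            return "closed"
        return "filtered"
    table = SCAN_TABLES[scan]
    if response not in table:
        raise ValueError(f"{response!r} is not a valid response for a {scan} scan")
    return table[response]


def summarize(scan, responses):
    """Count port states for a whole sweep, e.g. 999 silent ports under an Xmas scan."""
    return dict(Counter(classify(scan, r) for r in responses))


if __name__ == "__main__":
    # The task 14 practical: an Xmas scan of 999 ports with no responses.
    print(summarize("xmas", ["none"] * 999))        # {'open|filtered': 999}
    # A Windows-style host answering every inverse-scan probe with RST.
    print(summarize("fin", ["rst"] * 4))            # {'closed': 4}
```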
task9 Scan Types ICMP Network Scanning
1.How would you perform a ping sweep on the 172.16.x.x network (Netmask: 255.255.0.0) using Nmap? (CIDR notation)
nmap -sn 172.16.0.0/16
-sn performs host discovery with ICMP (a ping sweep) without scanning ports.
task10 NSE Scripts Overview
1.What language are NSE scripts written in?
lua
NSE scripts are written in Lua.
2.Which category of scripts would be a very bad idea to run in a production environment?
intrusive
task11 NSE Scripts Working with the NSE
1.What optional argument can the ftp-anon.nse script take?
maxlist
--script-help <script name> – show the arguments a script accepts
task12 NSE Scripts Searching for Scripts
1.Search for “smb” scripts in the /usr/share/nmap/scripts/ directory using either of the demonstrated methods.
What is the filename of the script which determines the underlying OS of the SMB server?
smb-os-discovery.nse
The nmap scripts are located in /usr/share/nmap/scripts/.
2.Read through this script. What does it depend on?
smb-brute
task13 Firewall Evasion
1.Which simple (and frequently relied upon) protocol is often blocked, requiring the use of the -Pn switch?
ICMP
2.[Research] Which Nmap switch allows you to append an arbitrary length of random data to the end of packets?
--data-length
--data-length – append random data of the given length to the end of each packet
task14 Practical
1.Does the target (10.10.229.236) respond to ICMP (ping) requests (Y/N)?
N
The machine cannot be pinged.
2.Perform an Xmas scan on the first 999 ports of the target – how many ports are shown to be open or filtered?
999
3.There is a reason given for this – what is it?
Note: The answer will be in your scan results. Think carefully about which switches to use – and read the hint before asking for help!
no responses
4.Perform a TCP SYN scan on the first 5000 ports of the target – how many ports are shown to be open?
5
5.Open Wireshark (see Cryillic’s Wireshark Room for instructions) and perform a TCP Connect scan against port 80 on the target, monitoring the results. Make sure you understand what’s going on.
6.Deploy the ftp-anon script against the box. Can Nmap login successfully to the FTP server on port 21? (Y/N)
y
task15 Conclusion
1.Read the conclusion.