Service scanning
The earlier scans already told us the IP addresses of the live hosts and which ports are open. Suppose we find a machine with port 21 open: we cannot simply assume that what is listening on 21 is an FTP service, because a web server can just as well be bound to port 21.
The port number alone does not identify the application working behind it, so we need to:
- Identify the application running on each open port
  - Which version these applications are: known weaknesses of older versions can then be looked up online
- Identify the target operating system
  - This can also reveal certain weaknesses of the target OS
- How to identify
  - Banner grabbing: not accurate, since the target's administrator may have forged the banner, but usable as one identification method.
  - Service identification
  - Operating system identification
  - Fingerprint-based identification
  - SNMP analysis: a target with poor configuration hygiene exposes service ports such as SNMP; an SNMP scan can read the system version from inside the system itself, so its accuracy is relatively high.
Banner
A banner can give away:
- Software vendor
- Software name
- Service type
- Version number
- Known vulnerabilities and weaknesses, directly from the above
But a banner can be modified, so it has to be combined with other service identification methods.
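The following is an added example, not code from the original notes: a small parser that pulls the service type, hostname, product and version out of FTP/SMTP `220` greetings and SSH identification strings, then audits an inventory of banners for version disclosure, which is the defender's side of the list above (what are my own services telling everyone?). The two banners seen on this page are used as input; the OpenSSH and Postfix banners and the hosts 10.0.0.5/10.0.0.6 are constructed, and the version pattern it looks for (`Product_1.2.3`, `Product/1.2.3`, `Product 1.2.3`) is an assumption about common banner formats, not a complete grammar.

```python
import re

# SSH identification string (RFC 4253): SSH-protoversion-softwareversion [SP comments]
SSH_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# "Product_1.2.3", "Product/1.2.3" or "Product 1.2.3p1": the version-disclosure pattern we look for
VERSION_RE = re.compile(r"(?P<product>[A-Za-z]{2,})[ _/-]v?(?P<version>\d+(?:\.\d+)+[A-Za-z0-9]*)")


def parse_banner(raw):
    """Return what a greeting banner discloses: service type, hostname, product and version."""
    text = raw.decode("latin-1", "replace") if isinstance(raw, bytes) else raw
    first = text.strip().splitlines()[0] if text.strip() else ""
    info = {"service": None, "hostname": None, "product": None, "version": None, "text": first}

    m = SSH_RE.match(first)
    if m:
        info["service"] = "ssh"
        vm = VERSION_RE.search(m.group("software"))
        if vm:
            info["product"], info["version"] = vm.group("product"), vm.group("version")
        else:
            info["product"] = m.group("software")
        return info

    if first.startswith("220"):
        # FTP and SMTP both greet with "220 [hostname] free text"
        words = first.split()[1:]
        if words and "." in words[0]:
            info["hostname"] = words.pop(0)
        rest = " ".join(words)
        upper = rest.upper()
        if "SMTP" in upper:          # also matches ESMTP
            info["service"] = "smtp"
        elif "FTP" in upper:
            info["service"] = "ftp"
        else:
            info["service"] = "unknown-220"
        vm = VERSION_RE.search(rest)
        if vm:
            info["product"], info["version"] = vm.group("product"), vm.group("version")
    return info


def version_disclosures(inventory):
    """Audit a list of (host, port, banner) and return the entries that leak a product version."""
    findings = []
    for host, port, banner in inventory:
        info = parse_banner(banner)
        if info["version"] is not None:
            findings.append((host, port, info["product"], info["version"]))
    return findings


# Constructed inventory: the two banners seen on this page plus two made-up ones.
SAMPLE_INVENTORY = [
    ("192.168.37.128", 25, b"220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n"),
    ("192.168.1.1", 21, b"220 Welcome to virtual FTP service.\r\n"),
    ("10.0.0.5", 22, b"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"),    # constructed
    ("10.0.0.6", 25, b"220 mail.example.test ESMTP Postfix/3.4.13\r\n"),  # constructed
]

if __name__ == "__main__":
    for host, port, product, version in version_disclosures(SAMPLE_INVENTORY):
        print("%s:%d discloses %s %s" % (host, port, product, version))
```

Run over your own hosts, the findings list is the set of services whose greeting should be trimmed or, where the software cannot be configured that way, whose version belongs on the patch list. An empty `version` for a service that certainly has one is exactly the minimal or forged banner the text warns about, and is the reason the later sections move on to signature-based identification.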
- Characteristic behaviour and response fields
- Differences in responses can be used to identify the underlying operating system
  - For example, a Windows ping packet differs from a Linux one, in header fields and in how they are defined.
SNMP
- Simple Network Management Protocol
- Community strings: effectively SNMP's authentication. There are two defaults, read-only and private (read and write); with write access one can even change a switch's configuration.
- Used to query information or to reconfigure the device
Banner: nc
Collecting banner information with nc:
nc -nv 192.168.1.1 22
Writing a script in Python
Scapy, by contrast, is suited to injection and sniffing at layers 3 and 4 and lacks application-layer support.
- The socket module can be used to build a TCP connection to a network service
>>> import socket
# the standard way to create a socket object; socket.SOCK_STREAM means a TCP connection
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# connect to the IP and port
>>> banner.connect(("192.168.37.128",25))
# recv() reads the data the service sends (4096 is the buffer size)
>>> banner.recv(4096)
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n'
# the connection must be closed afterwards
>>> banner.close()
>>> exit()
Some applications do not hand out a banner at all, so the Python code cannot stay this simple: it needs handling so that a failed attempt does not hang the script.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Scan a port range for banners; ports that send nothing within the timeout are skipped.
import socket
import select
import sys

if len(sys.argv) != 4:
    print("Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]")
    print("Example - ./banner_grab.py 1.1.1.1 1 100")
    sys.exit(1)

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):           # include the last port
    bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bangrab.settimeout(1)                     # do not hang on filtered ports
    try:
        bangrab.connect((ip, port))
        # wait at most 1 second for the service to send something
        ready = select.select([bangrab], [], [], 1)
        # ready[0] is non-empty only when data is waiting, so recv() will not block
        if ready[0]:
            print("TCP Port " + str(port) + "." + bangrab.recv(4096).decode("latin-1").rstrip())
    except (socket.error, OSError):
        pass                                  # closed or filtered port, or no banner
    finally:
        bangrab.close()
Output
root@kali:~/Desktop# ./a.py 192.168.1.1 1 100
TCP Port 21.220 Welcome to virtual FTP service.
TCP Port 23.������!����F450A
root@kali:~/Desktop#
dmitry
Scans the default set of common ports:
root@kali:~/Desktop# dmitry -pb 192.168.1.1
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:192.168.1.1
HostName:192.168.1.1
Gathered TCP Port information for 192.168.1.1
---------------------------------
Port State
21/tcp open
>> 220 Welcome to virtual FTP service.
23/tcp open
80/tcp open
Portscan Finished: Scanned 150 ports, 146 ports were in state closed
All scans completed, exiting
nmap
Use the scripts shipped with nmap (/usr/share/nmap/scripts/):
nmap -sT 192.168.37.128 -p 25 --script=banner.nse
nmap -sT 192.168.37.128 -p 1-100 --script=banner.nse
Output
root@kali:~/Desktop# nmap -sT 192.168.1.1 -p 25 --script=banner.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 02:53 EDT
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.00073s latency).
PORT STATE SERVICE
25/tcp filtered smtp
Nmap done: 1 IP address (1 host up) scanned in 0.73 seconds
root@kali:~/Desktop# nmap -sT 192.168.1.1 -p 1-100 --script=banner.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 02:54 EDT
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (1.0s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_banner: 220 Welcome to virtual FTP service.
23/tcp open telnet
|_banner: \xFF\xFD\x01\xFF\xFD\x1F\xFF\xFD!\xFF\xFB\x01\xFF\xFB\x03F450A
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 21.44 seconds
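The port 23 banner above is mostly telnet option negotiation: every `\xFF\xFD\x01`-style triple is IAC, a command (DO or WILL) and an option byte, which is why the raw `recv()` output of the banner grabber earlier printed as garbage before the text `F450A`. The decoder below is an added example, not from the original notes, that separates the negotiation from the printable banner so the result can be logged cleanly; the option names follow the IANA telnet option registry, and the sample bytes are the ones nmap printed above.

```python
# Telnet option negotiation (RFC 854/855): each IAC <cmd> <option> triple is three bytes,
# so a raw recv() on port 23 shows binary noise before the real text.
IAC, SB, SE = 255, 250, 240
COMMANDS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
OPTIONS = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 5: "STATUS", 24: "TERMINAL-TYPE",
    31: "NAWS", 32: "TERMINAL-SPEED", 33: "TOGGLE-FLOW-CONTROL", 34: "LINEMODE",
    39: "NEW-ENVIRON",
}


def split_telnet(data):
    """Separate IAC negotiation from the plain text in a raw telnet stream."""
    negotiations = []          # list of (command, option) tuples in stream order
    text = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):     # stream ends in a lone IAC: ignore the fragment
            break
        cmd = data[i + 1]
        if cmd == IAC:             # IAC IAC is an escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif cmd in COMMANDS:      # WILL/WONT/DO/DONT carry one option byte
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            negotiations.append((COMMANDS[cmd], OPTIONS.get(opt, "OPTION-%d" % opt)))
            i += 3
        elif cmd == SB:            # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            opt = data[i + 2] if i + 2 < end else None
            name = "EMPTY" if opt is None else OPTIONS.get(opt, "OPTION-%d" % opt)
            negotiations.append(("SB", name))
            i = end + 2
        else:                      # other two-byte commands (NOP, GA, ...)
            i += 2
    return negotiations, bytes(text)


def describe_banner(data):
    """Render the negotiation and the printable remainder as one readable line."""
    negotiations, text = split_telnet(data)
    parts = ["%s %s" % nv for nv in negotiations]
    return "; ".join(parts) + " | text=" + repr(text.decode("ascii", "replace"))


# Constructed from the port 23 banner nmap printed on this page.
SAMPLE = b"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03F450A"

if __name__ == "__main__":
    print(describe_banner(SAMPLE))
```

Feeding the bytes from `recv()` through `split_telnet` before printing turns the second line of the banner grabber's output into a readable list of options plus the short text `F450A`, which is the only part worth recording as the service's banner.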
amap
Purpose-built for service discovery
-q: concise output;
-b: show detailed (banner) information;
root@root:~# amap -B 192.168.1.1 25
root@root:~# amap -B 192.168.1.1 1-100
Service scanning: service identification
nmap is the recommended tool: banner grabbing alone has limited reach, whereas nmap can analyse services by their signatures and has a richer set of techniques.
The -sV option identifies the specific service and does not rely on the banner alone.
root@root:~# nmap 192.168.1.1 -p 1-100 -sV   # frequently used
Operating system identification
- OS identification can determine the target host's OS type and OS version;
- Knowing the version tells us which services that system opens by default, and which vulnerabilities an old OS version itself carries;
Judging by the TTL value
- Windows:128(65-128)
- Linux/Unix:64(1-64)
- 某些Unix:255
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> win="192.168.37.128"
>>> linux="192.168.37.143"
>>> aw=sr1(IP(dst=win)/ICMP())
1. Python script
#!/usr/bin/env python3
# Roughly guess the target's OS family from the TTL of its ICMP echo reply
from scapy.all import IP, ICMP, sr1
import sys

if len(sys.argv) != 2:
    print("Usage - ./ttl_os.py [IP address]")
    print("Example - ./ttl_os.py 1.1.1.1")
    sys.exit(1)

ip = sys.argv[1]
ans = sr1(IP(dst=str(ip)) / ICMP(), timeout=1, verbose=0)
if ans is None:
    print("No response was returned")
else:
    ttl = int(ans[IP].ttl)
    if ttl <= 64:
        print("Host is Linux/Unix")
    elif ttl <= 128:
        print("Host is Windows")
    else:
        print("Host is some Unix variant (initial TTL 255)")
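An added example, not from the original notes, that carries the TTL rule through in plain Python: it reads the TTL byte from an IPv4 header (the same field Scapy exposes as `ans[IP].ttl`), validates the header checksum so a corrupted capture is not classified, and goes one step beyond the script above by estimating the hop distance as the gap to the nearest initial TTL (64, 128 or 255), which is what tools such as p0f report as `dist`. Scapy is not required: the reply packets are constructed by `build_ipv4_header`, a helper that exists only so the example runs offline.

```python
import socket
import struct

# Initial TTLs named in the section above, ascending so the first match wins.
INITIAL_TTLS = [(64, "Linux/Unix"), (128, "Windows"), (255, "Some Unix")]


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ttl, proto, src, dst, payload_len=64):
    """Constructed sample: a minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_ttl(packet):
    """Read the TTL field (byte 8) of an IPv4 packet after validating the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return packet[8]


def classify_ttl(observed):
    """Map an observed TTL to the nearest initial value and estimate the hop distance."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    for initial, family in INITIAL_TTLS:
        if observed <= initial:
            return family, initial, initial - observed


def guess_os(packet):
    """Both steps together: (OS family, assumed initial TTL, hops) for one reply packet."""
    return classify_ttl(parse_ipv4_ttl(packet))


if __name__ == "__main__":
    # Constructed echo replies (protocol 1 = ICMP); the addresses are the page's lab hosts.
    for ttl in (64, 58, 128, 113, 255):
        pkt = build_ipv4_header(ttl, 1, "192.168.37.128", "192.168.37.143")
        print(ttl, guess_os(pkt))
```

The distance estimate is why the rule works across a routed network: a Linux host six hops away answers with TTL 58, which still falls in the 1-64 band. It is also the rule's blind spot, since a Windows host more than 64 hops away, or a device using an unusual initial TTL, lands in the wrong band; treat the result as a hint to confirm with `nmap -O` or p0f, not as a verdict.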
2. nmap -O
The -O option identifies the operating system
root@kali:~/Desktop# nmap -O 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 04:11 EDT
Nmap scan report for 192.168.1.1 (192.168.1.1)
Host is up (0.11s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp filtered netbios-ssn
443/tcp filtered https
445/tcp open microsoft-ds
514/tcp filtered shell
8080/tcp open http-proxy
32768/tcp open filenet-tms
52869/tcp open unknown
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (97%), Linux 4.4 (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.79 seconds
3. Xprobe2 (dedicated to OS identification, but not very accurate)
root@root:~# xprobe2 192.168.1.1
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is 192.168.1.1
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distan
4. Passive OS identification
- Active scanning: send packets to the target and judge its OS type from the responses;
- Passive scanning: send nothing to the target; identify its OS by capturing and listening to traffic.
root@root:~# p0f
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn) ]-
|
| client = 192.168.37.131/38136
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| client = 192.168.37.131/38136
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn+ack) ]-
|
| server = 96.17.15.27/80
| os = ???
| dist = 0
| params = none
| raw_sig = 4:128+0:0:1460:mss*44,0:mss::0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| server = 96.17.15.27/80
| link = Ethernet or modem
| raw_mtu = 1500
|
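To make p0f's results usable in a detection pipeline, its boxed console output has to be turned into records. The parser below is an added example, not part of p0f or of the original notes; it reads the two complete boxes shown above (the client SYN and the server SYN+ACK) and decodes `raw_sig` using p0f v3's documented TCP signature layout, `ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass`, where `64+0` is the TTL p0f observed plus its distance estimate. The field names in the returned dicts are this example's own.

```python
import re

HEADER_RE = re.compile(r"^\.-\[ (?P<src>\S+) -> (?P<dst>\S+) \((?P<kind>[\w+]+)\) \]-$")
FIELD_RE = re.compile(r"^\| (?P<key>\w+)\s*=\s*(?P<value>.*)$")


def parse_tcp_sig(sig):
    """Decode a p0f v3 TCP signature: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass."""
    parts = sig.split(":")
    if len(parts) != 8:
        raise ValueError("unexpected signature layout: %r" % sig)
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = parts
    # p0f prints the TTL it saw plus its distance estimate, e.g. "64+0" or "54+?"
    if "+" in ittl:
        seen, dist = ittl.split("+", 1)
        seen = int(seen)
        dist = None if dist == "?" else int(dist)
    else:
        seen, dist = int(ittl), 0
    wsize, scale = wsize_scale.split(",", 1)
    return {
        "ip_version": None if ver == "*" else int(ver),
        "observed_ttl": seen,
        "distance": dist,
        "initial_ttl": None if dist is None else seen + dist,
        "ip_opt_len": int(olen),
        "mss": None if mss == "*" else int(mss),
        "window": wsize,
        "wscale": None if scale == "*" else int(scale),
        "options": olayout.split(",") if olayout else [],
        "quirks": quirks.split(",") if quirks else [],
        "payload_class": None if pclass == "*" else int(pclass),
    }


def parse_p0f_console(text):
    """Turn p0f's boxed console output into one dict per box, with raw_sig decoded."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"src": m.group("src"), "dst": m.group("dst"), "kind": m.group("kind")}
            continue
        if current is None:
            continue
        if line.startswith("`----"):          # end of box
            if "raw_sig" in current and current["kind"] in ("syn", "syn+ack"):
                current["sig"] = parse_tcp_sig(current["raw_sig"])
            records.append(current)
            current = None
            continue
        f = FIELD_RE.match(line)              # "| key = value"; bare "|" lines are skipped
        if f:
            current[f.group("key")] = f.group("value").strip()
    return records


# Two boxes copied from the p0f output above (the client SYN and the server SYN+ACK).
SAMPLE = """\
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn) ]-
|
| client   = 192.168.37.131/38136
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn+ack) ]-
|
| server   = 96.17.15.27/80
| os       = ???
| dist     = 0
| params   = none
| raw_sig  = 4:128+0:0:1460:mss*44,0:mss::0
|
`----
"""

if __name__ == "__main__":
    for rec in parse_p0f_console(SAMPLE):
        print(rec["kind"], rec.get("client") or rec.get("server"), rec["os"],
              "initial TTL", rec["sig"]["initial_ttl"], "quirks", rec["sig"]["quirks"])
```

The server box shows why the raw signature is worth keeping even when `os = ???`: p0f matched no fingerprint, but the decoded initial TTL of 128 and the bare `mss`-only option layout are still evidence, and can be matched later when a signature is added. Because nothing is sent to the target, this is the passive method from the list above; it only ever sees hosts that happen to talk on the monitored interface.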