Firewall identification
Discover the firewall's filtering rules and which ports are open, as stealthily as possible.
We do not want the firewall to notice our scanning, so the goal of scanning the firewall is to send packets, examine the replies, and identify which ports the firewall filters.
Devices vary widely, so the results carry some margin of error.
The firewall's filtering rules can be judged from the following four cases.
#!/usr/bin/env python3
# Determine whether a firewall filters a port by comparing the replies to a SYN probe and a bare ACK probe.
# (The original note said this script "has a small problem"; the fixes are marked below.)
from scapy.all import IP, TCP, sr1
import sys

if len(sys.argv) != 3:
    print("This script needs 2 args!\nExample: ./firewall_detect.py 192.168.0.0 80")
    sys.exit(1)

ip = sys.argv[1]
port = int(sys.argv[2])

# Send one SYN and one bare ACK to the target port, waiting up to 1 s for each reply
SYN_response = sr1(IP(dst=ip) / TCP(flags="S", dport=port), timeout=1, verbose=0)
ACK_response = sr1(IP(dst=ip) / TCP(flags="A", dport=port), timeout=1, verbose=0)

def tcp_flags(pkt):
    """TCP flags of a reply as a string such as 'SA' or 'RA'; None if there was no reply or the reply
    has no TCP layer (e.g. an ICMP unreachable).
    Fixed: the original compared ACK_response against the string "None" and indexed [TCP] on a None reply."""
    if pkt is None or not pkt.haslayer(TCP):
        return None
    return str(pkt[TCP].flags)

syn_flags = tcp_flags(SYN_response)
ack_flags = tcp_flags(ACK_response)

if syn_flags is None and ack_flags is None:
    print("1. Port is filtered or host is down!")
elif syn_flags in ("SA", "RA") and ack_flags is None:
    # SYN gets an answer but the unsolicited ACK is dropped: a stateful firewall sits in front of the port
    print("2. Port is filtered!")
elif syn_flags == "SA" and ack_flags == "R":   # SYN/ACK (flags value 18) and RST to the bare ACK
    print("3. Port is unfiltered and open")
elif syn_flags == "RA" and ack_flags == "R":   # RST/ACK (flags value 20) and RST to the bare ACK
    print("4. Port is unfiltered and closed")
else:
    print("Inconclusive: unexpected combination of replies, inspect the packets manually")
Identifying the firewall with Nmap
The results are mapped onto the same table.
By default the scan sends SYN packets; look at what comes back:
nmap -p22 192.168.1.1
Then send an ACK packet and look at the reply:
nmap -p22 192.168.1.1 -sA
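The four cases above and the two Nmap scans can be combined in one decision function. This is an added example, not code from the original notes: it parses the port lines of a SYN scan (-sS) and an ACK scan (-sA) report and derives a verdict per port, and it also covers a fifth combination the notes do not list (SYN filtered but ACK unfiltered, which points to a stateless filter that only drops SYNs). The scan reports below are constructed samples.

```python
import re

# One port line of nmap's normal output, e.g. "22/tcp open  ssh" or "443/tcp filtered https"
PORT_LINE = re.compile(r"^(\d+)/tcp\s+(open\|filtered|open|closed|filtered|unfiltered)\b")

def parse_states(nmap_output):
    """Map port number -> state for every port line in an nmap text report."""
    states = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(2)
    return states

def classify(syn_state, ack_state):
    """Combine a SYN-scan state and an ACK-scan state into a firewall verdict."""
    if syn_state == "filtered" and ack_state == "filtered":
        return "filtered or host down"                      # case 1: neither probe is answered
    if syn_state in ("open", "closed") and ack_state == "filtered":
        return "filtered (stateful: unsolicited ACK dropped)"  # case 2
    if syn_state == "open" and ack_state == "unfiltered":
        return "unfiltered, open"                           # case 3
    if syn_state == "closed" and ack_state == "unfiltered":
        return "unfiltered, closed"                         # case 4
    if syn_state == "filtered" and ack_state == "unfiltered":
        return "stateless filter drops SYN only; port status unknown"  # extra case
    return "inconclusive"

def firewall_verdicts(syn_output, ack_output):
    """Ports missing from a report count as filtered (nmap hides them under 'Not shown: N filtered ports')."""
    syn, ack = parse_states(syn_output), parse_states(ack_output)
    return {p: classify(syn.get(p, "filtered"), ack.get(p, "filtered")) for p in sorted(set(syn) | set(ack))}

# Constructed sample reports (not real scan results)
SYN_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   closed   http
443/tcp  filtered https
3389/tcp filtered ms-wbt-server
"""
ACK_SCAN = """\
PORT     STATE      SERVICE
22/tcp   unfiltered ssh
80/tcp   unfiltered http
443/tcp  unfiltered https
3389/tcp filtered   ms-wbt-server
"""
print(firewall_verdicts(SYN_SCAN, ACK_SCAN))
```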
Load balancer identification
Wide-area load balancing: the principle can be understood as DNS round-robin load balancing; when a domain name is accessed it resolves to several IP addresses.
Based on intelligent DNS, the IP returned differs by region.
Server load balancing: application-layer load balancing such as NGINX or Apache; it can of course also be done with network-layer load-balancing devices.
Software development also has component-level load balancing.
During the scanning phase it is necessary to find out how many servers sit behind the same domain name; because of poor administrator configuration, these servers may have different security levels.
Load balancer identification with lbd
lbd www.baidu.com
root@kali:~# lbd www.sina.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: NOT FOUND
Checking for HTTP-Loadbalancing [Server]:
nginx
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 04:14:22, 04:14:22, 04:14:22, 04:14:22, 04:14:22, 04:14:22, 04:14:22, 04:14:23, 04:14:23, 04:14:23, 04:14:23, ^C
root@kali:~# lbd www.baidu.com
lbd - load balancing detector 0.4 - Checks if a given domain uses load-balancing.
Written by Stefan Behte (http://ge.mine.nu)
Proof-of-concept! Might give false positives.
Checking for DNS-Loadbalancing: FOUND
www.baidu.com has address 180.101.49.11
www.baidu.com has address 180.101.49.12
Checking for HTTP-Loadbalancing [Server]:
bfe/1.0.8.18
NOT FOUND
Checking for HTTP-Loadbalancing [Date]: 04:14:29, 04:14:29, 04:14:29, 04:14:29, 04:14:29, 04:14:29, 04:14:29, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:30, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:31, 04:14:33, 04:14:33, 04:14:33, 04:14:33, 04:14:33, 04:14:33, 04:14:33, NOT FOUND
Checking for HTTP-Loadbalancing [Diff]: NOT FOUND
www.baidu.com does Load-balancing. Found via Methods: DNS
Reference: Kali Linux Penetration Testing, Service Scanning (Part 3): Firewall Identification, Load Balancer Identification, WAF Identification
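The four checks lbd prints above (DNS, HTTP [Server], HTTP [Date], HTTP [Diff]) reduce to simple comparisons over the resolved addresses and the response headers. The function below is an added example written for these notes, not lbd's own code: it takes the addresses a name resolved to and the headers of consecutive HTTP responses, and flags DNS balancing when several addresses exist, Server balancing when banners differ, Date balancing when a Date header goes backwards (answers coming from hosts with different clocks), and Diff balancing when the non-Date header set differs. The sample responses are constructed, loosely modelled on the baidu output above.

```python
from email.utils import parsedate_to_datetime

def detect_load_balancing(addresses, responses):
    """Return the detection methods that fired, in lbd's order: DNS, HTTP [Server], HTTP [Date], HTTP [Diff]."""
    methods = []
    # DNS: more than one distinct address for the same name
    if len(set(addresses)) > 1:
        methods.append("DNS")
    # HTTP [Server]: different backends may advertise different Server banners
    servers = {h.get("Server", "") for h in responses}
    if len(servers) > 1:
        methods.append("HTTP [Server]")
    # HTTP [Date]: a Date earlier than the previous answer's means a backend with a different clock replied
    dates = [parsedate_to_datetime(h["Date"]) for h in responses if "Date" in h]
    if any(later < earlier for earlier, later in zip(dates, dates[1:])):
        methods.append("HTTP [Date]")
    # HTTP [Diff]: the header set (ignoring the volatile Date) differs between answers
    shapes = {tuple(sorted((k, v) for k, v in h.items() if k != "Date")) for h in responses}
    if len(shapes) > 1:
        methods.append("HTTP [Diff]")
    return methods

def report(host, addresses, responses):
    methods = detect_load_balancing(addresses, responses)
    if not methods:
        return f"{host} does NOT use Load-balancing."
    return f"{host} does Load-balancing. Found via Methods: {', '.join(methods)}"

# Constructed samples (not captured traffic): two A records, one Server banner, monotonic Date
ADDRS = ["180.101.49.11", "180.101.49.12"]
RESPONSES = [
    {"Server": "bfe/1.0.8.18", "Date": "Mon, 02 Mar 2020 04:14:29 GMT", "Content-Type": "text/html"},
    {"Server": "bfe/1.0.8.18", "Date": "Mon, 02 Mar 2020 04:14:30 GMT", "Content-Type": "text/html"},
    {"Server": "bfe/1.0.8.18", "Date": "Mon, 02 Mar 2020 04:14:30 GMT", "Content-Type": "text/html"},
]
# Second constructed sample: a single address, but the third answer's clock is behind the second one's
SKEWED = [
    {"Server": "nginx", "Date": "Mon, 02 Mar 2020 04:14:22 GMT"},
    {"Server": "nginx", "Date": "Mon, 02 Mar 2020 04:14:23 GMT"},
    {"Server": "nginx", "Date": "Mon, 02 Mar 2020 04:14:21 GMT"},
]

if __name__ == "__main__":
    print(report("www.baidu.com", ADDRS, RESPONSES))
    print(report("www.example.com", ["203.0.113.10"], SKEWED))
```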
WAF identification
WAF (Web Application Firewall). Using the internationally accepted definition: a Web application firewall is a product that specifically protects Web applications by enforcing a set of security policies on HTTP/HTTPS traffic.
Usage
wafw00f -l
Lists the WAFs that wafw00f can detect:
root@kali:~# wafw00f -l
~ WAFW00F : v2.1.0 ~
The Web Application Firewall Fingerprinting Toolkit
[+] Can test for these WAFs:
WAF Name Manufacturer
-------- ------------
ACE XML Gateway Cisco
aeSecure aeSecure
AireeCDN Airee
Airlock Phion/Ergon
Alert Logic Alert Logic
AliYunDun Alibaba Cloud Computing
Anquanbao Anquanbao
AnYu AnYu Technologies
Approach Approach
AppWall Radware
Armor Defense Armor
ArvanCloud ArvanCloud
ASP.NET Generic Microsoft
ASPA Firewall ASPA Engineering Co.
Astra Czar Securities
AWS Elastic Load Balancer Amazon
AzionCDN AzionCDN
Azure Front Door Microsoft
Barikode Ethic Ninja
Barracuda Barracuda Networks
Bekchy Faydata Technologies Inc.
Beluga CDN Beluga
BIG-IP Local Traffic Manager F5 Networks
BinarySec BinarySec
BitNinja BitNinja
BlockDoS BlockDoS
Bluedon Bluedon IST
BulletProof Security Pro AITpro Security
CacheWall Varnish
CacheFly CDN CacheFly
Comodo cWatch Comodo CyberSecurity
CdnNS Application Gateway CdnNs/WdidcNet
ChinaCache Load Balancer ChinaCache
Chuang Yu Shield Yunaq
Cloudbric Penta Security
Cloudflare Cloudflare Inc.
Cloudfloor Cloudfloor DNS
Cloudfront Amazon
CrawlProtect Jean-Denis Brun
DataPower IBM
DenyALL Rohde & Schwarz CyberSecurity
Distil Distil Networks
DOSarrest DOSarrest Internet Security
DotDefender Applicure Technologies
DynamicWeb Injection Check DynamicWeb
Edgecast Verizon Digital Media
Eisoo Cloud Firewall Eisoo
Expression Engine EllisLab
BIG-IP AppSec Manager F5 Networks
BIG-IP AP Manager F5 Networks
Fastly Fastly CDN
FirePass F5 Networks
FortiWeb Fortinet
GoDaddy Website Protection GoDaddy
Greywizard Grey Wizard
Huawei Cloud Firewall Huawei
HyperGuard Art of Defense
Imunify360 CloudLinux
Incapsula Imperva Inc.
IndusGuard Indusface
Instart DX Instart Logic
ISA Server Microsoft
Janusec Application Gateway Janusec
Jiasule Jiasule
Kona SiteDefender Akamai
KS-WAF KnownSec
KeyCDN KeyCDN
LimeLight CDN LimeLight
LiteSpeed LiteSpeed Technologies
Open-Resty Lua Nginx FLOSS
Oracle Cloud Oracle
Malcare Inactiv
MaxCDN MaxCDN
Mission Control Shield Mission Control
ModSecurity SpiderLabs
NAXSI NBS Systems
Nemesida PentestIt
NevisProxy AdNovum
NetContinuum Barracuda Networks
NetScaler AppFirewall Citrix Systems
Newdefend NewDefend
NexusGuard Firewall NexusGuard
NinjaFirewall NinTechNet
NullDDoS Protection NullDDoS
NSFocus NSFocus Global Inc.
OnMessage Shield BlackBaud
Palo Alto Next Gen Firewall Palo Alto Networks
PerimeterX PerimeterX
PentaWAF Global Network Services
pkSecurity IDS pkSec
PT Application Firewall Positive Technologies
PowerCDN PowerCDN
Profense ArmorLogic
Puhui Puhui
Qiniu Qiniu CDN
Reblaze Reblaze
RSFirewall RSJoomla!
RequestValidationMode Microsoft
Sabre Firewall Sabre
Safe3 Web Firewall Safe3
Safedog SafeDog
Safeline Chaitin Tech.
SecKing SecKing
eEye SecureIIS BeyondTrust
SecuPress WP Security SecuPress
SecureSphere Imperva Inc.
Secure Entry United Security Providers
SEnginx Neusoft
ServerDefender VP Port80 Software
Shield Security One Dollar Plugin
Shadow Daemon Zecure
SiteGround SiteGround
SiteGuard Sakura Inc.
Sitelock TrueShield
SonicWall Dell
UTM Web Protection Sophos
Squarespace Squarespace
SquidProxy IDS SquidProxy
StackPath StackPath
Sucuri CloudProxy Sucuri Inc.
Tencent Cloud Firewall Tencent Technologies
Teros Citrix Systems
Trafficshield F5 Networks
TransIP Web Firewall TransIP
URLMaster SecurityCheck iFinity/DotNetNuke
URLScan Microsoft
UEWaf UCloud
Varnish OWASP
Viettel Cloudrity
VirusDie VirusDie LLC
Wallarm Wallarm Inc.
WatchGuard WatchGuard Technologies
WebARX WebARX Security Solutions
WebKnight AQTRONIX
WebLand WebLand
RayWAF WebRay Solutions
WebSEAL IBM
WebTotem WebTotem
West263 CDN West263CDN
Wordfence Defiant
WP Cerber Security Cerber Tech
WTS-WAF WTS
360WangZhanBao 360 Technologies
XLabs Security WAF XLabs
Xuanwudun Xuanwudun
Yundun Yundun
Yunsuo Yunsuo
Yunjiasu Baidu Cloud Computing
YXLink YxLink Technologies
Zenedge Zenedge
ZScaler Accenture
Identifying a site's WAF
wafw00f http://www.baidu.com
Nmap WAF detection script
root@kali:~# nmap www.baidu.com --script=http-waf-detect.nse
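Nmap's http-waf-detect works behaviourally rather than by signature: it sends a benign request, then requests carrying attack-like parameters, and reports a WAF when the status code or body changes. The function below is an added example for these notes, not the script's own code, and works on already-captured responses so it runs offline: it compares a baseline response with a probe response and flags a changed status, a body that differs well beyond normal dynamic drift, or a changed Server header. All responses are constructed.

```python
from difflib import SequenceMatcher

def waf_suspected(baseline, probe, body_threshold=0.8):
    """Compare the response to a benign request with the response to an attack-like probe.

    Each response is a dict with 'status', 'headers' and 'body'. Returns (suspected, reason)."""
    if probe["status"] != baseline["status"]:
        return True, f"status changed {baseline['status']} -> {probe['status']}"
    # Same status: measure how different the bodies are; small dynamic changes (timestamps, nonces) are normal,
    # a block page served with a 200 is not
    similarity = SequenceMatcher(None, baseline["body"], probe["body"]).ratio()
    if similarity < body_threshold:
        return True, f"body similarity {similarity:.2f} below {body_threshold}"
    # A device in the path may answer the probe itself with a different Server banner; a hint, not proof
    server = probe["headers"].get("Server")
    if server and server != baseline["headers"].get("Server"):
        return True, f"Server header changed to {server!r}"
    return False, "responses consistent"

# Constructed responses (not captured traffic)
BASELINE = {"status": 200, "headers": {"Server": "nginx"},
            "body": "<html><body>Welcome, it is 04:14:22</body></html>"}
BLOCKED = {"status": 403, "headers": {"Server": "nginx"},
           "body": "<html>Request blocked</html>"}
SAME_STATUS_PAGE = {"status": 200, "headers": {"Server": "nginx"},
                    "body": "<html><body>Sorry, your request looks malicious and was dropped.</body></html>"}
BENIGN_DRIFT = {"status": 200, "headers": {"Server": "nginx"},
                "body": "<html><body>Welcome, it is 04:14:23</body></html>"}

if __name__ == "__main__":
    for name, probe in [("blocked", BLOCKED), ("same status", SAME_STATUS_PAGE), ("drift", BENIGN_DRIFT)]:
        print(name, waf_suspected(BASELINE, probe))
```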