Service scanning:
A service cannot be identified simply by its port number: a target with port 80 open is not necessarily running an HTTP service there. The target has to be service-scanned to identify what service actually sits behind each open port and which application is running it.
1. Service scanning: Banner grabbing (simple but inaccurate)
- Connect to a port on the server and read the banner it returns; there may be no banner at all, or the administrator may have forged it.
- A banner can reveal the software vendor, software name, service type and version number (which points directly at known vulnerabilities and weaknesses).
- Capturing banner information requires a complete TCP connection.
- Alternative service-identification methods: 1. characteristic behaviour and response fields; 2. differences in responses can also be used to identify the underlying operating system.
(1) nc
root@root:~# nc -nv 192.168.37.128 25
(UNKNOWN) [192.168.37.128] 25 (smtp) open
220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
root@root:~# nc -nv 192.168.37.128 80
(UNKNOWN) [192.168.37.128] 80 (http) open
get
HTTP/1.1 400 Bad Request
Date: Sun, 14 Apr 2019 05:32:15 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
root@root:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>> banner.connect(("192.168.37.128",25))
>>> banner.recv(4096)
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n'
>>> banner.close()
>>> exit()
(2) socket: used to connect to network services
root@root:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket # import the socket module
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM) # SOCK_STREAM means a TCP connection
>>> banner.connect(("192.168.37.128",25)) # IP address and port to connect to
>>> banner.recv(4096) # read up to 4096 bytes of the reply
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n' # the banner that was returned
>>> banner.close() # close the connection
>>> exit()
In many cases the system does not allow its banner to be grabbed; recv() then receives nothing and blocks (hangs). The following script handles this problem:
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: 橘子女侠
# Time: 2019/04/14
# This script grabs banners over a range of ports; if a banner cannot be obtained, the port is skipped.
import socket
import select
import sys

if len(sys.argv) != 4:
    print "Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]"
    print "Example - ./banner_grab.py 1.1.1.1 1 100"
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):  # end + 1 so that [Last Port] itself is scanned
    try:
        bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        bangrab.settimeout(1)  # added: do not hang in connect() on filtered ports
        bangrab.connect((ip, port))
        ready = select.select([bangrab], [], [], 1)  # wait at most 1 second for a banner
        if ready[0]:
            print "TCP Port " + str(port) + "." + bangrab.recv(4096)
        bangrab.close()
    except:
        pass  # closed port, refused connection or no banner: skip silently
Results:
root@root:~# chmod +x ./banner.py
root@root:~# ./banner.py 192.168.37.128 1 200
TCP Port 25.220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
TCP Port 110.+OK WIN-N7TAB1239LM.st13.com Winmail Mail Server POP3 ready
TCP Port 143.* OK IMAP4 ready! WIN-N7TAB1239LM.st13.com Winmail Mail Server MagicWinmail Extend IMAP 102
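As an added example (not the author's script and not part of the original post), here is a Python 3 version of the same banner grab that solves the hanging-recv() problem with a timeout and, when the service stays silent the way the port-80 web server did until it received a request, sends a single HTTP request before giving up, then classifies the banner by its protocol greeting (SMTP 220, POP3 +OK, IMAP * OK, HTTP Server header). The listener on 127.0.0.1, the sample banners and the HEAD probe are all constructed for the demonstration.

```python
import socket
import threading

SAMPLE_SMTP = "220 mail.example.test ESMTP ready\r\n"  # constructed, not from a real host
SAMPLE_HTTP = "HTTP/1.1 400 Bad Request\r\nServer: Apache/2.4.23 (Win32)\r\n\r\n"  # constructed
GREETINGS = (("220 ", "smtp"), ("+OK", "pop3"), ("* OK", "imap"))  # services that speak first

def _recv(s, probe=None):
    try:
        if probe:                      # optionally send a probe before reading
            s.sendall(probe)
        return s.recv(4096)
    except (socket.timeout, OSError):  # timeout or reset: treat as "no banner"
        return b""

def grab_banner(host, port, timeout=2.0, probe=b"HEAD / HTTP/1.0\r\n\r\n"):
    """Return the first data a service sends, or None. SMTP/POP3/IMAP greet on their
    own; HTTP stays silent until asked, so after the timeout we probe once. Never hangs."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = _recv(s)                # passive: wait up to `timeout` for a greeting
        if not data and probe:         # silent service: send the probe, read again
            data = _recv(s, probe)
    return data.decode("latin-1") if data else None

def classify_banner(banner):
    """Guess (service, product) from the protocol greeting in a banner."""
    first, *rest = (banner or "").split("\r\n")
    if first.startswith("HTTP/"):      # product, if any, is in the Server: header
        srv = [l for l in rest if l.lower().startswith("server:")]
        return ("http", srv[0].split(":", 1)[1].strip() if srv else None)
    for prefix, name in GREETINGS:
        if first.startswith(prefix):
            return (name, first[len(prefix):].strip())
    return ("unknown", first or None)

def grab_from_local(greeting):
    """Throwaway listener on 127.0.0.1 that sends `greeting` (empty = silent, HTTP-like)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    def serve():
        conn, _ = listener.accept()
        with conn:
            if not greeting:           # HTTP-like: answer only after a request arrives
                conn.recv(1024)
            conn.sendall((greeting or SAMPLE_HTTP).encode())
    threading.Thread(target=serve, daemon=True).start()
    try:
        return grab_banner("127.0.0.1", listener.getsockname()[1])
    finally:
        listener.close()
```

Against a real host, call grab_banner(ip, port) for each open port from the nmap or dmitry output; the silent case costs one timeout per port, so keep the timeout short when sweeping a range.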
(3) dmitry
root@root:~# dmitry -pb 192.168.37.128
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:192.168.37.128
HostName:bogon
Gathered TCP Port information for 192.168.37.128
---------------------------------
Port State
25/tcp open
>> 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
53/tcp open
Portscan Finished: Scanned 150 ports, 147 ports were in state closed
All scans completed, exiting
(4) nmap
Use the scripts shipped with nmap (/usr/share/nmap/scripts/):
root@root:~# nmap -sT 192.168.37.128 -p 25 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:40 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00046s latency).
PORT STATE SERVICE
25/tcp open smtp
|_banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) sca