服务扫描
banner捕获
软件开发商
软件名称
服务类型
版本号
直接发现已知的漏洞和弱点
连接建立后直接获取banner
另类服务识别方法
特征行为和响应字段
不同的响应可用于识别底层的操作系统,但是管理员可以伪造banner信息导致扫描不准确
nc
nc -nv 192.168.1.134 25 获取服务banner
python socket
使用python socket模块用于连接网络服务扫描
可以编写脚本获取banner信息
root@root:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket #导入socket模块
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM) #SOCK_STREAM表示TCP连接
>>> banner.connect(("192.168.37.128",25)) #连接的IP地址和端口
>>> banner.recv(4096) #接收响应数据,最多4096字节
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n' #获取到的Banner信息
>>> banner.close() #关闭连接
>>> exit()
脚本编写
在很多情况下,系统的banner信息不允许抓取,recv函数在无返回时会一直阻塞;针对这个问题,写如下脚本进行处理:
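#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: 橘子女侠
# Time: 2019/04/14
# Scan a TCP port range and print the banner each open port volunteers on
# connect; ports that refuse the connection or stay silent are skipped.
"""Banner grabber.

Usage: ./banner_grab.py [Target.IP] [First Port] [Last Port]

Both port bounds are inclusive.  A port is reported only when the TCP
connection succeeds and the service sends data within the timeout; a
port that accepts the connection and closes it without sending anything
is reported with an empty banner.  Banner bytes are untrusted input:
they are reduced to printable ASCII before being written to the
terminal, so control sequences embedded in a banner cannot alter the
terminal state.
"""
from __future__ import print_function

import select
import socket
import sys

__all__ = ["grab_banner", "sanitize_banner", "main"]

# Seconds to wait for the TCP handshake and, separately, for the first
# bytes of the banner (the original script used a 1 second select()).
TIMEOUT = 1.0
# Maximum number of banner bytes read from a single port.
RECV_SIZE = 4096


def sanitize_banner(data):
    """Return *data* (bytes) as a str containing only printable ASCII.

    Trailing whitespace (the usual CRLF terminator) is dropped; every
    remaining byte outside 0x20..0x7E is replaced with ".", so the result
    is safe to echo to a terminal regardless of what the remote service
    sent.
    """
    raw = bytearray(data.rstrip())
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def grab_banner(ip, port, timeout=TIMEOUT):
    """Connect to ``ip:port`` and return its sanitised banner, or None.

    Args:
        ip: target host (IP address or name accepted by the resolver).
        port: TCP port number.
        timeout: seconds allowed for the handshake, and again for the
            service to send its first bytes.

    Returns:
        The sanitised banner text ("" if the peer closed without sending
        anything) when the connection succeeded and became readable
        within *timeout*; None when the connection failed, timed out, or
        the service stayed silent (many services expect the client to
        speak first).  The socket is always closed before returning.
    """
    try:
        sock = socket.create_connection((ip, port), timeout)
    except socket.error:
        return None
    try:
        readable, _, _ = select.select([sock], [], [], timeout)
        if not readable:
            return None
        data = sock.recv(RECV_SIZE)
    except (socket.error, select.error):
        return None
    finally:
        sock.close()
    return sanitize_banner(data)


def _parse_args(argv):
    """Validate the command line and return (ip, first_port, last_port).

    Prints the usage text to stderr and exits with status 2 when the
    argument count is wrong, a port is not an integer, or the range is
    reversed or outside 1..65535.
    """
    usage = ("Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]\n"
             "Example - ./banner_grab.py 1.1.1.1 1 100")
    if len(argv) != 4:
        print(usage, file=sys.stderr)
        sys.exit(2)
    ip = argv[1]
    try:
        start, end = int(argv[2]), int(argv[3])
    except ValueError:
        print(usage, file=sys.stderr)
        sys.exit(2)
    if not (1 <= start <= end <= 65535):
        print("Port range must satisfy 1 <= first <= last <= 65535",
              file=sys.stderr)
        sys.exit(2)
    return ip, start, end


def main(argv=None):
    """Entry point: scan the requested range and print each banner found."""
    ip, start, end = _parse_args(sys.argv if argv is None else argv)
    # Inclusive upper bound: range(start, end) silently skipped the
    # "Last Port" the user asked for.
    for port in range(start, end + 1):
        banner = grab_banner(ip, port)
        if banner is not None:
            print("TCP Port " + str(port) + "." + banner)


if __name__ == "__main__":
    main()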
dmitry
dmitry -pb 172.16.36.135
nmap
nmap -sT 192.168.101.22 -p 25 --script=banner.nse 调用banner.nse脚本识别应用
nmap 1.1.1.1 -p1-100 -sV 使用指纹来识别(实际使用指纹识别效果更好,指纹就是主流程序的一些签名,nmap底层有一个hash签名库,将这些主流签名hash值签名匹配,准确度的话比匹配端口和banner等高的多)应用,结果更加准确,效果也好,nmap确实很强大
amap
amap -B 172.16.36.135 21 通过banner识别应用
amap -B 172.16.36.135 1-65535
amap -B 172.16.36.135 1-65535 | grep on
amap 172.16.36.135 21 不使用banner来识别应用
amap 172.16.36.135 20-30
amap 172.16.36.135 20-30 -q (-q:显示清晰;-b:显示详细信息)
amap 172.16.36.135 20-30 -q
操作系统识别
操作系统识别技术
TTL起始值
windows:128(65-128)
linux/unix:64(1-64)
某些unix:255
如果被扫描者想通过隐藏或伪造自己的信息来迷惑扫描者,那么扫描者可以使用基于不同扫描技术的工具进行交叉验证。这样被扫描者需要隐藏的信息就比较多了
一般来说总会有破绽存在
scapy
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> win="192.168.37.128"
>>> linux="192.168.37.143"
>>> aw=sr1(IP(dst=win)/ICMP())
Begin emission:
..*Finished to send 1 packets.
Received 3 packets, got 1 answers, remaining 0 packets
>>> aw.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 1213
flags=
frag= 0L
ttl= 128
proto= icmp
chksum= 0x69d0
src= 192.168.37.128
dst= 192.168.37.131
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>> al=sr1(IP(dst=linux)/ICMP())
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> al.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 31514
flags=
frag= 0L
ttl= 64
proto= icmp
chksum= 0x3364
src= 192.168.37.143
dst= 192.168.37.131
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
根据ttl来写python脚本扫描
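#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: 橘子女侠
# Guess the operating-system family of a host from the TTL field of its
# ICMP echo reply.
"""TTL-based OS guess.

Usage: ./ttl_os.py <target IP>

Operating systems start the IP TTL at a characteristic value (64 for
Linux/Unix, 128 for Windows, 255 for some Unix systems) and every router
on the path decrements it by one, so the value seen in a reply falls
into one of the bands 1..64, 65..128 or 129..255.  The guess is only a
hint: a host more than 64 hops away, or one whose administrator changed
the default TTL, will be misclassified.
"""
from __future__ import print_function

import sys

__all__ = ["classify_ttl", "main"]

# Upper edge of each TTL band; anything above WINDOWS_MAX_TTL is treated
# as the 255-start class.
LINUX_MAX_TTL = 64
WINDOWS_MAX_TTL = 128


def classify_ttl(ttl):
    """Map an observed TTL to an OS-family label.

    Args:
        ttl: TTL from the IP header of the reply; anything int() accepts.

    Returns:
        "Host is Linux/Unix" for 0..64, "Host is Windows" for 65..128,
        "Host is Unix (TTL 255 class)" for 129..255.

    Raises:
        ValueError: if *ttl* is not an integer in 0..255.
    """
    ttl = int(ttl)
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range: %d" % ttl)
    if ttl <= LINUX_MAX_TTL:
        return "Host is Linux/Unix"
    if ttl <= WINDOWS_MAX_TTL:
        return "Host is Windows"
    # The original script lumped this band in with Windows; 255-start
    # stacks are a distinct class per the TTL table in the notes.
    return "Host is Unix (TTL 255 class)"


def main(argv=None):
    """Send one ICMP echo request and print the OS guess for the reply.

    Exits with status 2 on bad arguments.  Prints
    "No response was returned" when no reply arrives within one second.
    Requires raw-socket privileges (scapy's sr1).
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        print("Usage - ./ttl_os.py [IP adress]", file=sys.stderr)
        print("Example - ./ttl_os.py 1.1.1.1", file=sys.stderr)
        sys.exit(2)
    # Imported here so the pure classify_ttl helper can be used and
    # tested without scapy installed.
    from scapy.all import IP, ICMP, sr1

    ip = argv[1]
    ans = sr1(IP(dst=str(ip)) / ICMP(), timeout=1, verbose=0)
    if ans is None:
        print("No response was returned")
    else:
        print(classify_ttl(ans[IP].ttl))


if __name__ == "__main__":
    main()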
nmap
nmap -O 192.168.1.133 信息很多,nmap牛皮
xprobe2
xprobe2 192.168.1.133 结果偏差比较大,不准确不用
被动操作系统识别
主要通过抓包分析
被动扫描
p0f
root@root:~# p0f
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn) ]-
|
| client = 192.168.37.131/38136
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| client = 192.168.37.131/38136
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn+ack) ]-
|
| server = 96.17.15.27/80
| os = ???
| dist = 0
| params = none
| raw_sig = 4:128+0:0:1460:mss*44,0:mss::0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| server = 96.17.15.27/80
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (http request) ]-
|
| client = 192.168.37.131/38136
| app = Safari 5.1-6
| lang = English
| params = dishonest
| raw_sig = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],?Cache-Control,Pragma=[no-cache],Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (http response) ]-
|
| server = 96.17.15.27/80
| app = ???
| lang = none
| params = none
| raw_sig = 1:Content-Type,?Content-Length,?Last-Modified,?ETag,Accept-Ranges=[bytes],Server,X-Amz-Cf-Id=[kUgYdtbDIrNX_jkcyy6MvN4hq0Cy_EscpxcYwco2FM-wif_8vyNkzA==],?Cache-Control,Date,Connection=[keep-alive]:Keep-Alive:AmazonS3
|
`----
^C[!] WARNING: User-initiated shutdown.
All done. Processed 15 packets.
root@root:~# uname -a
Linux root 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux
p0f结合arp地址欺骗识别全网OS,将流量导入到这台