Penetration Testing: Active Information Gathering (3)
Active information gathering
- Interacts directly with the target system
- Leaving traces of the access cannot be avoided
- Probe from a controlled third-party machine
- Use proxies or hosts that are already under control
- Be prepared to get blocked
- Use noise to confuse the target and drown the real probe traffic
- Scanning
- Send different probes and judge the target's state from what comes back
Discovery
- Identify live hosts
- Potential attack targets
- Output: a list of IP addresses
- Layer 2, 3 and 4 discovery (OSI seven-layer model)
Discovery: Layer 2 (data link layer)
- Discovers IP addresses, not ports
- Advantages: fast and reliable
- Disadvantages: not routable
- ARP protocol
- Packet capture
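Packet capture is listed above as the way to look at ARP on the wire. As an added example (not code from the original notes), the following standard-library parser decodes Ethernet/ARP frames and builds a live-host table passively from the senders it sees, the way a passive sniffer does. The three frames are constructed for this example, not captured anywhere; the MAC-consistency check is an extra sanity check, since a reply whose Ethernet source MAC disagrees with the ARP sender MAC is something for a defender to investigate rather than trust.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}

# Constructed sample frames (not captured from any real network). Each is
# Ethernet II + ARP: a 14-byte Ethernet header followed by a 28-byte ARP body.
SAMPLE_ARP_REPLY = bytes.fromhex(
    "000c29aabbcc"    # Ethernet destination MAC
    "005056112233"    # Ethernet source MAC
    "0806"            # EtherType: ARP
    "0001" "0800"     # hardware type Ethernet, protocol type IPv4
    "06" "04"         # hardware / protocol address lengths
    "0002"            # opcode 2: reply
    "005056112233"    # sender MAC
    "c0a80101"        # sender IP 192.168.1.1
    "000c29aabbcc"    # target MAC
    "c0a80132"        # target IP 192.168.1.50
)
SAMPLE_ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "000c29aabbcc" "0806"
    "0001" "0800" "06" "04"
    "0001"                        # opcode 1: request ("who has 192.168.1.1?")
    "000c29aabbcc" "c0a80132"     # sender 192.168.1.50
    "000000000000" "c0a80101"     # target 192.168.1.1, MAC still unknown
)
# A reply whose Ethernet source MAC does not match the ARP sender MAC: the
# kind of inconsistency an ARP monitor should flag rather than record as a host.
SAMPLE_ARP_INCONSISTENT = bytes.fromhex(
    "000c29aabbcc" "00deadbeef01" "0806"
    "0001" "0800" "06" "04" "0002"
    "005056112233" "c0a80101"
    "000c29aabbcc" "c0a80132"
)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Decode one Ethernet/ARP frame into a dict; raises ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (EtherType 0x%04x)" % ethertype)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]
    return {
        "op": ARP_OPCODES.get(op, "unknown(%d)" % op),
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
        # an honest host sends ARP from the same MAC it claims in the payload
        "consistent": eth_src == body[0:6],
    }


def hosts_from_frames(frames):
    """Passive layer-2 discovery: every consistent ARP sender is a live host (ip -> mac)."""
    seen = {}
    for frame in frames:
        try:
            arp = parse_arp_frame(frame)
        except ValueError:
            continue          # non-ARP or malformed frame: ignore
        if arp["consistent"]:
            seen[arp["sender_ip"]] = arp["sender_mac"]
    return seen


if __name__ == "__main__":
    for f in (SAMPLE_ARP_REPLY, SAMPLE_ARP_REQUEST, SAMPLE_ARP_INCONSISTENT):
        print(parse_arp_frame(f))
    print(hosts_from_frames([SAMPLE_ARP_REPLY, SAMPLE_ARP_REQUEST, SAMPLE_ARP_INCONSISTENT]))
```

Both requests and replies reveal their sender, which is why a purely passive listener still fills its table over time; the inconsistent frame is decoded but kept out of the host table.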
Arping
- arping 1.1.1.1 -c 1
- arping 1.1.1.1 -d
- arping -c 1 1.1.1.1 | grep "bytes from" | cut -d" " -f 5 | cut -d"(" -f 2 | cut -d")" -f 1
- Scripts
- arping1.sh eth0 > addrs

```bash
#!/bin/bash
# arping1.sh: ARP-sweep the /24 the given interface is on and print the addresses that answer
if [ "$#" -ne 1 ]; then
    echo "Usage - ./arping1.sh [interface]"
    echo "Example - ./arping1.sh eth0"
    echo "Example will perform an ARP scan of the local subnet to which eth0 is assigned"
    exit
fi
interface=$1
# first three octets of the interface address (ifconfig output in the "inet addr:" form)
prefix=$(ifconfig $interface | grep 'inet addr' | cut -d":" -f 2 | cut -d" " -f 1 | cut -d"." -f 1-3)
for addr in $(seq 1 254); do
    # "60 bytes from 00:11:22:33:44:55 (1.1.1.5): index=0 ..." -> keep the address inside the parentheses
    arping -c 1 $prefix.$addr | grep "bytes from" | cut -d" " -f 5 | cut -d"(" -f 2 | cut -d")" -f 1
done
```
- arping2.sh addrs

```bash
#!/bin/bash
# arping2.sh: ARP-probe every address listed in a file (one address per line)
if [ "$#" -ne 1 ]; then
    echo "Usage - ./arping2.sh [file]"
    echo "Example - ./arping2.sh addrs"
    echo "Example will ARP-probe each address listed in the file"
    exit
fi
file=$1
for addr in $(cat $file); do
    arping -c 1 $addr | grep "bytes from" | cut -d" " -f 5 | cut -d"(" -f 2 | cut -d")" -f 1
done
```
Nmap (very powerful)
- nmap -sn 1.1.1.1-254
- nmap -sn 1.1.1.0/24
- nmap -sn -iL iplist.txt
Netdiscover
- Dedicated to layer-2 discovery
- Works in wireless and switched network environments
- Active and passive probing
- Active
- netdiscover -i eth0 -r 1.1.1.0/24
- netdiscover -l iplist.txt
- Passive
- netdiscover -p
- Active ARP probing easily triggers alerts
Scapy
- Can be called as a Python library
- Can also be used as a standalone tool
- Capture, analyse, craft, modify and inject network traffic
- Install component: apt-get install python-gnuplot
- Usage:
- scapy
- ARP().display()
- sr1()
- scapy
- Python scripts
- arp1.py

```python
#!/usr/bin/python
# arp1.py: ARP-sweep the /24 of the given interface with Scapy
import logging
import sys
import subprocess
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./arp_disc.py [interface]")
    print("Example - ./arp_disc.py eth0")
    print("Example will perform an ARP scan of the local subnet to which eth0 is assigned")
    sys.exit()

interface = str(sys.argv[1])
# read the interface address from ifconfig ("inet addr:" output form)
ip = subprocess.check_output("ifconfig " + interface + " | grep 'inet addr' | cut -d':' -f 2 | cut -d' ' -f 1",
                             shell=True).decode().strip()
prefix = ip.split('.')[0] + '.' + ip.split('.')[1] + '.' + ip.split('.')[2] + '.'
for addr in range(1, 255):
    answer = sr1(ARP(pdst=prefix + str(addr)), timeout=0.1, verbose=0)
    if answer is not None:
        print(prefix + str(addr))
```
- arp2.py

```python
#!/usr/bin/python
# arp2.py: ARP-probe each address listed in a file
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./arp2.py [file]")
    print("Example - ./arp2.py addrs")
    print("Example will ARP-probe each address listed in the file")
    sys.exit()

filename = str(sys.argv[1])
with open(filename, "r") as file:
    for addr in file:
        answer = sr1(ARP(pdst=addr.strip()), timeout=0.1, verbose=0)
        if answer is not None:
            print(addr.strip())
```
Discovery: Layer 3 (network layer)
- Advantages
- Routable
- Fairly fast
- Disadvantages
- Slower than layer-2 discovery
- Often filtered by border firewalls
- IP and ICMP protocols
Ping
- ping 1.1.1.1 -c 2
- ping -R 1.1.1.1 / traceroute 1.1.1.1
- ping 1.1.1.1 -c 1 | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1
- Scripts
- ping.sh 1.1.1.0

```bash
#!/bin/bash
# ping.sh: ICMP echo sweep of a /24, given its network address; the pings run in parallel (&)
if [ "$#" -ne 1 ]; then
    echo "Usage - ./ping.sh [/24 network address]"
    echo "Example - ./ping.sh 192.168.1.0"
    echo "Example will perform an ICMP ping sweep of the 192.168.1.0/24 network"
    exit
fi
prefix=$(echo $1 | cut -d"." -f 1-3)
for addr in $(seq 1 254); do
    # "64 bytes from 1.1.1.5: icmp_seq=1 ..." -> field 4 is "1.1.1.5:" -> strip the colon
    ping -c 1 $prefix.$addr | grep "bytes from" | cut -d" " -f 4 | cut -d":" -f 1 &
done
```
Scapy
- Hand-craft an ICMP packet by stacking OSI layers: IP/ICMP
- ip = IP()
- ip.dst = "1.1.1.1"
- ping = ICMP()
- a = sr1(ip/ping)
- a.display()
- Pinging an address that does not exist
- a = sr1(ip/ping, timeout=1)
- a = sr1(IP(dst="1.1.1.1")/ICMP(), timeout=1)
- Scripts
- ping1.py 1.1.1.0 > addrs

```python
#!/usr/bin/python
# ping1.py: ICMP echo sweep of a /24 with Scapy
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./pinger.py [/24 network address]")
    print("Example - ./pinger.py 192.168.1.0")
    print("Example will perform an ICMP scan of the 192.168.1.0/24 range")
    sys.exit()

address = str(sys.argv[1])
prefix = address.split('.')[0] + '.' + address.split('.')[1] + '.' + address.split('.')[2] + '.'
for addr in range(1, 255):
    answer = sr1(IP(dst=prefix + str(addr))/ICMP(), timeout=0.1, verbose=0)
    if answer is not None:
        print(prefix + str(addr))
```
- ping2.py addrs

```python
#!/usr/bin/python
# ping2.py: ICMP echo each address listed in a file
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./ping2.py [file]")
    print("Example - ./ping2.py addrs")
    print("Example will ICMP-probe each address listed in the file")
    sys.exit()

filename = str(sys.argv[1])
with open(filename, "r") as file:
    for addr in file:
        answer = sr1(IP(dst=addr.strip())/ICMP(), timeout=0.1, verbose=0)
        if answer is not None:
            print(addr.strip())
```
Nmap
- nmap -sn 1.1.1.1-255
- nmap -iL iplist.txt -sn
Fping
- fping 1.1.1.1 -c 1
- fping -g 1.1.1.1 1.1.1.2
- fping -g 1.1.1.0/24
- fping -f iplist.txt
Hping
- Can send almost any kind of TCP/IP packet
- Powerful, but scans only one target per invocation
- hping3 1.1.1.1 --icmp -c 2
- for addr in $(seq 1 254); do hping3 1.1.1.$addr --icmp -c 1 >> handle.txt & done
Discovery: Layer 4 (transport layer)
- Advantages
- Routable, and the results are reliable
- Unlikely to be filtered by firewalls
- Can even discover hosts whose ports are all filtered
- Disadvantages
- Stateful firewalls may filter the scan
- Full port scans are slow
- TCP
- Unsolicited ACK → RST
- SYN → SYN/ACK or RST
- UDP
- ICMP port unreachable, or nothing comes back at all
TCP
- ACK → TCP port → RST
- Scapy

```python
i = IP()
i.dst = "1.1.1.1"
t = TCP()
t.flags = "A"
r = (i/t)
a = sr1(r)
a.display()
```
- a = sr1(IP(dst="1.1.1.1")/TCP(dport=80, flags="A"), timeout=1)
- ACK_Ping.py

```python
#!/usr/bin/python
# ACK_Ping.py: TCP ACK ping sweep of a /24; a live host answers an unsolicited ACK with RST
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./ACK_Ping.py [/24 network address]")
    print("Example - ./ACK_Ping.py 192.168.1.0")
    print("Example will perform a TCP ACK ping scan of the 192.168.1.0/24 range")
    sys.exit()

address = str(sys.argv[1])
prefix = address.split('.')[0] + '.' + address.split('.')[1] + '.' + address.split('.')[2] + '.'
for addr in range(1, 255):
    response = sr1(IP(dst=prefix + str(addr))/TCP(dport=2222, flags="A"), timeout=0.1, verbose=0)
    try:
        if int(response[TCP].flags) == 4:   # 4 = RST
            print(prefix + str(addr))
    except Exception:
        pass
```
UDP
- UDP → UDP port → ICMP

```python
i = IP()
i.dst = "1.1.1.1"
u = UDP()
u.dport = 3333
r = (i/u)
a = sr1(r, timeout=1, verbose=1)
a.display()   # ICMP port unreachable
```
- UDP_Ping.py
- UDP discovery is unreliable

```python
#!/usr/bin/python
# UDP_Ping.py: UDP ping sweep of a /24; an ICMP reply (IP protocol 1) means the host is up
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./UDP_Ping.py [/24 network address]")
    print("Example - ./UDP_Ping.py 192.168.1.0")
    print("Example will perform a UDP ping scan of the 192.168.1.0/24 range")
    sys.exit()

address = str(sys.argv[1])
prefix = address.split('.')[0] + '.' + address.split('.')[1] + '.' + address.split('.')[2] + '.'
for addr in range(1, 255):
    response = sr1(IP(dst=prefix + str(addr))/UDP(dport=2222), timeout=0.1, verbose=0)
    try:
        if int(response[IP].proto) == 1:   # 1 = ICMP (port unreachable)
            print(prefix + str(addr))
    except Exception:
        pass
```
Nmap
- nmap 1.1.1.1-254 -PU53 -sn
- nmap 1.1.1.1-254 -PA80 -sn
- nmap -iL iplist.txt -PA80 -sn
Hping
- hping3 --udp 1.1.1.1 -c 1
- for addr in $(seq 1 254); do hping3 --udp 1.1.1.$addr -c 1 >> r.txt; done
- grep Unreachable r.txt | cut -d" " -f 5 | cut -d"=" -f 2
- ./udp_hping.sh 1.1.1.0

```bash
#!/bin/bash
# udp_hping.sh: UDP ping sweep of a /24 with hping3; hosts that answer ICMP port unreachable are alive
if [ "$#" -ne 1 ]; then
    echo "Usage - ./udp_hping.sh [/24 network address]"
    echo "Example - ./udp_hping.sh 192.168.1.0"
    echo "Example will perform a UDP ping sweep of the 192.168.1.0/24 network and output to an output.txt file"
    exit
fi
prefix=$(echo $1 | cut -d "." -f 1-3)
for addr in $(seq 1 254); do
    hping3 $prefix.$addr --udp -c 1 >> r.txt
done
# "ICMP Port Unreachable from ip=1.1.1.5 name=UNKNOWN" -> field 5 is "ip=1.1.1.5"
grep Unreachable r.txt | cut -d " " -f 5 | cut -d "=" -f 2 >> output.txt
rm r.txt
```
- hping3 1.1.1.1 -c 1 (TCP)
- hping3 1.1.1.1
- ./tcp_hping.sh 1.1.1.0

```bash
#!/bin/bash
# tcp_hping.sh: TCP ping sweep of a /24 with hping3 (default probe: no flags, port 0); replies start with "len="
if [ "$#" -ne 1 ]; then
    echo "Usage - ./tcp_hping.sh [/24 network address]"
    echo "Example - ./tcp_hping.sh 192.168.1.0"
    echo "Example will perform a TCP ping sweep of the 192.168.1.0/24 network and output to an output.txt file"
    exit
fi
prefix=$(echo $1 | cut -d "." -f 1-3)
for addr in $(seq 1 254); do
    hping3 $prefix.$addr -c 1 >> r.txt
done
# "len=46 ip=1.1.1.5 ttl=64 ..." -> field 2 is "ip=1.1.1.5"
grep ^len r.txt | cut -d " " -f 2 | cut -d "=" -f 2 >> output.txt
rm r.txt
```
- Flags 0 (no TCP flags set): the reply is ACK/RST
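The two hping3 scripts above extract addresses with `grep` and `cut`, which works until the output contains a line the pipeline did not anticipate: `grep Unreachable` also matches an `ICMP Host Unreachable` sent by a gateway, and the pipeline would then list the router's address as a live host. As an added example (not code from the original notes), here is a parser for hping3's output that implements the same two field extractions but tells the target's own ICMP port-unreachable apart from a router's host-unreachable. The sample output is constructed to match hping3's line format, not a real capture.

```python
import re

# Constructed samples in hping3's output format (not a real capture). One target answers the
# UDP probe with ICMP port unreachable, one stays silent, and for the third a gateway answers
# ICMP host unreachable on the target's behalf.
SAMPLE_UDP_SWEEP = """\
HPING 192.168.1.1 (eth0 192.168.1.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.1 name=UNKNOWN
status=0 port=2037 seq=0

--- 192.168.1.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
HPING 192.168.1.2 (eth0 192.168.1.2): udp mode set, 28 headers + 0 data bytes

--- 192.168.1.2 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
HPING 192.168.1.3 (eth0 192.168.1.3): udp mode set, 28 headers + 0 data bytes
ICMP Host Unreachable from ip=192.168.1.254 name=UNKNOWN
status=0 port=2038 seq=0
"""

# Same for the TCP sweep (hping3 default: no flags, port 0); a live host replies RST/ACK.
SAMPLE_TCP_SWEEP = """\
HPING 192.168.1.1 (eth0 192.168.1.1): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.1.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.4 ms
HPING 192.168.1.2 (eth0 192.168.1.2): NO FLAGS are set, 40 headers + 0 data bytes
"""

# "ICMP Port Unreachable from ip=1.1.1.5 name=UNKNOWN": what the script's cut -f5 / cut -d= -f2 picks out
PORT_UNREACH_RE = re.compile(r"^ICMP Port Unreachable from ip=(\S+)")
# "ICMP Host Unreachable from ip=...": sent by a router, so this ip is NOT the probed target
HOST_UNREACH_RE = re.compile(r"^ICMP Host Unreachable from ip=(\S+)")
# "len=46 ip=1.1.1.5 ttl=64 ... flags=RA ...": what the script's cut -f2 / cut -d= -f2 picks out
TCP_REPLY_RE = re.compile(r"^len=\d+ ip=(\S+) ttl=(\d+) .*?flags=(\S+)")


def parse_hping_output(text):
    """Return {ip: evidence} for hosts that answered a probe themselves."""
    alive = {}
    for line in text.splitlines():
        m = PORT_UNREACH_RE.match(line)
        if m:
            alive[m.group(1)] = "icmp-port-unreachable"
            continue
        m = TCP_REPLY_RE.match(line)
        if m:
            alive[m.group(1)] = "tcp-flags-" + m.group(3) + "-ttl-" + m.group(2)
    return alive


def gateway_notices(text):
    """Addresses that sent ICMP host unreachable: evidence about the path, not about the target."""
    routers = set()
    for line in text.splitlines():
        m = HOST_UNREACH_RE.match(line)
        if m:
            routers.add(m.group(1))
    return sorted(routers)


if __name__ == "__main__":
    print(parse_hping_output(SAMPLE_UDP_SWEEP))
    print(gateway_notices(SAMPLE_UDP_SWEEP))
    print(parse_hping_output(SAMPLE_TCP_SWEEP))
```

The TCP reply also carries the TTL, which the operating-system identification section later uses, so the parser keeps it alongside the flags instead of throwing it away.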
Port scanning
- Ports correspond to network services and application programs
- Vulnerabilities in server programs are attacked through their ports
- Discover open ports
- A more specific attack surface
UDP port scanning
- Assumes an ICMP port-unreachable response means the port is closed
- When the target system does not answer with ICMP port-unreachable, misjudgments are possible
- Complete UDP application-layer requests
- High accuracy
- Extremely time-consuming
Scapy UDP scan
- Port closed: ICMP port-unreachable
- Port open: no reply packet
- Knowing the application-layer packet structure of each UDP-based application helps
- Same technique as at layer 3
- Misjudgment
- Scapy
- sr1(IP(dst="1.1.1.1")/UDP(dport=53), timeout=1, verbose=1)
- ./udp_scan.py 1.1.1.1 1 100

```python
#!/usr/bin/python
# udp_scan.py: UDP port scan; no reply is taken as "open", ICMP port unreachable as closed
import logging
import sys
import time
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 4:
    print("Usage - ./udp_scan.py [Target-IP] [First Port] [Last Port]")
    print("Example - ./udp_scan.py 192.168.1.1 1 100")
    print("Example will UDP scan ports 1 through 100 on 192.168.1.1")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])
for port in range(start, end + 1):
    answer = sr1(IP(dst=ip)/UDP(dport=port), timeout=5, verbose=0)
    time.sleep(1)   # pace the probes; targets rate-limit ICMP errors, which would otherwise look like "open"
    if answer is None:
        print(port)
```
Nmap
- nmap -sU 1.1.1.1
- Default: 1000 ports
- ICMP host-unreachable
- nmap 1.1.1.1 -sU -p 53
- nmap -iL iplist.txt -sU -p 1-200
TCP port scanning
- 1. -> SYN   2. <- SYN,ACK   3. -> ACK
- Connection-oriented protocol
- Three-way handshake
- Stealth scan: SYN
- Does not establish a full connection
- Application logs do not record the scan: stealthy
- Zombie (idle) scan
- Extremely stealthy
- Demanding preconditions
- The source address can be forged
- Choosing a zombie
- An idle system
- A system that uses incrementing IPIDs (today IPIDs are random, so the condition is not met; older machines such as Win XP, Win 2000 and Win 2003 qualify)
- IPID of 0
- Random IPID
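The three IPID behaviours listed above (incrementing, zero, random) are what decides whether a host can be abused as an idle-scan zombie, so the same classification is useful to a defender auditing their own hosts. As an added example (not code from the original notes), the function below classifies a list of sampled IP.id values; the samples are constructed. It goes one step beyond the list by also recognising the byte-swapped incremental case (steps of 256), which is predictable in exactly the same way, and `idle_and_incremental` generalises the "+2" check that the notes' ipid() script performs later on.

```python
def ipid_deltas(ids):
    """Differences between consecutive 16-bit IPID samples, modulo 2**16 so wrap-around counts as +1."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids):
    """Classify a host's IPID generator from sampled IP.id values.

    Returns "zero", "incremental", "incremental-byte-swapped" or "random".
    The first, second and last are the classes listed in the notes; the
    byte-swapped case (a host counting in little-endian order) is added here.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    deltas = ipid_deltas(ids)
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "incremental-byte-swapped"
    return "random"


def predictable_ipid(ids):
    """True when a third party can infer how many packets the host sent between two probes,
    which is the property an idle scan relies on; such hosts should be patched or isolated."""
    return classify_ipid_sequence(ids) in ("incremental", "incremental-byte-swapped")


def idle_and_incremental(id_before, id_after, packets_in_between=1):
    """The check behind the notes' ipid(): probe, send N more packets, probe again.
    An idle host with incremental IPIDs answers the second probe with id_before + N + 1."""
    return (id_after - id_before) % 65536 == packets_in_between + 1


# Constructed samples (not measurements from real hosts)
SAMPLES = {
    "old-windows-like": [4000, 4001, 4002, 4003, 4004],
    "wrap-around":      [65534, 65535, 0, 1],
    "byte-swapped":     [1000, 1256, 1512, 1768],
    "always-zero":      [0, 0, 0, 0],
    "modern-random":    [12345, 54321, 777, 9999],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        verdict = "predictable" if predictable_ipid(ids) else "not usable as a zombie"
        print(name, classify_ipid_sequence(ids), verdict)
```

An idle host is a precondition as well: a busy host with incremental IPIDs still fails `idle_and_incremental`, because its own traffic consumes IDs between the two probes.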
- Full-connect scan
- All TCP scan methods judge the target port's state through variations of the three-way handshake
Stealth port scanning
- SYN → SYN/ACK → RST
Scapy
- sr1(IP(dst="1.1.1.1")/TCP(dport=80), timeout=1, verbose=1)
- ./syn_scan.py

```python
#!/usr/bin/python
# syn_scan.py: TCP SYN scan; a SYN/ACK reply (flags value 18) means the port is open
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 4:
    print("Usage - ./syn_scan.py [Target-IP] [First Port] [Last Port]")
    print("Example - ./syn_scan.py 192.168.1.1 1 100")
    print("Example will TCP SYN scan ports 1 through 100 on 192.168.1.1")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])
for port in range(start, end + 1):
    answer = sr1(IP(dst=ip)/TCP(dport=port, flags="S"), timeout=1, verbose=0)
    if answer is not None and answer.haslayer(TCP):
        if int(answer[TCP].flags) == 18:   # 18 = SYN+ACK
            print(port)
```
Nmap
- nmap -sS 1.1.1.1 -p 80,21,25,110,443
- nmap -sS 1.1.1.1 -p 1-100
- nmap -sS 1.1.1.1 -p 1-65535 --open
- nmap -sS 1.1.1.1 -p- --open
- nmap -sS -iL iplist.txt -p 80
Hping3
- hping3 1.1.1.1 --scan 80 -S
- hping3 1.1.1.1 --scan 80,21,25,443 -S
- hping3 1.1.1.1 --scan 0-65535 -S
- hping3 -c 10 -S --spoof 1.1.1.1 -p ++1 1.1.1.3
Full-connect port scanning
Scapy
- A SYN scan does not need raw packets
- The kernel treats the incoming SYN/ACK as an illegal packet and immediately sends RST, tearing the connection down
- Full-connect scans are therefore awkward with Scapy
- sr1(IP(dst="1.1.1.1")/TCP(dport=22, flags="S"))
- ./tcp_scan1.py

```python
#!/usr/bin/python
# tcp_scan1.py: send SYN, then ACK the SYN/ACK by hand (the kernel's own RST will still abort it)
import logging
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

response = sr1(IP(dst="192.168.43.22")/TCP(dport=80, flags="S"), timeout=1, verbose=0)
# the third packet acknowledges the server's sequence number and carries our own next sequence number
reply = sr1(IP(dst="192.168.43.22")/TCP(dport=80, flags="A", seq=response[TCP].ack,
                                         ack=(response[TCP].seq + 1)), timeout=1, verbose=0)
```
- ./tcp_scan2.py

```python
#!/usr/bin/python
# tcp_scan2.py: full handshake by hand, showing each packet sent and received
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

SYN = IP(dst="192.168.43.22")/TCP(dport=445, flags="S")
print("-- SENT --")
SYN.display()
print("\n\n-- RECEIVED --")
response = sr1(SYN, timeout=1, verbose=0)
if response is None:
    print("No response")
    sys.exit()
response.display()
if int(response[TCP].flags) == 18:   # 18 = SYN+ACK
    print("\n\n-- SENT --")
    A = IP(dst="192.168.43.22")/TCP(dport=445, flags="A", seq=response[TCP].ack,
                                     ack=(response[TCP].seq + 1))
    A.display()
    print("\n\n-- RECEIVED --")
    response2 = sr1(A, timeout=1, verbose=0)
    if response2 is None:
        print("No response to the ACK")
    else:
        response2.display()
else:
    print("SYN-ACK not returned")
```
- iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.20.2 -j DROP
Nmap
- nmap -sT 1.1.1.1 -p 80
- nmap -sT 1.1.1.1 -p 80,21,25
- nmap -sT 1.1.1.1 -p 80-2000
- nmap -sT -iL iplist.txt -p 80
- Default: the 1000 most common ports
Dmitry
- Simple functionality, but easy to use
- Default: the 150 most common ports
- dmitry -p 1.1.1.1
- dmitry -p 1.1.1.1 -o output
NC
- nc -nv -w 1 -z 1.1.1.1 1-100
- for x in $(seq 20 30); do nc -nv -w 1 -z 1.1.1.1 $x; done | grep open
- for x in $(seq 20 30); do nc -nv -w 1 -z 1.1.1.$x 80; done
Zombie scan
Scapy
- zombie.py

```python
# Interactive Scapy session; IPz is the zombie's address and IPt the target's (placeholders)
i = IP()
t = TCP()
rz = (i/t)
rt = (i/t)
rz[IP].dst = IPz
rz[TCP].dport = 445
rz[TCP].flags = "SA"
rt[IP].src = IPz
rt[IP].dst = IPt
rt[TCP].dport = 22
rt[TCP].flags = "S"
az1 = sr1(rz)              # probe the zombie: read its current IPID
at = sr1(rt, timeout=1)    # SYN to the target with the zombie's address as source
az2 = sr1(rz)              # probe the zombie again: IPID +2 means the target answered it with SYN/ACK
az1.display()
az2.display()
```

```python
#!/usr/bin/python
# Zombie (idle) scan suite: check a candidate zombie's IPID behaviour, then scan through it
import logging
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)


def ipid(zombie):
    # Probe the zombie twice with one extra packet in between: an idle host with
    # incremental IPIDs answers with id+2 the second time
    reply1 = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    send(IP(dst=zombie)/TCP(flags="SA"), verbose=0)
    reply2 = sr1(IP(dst=zombie)/TCP(flags="SA"), timeout=2, verbose=0)
    if reply1 is None or reply2 is None:
        print("No reply from the candidate zombie")
        return
    if reply2[IP].id == (reply1[IP].id + 2):
        print("IPID sequence is incremental and target appears to be idle. ZOMBIE LOCATED")
        response = input("Do you want to use this zombie to perform a scan? (Y or N)")
        if response.upper() == "Y":
            target = input("Enter the IP address of the target system: ")
            zombiescan(target, zombie)
    else:
        print("Either the IPID sequence is not incremental or the target is not idle. NOT A GOOD ZOMBIE")


def zombiescan(target, zombie):
    print("\nScanning target " + target + " with zombie " + zombie)
    print("\n------------- Open Ports on Target -------------")
    for port in range(1, 100):
        try:
            start_val = sr1(IP(dst=zombie)/TCP(flags="SA", dport=port), timeout=2, verbose=0)
            # SYN to the target port with the zombie's address as source
            send(IP(src=zombie, dst=target)/TCP(flags="S", dport=port), verbose=0)
            end_val = sr1(IP(dst=zombie)/TCP(flags="SA", dport=port), timeout=2, verbose=0)
            if end_val[IP].id == (start_val[IP].id + 2):
                print(port)
        except Exception:
            pass


print("------------ Zombie Scan Suite ------------")
print("1. Identify Zombie Host")
print("2. Perform Zombie Scan")
ans = input("Select an Option (1 or 2):")
if ans == "1":
    zombie = input("Enter IP address to test IPID sequence:")
    ipid(zombie)
elif ans == "2":
    zombie = input("Enter IP address for zombie system:")
    target = input("Enter IP address for scan target:")
    zombiescan(target, zombie)
```
Nmap
- Find a zombie
- nmap -p 445 1.1.1.1 --script=ipidseq.nse
- Scan the target
- nmap 1.1.1.1 -sI 1.1.1.2 -Pn -p 0-100
Service scanning
- Identify the applications running on open ports
- Identify the target operating system
- Improve attack efficiency
- Banner grabbing
- Software vendor
- Software name
- Service type
- Version number
- Directly find known vulnerabilities and weaknesses
- Grab the banner right after the connection is established
- Service identification
- Alternative service identification methods
- Characteristic behaviour and response fields
- Different responses can be used to identify the underlying operating system
- Operating system identification
- SNMP analysis
- Simple Network Management Protocol
- Community strings
- Information queries or reconfiguration
- Firewall identification
- Identify and bypass firewall filtering
- Banner grabbing
Banner
NC
- nc -nv 1.1.1.1 22
Python socket
- The socket module is used to connect to network services

```python
import socket
bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
bangrab.connect(("1.1.1.1", 21))
bangrab.recv(4096)   # '220 (vsFTPd 2.3.4)\r\n'
bangrab.close()
exit()
```

```python
#!/usr/bin/python
# banner_grab.py: connect to each port in a range and print whatever the service sends first
import sys
import socket
import select

if len(sys.argv) != 4:
    print("Usage - ./banner_grab.py [Target-IP] [First Port] [Last Port]")
    print("Example - ./banner_grab.py 192.168.1.1 1 100")
    print("Example will grab banner for TCP ports 1 through 100 on 192.168.1.1")
    sys.exit()

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])
for port in range(start, end + 1):
    try:
        bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        bangrab.settimeout(1)
        bangrab.connect((ip, port))
        # wait at most 1 s for the service to speak first; a bare recv() would block forever otherwise
        ready = select.select([bangrab], [], [], 1)
        if ready[0]:
            print("TCP Port " + str(port) + " - " + bangrab.recv(4096).decode(errors="replace").strip())
        bangrab.close()
    except Exception:
        pass
```
- If the service sends no banner, recv() gets nothing back and hangs!!
- ./ban_grab.py 1.1.1.1 1 100
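The warning above, that `recv()` hangs when a service does not speak first, is the failure mode worth seeing end to end. As an added example (not code from the original notes), the following grabber uses a socket timeout instead of `select` and is exercised against two constructed local stand-ins on 127.0.0.1, one that announces itself and one that stays silent until the client speaks; both are assumptions for the demonstration, not real targets. The same function is what you would point at your own services to verify that their banners do not leak version strings.

```python
import socket
import threading


def grab_banner(host, port, timeout=1.0, maxlen=4096):
    """Connect and wait at most `timeout` seconds for the service to speak first.
    Returns the banner text, or None if the service stays silent (no hang)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(maxlen)
        except socket.timeout:
            return None
    text = data.decode("latin-1").strip()
    return text or None


def _start_local_service(banner):
    """Constructed local stand-in (assumed, not a real target): sends `banner` on connect,
    or, when banner is None, behaves like a protocol where the client must speak first."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                conn.recv(1)            # silent service: block until the client gives up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(timeout=0.5):
    """Returns (banner from the talkative service, result from the silent one)."""
    talkative = _start_local_service(b"220 example-ftp (constructed banner) ready\r\n")
    silent = _start_local_service(None)
    return grab_banner("127.0.0.1", talkative, timeout), grab_banner("127.0.0.1", silent, timeout)


if __name__ == "__main__":
    print(demo())
```

With the timeout in place the silent case returns `None` after half a second instead of blocking the whole sweep; the notes' `select`-based script achieves the same with an explicit readiness wait.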
Dmitry
- dmitry -p 1.1.1.1
- dmitry -pb 1.1.1.1
Nmap
- nmap -sT 1.1.1.1 -p 22 --script=banner.nse
- nmap -sT 1.1.1.1 -p 1-100 --script=banner.nse
Amap
- amap -B 1.1.1.1 21
- amap -B 1.1.1.1 1-65535
- amap -B 1.1.1.1 1-65535 | grep on
Service identification
- Banner grabbing has limited reach
- nmap identifies services by analysing response characteristics
- Sends a series of complex probes
- Matches the responses against signatures
NC
- nc -nv 1.1.1.1 80
Nmap
- nmap 1.1.1.1 -p 80 -sV   # fingerprint matching
Amap
- amap 1.1.1.1 80
- amap 1.1.1.1 20-30
- amap 1.1.1.1 20-30 -q
- amap 1.1.1.1 20-30 -qb
Operating system identification
- OS identification techniques
- Many kinds
- Good products combine several techniques
- Initial TTL value
- Windows: 128 (65-128)
- Linux: 64 (1-64)
- Some Unix: 255
- Passive OS identification
- IDS
- Packet capture analysis
- Passive scanning
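The TTL ranges above are the whole basis of the TTL heuristic, so it is worth seeing it applied to packets seen passively rather than only to one echo reply. As an added example (not code from the original notes), the functions below map an observed TTL back to the nearest initial value (64, 128 or 255), estimate the hop count from the difference, and fingerprint every source address in a constructed capture summary; a host whose packets land in different classes is flagged, since that usually means an address shared by several systems or traffic that was not sent by who it claims. The heuristic fails by design once a path is long enough to push a 128 start value below 64, which is why the notes recommend combining techniques.

```python
# Initial TTL ranges from the notes above: Linux 1-64, Windows 65-128, some Unix 255
TTL_CLASSES = [
    (64, "Linux"),
    (128, "Windows"),
    (255, "Unix/other"),
]


def guess_initial_ttl(observed_ttl):
    """Map an observed TTL to the smallest common initial TTL that is not below it."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for initial, _ in TTL_CLASSES:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 covers every valid TTL")


def guess_os_from_ttl(observed_ttl):
    """OS class, assumed initial TTL and the implied hop count for one observed TTL."""
    initial = guess_initial_ttl(observed_ttl)
    name = dict(TTL_CLASSES)[initial]
    return {"os": name, "initial_ttl": initial, "hops": initial - observed_ttl}


# Constructed passive-capture summary (not real traffic): (source IP, observed TTL)
SAMPLE_PACKETS = [
    ("10.0.0.5", 64), ("10.0.0.5", 64),
    ("10.0.1.9", 117),
    ("172.16.3.2", 240),
    ("10.0.0.5", 52),      # same host seen through 12 hops on another path
    ("10.0.2.7", 128), ("10.0.2.7", 60),   # one address, two TTL classes: worth a look
]


def fingerprint_hosts(packets):
    """Passive OS guess per source address; flags a host whose TTLs disagree on the class."""
    result = {}
    for src, ttl in packets:
        guess = guess_os_from_ttl(ttl)
        entry = result.setdefault(src, {"os": guess["os"], "ttls": set(), "conflict": False})
        entry["ttls"].add(ttl)
        if entry["os"] != guess["os"]:
            entry["conflict"] = True
    return result


if __name__ == "__main__":
    for src, info in fingerprint_hosts(SAMPLE_PACKETS).items():
        print(src, info["os"], sorted(info["ttls"]), "CONFLICT" if info["conflict"] else "")
```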
Scapy
- python

```python
from scapy.all import *

win = "1.1.1.1"
linux = "1.1.1.2"
aw = sr1(IP(dst=win)/ICMP())
al = sr1(IP(dst=linux)/ICMP())
if al[IP].ttl <= 64:
    print("host is Linux")
else:
    print("host is Windows")
```
- ./ttl_os.py

```python
#!/usr/bin/python
# ttl_os.py: guess Windows vs Linux from the TTL of an ICMP echo reply
import logging
import sys
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 2:
    print("Usage - ./ttl_os.py [Target-IP]")
    print("Example - ./ttl_os.py 192.168.1.1")
    print("Example will perform ttl analysis to attempt to determine whether the system is Windows or Linux")
    sys.exit()

ip = sys.argv[1]
ans = sr1(IP(dst=ip)/ICMP(), timeout=1, verbose=0)
if ans is None:
    print("No response was returned")
elif int(ans[IP].ttl) <= 64:
    print("Host is Linux/Unix")
else:
    print("Host is Windows")
```
Nmap
- nmap uses several techniques to identify the operating system
- nmap 1.1.1.1 -O
- System service characteristics
Xprobe2
- xprobe2 1.1.1.1
- Results carry some error
Passive scanning
- p0f
- Combined with ARP spoofing to identify the OS of every host on the network
SNMP scanning
Snmp
- A gold mine of information
- Frequently misconfigured
- public / private / manager
MIB Tree
- SNMP Management Information Base (MIB)
- A tree-structured database of network device management functions
- 1.3.6.1.4.1.77.1.2.25
Onesixtyone
- onesixtyone 1.1.1.1 public
- onesixtyone -c dict.txt -i hosts.txt -o my.log -w 100
Snmpwalk
- Output is not very readable
- snmpwalk 1.1.1.1 -c public -v 2c
- Users
- snmpwalk -c public -v 2c 1.1.1.1 1.3.6.1.4.1.77.1.2.25
Snmpcheck
- Readable output
- snmpcheck -t 1.1.1.1
- snmpcheck -t 1.1.1.1 -c private -v 2
- snmpcheck -t 1.1.1.1 -w
SMB scanning
- Server Message Block protocol
- The protocol with the most security problems in Microsoft's history
- Complex implementation
- Enabled by default
- File sharing
- Null session: unauthenticated access (SMBv1)
- Password policy
- User names
- Group names
- Machine names
- User and group SIDs
Nmap
- nmap -v -p 139,445 1.1.1.1-20
- nmap -v -p 139,445 1.1.1.1-20 --open
- nmap 1.1.1.1 -p 139,445 --script=smb-os-discovery.nse
- nmap 1.1.1.1,5 -p 139,445 --script=smb-os-discovery.nse
- nmap -v -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 1.1.1.1
- unsafe: destructive scan that can crash fragile services
- safe: non-destructive scan
- nmap -v -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 1.1.1.1 -Pn
nbtscan
- nbtscan -r 1.1.1.0/24
Enum4linux
- enum4linux -a 1.1.1.1
SMTP scanning
NC
- nc -nv 1.1.1.1 25
- VRFY root
Nmap
- nmap smtp.163.com -p 25 --script=smtp-enum-users.nse --script-args=smtp-enum-users.methods={VRFY}
- nmap smtp.163.com -p 25 --script=smtp-open-relay.nse
- smtp-user-enum -M VRFY -U user.txt -t 1.1.1.1
- ./smtp.py (the original script had bugs: a misspelled print and a malformed command; the copy below is corrected to use VRFY)

```python
#!/usr/bin/python
# smtp.py: connect to an SMTP server, print its banner, then try VRFY for one user name
import sys
import socket

if len(sys.argv) != 2:
    print("Usage: smtp.py <username>")
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.1.1.1", 25))
banner = s.recv(1024)
print(banner.decode(errors="replace"))
s.send(("VRFY " + sys.argv[1] + "\r\n").encode())
result = s.recv(1024)
print(result.decode(errors="replace"))
s.close()
```
Firewall identification
- By examining the reply packets, it may be possible to tell whether a port is filtered by a firewall
- Devices vary widely, so the results carry some error

| # | Send | Response | Result |
|---|---|---|---|
| 1 | SYN | no reply | Filtered |
|   | ACK | RST | |
| 2 | SYN | SYN+ACK / RST+ACK | Filtered |
|   | ACK | no reply | |
| 3 | SYN | SYN+ACK / RST+ACK | Unfiltered / Open |
|   | ACK | RST | |
| 4 | SYN | no reply | Closed |
|   | ACK | no reply | |
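The table above reads most easily as a decision function, and the Scapy scripts in these notes compare `int(pkt[TCP].flags)` against the numbers 18, 4 and 20 without explaining them, so the following added example (not code from the original notes) does both: it decodes the flag integer into names and applies the four rows of the table to the reply pair of a SYN probe and an ACK probe. The reply values in `SAMPLE_RESULTS` are constructed, not measured. Where the table and the fw_detect.py script that follows disagree on row 4, the code says so in a comment rather than picking one silently.

```python
# TCP flag bits as Scapy's int(pkt[TCP].flags) reports them
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
SYN, RST, ACK = 0x02, 0x04, 0x10


def flag_names(flags):
    """18 -> 'SYN+ACK', 20 -> 'RST+ACK', 4 -> 'RST': the magic numbers used in the scripts."""
    return "+".join(name for bit, name in TCP_FLAGS if flags & bit) or "none"


def classify_port(syn_reply, ack_reply):
    """Apply the table: syn_reply / ack_reply are the integer TCP flags of the reply to the
    SYN probe and to the ACK probe, or None when nothing came back."""
    if syn_reply is None and ack_reply is not None:
        return "filtered"                      # row 1: SYN dropped, unsolicited ACK answered with RST
    if syn_reply is not None and ack_reply is None:
        return "filtered (stateful)"           # row 2: SYN answered, unsolicited ACK dropped
    if syn_reply is not None and ack_reply is not None:
        if syn_reply & SYN and syn_reply & ACK:
            return "unfiltered / open"         # row 3 with SYN+ACK
        if syn_reply & RST:
            return "unfiltered / closed"       # row 3 with RST+ACK
        return "undetermined"
    # row 4: no reply to either probe. The table labels this "closed"; fw_detect.py
    # reads the same outcome as stateless filtering or a host that is down.
    return "closed / no response"


def summarize(results):
    """results: {port: (syn_reply_flags, ack_reply_flags)} -> {port: verdict}"""
    return {port: classify_port(syn, ack) for port, (syn, ack) in results.items()}


# Constructed probe results for one host (not measurements): (reply to SYN, reply to ACK)
SAMPLE_RESULTS = {
    22:   (18, 4),       # SYN+ACK and RST: open, nothing in the way
    23:   (20, 4),       # RST+ACK and RST: closed, nothing in the way
    80:   (None, 4),     # SYN dropped, ACK answered: filtered
    443:  (18, None),    # SYN answered, unsolicited ACK dropped: stateful filter
    8080: (None, None),  # silence both ways
}

if __name__ == "__main__":
    for port, verdict in summarize(SAMPLE_RESULTS).items():
        syn, ack = SAMPLE_RESULTS[port]
        shown = lambda f: "none" if f is None else flag_names(f)
        print("port %-5d SYN->%-8s ACK->%-5s %s" % (port, shown(syn), shown(ack), verdict))
```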
Scapy
- ./fw_detect.py 1.1.1.1 443

```python
#!/usr/bin/python
# fw_detect.py: send an ACK probe and a SYN probe to one port and compare which of them is answered
import sys
import logging
from scapy.all import *

logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

if len(sys.argv) != 3:
    print("Usage - ./fw_detect.py [Target-IP] [Target Port]")
    print("Example - ./fw_detect.py 192.168.1.1 443")
    print("Example will determine if filtering exists on port 443 of host 192.168.1.1")
    sys.exit()

ip = sys.argv[1]
port = int(sys.argv[2])
ACK_response = sr1(IP(dst=ip)/TCP(dport=port, flags="A"), timeout=1, verbose=0)
SYN_response = sr1(IP(dst=ip)/TCP(dport=port, flags="S"), timeout=1, verbose=0)
if (ACK_response is None) and (SYN_response is None):
    print("Port is either unstatefully filtered or host is down")
elif (ACK_response is None) or (SYN_response is None):
    # exactly one of the two probes was answered
    print("Stateful filtering in place")
elif int(SYN_response[TCP].flags) == 18:   # SYN+ACK
    print("Port is unfiltered and open")
elif int(SYN_response[TCP].flags) == 20:   # RST+ACK
    print("Port is unfiltered and closed")
else:
    print("Unable to determine if the port is filtered")
```
Nmap
- nmap has a range of firewall-filtering detection features
- nmap -sA 1.1.1.1 -p 22
Load balancer identification
- Wide-area load balancing
- DNS
- HTTP load balancing
- Nginx
- Apache
Lbd
- lbd www.baidu.com
- lbd mail.163.com
WAF identification
- Web application firewall
Wafw00f
- wafw00f -l
- wafw00f www.microsoff.com
Nmap
- nmap www.microsoff.com --script=http-waf-detect.nse
Nmap overview
- nmap -iR 100 -p 22   # scan 100 random IPs
- nmap 1.1.1.0/24 --exclude 1.1.1.1-100   # skip these addresses
- nmap 1.1.1.0/24 --excludefile iplist.txt   # skip the addresses listed in the file
- nmap -sL 1.1.1.0/24   # list the IPs that would be scanned
- zenmap