小白日记11:kali渗透测试之服务扫描-banner、dmitry、nmap特征库、操作系统识别、SNMP

服务扫描

不能单纯的以端口辨别服务。很多网络服务是漏洞频发的高危对象,对网络上的特定服务进行扫描,往往能让我们少走弯路,增加渗透成功的几率。确定开放端口后,通常会对相应端口上所运行服务的信息进行更深入的挖掘,通常称为服务查点。
 
1、Banner捕获(最主要最简单,也是最不准确)
连接服务器的端口,利用其返回的banner信息,但可能是管理员伪造的。
【软件开发商软件名称,服务类型,版本号--可直接发现已知的漏洞,但如果不是很熟悉的话,需要长时间查找资料】
必须建立完整的TCP连接,才能直接获得banner
结合另类服务识别:1、特征行为和响应字段;2不同的响应可用于识别底层系统
 
NC
root@kali:~# nc -nv 192.168.1.107 80
(UNKNOWN) [192.168.1.107] 80 (http) open
get #需要在此get一下
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre> _ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_| Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started #账号已出,可爆破 </pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>
</pre></div><div><span style="font-size:18px;">Python socket(socket模块用于连接网络服务)</span></div><div><span style="font-size:18px;"></span><pre name="code" class="plain">root@kali:~# python
Python 2.7.12+ (default, Sep 1 2016, 20:27:38)
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> import socket <strong>#导入库</strong>
>>>
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM) <strong>#标准socket语句写法 #SOCK_STREAM表示为TCP连接</strong>
>>> banner.connect(("192.168.1.107",21)) <strong>#连接IP,端口</strong>
>>> banner.recv(4096) <strong> #用recv()接收返回包</strong>
'220 (vsFTPd 2.3.4)\r\n' <strong> #banner信息</strong>
>>> banner.close() <strong> #手动回收对象</strong>
>>> exit() <strong> #退出</strong>

很多系统不允许抓取banner信息,recv函数会被挂起,需做特殊处理

<pre name="code" class="plain">#!/usr/bin/python

import socket
import select
import sys if len( sys.argv ) !=4:
print "Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]"
print "Example - ./banner_grab.py 1.1.1.1 1 100"
print "Example will grab banners for TCP ports 1 through 100 on 1.1.1.1"
sys.exit() ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3]) for port in range(start,end):
try:
bangrab=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
bangrab.connect((ip,port))
ready=select.select([bangrab],[],[],1) #连接间隔时间1秒
if ready[0]:
print "TCP Port " + str(port) + "." +bangrab.recv(4096)
bangrab.close()
except:
pass

后面需再通过其他工具进行验证


Dmitry
root@kali:~# dmitry -pb 192.168.1.107       #-pb
Deepmagic Information Gathering Tool
"There be some deep magic going on" ERROR: Unable to locate Host Name for 192.168.1.107
Continuing with limited modules
HostIP:192.168.1.107
HostName: Gathered TCP Port information for 192.168.1.107
--------------------------------- Port State 21/tcp open
>> 220 (vsFTPd 2.3.4) 22/tcp open
>> SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 23/tcp open
>> ���� ��#��'
25/tcp open
>> 220 metasploitable.localdomain ESMTP Postfix (Ubuntu) 53/tcp open Portscan Finished: Scanned 150 ports, 144 ports were in state closed All scans completed, exiting

Nmap

root@kali:~# nmap -sT 192.168.1.107 -p 22 --script=banner.nse    #-p也可指定端口范围 banner.nse 扫描脚本

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:30 CST
Nmap scan report for 192.168.1.107
Host is up (0.00062s latency).
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 0.77 seconds

ls | grep *** 查询某脚本

amap(专门用于发现开放端口后的服务的工具)
 
发现banner:  #-b参数,也可指定端口范围,使用grep on可过滤不开放端口返回结果
root@kali:~# amap -B 192.168.1.107 25
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:36:05 - BANNER mode Banner on 192.168.1.107:25/tcp : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n amap v5.4 finished at 2016-09-11 22:36:05

2、服务识别

Banner信息抓取能力比较有限,而且不一定准确。
发现端口后应用的版本,基于版本,到其官网寻找其漏洞,针对性的找其利用代码,或者利用逆向工程或模糊测试发现其漏洞。
 
Nmap(基于特征库,还有其他脚本可以结合使用)
-sV  #可信度高
root@kali:~# nmap 192.168.1.107 -p1-100 -sV

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 22:40 CST
Nmap scan report for 192.168.1.107
Host is up (0.00017s latency).
Not shown: 94 closed ports
<strong>PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)</strong>
MAC Address: 08:00:27:EB:1D:BC (Oracle VirtualBox virtual NIC)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

amap(没nmap详细,但也有其优点)【可作为nmap的验证工具】

root@kali:~# amap 192.168.1.107 1-100 -qb           #q显示清晰,b显示更多信息
amap v5.4 (www.thc.org/thc-amap) started at 2016-09-11 22:44:17 - APPLICATION MAPPING mode Protocol on 192.168.1.107:22/tcp matches ssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:22/tcp matches ssh-openssh - banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n
Protocol on 192.168.1.107:80/tcp matches http - banner: <html><head><title>Metasploitable2 - Linux</title></head><body>\n<pre>\n\n _ _ _ _ _ _ ____ \n _ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \\ \n| '_ ` _ \\ / _ \\ __/ _` / _
Protocol on 192.168.1.107:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nDate Sun, 11 Sep 2016 144435 GMT\r\nServer Apache/2.2.8 (Ubuntu) DAV/2\r\nX-Powered-By PHP/5.2.4-2ubuntu5.10\r\nContent-Length 891\r\nConnection close\r\nContent-Type text/html\r\n\r\n<html><head><title>Metasploitable2 - Linux</title><
Protocol on 192.168.1.107:21/tcp matches ftp - banner: 220 (vsFTPd 2.3.4)\r\n
Protocol on 192.168.1.107:23/tcp matches telnet - banner: #'
Protocol on 192.168.1.107:25/tcp matches smtp - banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n
Protocol on 192.168.1.107:53/tcp matches dns - banner: \f amap v5.4 finished at 2016-09-11 22:44:29
 

3、操作系统识别

识别操作系统,因为操作系统在开启时,便默认开放些服务;针对老版本系统的漏洞进行渗透,提权、获得操作权限。
1.TTL起始值:Windows系统【128(65-128)】;Linux/Unix【64(1-64)】,某些Unix为255
[路由器劫持:可通过TTL值确定,劫持点;TTL也可修改]
#!/usr/bin/python

from scapy.all import*
import logging
logging.getLogger( "scapy.runtime" ).setLevel(logging.ERROR)
import sys if len( sys.argv ) !=2:
print "Usage - ./ttl_os.py [IP adress]"
print "Example - ./ttl_os.py 1.1.1.1"
print "Example will preform ttl analysis to attemptto determine whether the systems is Windows or Linux/Unix"
sys.exit() ip = sys.argv[1] ans = sr1(IP(dst=str(ip))/ICMP(),timeout=1,verbose=0) if ans == None:
print "No response was returned"
elif int(ans[IP].ttl)<=64:
print "Host is Linux/Unix"
else:
print "Host is Windows"
 

2.Nmap

-O #此参数用于检测主机系统 #结合端口判断特征
root@kali:~# nmap -O 192.168.1.1

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-11 23:48 CST
Nmap scan report for DD-WRT (192.168.1.1)
<strong>Host is up (0.17s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
MAC Address: 1C:BD:B9:27:D5:32 (D-Link International)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.8 - 2.6.30 #可去官网查该范围的linux系统是否有缓存区溢出等漏洞
Network Distance: 1 hop</strong> OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds

3、Xprobe2(专门用于识别操作系统,更为详细,但不是很准确)

<strong>root@kali:~# xprobe2 192.168.1.115
</strong>
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu [+] Target is 192.168.1.115
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.1.115. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.1.115. Module test failed
[-] No distance calculation. 192.168.1.115 appears to be dead or no ports known
[+] Host: 192.168.1.115 is up (Guess probability: 50%)
[+] Target: 192.168.1.115 is alive. Round-Trip Time: 0.00094 sec
[+] Selected safe Round-Trip Time value is: 0.00188 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP2" (Guess probability: 93%)
[+] Other guesses:
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 93%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP SP1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows XP" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 92%)
[+] Host 192.168.1.115 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 92%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.<strong>
</strong>

被动操作系统识别

基于抓包分析,可部署在网络出口处,则可被动检测
 
p0f  #直接输入,即可实现被动监听 #还可能发现些证书信息
root@kali:~# p0f
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> --- [+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.<strong>
</strong>

·可以结合ARP地址欺骗识别全网OS

 

4、基于指纹信息识别(能比较准确的识别)

nmap:拥有大量的指纹信息库。

5、SNMP扫描(简单网络管理协议)

#客户端使用UDP161端口,服务端使用UDP161端口;与DHCP相似,基于UDP,使用67、68。服务器用单号

若SNMP配置不当,则会产生漏洞。属于网络管理员最容易配置疏漏的服务。有两个community strings,一个只读,一个可写。

基于SNMP,进行网络设备监控,如:交换机、防火墙、服务器,CPU等其系统内部信息。基本都可以监控到。

community:登录证书,容易被管理员遗忘修改其特征字符 #可用字典破解community

MIB库:MIB Tree

【SNMP配置】

onesixtyone 192.168.1.115 public

能扫出硬件信息,当返回信息较少时,可能已经被修改community,可使用下一条指令

#dpkg -L onesixtyone ###查询字典

onesixtyone -c dict.txt -i hosts -o my.log -w 100   #字典爆破community

snmpwalk命令

snmpwalk 192.168.1.115 -c public -v 2c

#能查出更多的信息 -v指定版本,2c使用比较广泛#能查出MIB库ID号,安装的软件

snmpwalk -c public -v 2c 1.1.1.1 1.3.6.1.4.1.77.1.2.25   #OID

#查询用户账号

snmpcheck -t 192.168.20.199

snmpcheck -t 192.168.20.199 -c private -v 2

snmpcheck -t 192.168.20.199 -w

6、识别边界防火墙

为了去绕过和躲避。

上一篇:Docker 核心技术之仓库


下一篇:mysql设置密码