Service scanning:
A service cannot simply be identified by its port number: a target with port 80 open is not necessarily running an HTTP service. The target must be service-scanned to find out what service actually sits behind each open port and which application is running there.
1. Service scanning: banners (simple but not accurate)
- Connect to a port on the server and read the banner it returns; there may be no banner at all, or the banner may have been forged by the administrator.
- A banner can reveal the software vendor, software name, service type and version number, from which known vulnerabilities and weaknesses can be looked up directly.
- Capturing a banner requires a complete TCP connection (three-way handshake).
- Alternative service identification methods: 1. characteristic behaviour and response fields; 2. differences in responses can also be used to identify the underlying operating system.
(1) nc
root@root:~# nc -nv 192.168.37.128 25
(UNKNOWN) [192.168.37.128] 25 (smtp) open
220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
root@root:~# nc -nv 192.168.37.128 80
(UNKNOWN) [192.168.37.128] 80 (http) open
get
HTTP/1.1 400 Bad Request
Date: Sun, 14 Apr 2019 05:32:15 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
(2) socket (used to connect to network services)
root@root:~# python
Python 2.7.14+ (default, Mar 13 2018, 15:23:44)
[GCC 7.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket # import the socket module
>>> banner=socket.socket(socket.AF_INET,socket.SOCK_STREAM) # SOCK_STREAM means a TCP connection
>>> banner.connect(("192.168.37.128",25)) # IP address and port to connect to
>>> banner.recv(4096) # receive up to 4096 bytes of the reply
'220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n' # the banner that was returned
>>> banner.close() # close the connection
>>> exit()
In many cases the system does not allow its banner to be grabbed; recv() then receives nothing and blocks. The following script handles this by waiting on the socket with select() and skipping ports that return nothing within the timeout:
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: 橘子女侠
# Time: 2019/04/14
# Scans a range of ports for banner information; ports whose banner cannot be obtained are skipped.
from __future__ import print_function
import socket
import select
import sys

if len(sys.argv) != 4:
    print("Usage - ./banner_grab.py [Target.IP] [First Port] [Last Port]")
    print("Example - ./banner_grab.py 1.1.1.1 1 100")
    sys.exit(1)

ip = sys.argv[1]
start = int(sys.argv[2])
end = int(sys.argv[3])

for port in range(start, end + 1):                  # include the last port
    bangrab = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bangrab.settimeout(1)                           # do not hang on filtered ports
    try:
        bangrab.connect((ip, port))
        ready = select.select([bangrab], [], [], 1)  # wait at most 1 second for a banner
        if ready[0]:
            data = bangrab.recv(4096).decode("latin-1").rstrip()
            print("TCP Port " + str(port) + "." + data)
    except socket.error:
        pass                                        # closed/filtered port or no banner: skip it
    finally:
        bangrab.close()
Result:
root@root:~# chmod +x ./banner.py
root@root:~# ./banner.py 192.168.37.128 1 200
TCP Port 25.220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
TCP Port 110.+OK WIN-N7TAB1239LM.st13.com Winmail Mail Server POP3 ready
TCP Port 143.* OK IMAP4 ready! WIN-N7TAB1239LM.st13.com Winmail Mail Server MagicWinmail Extend IMAP 102
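The notes above make the point that a service is identified by what it sends, not by its port number. The following is an added example, not part of the original notes: it classifies a captured banner by the shape of its greeting and pulls out name/version tokens. The sample banners are constructed from the ones captured above; the SSH line and the HTTP-on-8080 entry are constructed additions.

```python
#!/usr/bin/env python3
# Added example: identify a service from its banner rather than its port.
import re

# Constructed samples (copied from the sessions in these notes, plus two additions)
SAMPLE_BANNERS = {
    25:   b"220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n",
    110:  b"+OK WIN-N7TAB1239LM.st13.com Winmail Mail Server POP3 ready\r\n",
    143:  b"* OK IMAP4 ready! WIN-N7TAB1239LM.st13.com Winmail Mail Server MagicWinmail Extend IMAP 102\r\n",
    2222: b"SSH-2.0-OpenSSH_7.4p1 Debian-10\r\n",          # constructed: SSH on a non-default port
    8080: (b"HTTP/1.1 400 Bad Request\r\n"                  # constructed: the Apache reply, on 8080
           b"Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\n"
           b"Content-Length: 226\r\nConnection: close\r\n\r\n"),
    9999: b"",                                              # connection accepted, nothing sent
}

# Greeting shapes, checked in order; the first match wins
GREETINGS = (
    ("ssh",         re.compile(r"^SSH-\d\.\d-")),
    ("http",        re.compile(r"^HTTP/\d\.\d \d{3}\b")),
    ("pop3",        re.compile(r"^\+OK\b")),
    ("imap",        re.compile(r"^\* (?:OK|PREAUTH)\b")),
    ("smtp-or-ftp", re.compile(r"^220[ -]")),   # SMTP and FTP both greet with 220
)
PRODUCT_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9_-]*)/(\d[\w.]*)")  # name/version tokens
SSH_RE = re.compile(r"^SSH-[\d.]+-([A-Za-z]+)[_-]?(\d[\w.]*)?")    # SSH-2.0-OpenSSH_7.4p1

def identify_banner(data):
    """Return {'service', 'greeting', 'products'} for the bytes a port sent first."""
    if not data:
        # HTTP (see the nc session above) and many other protocols wait for the
        # client to speak first, so an empty read means "unknown", not "closed".
        return {"service": "unknown", "greeting": "", "products": []}
    lines = data.decode("latin-1").splitlines()
    first = lines[0]
    service = next((name for name, pat in GREETINGS if pat.match(first)), "unknown")
    if service == "smtp-or-ftp":            # disambiguate by the greeting text
        upper = first.upper()
        service = "smtp" if "SMTP" in upper else "ftp" if "FTP" in upper else service
    if service == "http":                   # version strings live in the Server header
        server = [l for l in lines[1:] if l.lower().startswith("server:")]
        products = PRODUCT_RE.findall(server[0]) if server else []
    elif service == "ssh":
        m = SSH_RE.match(first)
        products = [(m.group(1), m.group(2) or "")] if m else []
    else:
        products = PRODUCT_RE.findall(first)
    return {"service": service, "greeting": first, "products": products}

def scan_samples(banners=SAMPLE_BANNERS):
    """Identify every constructed banner; returns {port: service}."""
    return {port: identify_banner(raw)["service"] for port, raw in banners.items()}

if __name__ == "__main__":
    for port, raw in SAMPLE_BANNERS.items():
        info = identify_banner(raw)
        print("port %5d -> %-8s %s" % (port, info["service"], info["products"]))
```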
(3) dmitry
root@root:~# dmitry -pb 192.168.37.128
Deepmagic Information Gathering Tool
"There be some deep magic going on"
HostIP:192.168.37.128
HostName:bogon
Gathered TCP Port information for 192.168.37.128
---------------------------------
Port State
25/tcp open
>> 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
53/tcp open
Portscan Finished: Scanned 150 ports, 147 ports were in state closed
All scans completed, exiting
(4) nmap
Using the scripts that ship with nmap (/usr/share/nmap/scripts/):
root@root:~# nmap -sT 192.168.37.128 -p 25 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:40 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00046s latency).
PORT STATE SERVICE
25/tcp open smtp
|_banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds
root@root:~# nmap -sT 192.168.37.128 -p 1-100 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:41 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00065s latency).
Not shown: 96 closed ports
PORT STATE SERVICE
25/tcp open smtp
|_banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
MAC Address: 00:0C:29:3B:24:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 15.47 seconds
(5) amap
root@root:~# amap -B 192.168.37.128 25
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:44:33 - BANNER mode
Banner on 192.168.37.128:25/tcp : 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n
amap v5.4 finished at 2019-04-14 14:44:33
root@root:~# amap -B 192.168.37.128 1-100
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:44:52 - BANNER mode
Banner on 192.168.37.128:25/tcp : 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n
amap v5.4 finished at 2019-04-14 14:45:03
2. Service scanning: service identification
- Banner grabbing alone has limited reach;
- Other service identification methods are needed for a further, more accurate determination;
(1) Nmap (service and version behind each open port)
root@root:~# nmap 192.168.37.128 -p 1-100 -sV # frequently used
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 14:47 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00036s latency).
Not shown: 96 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Winmail smtpd
53/tcp open domain Microsoft DNS 6.1.7601 (1DB1446A) (Windows Server 2008 R2 SP1)
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-04-14 06:47:51Z)
MAC Address: 00:0C:29:3B:24:57 (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2008:r2:sp1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
(2) Amap
- -q: cleaner output (does not list unidentified ports);
- -b: show detailed information (the banner that was matched);
root@root:~# amap 192.168.37.128 1-100
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:49:24 - APPLICATION MAPPING mode
Protocol on 192.168.37.128:25/tcp matches smtp
Protocol on 192.168.37.128:80/tcp matches http
Protocol on 192.168.37.128:80/tcp matches http-apache-2
Protocol on 192.168.37.128:25/tcp matches nntp
Protocol on 192.168.37.128:88/tcp matches mysql
Unidentified ports: 192.168.37.128:1/tcp 192.168.37.128:2/tcp 192.168.37.128:3/tcp 192.168.37.128:4/tcp 192.168.37.128:5/tcp 192.168.37.128:6/tcp 192.168.37.128:7/tcp 192.168.37.128:8/tcp 192.168.37.128:9/tcp 192.168.37.128:10/tcp 192.168.37.128:11/tcp 192.168.37.128:12/tcp 192.168.37.128:13/tcp 192.168.37.128:14/tcp 192.168.37.128:15/tcp 192.168.37.128:16/tcp 192.168.37.128:17/tcp 192.168.37.128:18/tcp 192.168.37.128:19/tcp 192.168.37.128:20/tcp 192.168.37.128:21/tcp 192.168.37.128:22/tcp 192.168.37.128:23/tcp 192.168.37.128:24/tcp 192.168.37.128:26/tcp 192.168.37.128:27/tcp 192.168.37.128:28/tcp 192.168.37.128:29/tcp 192.168.37.128:30/tcp 192.168.37.128:31/tcp 192.168.37.128:32/tcp 192.168.37.128:33/tcp 192.168.37.128:34/tcp 192.168.37.128:35/tcp 192.168.37.128:36/tcp 192.168.37.128:37/tcp 192.168.37.128:38/tcp 192.168.37.128:39/tcp 192.168.37.128:40/tcp 192.168.37.128:41/tcp 192.168.37.128:42/tcp 192.168.37.128:43/tcp 192.168.37.128:44/tcp 192.168.37.128:45/tcp 192.168.37.128:46/tcp 192.168.37.128:47/tcp 192.168.37.128:48/tcp 192.168.37.128:49/tcp 192.168.37.128:50/tcp 192.168.37.128:51/tcp 192.168.37.128:52/tcp 192.168.37.128:53/tcp 192.168.37.128:54/tcp 192.168.37.128:55/tcp 192.168.37.128:56/tcp 192.168.37.128:57/tcp 192.168.37.128:58/tcp 192.168.37.128:59/tcp 192.168.37.128:60/tcp 192.168.37.128:61/tcp 192.168.37.128:62/tcp 192.168.37.128:63/tcp 192.168.37.128:64/tcp 192.168.37.128:65/tcp 192.168.37.128:66/tcp 192.168.37.128:67/tcp 192.168.37.128:68/tcp 192.168.37.128:69/tcp 192.168.37.128:70/tcp 192.168.37.128:71/tcp 192.168.37.128:72/tcp 192.168.37.128:73/tcp 192.168.37.128:74/tcp 192.168.37.128:75/tcp 192.168.37.128:76/tcp 192.168.37.128:77/tcp 192.168.37.128:78/tcp 192.168.37.128:79/tcp 192.168.37.128:81/tcp 192.168.37.128:82/tcp 192.168.37.128:83/tcp 192.168.37.128:84/tcp 192.168.37.128:85/tcp 192.168.37.128:86/tcp 192.168.37.128:87/tcp 192.168.37.128:89/tcp 192.168.37.128:90/tcp 192.168.37.128:91/tcp 192.168.37.128:92/tcp 192.168.37.128:93/tcp 
192.168.37.128:94/tcp 192.168.37.128:95/tcp 192.168.37.128:96/tcp 192.168.37.128:97/tcp 192.168.37.128:98/tcp 192.168.37.128:99/tcp 192.168.37.128:100/tcp (total 97). [Note: the -q option suppresses this listing]
amap v5.4 finished at 2019-04-14 14:49:37
root@root:~# amap 192.168.37.128 1-100 -q
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:49:44 - APPLICATION MAPPING mode
Protocol on 192.168.37.128:25/tcp matches smtp
Protocol on 192.168.37.128:80/tcp matches http
Protocol on 192.168.37.128:80/tcp matches http-apache-2
Protocol on 192.168.37.128:88/tcp matches mysql
Protocol on 192.168.37.128:25/tcp matches nntp
amap v5.4 finished at 2019-04-14 14:49:56
root@root:~# amap 192.168.37.128 1-100 -qb
amap v5.4 (www.thc.org/thc-amap) started at 2019-04-14 14:49:59 - APPLICATION MAPPING mode
Protocol on 192.168.37.128:25/tcp matches nntp - banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n502 unimplemented\r\n
Protocol on 192.168.37.128:25/tcp matches smtp - banner: 220 WIN-N7TAB1239LM.st13.com Winmail Mail Server ESMTP ready\r\n502 unimplemented\r\n
Protocol on 192.168.37.128:80/tcp matches http - banner: HTTP/1.1 200 OK\r\nDate Sun, 14 Apr 2019 065001 GMT\r\nServer Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nX-Powered-By PHP/5.4.45\r\nContent-Length 11\r\nConnection close\r\nContent-Type text/html\r\n\r\nHello World
Protocol on 192.168.37.128:80/tcp matches http-apache-2 - banner: HTTP/1.1 200 OK\r\nDate Sun, 14 Apr 2019 065001 GMT\r\nServer Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45\r\nX-Powered-By PHP/5.4.45\r\nContent-Length 11\r\nConnection close\r\nContent-Type text/html\r\n\r\nHello World
Protocol on 192.168.37.128:88/tcp matches mysql - banner:
amap v5.4 finished at 2019-04-14 14:50:11
3. Operating system identification
- OS identification determines the target host's operating system type and version;
- From the OS version we can learn which services the system opens by default, and which vulnerabilities older versions of the operating system carry;
(1) scapy (rough guess of the OS type from the TTL value)
root@root:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
INFO: Can't import python ecdsa lib. Disabled certificate manipulation tools
Welcome to Scapy (2.3.3)
>>> win="192.168.37.128"
>>> linux="192.168.37.143"
>>> aw=sr1(IP(dst=win)/ICMP())
Begin emission:
..*Finished to send 1 packets.
Received 3 packets, got 1 answers, remaining 0 packets
>>> aw.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 1213
flags=
frag= 0L
ttl= 128
proto= icmp
chksum= 0x69d0
src= 192.168.37.128
dst= 192.168.37.131
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
>>> al=sr1(IP(dst=linux)/ICMP())
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> al.display()
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 28
id= 31514
flags=
frag= 0L
ttl= 64
proto= icmp
chksum= 0x3364
src= 192.168.37.143
dst= 192.168.37.131
\options\
###[ ICMP ]###
type= echo-reply
code= 0
chksum= 0xffff
id= 0x0
seq= 0x0
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
The same check as a script: ttl_os.py
#!/usr/bin/python
# Author: 橘子女侠
# Roughly guesses the target host's OS type from the TTL of its ICMP echo reply
from __future__ import print_function
from scapy.all import IP, ICMP, sr1
import sys

if len(sys.argv) != 2:
    print("Usage - ./ttl_os.py [IP address]")
    print("Example - ./ttl_os.py 1.1.1.1")
    sys.exit(1)

ip = sys.argv[1]
ans = sr1(IP(dst=str(ip)) / ICMP(), timeout=1, verbose=0)  # one echo request, wait at most 1 s
if ans is None:
    print("No response was returned")
elif int(ans[IP].ttl) <= 64:          # Linux/Unix start with an initial TTL of 64
    print("Host is Linux/Unix")
else:                                 # Windows starts with an initial TTL of 128
    print("Host is Windows")
root@root:~# vim ttl_os.py
root@root:~# chmod +x ttl_os.py
root@root:~# ./ttl_os.py 192.168.37.128
Host is Windows
root@root:~# ./ttl_os.py 192.168.37.143
Host is Linux/Unix
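ttl_os.py compares the observed TTL against 64 only. A reply actually arrives with ttl = initial TTL minus the number of hops, so the rule generalises: pick the smallest common initial TTL that is at least the observed value and the difference is the hop distance. The following is an added example, not part of the original notes; the live main() assumes scapy and raw-socket privileges, while guess_os_from_ttl() runs offline.

```python
#!/usr/bin/env python3
# Added example: the ttl_os.py rule with hop-distance correction.
INITIAL_TTLS = (          # default initial TTLs used by common OS families
    (64, "Linux/Unix"),
    (128, "Windows"),
    (255, "Network device / Solaris"),
)

def guess_os_from_ttl(ttl, max_hops=30):
    """Map an observed IP TTL to (os_family, initial_ttl, hops, confident).

    confident is False when the implied hop count exceeds max_hops: a very low
    TTL could also come from a host of the next family that is unusually far
    away, so such a guess should be confirmed with nmap -O or a TCP fingerprint.
    """
    if not 0 < ttl <= 255:
        raise ValueError("TTL must be between 1 and 255, got %r" % (ttl,))
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:                # smallest initial TTL the reply fits under
            hops = initial - ttl
            return family, initial, hops, hops <= max_hops

def describe_ttl(ttl):
    """Human-readable verdict for one observed TTL."""
    family, initial, hops, confident = guess_os_from_ttl(ttl)
    note = "" if confident else " (low confidence: %d hops is unusually far)" % hops
    return "ttl=%d -> %s (initial TTL %d, %d hops away)%s" % (ttl, family, initial, hops, note)

def main(argv):
    # Live use mirrors ttl_os.py: send one ICMP echo request and read the reply's TTL.
    from scapy.all import IP, ICMP, sr1
    if len(argv) != 2:
        print("Usage - ./ttl_guess.py [IP address]")
        return 1
    ans = sr1(IP(dst=argv[1]) / ICMP(), timeout=1, verbose=0)
    if ans is None:
        print("No response was returned")
        return 1
    print(describe_ttl(int(ans[IP].ttl)))
    return 0

if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv))
```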
(2) Nmap
- -O: identify the operating system type
root@root:~# nmap -O 192.168.37.128 # scan the Windows host
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 18:02 CST
Nmap scan report for bogon (192.168.37.128)
Host is up (0.00074s latency).
Not shown: 973 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
465/tcp open smtps
593/tcp open http-rpc-epmap
636/tcp open ldapssl
993/tcp open imaps
995/tcp open pop3s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3306/tcp open mysql
6000/tcp open X11
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49167/tcp open unknown
MAC Address: 00:0C:29:3B:24:57 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
root@root:~# nmap -O 192.168.37.143 # scan the Linux host
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 18:04 CST
Nmap scan report for bogon (192.168.37.143)
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:EF:E0:1D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.21 seconds
(3) Xprobe2 (a dedicated OS identification tool, but not very accurate)
root@root:~# xprobe2 192.168.37.128
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is 192.168.37.128
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.37.128. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.37.128. Module test failed
[-] No distance calculation. 192.168.37.128 appears to be dead or no ports known
[+] Host: 192.168.37.128 is up (Guess probability: 50%)
[+] Target: 192.168.37.128 is alive. Round-Trip Time: 0.52607 sec
[+] Selected safe Round-Trip Time value is: 1.05214 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.37.128 Running OS: (Guess probability: 88%)
[+] Other guesses:
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: �3G�U (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: (Guess probability: 88%)
[+] Host 192.168.37.128 Running OS: ��3G�U (Guess probability: 88%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
root@root:~# xprobe2 192.168.37.143
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is 192.168.37.143
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.37.143. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.37.143. Module test failed
[-] No distance calculation. 192.168.37.143 appears to be dead or no ports known
[+] Host: 192.168.37.143 is up (Guess probability: 50%)
[+] Target: 192.168.37.143 is alive. Round-Trip Time: 0.50384 sec
[+] Selected safe Round-Trip Time value is: 1.00768 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Host 192.168.37.143 Running OS: ����U (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
(4) Passive OS identification
- Active scanning: send packets to the target system and judge the target's operating system type from the responses;
- Passive scanning: send no packets to the target; identify the target operating system by capturing and listening to network traffic;
root@root:~# p0f
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn) ]-
|
| client = 192.168.37.131/38136
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| client = 192.168.37.131/38136
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (syn+ack) ]-
|
| server = 96.17.15.27/80
| os = ???
| dist = 0
| params = none
| raw_sig = 4:128+0:0:1460:mss*44,0:mss::0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (mtu) ]-
|
| server = 96.17.15.27/80
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (http request) ]-
|
| client = 192.168.37.131/38136
| app = Safari 5.1-6
| lang = English
| params = dishonest
| raw_sig = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],?Cache-Control,Pragma=[no-cache],Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
|
`----
.-[ 192.168.37.131/38136 -> 96.17.15.27/80 (http response) ]-
|
| server = 96.17.15.27/80
| app = ???
| lang = none
| params = none
| raw_sig = 1:Content-Type,?Content-Length,?Last-Modified,?ETag,Accept-Ranges=[bytes],Server,X-Amz-Cf-Id=[kUgYdtbDIrNX_jkcyy6MvN4hq0Cy_EscpxcYwco2FM-wif_8vyNkzA==],?Cache-Control,Date,Connection=[keep-alive]:Keep-Alive:AmazonS3
|
`----
^C[!] WARNING: User-initiated shutdown.
All done. Processed 15 packets.
root@root:~# uname -a
Linux root 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux
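Each p0f record above carries a raw_sig that encodes the fields the OS guess was derived from: initial TTL and distance, MSS, window size (as a multiple of the MSS), window scale, TCP option layout and quirks. The following parser is an added example, not part of the original notes or of p0f; it decodes the two TCP signatures captured above (the syn from the Kali box and the syn+ack from the web server) following the p0f3 signature field order.

```python
#!/usr/bin/env python3
# Added example: decode a p0f TCP raw_sig.
# Field order (p0f3 signature format): ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
import re

# Constructed samples, copied from the p0f session in these notes
SYN_SIG = "4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0"      # client (Kali) syn
SYNACK_SIG = "4:128+0:0:1460:mss*44,0:mss::0"                       # server syn+ack

ITTL_RE = re.compile(r"^(\d+)(?:\+(\d+))?$")   # "initial_ttl+distance"

def _int_or_none(field):
    """'*' (wildcard) becomes None, anything else is an integer."""
    return None if field == "*" else int(field)

def resolve_wsize(wsize, mss, mtu=None):
    """Resolve p0f's window-size notation to bytes where possible.

    'mss*N' / 'mtu*N' are multiples of the observed MSS / MTU, '%N' means
    'any multiple of N' and '*' is unspecified; unresolvable forms give None.
    """
    if wsize == "*" or wsize.startswith("%"):
        return None
    m = re.match(r"^(mss|mtu)\*(\d+)$", wsize)
    if m:
        base = mss if m.group(1) == "mss" else mtu
        return None if base is None else base * int(m.group(2))
    return int(wsize)

def parse_p0f_tcp_sig(raw_sig):
    """Split a p0f TCP signature string into its named fields."""
    parts = raw_sig.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(parts))
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = parts
    m = ITTL_RE.match(ittl)
    if not m:
        raise ValueError("bad ittl field: %r" % ittl)
    mss_val = _int_or_none(mss)
    wsize, scale = wsize_scale.split(",")
    return {
        "ip_version": _int_or_none(ver),
        "initial_ttl": int(m.group(1)),       # TTL the sender's OS started with
        "distance": int(m.group(2) or 0),     # hops the packet has already travelled
        "ip_opt_len": int(olen),
        "mss": mss_val,
        "window_size": resolve_wsize(wsize, mss_val),
        "window_scale": _int_or_none(scale),
        "options": [o for o in olayout.split(",") if o],   # TCP option layout, in order
        "quirks": [q for q in quirks.split(",") if q],     # e.g. df, id+ (see p0f docs)
        "payload_class": pclass,
    }

if __name__ == "__main__":
    for label, sig in (("syn", SYN_SIG), ("syn+ack", SYNACK_SIG)):
        print(label, parse_p0f_tcp_sig(sig))
```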