信息收集之主机服务扫描

一般来说,我们进行信息收集时需要去了解目标主机上运行的服务,称为服务扫描。可以达到:

  • 识别开放端口上运行的应用
  • 识别目标操作系统
  • 提高攻击效率

我们想要达到的目的:

  • Banner捕获
  • 服务识别
  • 操作系统识别
  • SNMP分析
  • 防火墙识别

1. Banner

目的:

  • 软件开发商
  • 软件名称
  • 服务类型
  • 版本号(直接发现已知的漏洞和弱点)

识别方法

1.1 nc连接识别

root@kali:~# nc -nv 120.78.49.231 22
(UNKNOWN) [120.78.49.231] 22 (ssh) open
SSH-2.0-OpenSSH_7.4
^C
root@kali:~# 

1.2 python socket


>>> import socket
>>> banner = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> banner.connect(("192.168.1.200", 22))
>>> banner.recv(4096)
b'SSH-2.0-OpenSSH_7.8p1 Debian-1\r\n'
>>> banner.close()

1.3 nmap

nmap -sT 192.168.1.145 --script=banner.nse
# 要使用banner脚本必须用sT (全TCP连接)
C:\Users\w5023
λ nmap -sT 192.168.1.200 -p 22 --script=banner.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-12 13:48 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.1.200
Host is up (0.00013s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_7.8p1 Debian-1
MAC Address: 00:0C:29:19:00:C7 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

1.4 amap

root@kali:~# amap -B 120.78.49.231 22

amap v5.4 (www.thc.org/thc-amap) started at 2018-09-12 13:55:52 - BANNER mode

Banner on 120.78.49.231:22/tcp : SSH-2.0-OpenSSH_7.4\r\n

amap v5.4 finished at 2018-09-12 13:55:52

也可以指定端口范围:

amap -B 192.168.1.145 1-65535 
amap -B 192.168.1.145 1-65535 | grep on

2. 服务识别

2.1 nmap响应特征识别

λ nmap 120.78.49.231 -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-12 14:00 ?D1ú±ê×?ê±??
Nmap scan report for 120.78.49.231
Host is up (0.023s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE  VERSION
21/tcp  closed ftp
22/tcp  open   ssh      OpenSSH 7.4 (protocol 2.0)
80/tcp  open   http     nginx
443/tcp open   ssl/http nginx

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.55 seconds

2.2 Amap

amap 192.168.1.134 80
amap 172.16.36.135 20-30
amap 172.16.36.135 20-30 –q 
amap 172.16.36.135 20-30 -qb

例如:

root@kali:~# amap 106.75.73.171 80 -q
amap v5.4 (www.thc.org/thc-amap) started at 2018-09-12 14:16:28 - APPLICATION MAPPING mode

Protocol on 106.75.73.171:80/tcp matches http
Protocol on 106.75.73.171:80/tcp matches http-apache-2

amap v5.4 finished at 2018-09-12 14:16:34

3. 操作系统识别

操作系统识别技术:

  • 种类繁多
  • 好产品采用多种技术组合

3.1 TTL起始值(没啥用,直接nmap)

  • Windows:128(65-128)
  • Unix/Linux:64(1-64)
  • 某些Unix:255
λ ping 192.168.1.200

正在 Ping 192.168.1.200 具有 32 字节的数据:
来自 192.168.1.200 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.1.200 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.1.200 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.1.200 的回复: 字节=32 时间<1ms TTL=64

3.2 nmap

nmap 192.168.1.145 -O
λ nmap 192.168.1.200 -O
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-12 14:40 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.1.200
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:19:00:C7 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.87 seconds

3.3 xprobe2 (不准确,误差大)

xprobe2 192.168.1.145

3.4 被动操作系统识别

  • IDS
  • 抓包分析
  • p0f (结合arp地址欺骗识别全网os)

4. SNMP扫描

  • snmp(简单网络管理协议)

信息的金矿
经常被错误配置
public/private/manager

  • MIB Tree

SNMP Management Information Base (MIB)
树形的网络设备管理功能数据库
1.3.6.1.4.1.77.1.2.25

onesixtyone 1.1.1.1 public
onesixtyone -c dict.txt -i hosts -o my.log -w 100

扫描:

snmpwalk 192.168.20.199 -c public -v 2c
用户:  snmpwalk -c public -v 2c 1.1.1.1 1.3.6.1.4.1.77.1.2.25
snmpcheck -t 192.168.20.199
snmpcheck -t 192.168.20.199 -c private -v 2
snmpcheck -t 192.168.20.199 -w

5. SMB扫描

  • Server Message Block协议

微软历史上出现问题最多的协议
实现复杂
默认开放
文件共享
空会话未身份认证访问(SMB1)

扫描:

检查是否存在漏洞
nmap -v -p 135,445 192.168.1.0/24  (-v显示详细信息)
nmap 192.168.1.145 -p 139,445 --script=smb-os-discovery.nse

# 检查是否存在漏洞(已经失败,无法使用)
nmap -v -p139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.145

nbtscan -r 192.168.1.0/24

enum4linux -a 192.168.1.145

6. SMTP扫描(扫描邮件服务器)

1. 检查是否开启25端口

nc -nv 1.1.1.1 25
  VRFY root(初级)

2. 枚举用户账号

nmap smtp.163.com -p25 --script=smtp-enum-users.nse --script-args=smtp-enumusers.methods={VRFY} 
# 指定使用什么方式,默认用root账号,也可加别的参数(指定字典)

3. 扫描邮件开放中继

nmap smtp.163.com -p25 --script=smtp-open-relay.nse

4. 指定字典扫描邮箱账号

smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1

7. 防火墙扫描

  • python脚本检测
  • nmap检测
nmap 127.0.0.1 -sA

8. 负载均衡识别

广域网负载均衡
DNS
HTTP-Loadbalancing
Nginx
Apache

举例:

lbd www.baidu.com
lbd mail.163.com

9. WAF识别

直接使用wafw00f:

wafw00f -l (列举防火墙类型)
wafw00f http://www.microsoft.com

也可以用nmap:

nmap www.microsoft.com --script=http-waf-detect.nse

以上是安全牛学习总结

1 + 5 =
快来做第一个评论的人吧~